Security | Vulnerability Scans and Assessment Windows Server

How to determine why an MBAM protected device is non-compliant

MBAM-noncompliance
BitLocker Management with MBAM

MBAM includes logging for server installation, client installation, and events. This logging should be referred to for troubleshooting. MBAM has separate event-logging channels. The Admin, Analytical, and Operational log files are located in Event Viewer, under Application and Services Logs > Microsoft > Windows > MBAM. The table below is a typical error displayed by MBAM when the agent is unable to report the device status to the database. MBAM is an administrator interface used to manage BitLocker drive encryption. Kindly refer to the following similar guides on BitLocker. How to view BitLocker disk encryption status in Windows, how to backup existing and new BitLocker recovery keys to Active Directory, BitLocker Drive Encryption architecture and implementation types on Windows, how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.

Screenshot-2022-01-12-at-19.29.25

The following noncompliance codes are provided by WMI and describe the reasons why a particular device is reported by MBAM as noncompliant. As you can see in the image above, this device is non-compliant without any errors.

In this guide, I will be describing various errors and how to fix them. Kindly refer to the following similar guides on BitLocker. How to view BitLocker disk encryption status in Windows, how to backup existing and new BitLocker recovery keys to Active Directory, BitLocker Drive Encryption architecture and implementation types on Windows, how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.

You can use your preferred method to view WMI such as Commandline or PowerShell. If you use PowerShell, run the following command below.

gwmi -class mbam_volume -Namespace root\microsoft\mbam
Screenshot-2022-01-12-at-19.29.47

Below are possible reasons for non-compliance. As you can see in the image below, there isn’t a reason for this error other than, the device isn’t in sync with the domain. That is, it is not connected to the network via VPN, because it is being used remotely. You should be able to determine various reasons from your experience with MBAM. This guide shows how to create MBAM Enterprise and Compliance, and Recovery Audit reports.

Non-Compliance CodeReason for Non-Compliance
0Cipher strength, not AES 256.
1MBAM Policy requires this volume to be encrypted but it is not.
2MBAM Policy requires this volume to NOT be encrypted, but it is.
3MBAM Policy requires this volume to use a TPM protector, but it does not.
4MBAM Policy requires this volume to use a TPM+PIN protector, but it does not.
5MBAM Policy does not allow non-TPM machines to report as compliant.
6Volume has a TPM protector but the TPM is not visible (booted with recover key after disabling TPM in BIOS?).
7MBAM Policy requires this volume to use a password protector, but it does not have one.
8MBAM Policy requires this volume NOT to use a password protector, but it has one.
9MBAM Policy requires this volume to use an auto-unlock protector, but it does not have one.
10MBAM Policy requires this volume NOT to use an auto-unlock protector, but it has one.
11Policy conflict detected preventing MBAM from reporting this volume as compliant.
12A system volume is needed to encrypt the OS volume but it is not present.
13Protection is suspended for the volume.
14AutoUnlock is unsafe unless the OS volume is encrypted.
15The policy requires minimum cipher strength is XTS-AES-128 bit, actual cipher strength is weaker than that.
16The policy requires minimum cipher strength is XTS-AES-256 bit, actual cipher strength is weaker than that.

Via CMD

wmic /namespace:\\root\microsoft\mbam path MBAM_Volume where "VolumeName like 'C:%'" get ReasonsForNoncompliance

WMI

Namespace: root\Microsoft\MBAM

Select ReasonsForNoncompliance from MBAM_Volume where VolumeName like 'C:%'

Configuration Manager (current branch)

As described above, the WMI on the client provides the following non-compliance codes and the reasons why a particular device reports as non-compliant. There are various methods to view WMI. Using the following PowerShell command or the method described above. You may also want to see how to resolve the following issue “waiting for auto-provisioning“.

(Get-WmiObject -Class mbam_Volume -Namespace root\microsoft\mbam).ReasonsForNoncompliance
Non-compliance codeReason for non-compliance
0Cipher strength, not AES 256.
1BitLocker policy requires this volume to be encrypted, but it isn’t.
2BitLocker policy requires this volume to not be encrypted, but it is.
3BitLocker policy requires this volume to use a TPM protector, but it doesn’t.
4BitLocker policy requires this volume to use a TPM+PIN protector, but it doesn’t.
5BitLocker policy doesn’t allow non-TPM machines to report as compliant.
6Volume has a TPM protector, but the TPM isn’t visible.
7BitLocker policy requires this volume to use a password protector, but it doesn’t have one.
8BitLocker policy requires this volume not to use a password protector, but it has one.
9BitLocker policy requires this volume to use an auto-unlock protector, but it doesn’t have one.
10BitLocker policy requires this volume not to use an auto-unlock protector, but it has one.
11BitLocker detects a policy conflict, which prevents it from reporting this volume as compliant.
12A system volume is needed to encrypt the OS volume, but it isn’t present.
13Protection is suspended for the volume.
14Auto-unlock protector is unsafe unless the OS volume is encrypted.
15The policy requires minimum cipher strength is XTS-AES-128 bit, actual cipher strength is weaker.
16The policy requires minimum cipher strength is XTS-AES-256 bit, actual cipher strength is weaker.

Note: If the device is compliant, this command doesn’t return anything. You can also check the Compliant attribute of this class, which is 1 if the device is compliant.

Querry Remote Device TPM Status

But to remotely query the compliance status of a device, you can run the command, replacing mpLApstop1 with your device name “Get-WmiObject -namespace root\cimv2\security\MicrosoftVolumeEncryption -class Win32_EncryptableVolume -ComputerName mpLApstop1“.

Get-WmiObject -namespace root\cimv2\security\MicrosoftVolumeEncryption -class Win32_EncryptableVolume -ComputerName mpLApstop1

Here is a guide on how to deploy Microsoft BitLocker Administration and Monitoring Tool. I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x