Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that let you set the BitLocker Drive Encryption policy options appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and of the enterprise as a whole. Here are some related guides: MBAM components, How to deploy Microsoft BitLocker Administration and Monitoring Tool, How to unlock a fixed drive protected by BitLocker, and How to correctly encrypt additional drives added to an MBAM-protected device.
In addition, you can access recovery key information when users forget their PIN or password, or when their BIOS or boot record changes. Kindly refer to these related guides on MBAM: How to create MBAM Enterprise and Compliance, and Recovery Audit reports, and How to determine why an MBAM-protected device is non-compliant.
The figure below shows the possible errors you will encounter when working with MBAM. I have attached the following hyperlinks to describe the related topics and to bring you up to speed with most aspects of MBAM: System check found some issues during MBAM encryption: Fail, The power cable must be connected, MBAM reports cannot be accessed because it could not load folder contents, and Understanding Microsoft BitLocker Administration and Monitoring Roles.
A System Drive is the one Windows is installed on, and a Fixed Drive is a drive that is neither a system drive nor a removable drive: typically a disk installed, usually internally, for extra storage. Here is a guide on the MBAM report fields (Enterprise Compliance, Computer Compliance, and Recovery Audit Report): Understanding the Microsoft BitLocker Administration and Monitoring (MBAM) reports fields.
Explanation of MBAM error types:
Below is a summary of the reasons drives are reported as non-compliant; in most cases the affected drive is the system drive. Please see How to fix System Partition not available or large enough on Microsoft BitLocker Administration and Monitoring [Part 1].
| MBAM error | Possible actions |
| --- | --- |
| No Errors | This can mean several things. The user may not have signed in interactively on the device since the MBAM agent was installed, or the device may not be connected to your network. Even when working from home, it is recommended to connect via VPN at least once a month. Rare case: also check that the agent is truly installed, because if only the GPO is applied, this behaviour is expected as well. The MBAM client will NEVER start BitLocker Drive Encryption actions while a Remote Desktop Protocol connection is active. All remote console connections must be closed and a user must be logged on to a physical console session with a domain account before BitLocker Drive Encryption can begin, as discussed previously (reference: How to Deploy the MBAM Client to Desktop or Laptop Computers, Microsoft Desktop Optimization Pack, Microsoft Learn). |
| Drives not yet encrypted | This could mean that the MBAM agent and its update have not been installed. If you are using DSM, you do not have to worry about the update, as the two are bundled together. Make sure that the MBAM Group Policy settings are applied on the client computer. The following registry subkey is created when the Group Policy settings have been applied on the client computer: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Drive encrypted but shows non-compliant | The device is out of sync with your network. Please ensure it is connected to the network; if you are working remotely, initiate a VPN connection to the domain. |
| System Partition not available or large enough | BitLocker requires a system partition to enable encryption. If this partition is missing, use the command line described in these guides to create the required BitLocker partition: How to fix System Partition not available or large enough on Microsoft BitLocker Administration and Monitoring [Part 1], and BitLocker System Partition: Detailed steps to troubleshoot and fix System Partition not available or large enough [Part 2]. |
| Unable to find compatible TPM | The TPM is not visible to Windows: the computer most likely does not have a compatible TPM, or the TPM is disabled in the BIOS, so Windows cannot see it at all. Open TPM Management (tpm.msc) and check whether the computer has a TPM device. If tpm.msc does not show a device, open Device Manager (devmgmt.msc) and look for a Trusted Platform Module under Security Devices. If no Trusted Platform Module device is listed, one of the following may be true: your system does not have a Trusted Platform Module (TPM/Security) device; the TPM device is disabled in the BIOS, in which case the solution is to enable the TPM in the BIOS; the TPM device is enabled in the BIOS, but management of the TPM from the operating system is disabled in the BIOS; or you are not using the Microsoft driver for the TPM device. Review the devices listed in Device Manager to identify the TPM driver: if the TPM device is not using the C:\Windows\System32\tpm.sys driver, update the driver by selecting the C:\Windows\Inf\tpm.inf file. Related guides: How to fix unable to find compatible TPM, How to determine if TPM is present, and How to enable TPM in the BIOS. |
| An unknown error has occurred | This could be because the cipher strength was not defined, among other causes. Take a look at the device's Event Viewer under Applications and Services Logs – Microsoft – Windows – MBAM – Operational for the underlying cause. |

You may also want to see these guides on TPM: How to clear the TPM via the management console or Windows Defender Center App, How to delegate permissions for backing up TPM passwords, and How to clear, enable or disable TPM in Windows via the BIOS or UEFI.
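The table above lists the things to check for each error; the script below is an added example (not code from the original post or from Microsoft) that walks those same checks on a client in one pass: the agent service, the Group Policy subkey named in the table, the TPM and its driver, the system partition, the OS drive's BitLocker state, and the most recent MBAM operational events. The service name 'MBAMAgent', the log name 'Microsoft-Windows-MBAM/Operational', the IsSystem partition flag and the 'SECURITYDEVICES' driver class are assumptions not stated on the page; everything else comes from the table.

```powershell
# Added example, not code from the original post: a read-only MBAM client pre-check
# that walks the rows of the table above. Run it in an elevated PowerShell session
# on the client (Get-Tpm and Get-BitLockerVolume need administrator rights).
# Assumptions not stated on the page: the MBAM client service is named 'MBAMAgent',
# the MBAM operational log is 'Microsoft-Windows-MBAM/Operational', the system
# partition carries the IsSystem flag, and TPM drivers report DeviceClass
# 'SECURITYDEVICES'. Adjust these if your environment differs.

$findings = New-Object 'System.Collections.Generic.List[string]'

# "No Errors" / "Drives not yet encrypted": is the agent installed, and were the GPO settings applied?
$agent = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue   # assumed service name
if (-not $agent) {
    $findings.Add('MBAM client service not found: the agent is probably not installed (GPO alone does not encrypt).')
} elseif ($agent.Status -ne 'Running') {
    $findings.Add("MBAM client service is installed but its state is $($agent.Status).")
}

$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'   # subkey named in the table
if (-not (Test-Path -Path $gpoKey)) {
    $findings.Add('MBAM Group Policy settings have not been applied: the MDOPBitLockerManagement subkey is missing.')
}

# "Unable to find compatible TPM": is a TPM present, ready, and using the Microsoft driver?
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    $findings.Add('No TPM is visible to Windows: check Device Manager and the BIOS/UEFI TPM setting.')
} elseif (-not $tpm.TpmReady) {
    $findings.Add('A TPM is present but not ready: it may still need to be enabled in the BIOS/UEFI.')
}
$tpmDrivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'SECURITYDEVICES' -and $_.DeviceName -like '*Trusted Platform Module*' }
foreach ($driver in $tpmDrivers) {
    if ($driver.InfName -ne 'tpm.inf') {
        $findings.Add("TPM device '$($driver.DeviceName)' uses '$($driver.InfName)' rather than the Microsoft tpm.inf driver.")
    }
}

# "System Partition not available or large enough": is there a system partition, and how big is it?
$sysPart = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
if (-not $sysPart) {
    $findings.Add('No system partition found; BitLocker needs one before it can encrypt the OS drive.')
} else {
    $sizeMB = [math]::Round($sysPart.Size / 1MB)
    $findings.Add("System partition found on disk $($sysPart.DiskNumber), partition $($sysPart.PartitionNumber): $sizeMB MB.")
}

# Current BitLocker state of the OS drive, for comparison with what MBAM reports.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$findings.Add("OS drive $($osVolume.MountPoint): protection $($osVolume.ProtectionStatus), volume status $($osVolume.VolumeStatus), $($osVolume.EncryptionPercentage)% encrypted.")

# "An unknown error has occurred": the MBAM operational log usually names the cause.
$events = Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($event in $events) {
    $firstLine = ($event.Message -split "`r?`n")[0]
    $findings.Add("MBAM event $($event.Id) at $($event.TimeCreated): $firstLine")
}

$findings
```

The script only reads state; it does not create partitions, change BIOS settings or start encryption, so it is safe to run on a device that is currently reported as non-compliant to work out which row of the table applies before following the linked guides.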
I would like to elaborate on the “No Errors” case. If a Remote Desktop Protocol (RDP) connection is active, the MBAM client does not start BitLocker Drive Encryption actions. You will need to close all remote console connections and sign in to a console session with a domain user account. BitLocker Drive Encryption then begins, and the client uploads the recovery keys and packages.
Also, if you sign in with a local user account, BitLocker Drive Encryption does not start. You can use RDP to connect remotely to the console session of the device with the /admin switch, as shown below. A console session is either a session at the computer's physical console, or a remote connection that is treated as if you were at the computer's physical console.
mstsc.exe /admin /v:<IP address of device>
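To confirm that the session you are signed in to meets the conditions described here before waiting for encryption to start, the function below is an added example (not code from the original post): it reports whether the current session is a console session, whether the signed-in account is a domain account rather than a local one, and whether any other active RDP sessions exist on the device. It assumes, as Windows normally does, that SESSIONNAME reads 'Console' for the console session and that 'query session' lists RDP sessions with names beginning 'rdp-tcp#'; neither detail is stated on the page.

```powershell
# Added example, not code from the original post: report whether the session you are
# signed in to meets the conditions this section describes (a console session rather
# than a plain RDP session, a domain account rather than a local one, and no other
# active RDP sessions on the device). Assumptions not stated on the page: Windows sets
# SESSIONNAME to 'Console' for the console session, and 'query session' lists RDP
# sessions with names starting 'rdp-tcp#'.

function Test-MbamConsoleReadiness {
    $report = [ordered]@{}

    # Session type: the console session reports 'Console'; a plain RDP session reports 'RDP-Tcp#<n>'.
    $report.SessionName      = $env:SESSIONNAME
    $report.IsConsoleSession = ($env:SESSIONNAME -eq 'Console')

    # Account type: a local account's USERDOMAIN is the computer name itself.
    $report.SignedInAs       = "$env:USERDOMAIN\$env:USERNAME"
    $report.IsDomainAccount  = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    # Other active RDP sessions would also keep the MBAM client from starting encryption.
    $rdpSessions = query session 2>$null |
        Where-Object { $_ -match '^\s*>?rdp-tcp#\d+\s' -and $_ -match '\sActive\s' }
    $report.ActiveRdpSessions = @($rdpSessions).Count

    $report.ReadyForEncryption = $report.IsConsoleSession -and
                                 $report.IsDomainAccount -and
                                 ($report.ActiveRdpSessions -eq 0)
    [pscustomobject]$report
}

Test-MbamConsoleReadiness | Format-List
```

If SessionName still reads RDP-Tcp#<n> after connecting with the /admin switch, you are in an ordinary remote session rather than the console session this section refers to, and signing in at the physical console is the remaining option; if IsDomainAccount is false, sign out and sign in again with a domain account before expecting the client to upload recovery keys.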
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.