Windows

MBAM Report Errors: Understanding Microsoft BitLocker Administration and Monitoring compliance state and error status

MBAM-report-errors

Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changesKindly refer to these related guides on MBAm: How to create MBAM Enterprise and Compliance, and Recovery Audit reports, how to determine why an MBAM protected device is non-compliant, MBAM components: How to deploy Microsoft BitLocker Administration and Monitoring Tool, How to unlock a fixed drive protected by BitLocker, and how to correctly encrypt additional drives added to an MBAM protected device.

The following figure below shows the possible erros you will encounter when working with MBAM. I had to attach the following hyperlinks in order to describe the following topics and to bring you to speed with most of the aspects of MBAM: System check found some issues during MBAM encryption: Fail, the Power cable must be connected, MBAM reports cannot be accessed because it could not load folder contents, and Understanding Microsoft BitLocker Administration and Monitoring Roles.
complaint
MBAM Error Types
A System Drive is the one Windows is installed on, and a Fixed Drive is a drive that is neither a system drive nor a removable drive. That is some sort of disk installed, usually internally, for extra storage. Here is a guide on MBAM report fileds: Enterprise Compliance, Computer Compliance, and Recovery Audit Report: Understanding the Microsoft BitLocker Administration and Monitoring (MBAM) reports fields. 

Explanation of MBAM error types:

Below is a summary of the reasons for your non-compliant drives which in most cases is the System Drives. Please see how to fix System Partition not available or large enough on Microsoft BitLocker Administration and Monitoring [Part 1].

MBAM ErrorsPossible Actions
No ErrorsThis can mean a lot. Some of which you may have not interactively accessed your device upon the installation of the MBAM agent. It could mean the device isn’t connected to your network. Even while in-home office, it is recommended to connect via VPN at least once a month. 
Drives not yet encrypted This could mean that the MBAM agent and update have not been installed. If you are using DSM, you do not have to worry about the update as they are being bundled together. Make sure that MBAM Group Policy settings are applied on the client’s computer. The following registry subkey is created if the Group Policy settings were applied on the client computer: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
Drive encrypted but shows non-compliantOut of sync with your network. Please ensure your device is connected to the network. If you are working remotely, please initiate a VPN connection to the domain.
System Partition not available or large enoughBitLocker requires a SYSTEM partition to enable encryption. If this partition is missing, kindly use this command line to create the required Bitlocker partition.BdeHdCfg -target default -quiet. You may want to see these guides below.

How to fix System Partition not available or large enough on Microsoft BitLocker Administration and Monitoring [Part 1].
BitLocker System Partition: Detailed steps to troubleshoot and fix System Partition not available or large enough [Part 2]
Unable to find compatible TPMThis implies that the TPM is not visible. The TPM is likely does not have a compatible TPM or that the TPM is disabled in the BIOS, and Windows can’t see it at all.

– Open TPM Management (tpm.msc), and check whether the computer has a TPM device. If tpm.msc does not show a device, open Device Manager (devmgmt.msc), and check for a Trusted Platform Module under Security Devices. If you do not see a Trusted Platform Module device, this might be true for one of the following reasons: Your system doesn’t have a Trusted Platform Module (TPM/Security) device. The TPM device is disabled in the BIOS, then the solution is to Enable TPM in the BIOS. TPM Device is enabled in the BIOS, but the management of the TPM device from the operating system setting is disabled in the BIOS. You aren’t using a Microsoft driver for the TPM device. Review the devices that are listed in the device manager to identify the Microsoft TPM device driver. If the TPM device is not using the C:\Windows\System32\tpm.sys driver, you should update the driver by selecting the C:\Windows\Inf\tpm.inf file

– Related guides: How to fix unable to find compatible TPM, how to determine if TPM is present and how to enable TPM in the BIOS.

An unknown error has occurred

This error below could be because the cipher straight wasn’t defined etc. Kindly take a look at the device Event Viewer. From the Event Viewer – Applications and Services Logs – Microsoft – Windows – MBAM – Operational path. You may want to see some guides on TPM: How to clear the TPM via the management console or Windows Defender Center App, how to delegate permissions for backing up TPM passwords, and how to clear, enable or disable TPM in Windows via the BIOS or UEFI.

Screenshot-2022-03-03-at-10.19.22

No Errors

I would like to elaborate on this error “No Error”. If a remote desktop protocol (RDP) connection is active, the MBAM client doesn’t start BitLocker Drive Encryption actions. You will need to close all remote console connections and sign in to a console session with a domain user account. Then BitLocker Drive Encryption begins and the client uploads recovery keys and packages.

Also, if you sign in with a local user account, BitLocker Drive Encryption doesn’t start. You can use RDP to remotely connect to the console session of the device with the /admin switch as shown below. A console session is either when you’re at the computer’s physical console, or a remote connection that’s the same as if you’re at the computer’s physical console.

mstsc.exe /admin /v:<IP address of device>

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x