Query MBAM-protected Client for non-compliance [Part 2]

IT support teams face numerous BitLocker compliance alerts daily from remote and home/hybrid deployments. Without remote WMI queries or similar tooling, each ticket demands time-consuming VPN/RDP sessions, physical dispatches, or endless “reboot due to upgrades and updates” loops. In this article, we shall discuss how to query an MBAM-protected client for non-compliance [Part 2]. Please, see how to determine why an MBAM-protected device is non-compliant, and SQL Server 2025 Upgrade Requirements and Compatibility.
Windows updates frequently cause TPM/BitLocker protector mismatches, according to Microsoft. MBAM dashboards show ‘Unknown’ for 30-50% of remote laptops because their agents are offline. WMI queries reveal the true compliance state instantly.
Unfortunately, MBAM (Microsoft BitLocker Administration and Monitoring) is in extended support only until April 14, 2026, after which Microsoft will no longer provide updates or support.
As a result, organizations are encouraged to start planning for a replacement to ensure continued management of BitLocker encryption. Potential alternatives include Microsoft Endpoint Configuration Manager, which can integrate with MBAM features and provide a more streamlined management solution. Please, see “MBAM extended support ends April 2026: Find alternative solution”, where I have done a fantastic job on your behalf.
Please, see “Manage TPM Protector: How to encrypt additional drives on an MBAM-protected device”, and “how to enable or disable a Remote WMI Connection in Windows”.
Why a Remote MBAM-protected PC is non-compliant
Oftentimes, you get a support query because a device reports errors that it is not protected. This means BitLocker protection is suspended and encryption is temporarily paused. This allows access to the drive without requiring authentication, thereby impacting data security.
In theory, the message “BitLocker protection of C: is stopped” appears because protection is suspended to avoid recovery key prompts during an update. This is the expected behaviour, and the normal state it should return to is “BitLocker is protecting the drive”. See the image below and the associated icon for more information.

When this is the case, you head over to the MBAM Enterprise Reporting Services to view more details. As you can see, most times this is not comprehensive enough. If you wish to set up MBAM in your own environment, please see Unable to install Microsoft Bitlocker Administration: Uninstall your current version of MBAM and run setup again, and how to deploy MBAM for BitLocker Administration.
Also, see Understanding Microsoft BitLocker Administration and Monitoring Roles, and how to deploy MBAM Client as part of a Windows Deployment.

Because of this, you might want to query the device remotely to get more information.
manage-bde -status -ComputerName testPC1

Note: While the drive remains encrypted, the decryption keys are accessible. This means that the system can boot without requiring a PIN or recovery key. This exposes your data to potential unauthorized access until BitLocker is resumed again. This is why you will have to ensure fast resolution of this concern.
Please, see Query and display Windows information via WMI Explorer, and “Remote WMI Connection: How to enable or disable WMI Traffic Using Firewall UI”.
Inspecting WMI Using PowerShell for Analysis
To be honest, this issue does not require further troubleshooting, as the status clearly states that a reboot is required. Considering the background of this issue, which emanated from an upgrade to Windows 11 25H2, there are certainly pending updates and a reboot is needed.
You can use your preferred method to view WMI, such as the command line or PowerShell, to connect remotely to the device.
Get-WmiObject -Class mbam_volume -Namespace root\microsoft\mbam -ComputerName "192.168.1.100"
With credentials, run the following command and do not forget to replace the IP address with your IP address or hostname.
Get-WmiObject -Class mbam_volume -Namespace root\microsoft\mbam -ComputerName "192.168.1.100" -Credential (Get-Credential)
For a physical device you are directly connected to, run the command below.
gwmi -class mbam_volume -Namespace root\microsoft\mbam

You can filter for non-compliant volumes only, as shown below.
Get-WmiObject -Class mbam_volume -Namespace root\microsoft\mbam -ComputerName "192.168.1.100" | Where-Object {$_.Compliant -ne 1} | Select VolumeName, ReasonsForNoncompliance
Please, see “How to fix importing the project failed: Project namespace path can contain only letters, digits, etc”, and “Windows Management Instrumentation Commands”.
Remote WMI Query Syntax
Use these PowerShell commands to query MBAM compliance remotely without WinRM. Here you can use the PC name or IP Address as you wish.
Get-WmiObject -Class mbam_volume -Namespace root\microsoft\mbam -ComputerName "192.168.1.100" | Select VolumeName, Compliant, ReasonsForNoncompliance
For specific drives, please use the command below. Add -Credential for domain authentication; WMI uses DCOM (TCP port 135 plus dynamic RPC ports).
Get-WmiObject -Class mbam_volume -Namespace root\microsoft\mbam -ComputerName "192.168.1.100" -Credential (Get-Credential) | Where-Object {$_.VolumeName -like "C:*"} | Select ReasonsForNoncompliance
Please, see Force BitLocker Recovery: Perform BitLocker Recovery via the Self-Service Portal and Helpdesk, and Get MBAM BitLocker Recovery Keys from Microsoft SQL Server.
Table showing reasons for Non-Compliance
You should be able to determine various reasons from your experience with MBAM. This guide shows how to create MBAM Enterprise and Compliance, and Recovery Audit reports.
| Non-Compliance Code | Reason for Non-Compliance |
|---|---|
| 0 | Cipher strength, not AES 256. |
| 1 | MBAM Policy requires this volume to be encrypted but it is not. |
| 2 | MBAM Policy requires this volume to NOT be encrypted, but it is. |
| 3 | MBAM Policy requires this volume to use a TPM protector, but it does not. |
| 4 | MBAM Policy requires this volume to use a TPM+PIN protector, but it does not. |
| 5 | MBAM Policy does not allow non-TPM machines to report as compliant. |
| 6 | Volume has a TPM protector but the TPM is not visible (booted with recover key after disabling TPM in BIOS?). |
| 7 | MBAM Policy requires this volume to use a password protector, but it does not have one. |
| 8 | MBAM Policy requires this volume NOT to use a password protector, but it has one. |
| 9 | MBAM Policy requires this volume to use an auto-unlock protector, but it does not have one. |
| 10 | MBAM Policy requires this volume NOT to use an auto-unlock protector, but it has one. |
| 11 | Policy conflict detected preventing MBAM from reporting this volume as compliant. |
| 12 | A system volume is needed to encrypt the OS volume but it is not present. |
| 13 | Protection is suspended for the volume. |
| 14 | AutoUnlock is unsafe unless the OS volume is encrypted. |
| 15 | The policy requires a minimum cipher strength of XTS-AES-128 bit, but the actual cipher strength is weaker than that. |
| 16 | The policy requires a minimum cipher strength of XTS-AES-256 bit, but the actual cipher strength is weaker than that. |
Via CMD to determine why an MBAM-protected device is non-compliant
wmic /namespace:\\root\microsoft\mbam path MBAM_Volume where "VolumeName like 'C:%'" get ReasonsForNoncompliance
WMI to determine why an MBAM-protected device is non-compliant
Namespace: root\Microsoft\MBAM
Select ReasonsForNoncompliance from MBAM_Volume where VolumeName like 'C:%'
Determine if a PC needs a Reboot
The error attached above shows the value 13, “Protection is suspended for the volume”. Suspension allows you to access your data without restrictions. It is crucial to resume protection promptly to maintain security.
So, let us determine if the device truly needs to be rebooted.
Please, see Fast Boot Options: Fix specific Drive issue with BitLocker [MBAM], BitLocker Protection off: Update UEFI/BIOS to fix issues, and BitLocker behavior when MBAM agent is removed: No Uninstall Option in Control Panel.
Directly Connected Device (Console/Physical PC)
Run the command below on a PC you are directly connected to, either at the console or via RDP. As you can see, there are no pending updates for this PC.
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"

Please, see how to fix VMware and HyperV are not compatible, and “how to configure Windows Deployment Services on Windows Server“. Here is how to Query MBAM to display the BitLocker Recovery report.
Remotely Determine if Reboot is required
You can use this PowerShell command to check the key registry location indicating a pending reboot on a remote PC.
$keys = @(
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
)
# $using: is required so the locally defined $keys array is available inside the remote script block
Invoke-Command -ComputerName "192.168.xxx.xxx" -ScriptBlock {
$using:keys | ForEach-Object {
if (Test-Path $_) { "Reboot pending: $_" }
}
}
To use this above command, ensure that PSRemoting is enabled on the remote (target) PC.
Enable-PSRemoting -Force
You could also run the remote registry check using current logged-in user’s credentials automatically. Here, no credential prompt is required. This command runs on the remote machine using your current credentials, assuming WinRM is enabled and the connection is trusted.
Invoke-Command -ComputerName "192.168.1.100" { Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending" }

Alternatively, you may want to use domain admin credentials and get prompted, as shown below, via the Get-Credential popup. Then enter your administrative credentials for authentication against the remote PC. This is useful when your current account doesn’t have rights on the target system.

Both commands rely on WinRM being configured and reachable. Otherwise the connection attempt will fail as shown in the image above.
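When WinRM is not configured on the target, the same two registry keys can still be read over DCOM, the transport the Get-WmiObject queries earlier in this article already use, by calling the StdRegProv WMI class. The following is an added example, not part of the original article, that does exactly that through a DCOM CIM session. It assumes the account running it is a local administrator on the target and that TCP 135 plus the dynamic RPC ports are open; the IP address in the usage line is a placeholder.

```powershell
# Added example: pending-reboot check over DCOM via StdRegProv, no WinRM needed.
# Assumptions: caller is local admin on the target; TCP 135 + dynamic RPC ports reachable.
function Test-PendingRebootDcom {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE as used by StdRegProv
    $subKeys = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $sessionParams = @{
        ComputerName  = $ComputerName
        SessionOption = (New-CimSessionOption -Protocol Dcom)
    }
    if ($Credential) { $sessionParams['Credential'] = $Credential }
    $session = New-CimSession @sessionParams
    try {
        $found = foreach ($key in $subKeys) {
            # EnumKey returns 0 when the key exists and 2 (file not found) when it does not.
            $r = Invoke-CimMethod -CimSession $session -Namespace 'root\default' `
                    -ClassName StdRegProv -MethodName EnumKey `
                    -Arguments @{ hDefKey = $HKLM; sSubKeyName = $key }
            if ($r.ReturnValue -eq 0) { "HKLM:\$key" }
        }
        [pscustomobject]@{
            ComputerName  = $ComputerName
            RebootPending = [bool]$found
            Keys          = @($found)
        }
    } finally {
        Remove-CimSession $session
    }
}

# Usage (IP address is a placeholder):
# Test-PendingRebootDcom -ComputerName '192.168.1.100' -Credential (Get-Credential)
```

Because this runs over the same DCOM path as the MBAM WMI query, a host that answers the compliance query but fails this check points at permissions rather than at a missing WinRM listener.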
Please, see Email notifications for MBAM Enterprise and Compliance and Recovery Audit reports, how to Visualize MBAM Recovery Audit Report with Python, and Fix FileNotFoundError: [Errno 2] No such file or directory.
Check for Updates and Reboot
Suspension allows you to access your data without restrictions. But it is crucial to resume protection promptly to maintain security. To fix this, please check for updates as shown below.

When there are more updates, install them and ensure you restart when prompted. You can also restart by clicking on the Start Menu, navigating to the Power option and selecting “Restart”. You could also do this via the Command Prompt or PowerShell.

If you wish to manually resume BitLocker, kindly use the command below
manage-bde -resume C:
For me, BitLocker is being managed by MBAM. BitLocker will begin protecting the device automatically once all prerequisites are met, provided the machine complies with MBAM policies and the MBAM agent is functioning properly.
Please, see Hub Transport Server: Resolving ‘Failed to Reach Running Status’, how to Enable Virtualization in Windows: Fixing VirtualBox’s 32-bit Option, and Domain Name System Protocol: Client Registration Issue.
What if the issue persists
When the issue persists, you can use the command “manage-bde -protectors -enable C:” to re-enable BitLocker protection on the C: drive after it was temporarily suspended. This forces Windows to reset the “pending reboot” state.
manage-bde -protectors -enable C:

You can run the following command to have your PC restarted!
shutdown /r /t 0
To check the status, please run the command below
manage-bde -status C:
To list the key protectors, use
manage-bde -protectors -get C:
Since you are administering a remote PC, you can use the command below to see whether the BitLocker WMI classes “Win32_EncryptableVolume” and “MSFT_EncryptableVolume” exist on the remote PC. It uses the $session CIM session that is created in the next step.
Get-CimClass -CimSession $session -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" | Select-Object CimClassName

With this, you can use the WMI or CIM commands to administer your PC remotely. We will discuss the below steps in a subsequent article.
$session = New-CimSession -ComputerName "REMOTEPC" -SessionOption (New-CimSessionOption -Protocol Dcom)
$vol = Get-CimInstance -CimSession $session -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" -ClassName Win32_EncryptableVolume | Where-Object { $_.DriveLetter -eq "C:" }
$vol

Next, run the command below. This sequence forces BitLocker to reset its “pending reboot” state.
Invoke-CimMethod -InputObject $vol -MethodName "EnableKeyProtectors"
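Calling EnableKeyProtectors unconditionally is harmless on a volume that is already protected, but it hides what state the volume was actually in. The following is an added example (not code from the original article) that wraps the DCOM CIM session shown above in a function: it reads the protection and conversion status first, calls EnableKeyProtectors only when protection is off on an encrypted volume, checks the method's return value, and re-reads the status afterwards so the resume is verified rather than assumed. "REMOTEPC" is a placeholder, and the caller is assumed to be a local administrator on the target.

```powershell
# Added example: resume BitLocker only if suspended, and verify, over a DCOM CIM session.
# Assumptions: "REMOTEPC" is a placeholder; caller is a local admin on the target.
function Resume-BitLockerIfSuspended {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$DriveLetter = 'C:'
    )
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $session = New-CimSession -ComputerName $ComputerName -SessionOption (New-CimSessionOption -Protocol Dcom)
    try {
        $vol = Get-CimInstance -CimSession $session -Namespace $ns -ClassName Win32_EncryptableVolume |
               Where-Object { $_.DriveLetter -eq $DriveLetter }
        if (-not $vol) { throw "Volume $DriveLetter not found on $ComputerName" }

        # ProtectionStatus: 0 = off (decrypted or protectors suspended), 1 = on, 2 = unknown
        $before = (Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus).ProtectionStatus
        # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, other values = in progress
        $conv = (Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus).ConversionStatus

        $resumed = $false
        # Resuming only makes sense when protectors are suspended on an encrypted volume.
        if ($before -eq 0 -and $conv -ne 0 -and
            $PSCmdlet.ShouldProcess("$ComputerName $DriveLetter", 'EnableKeyProtectors')) {
            $r = Invoke-CimMethod -InputObject $vol -MethodName EnableKeyProtectors
            if ($r.ReturnValue -ne 0) {
                throw ('EnableKeyProtectors failed with 0x{0:X8}' -f $r.ReturnValue)
            }
            $resumed = $true
        }
        $after = (Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus).ProtectionStatus
        [pscustomobject]@{
            ComputerName     = $ComputerName
            DriveLetter      = $DriveLetter
            ConversionStatus = $conv
            ProtectionBefore = $before
            Resumed          = $resumed
            ProtectionAfter  = $after
        }
    } finally {
        Remove-CimSession $session
    }
}

# Usage:
# Resume-BitLockerIfSuspended -ComputerName 'REMOTEPC' -WhatIf   # dry run, no change made
# Resume-BitLockerIfSuspended -ComputerName 'REMOTEPC'
```

If ProtectionAfter is still 0 on a fully encrypted volume, the suspension has a pending-reboot count attached to it and the reboot steps above are still required; the object returned here is what you would attach to the ticket as evidence either way.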
I hope you found this article on “Query MBAM-protected Client for non-compliance [Part 2]” very useful. Please, feel free to leave a comment below.