Computers reporting non-compliant, no error to MBAM.
I have a small percentage of the win7 fleet that shows up as Non-Compliant but with a status of No Error.
Our policy requires that a PIN is set. We encrypt drives with TPM only at image time and rely on group policy to let the user know they need to enter a PIN after logon policy processing completes.
Of the machines I've been able to check with this problem, there seems to be a theme:
Compliance Status: Non-Compliant
Exemption: Not Exempt
Policy: Operating System Drive: Encryption Required: TPM, PIN
Compliance Status Details: No Error
Opening up the machine details shows:
Protector Type: TPM
Protector State: Off
Encryption State: "Encrypting"
However, this machine will have finished encrypting long ago. It seems to never check back in naturally with MBAM or resolve its state.
Standard behavior is to get a popup fairly soon after login (while it's still encrypting with TPM only protectors) and then change to TPM + PIN. It almost immediately at that point sends the recovery information up to the MBAM database.
August 21st, 2012 3:20pm
What do the Event Viewer logs on those machines say? The MBAM logs.
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
August 22nd, 2012 10:36pm
Compliance status in MBAM is governed by GPOs.
Open the MBAM console and click on computer compliance reports.
Type your computer name and then expand the name of your computer in reports.
It will show the GPOs and also information about volumes in reports.
Also check the last contact date/time column.
Now you should match the GPOs with what your computer has and see what is not matching.
This will tell you the reason why it is Non-compliant.
Manoj Sehgal
August 24th, 2012 1:10pm
mbam logs- a mix of messages
admin logs will report being unable to contact the endpoint now and then
operational logs will report that it has successfully connected to the service and that the encryption status has sent successfully.
looking at one right now
[computername]
[domain]
Portable
Microsoft Windows 7 Enterprise
Non-Compliant
128-Bit with Diffuser
Encryption Required: TPM, PIN
Encryption Not Required
Encryption Not Required
;
Not Exempt
LENOVO
2537FP9
No Error
8/24/2012 12:09:26 AM
Drive Letter
Drive Type
Cipher Strength
Protector Type
Protector State
Encryption State
Compliance Status
Compliance Status Details
C:
Operating System Drive
Encryption Not Enabled
Off
Not Encrypted
Non-Compliant
No Error
this one is obviously not one of the "Encrypting" status ones, but it still falls into the "non-compliant" "no error" zone.
if the TPM is off it usually reports an error - unable to find a compatible TPM.
I'll look for some of the other variety to paste in here as well.
August 24th, 2012 1:40pm
This one is Non-compliant.
OS drives require TPM + PIN and you do not have any encryption on C drive. So it is non-compliant.
Manoj Sehgal
August 24th, 2012 3:06pm
right, question is why? also this is funky error messaging. if it's non compliant and not exempt there's an error state somewhere or a status that should be surfaced- simply saying it's not encrypted is fairly useless (and difficult to isolate in reporting).
August 24th, 2012 3:11pm
There are 2 frequencies in MBAM.
One is client reporting, which will check if the volume is encrypted or not, and the other is status reporting frequency.
So in your case, status reporting frequency is working properly and is reporting the status of the client to the MBAM server.
You need to check the Admin logs for MBAM and see why it cannot start encryption on the client.
Also check the Application logs on the MBAM server.
Manoj Sehgal
August 24th, 2012 3:28pm
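An added example, not code posted by anyone in this thread: a client-side check that reads the OS volume's real BitLocker state from WMI, so it can be compared with what the MBAM report shows, and then lists recent MBAM Admin log entries. It assumes an elevated prompt, the "TPM, PIN" policy from the report above, and that the MBAM client's event channel is `Microsoft-Windows-MBAM/Admin`.

```powershell
# Added example. Run elevated on the affected client; PowerShell 2.0 compatible.
$RequiredProtector = 4   # 4 = TPM and PIN, matching the "TPM, PIN" policy in the report

$ProtectorNames  = @{ 0='Unknown'; 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TPM+PIN';
                      5='TPM+StartupKey'; 6='TPM+PIN+StartupKey'; 7='PublicKey'; 8='Passphrase' }
$ConversionNames = @{ 0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                      3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused' }
$ProtectionNames = @{ 0='Off'; 1='On'; 2='Unknown' }

$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                     -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
if (-not $vol) { throw "No BitLocker volume object found for $env:SystemDrive" }

$conv = $vol.GetConversionStatus()
$prot = $vol.GetProtectionStatus()

# GetKeyProtectors(0) lists every protector ID; resolve each ID to its type code.
# WMI returns UInt32 values, so cast to [int] before using them as hashtable keys.
$types = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ } |
           ForEach-Object { [int]$vol.GetKeyProtectorType($_).KeyProtectorType })
$typeNames = $types | ForEach-Object {
    if ($ProtectorNames.ContainsKey($_)) { $ProtectorNames[$_] } else { "Type $_" }
}

# Compliant with TPM+PIN only if encryption finished, protection is on, and a PIN protector exists.
$compliant = ([int]$conv.ConversionStatus -eq 1) -and
             ([int]$prot.ProtectionStatus -eq 1) -and
             ($types -contains $RequiredProtector)

New-Object PSObject -Property @{
    Drive             = $vol.DriveLetter
    ConversionStatus  = $ConversionNames[[int]$conv.ConversionStatus]
    PercentEncrypted  = $conv.EncryptionPercentage
    ProtectionStatus  = $ProtectionNames[[int]$prot.ProtectionStatus]
    KeyProtectors     = $typeNames -join ', '
    MeetsTpmPinPolicy = $compliant
} | Format-List

# The case from the original post: encryption is done locally but no PIN protector was added.
if ([int]$conv.ConversionStatus -eq 1 -and -not ($types -contains $RequiredProtector)) {
    Write-Warning 'Volume is fully encrypted but has no TPM+PIN protector on this client.'
}

# Recent MBAM client Admin events (channel name is an assumption, see lead-in).
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Admin' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

If the local output says `FullyEncrypted` while the MBAM report still shows "Encrypting", the stale value is on the reporting side rather than in BitLocker itself.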
admin log on the above non-compliant will every now and then complain about the endpoint being unreachable. but that's once maybe every month.
server app logs don't have anything with the host name in question.
August 24th, 2012 6:05pm