Computers reporting non-compliant, no error to MBAM.
I have a small percentage of the Win7 fleet that shows up as Non-Compliant but with a status of No Error. Our policy requires that a PIN is set. We encrypt drives with TPM only at image time and rely on group policy to let the user know they need to enter a PIN after logon policy processing completes. Of the machines I've been able to check with this problem, there seems to be a theme:
Compliance Status: Non-Compliant
Exemption: Not Exempt
Policy: Operating System Drive: Encryption Required: TPM, PIN
Compliance Status Details: No Error
Opening up the machine details shows:
Protector Type: TPM
Protector State: Off
Encryption State: "Encrypting"
However, this machine will have finished encrypting long ago. It seems to never check back in naturally with MBAM or resolve its state. Standard behavior is to get a popup fairly soon after login (while it's still encrypting with TPM only protectors) and then change to TPM + PIN. It almost immediately at that point sends the recovery information up to the MBAM database.
August 21st, 2012 3:20pm

What do the Event Viewer logs on those machines say? The MBAM logs.
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
August 22nd, 2012 10:36pm

Compliance status in MBAM is governed by GPOs. Open MBAM console and click on computer compliance reports. Type your computer name and then expand the name of your computer in reports. We will show the GPOs and also information about volumes in reports. Also check last contact date/time column. Now you should match the GPOs with what your computer has and see what is not matching. This will tell you the reason why it is Non-compliant?
Manoj Sehgal
August 24th, 2012 1:10pm

MBAM logs: a mix of messages. Admin logs will report being unable to contact the endpoint now and then; operational logs will report that it has successfully connected to the service and that the encryption status has sent successfully. Looking at one right now:
[computername] [domain] Portable Microsoft Windows 7 Enterprise Non-Compliant 128-Bit with Diffuser Encryption Required: TPM, PIN Encryption Not Required Encryption Not Required ; Not Exempt LENOVO 2537FP9 No Error 8/24/2012 12:09:26 AM
Drive Letter, Drive Type, Cipher Strength, Protector Type, Protector State, Encryption State, Compliance Status, Compliance Status Details
C: Operating System Drive Encryption Not Enabled Off Not Encrypted Non-Compliant No Error
This one is obviously not one of the "Encrypting" status ones, but it still falls into the "non-compliant" "no error" zone. If the TPM is off it usually reports an error - unable to find a compatible TPM. I'll look for some of the other variety to paste in here as well.
August 24th, 2012 1:40pm

This one is Non-compliant. OS drives require TPM + PIN and you do not have any encryption on C drive. So it is non-compliant.
Manoj Sehgal
August 24th, 2012 3:06pm

Right, question is why? Also, this is funky error messaging. If it's non-compliant and not exempt, there's an error state somewhere or a status that should be surfaced; simply saying it's not encrypted is fairly useless (and difficult to isolate in reporting).
August 24th, 2012 3:11pm

There are 2 frequencies in MBAM. One is client reporting, which will check if the volume is encrypted or not, and the other is status reporting frequency. So in your case, status reporting frequency is working properly and is reporting the status of client to MBAM server. You need to check the Admin logs for MBAM and see why it cannot start encryption on client. Also check Application logs on MBAM server?
Manoj Sehgal
August 24th, 2012 3:28pm

Admin log on the above non-compliant will every now and then complain about the endpoint being unreachable, but that's once maybe every month. Server app logs don't have anything with the host name in question.
August 24th, 2012 6:05pm

This topic is archived. No further replies will be accepted.
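
The comparison suggested in the thread (policy-required protectors against what the volume reports, plus the last contact time), written out as an added example that is not part of any post or of MBAM itself. The rows are constructed and keyed by the column labels pasted in the thread; the dict layout, the finding names and the 7-day staleness threshold are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%m/%d/%Y %I:%M:%S %p"        # timestamp style seen in the pasted report
NOW = datetime(2012, 8, 24, 18, 0)  # fixed "now" so the example is repeatable

def _row(name, ptype, pstate, estate, status, contact):
    # Constructed report row; keys reuse the column labels from the thread.
    return {"Computer": name, "Policy": "Encryption Required: TPM, PIN",
            "Protector Type": ptype, "Protector State": pstate,
            "Encryption State": estate, "Compliance Status": status,
            "Compliance Status Details": "No Error", "Last Contact": contact}

ROWS = [  # constructed sample data, not real machines
    _row("PC-A", "TPM", "Off", "Encrypting", "Non-Compliant", "8/1/2012 9:00:00 AM"),
    _row("PC-B", "", "Off", "Not Encrypted", "Non-Compliant", "8/24/2012 12:09:26 AM"),
    _row("PC-C", "TPM, PIN", "On", "Encrypted", "Compliant", "8/24/2012 8:00:00 AM"),
]

def required_protectors(policy):
    """'Encryption Required: TPM, PIN' -> {'TPM', 'PIN'}; anything else -> empty set."""
    head, _, tail = policy.partition(":")
    if head.strip() != "Encryption Required":
        return set()
    return {p.strip().upper() for p in tail.split(",") if p.strip()}

def triage(row, now=NOW, stale_days=7):
    """Findings for a row reported as Non-Compliant with details 'No Error'."""
    key = (row["Compliance Status"], row["Compliance Status Details"])
    if key != ("Non-Compliant", "No Error"):
        return []  # compliant, or non-compliant with an explicit error
    findings = []
    present = {p.strip().upper() for p in row["Protector Type"].split(",")}
    missing = required_protectors(row["Policy"]) - present
    if row["Encryption State"] == "Not Encrypted":
        findings.append("not-encrypted")   # encryption never started on the client
    elif missing:
        findings.append("missing:" + ",".join(sorted(missing)))
    # A client that has not reported recently leaves the server view frozen.
    if now - datetime.strptime(row["Last Contact"], FMT) > timedelta(days=stale_days):
        findings.append("stale-report")
    return findings

if __name__ == "__main__":
    for r in ROWS:
        print(r["Computer"], triage(r) or "nothing to triage")
```
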
