How do I remove user exemption from Microsoft BitLocker Administration and Monitoring (MBAM)?
In testing MBAM, I selected the option to allow my user account for exemption to encryption. Now none of the machines I log in to will encrypt. I'd like to take myself off of the user exemption list. What's the best way to do this? I don't see the option to remove a user from an exemption list in the web management interface. Thanks!
MCITP Windows 7 MCTS Windows Server 2008
November 3rd, 2011 10:41pm

On the Win7 client machine, if you have clicked user postpone, then delete: HKCU\Software\Microsoft\MBAM
Restart the MBAM agent service, and when you hit the next client wake-up frequency, we prompt you to start the encryption.
Manoj Sehgal
November 4th, 2011 9:29am

Thanks for your reply, Manoj! I removed the key and restarted the MBAM agent service and restarted my machine. But event viewer still shows that the user is exempt from encryption. I've also tried introducing HKCU\Software\MBAM and setting the NoStartupDelay option to 1. And after a reboot, the user still shows exempted. Now I'm hacking SQL tables to see if I can fix. Please offer some more advice before I break this system :-)
MCITP Windows 7 MCTS Windows Server 2008
November 4th, 2011 11:10am

This step that you did is incorrect: "I've also tried introducing HKCU\Software\MBAM and setting the NoStartupDelay option to 1. And after a reboot, the user still shows exempted."

Follow these steps:

1. On the Win7 client machine, if you have clicked user postpone, then delete: HKCU\Software\Microsoft\MBAM
2. HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement: change ClientWakeUpFrequency = 1 and StatusReportingFrequency = 1.
3. There is a random delay of up to 90 minutes when the MBAM service starts on a Windows 7 client. If you don't want the random delay, then create a DWORD value "NoStartupDelay" under HKLM\Software\Microsoft\MBAM and set its value to 1.

Restart the MBAM Client Service and then the client will talk to the server in 1 minute. Monitor the MBAM logs on the client.
Manoj Sehgal
November 4th, 2011 4:06pm

Hi, Was your issue solved by the suggestion of Manoj Sehgal? Please feel free to give me any update. Thanks.
Regards, Leo Huang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 6th, 2011 8:36pm

Hey Leo, Manoj's suggestions were very helpful in terms of coming to troubleshoot the system quickly. However, after carefully following the advice laid out, my user account still shows up as exempt in the MBAM web console. Now, I can enforce the user side of group policy such that I'm not exempt. But there's still no change in the MBAM console when running the Enterprise Compliance Report. In other words, the console shows one user exempt (me) even though group policy dictates that I'm not exempt. Not a big deal at the moment. Just would hate to have a group of users who applied for exemption to still show up in the exemption list after we've removed the user exemption policy when auditing BitLocker. Thanks!
MCITP Windows 7 MCTS Windows Server 2008
November 8th, 2011 4:54pm

Greg, the Enterprise compliance report updates once every 6 hrs. Check this to update it manually: 2620269 MBAM Enterprise Reporting Not Getting Updated http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620269

If you had configured User Exemption for MBAM, make sure the user account is removed from that GPO. Do gpupdate /force on the client. Verify using rsop.msc or gpresult that user exemption is not applied.

Do the same steps again:

2. HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement: change ClientWakeUpFrequency = 1 and StatusReportingFrequency = 1.
3. There is a random delay of up to 90 minutes when the MBAM service starts on a Windows 7 client. If you don't want the random delay, then create a DWORD value "NoStartupDelay" under HKLM\Software\Microsoft\MBAM and set its value to 1.

Restart the MBAM Client Service and then the client will talk to the server in 1 minute. Monitor the MBAM logs on the client. When you see an entry in the operational logs for MBAM, "The encryption data was successfully sent", then check the enterprise compliance report and update it manually using 2620269 MBAM Enterprise Reporting Not Getting Updated http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620269

I hope this helps.
Manoj Sehgal
November 9th, 2011 10:34am

Manoj, Thanks again for the continued support. Love the information on using SQL Server Management Studio to start the create cache routine to update the MBAM compliance report. After following the steps you mentioned above, I was able to fix the issue by disabling the group policy setting "Configure user exemption policy". After running a gpupdate and starting the Create Cache job in SQL Server Management Studio per KB2620269, the user exemption status showed up as Not Exempt. This tool is going to be a very effective way for us to audit our BitLocker systems, and I especially look forward to implementing this product in our organization and can't wait to see it mature over time. Great job! :-)
MCITP Windows 7 MCTS Windows Server 2008
November 10th, 2011 8:02am
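
The client-side steps from this thread, collected into one PowerShell script as an added example (not code posted by any participant). The service name MBAMAgent and the log name Microsoft-Windows-MBAM/Operational are assumptions that do not appear in the thread; the registry paths and value names are the ones quoted above.

```powershell
# Added example (not from the thread). Run elevated on a TEST client, as the
# affected user: under a different admin account, HKCU is that account's hive.
# Assumed names, not given in the thread: service 'MBAMAgent' and event log
# 'Microsoft-Windows-MBAM/Operational'. Confirm both before relying on them.
$userKey   = 'HKCU:\Software\Microsoft\MBAM'
$policyKey = 'HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$agentKey  = 'HKLM:\Software\Microsoft\MBAM'
$service   = 'MBAMAgent'
$logName   = 'Microsoft-Windows-MBAM/Operational'
$started   = Get-Date

# Refresh policy first: the GPO owns $policyKey and rewrites it on refresh,
# so the values set below last only until the next policy refresh.
gpupdate /force | Out-Null
# Save the applied user-scope policy; review it for the user exemption GPO.
gpresult /r /scope user | Out-File "$env:TEMP\mbam-gpresult.txt"

# Step 1: clear the per-user postpone state.
if (Test-Path $userKey) { Remove-Item -Path $userKey -Recurse -Force }

# Step 2: set the wake-up and status reporting frequencies to 1.
if (-not (Test-Path $policyKey)) { throw "MBAM policy key missing: $policyKey" }
foreach ($name in 'ClientWakeUpFrequency', 'StatusReportingFrequency') {
    New-ItemProperty -Path $policyKey -Name $name -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Step 3: skip the random startup delay (up to 90 minutes).
if (-not (Test-Path $agentKey)) { New-Item -Path $agentKey -Force | Out-Null }
New-ItemProperty -Path $agentKey -Name 'NoStartupDelay' -Value 1 `
    -PropertyType DWord -Force | Out-Null

Restart-Service -Name $service

# Wait for the status upload before refreshing the server-side report.
$deadline = $started.AddMinutes(5)
$sent = $null
while (-not $sent -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $sent = Get-WinEvent -LogName $logName -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt $started -and
                       $_.Message -like '*successfully sent*' } |
        Select-Object -First 1
}
if ($sent) { "Status sent at $($sent.TimeCreated); now refresh the compliance report." }
else       { Write-Warning "No 'successfully sent' event yet; check $logName." }
```

NoStartupDelay stays set after the script finishes; delete it once testing is done if the random startup delay should apply again.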

This topic is archived. No further replies will be accepted.