MBAM Compliance
Hi guys, we have implemented MBAM in our environment. We had different encryption methods on some machines. Some have the cypher strength "128-Bit" and some have "128-Bit with diffuser". What we see in the console is that machines that have "128-Bit with Diffuser" are marked as non-compliant. How does MBAM determine if a client is "compliant"? Is this via group policy settings we have applied? We do have policies set with different cypher strengths; the end result is clients have different results when reporting back to the database. What we would like to do is say if any machines have either "128-Bit" or "128-Bit with diffuser" then these devices are compliant. How can I do that? Thanks
August 15th, 2012 11:49pm

How did you encrypt the machines? 2 different OU's with different GPO for users in the different OU's? The level being checked should be checked against the Group Policy I believe. If you have all machines in the same OU or the same policies applied to the computer OU's across the board then I'd bet the policy states 128-bit. So it will see the 128-bit with Diffuser as non-compliant. You could try putting the Diffuser computers into a separate OU and apply the Diffuser policy to them.

PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
August 15th, 2012 11:56pm

Thanks for your response. Actually there are two group policy objects which conflict applied to all laptops. 1 enforces 128 Bit, the other 128 with diffuser, so that is where our issues have originated from. Now we don't know what the impact of changing these is, i.e. changing the "128 Bit with diffuser" policy to "128 Bit". Both of these encryption methods are fine with us so should show as compliant in the compliance reports. By the sounds of it, if a group of machines are in an OU where BitLocker policies are applied they can only have 1 type of "compliant" encryption method? Thanks
August 19th, 2012 11:05pm

From my own experience I believe that to be true, since the policy in question is to do with the form of encryption used. I would say your only option is to standardize on one and then decrypt and encrypt the machines again using the correct bit. Or have two different OU's, one which will see 128-bit as the required encryption and flags as compliant and another that's set to Diffuser and will see those machines as compliant. To be honest MBAM does not feel like a finished product to me. I've seen policies which actually conflict with the BitLocker encryption tool and stop it from working. Microsoft need to revisit the tool, simple changes would make a big difference.

PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
August 20th, 2012 12:09am
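
To see on a single client which side of the conflict described in this thread actually won, the following added example (not posted by any participant, and not MBAM's own compliance logic) compares the cipher in use on each BitLocker volume with the method the applied policy requires. It assumes the "Choose drive encryption method and cipher strength" policy is stored as the `EncryptionMethod` value under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`, as on Windows 7 era clients, and that it is run from an elevated prompt.

```powershell
# Added example: compare the BitLocker cipher in use with the cipher required by policy.
# Assumption: the policy value lives at HKLM:\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod.

# Codes shared by Win32_EncryptableVolume.GetEncryptionMethod and the policy value
$methodNames = @{
    0 = 'None (not encrypted)'
    1 = 'AES 128-bit with Diffuser'
    2 = 'AES 256-bit with Diffuser'
    3 = 'AES 128-bit'
    4 = 'AES 256-bit'
}

function Get-MethodName([int]$Code) {
    if ($methodNames.ContainsKey($Code)) { $methodNames[$Code] } else { "Unknown ($Code)" }
}

# Method required by the Group Policy that won on this machine (null if not configured)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = (Get-ItemProperty -Path $policyKey -Name EncryptionMethod `
           -ErrorAction SilentlyContinue).EncryptionMethod

if ($null -eq $policy) {
    $policyName = 'Not configured'
} else {
    $policyName = Get-MethodName $policy
}

# Method actually used on each encryptable volume
$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    $actual = $vol.GetEncryptionMethod().EncryptionMethod

    New-Object PSObject -Property @{
        Drive         = $vol.DriveLetter
        ActualMethod  = Get-MethodName $actual
        PolicyMethod  = $policyName
        # A volume encrypted under the losing GPO shows up here as a mismatch
        MatchesPolicy = ($null -ne $policy) -and ($actual -eq $policy)
    } | Select-Object Drive, ActualMethod, PolicyMethod, MatchesPolicy
}
```

Volumes keep the cipher they were encrypted with, so a later policy change shows up here as a mismatch until the drive is decrypted and encrypted again.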

This topic is archived. No further replies will be accepted.