BitLocker SCCM CB - Non-Compliance

Matt Dillon 1,211 Reputation points
2021-02-08T20:20:17.863+00:00

New setup of CM. Setting up MBAM. Copied all settings that were in GPO. Everything works, but the client still reports back as non-compliant for the Fixed Drive settings. Is there a log or something that can direct us to find the reason or the setting that is not compliant?


16 answers

  1. Youssef Saad 3,401 Reputation points
    2021-02-10T08:22:52.773+00:00

    I think there is something that doesn't match between MBAM and MEMCM in BitLocker Management. I resolved this compliance issue when I encrypted the device using MEMCM, and now it shows as compliant.

    Regards,


    Youssef Saad | New blog: https://youssef-saad.blogspot.com

  2. Youssef Saad 3,401 Reputation points
    2021-02-08T20:44:48.753+00:00

    Hi @Matt Dillon ,

    Did you check the built-in Bitlocker Management reports? You can also run the configuration item from the client side and export the compliance report.

    Regards,


    Youssef Saad | New blog: https://youssef-saad.blogspot.com

  3. Matt Dillon 1,211 Reputation points
    2021-02-08T20:46:01.53+00:00

    The report from the client points to the fixed drive, but it does not get much more detailed than that.

  4. Matt Dillon 1,211 Reputation points
    2021-02-08T21:17:04.657+00:00

    Some details from the report:

    Non-Compliant Rules:

    Setting Name: BitLockerManagementSettings_BMSFDVEncryptionPolicy
    Setting Type: None
    Rule Name: BitLockerManagementSettings_0_BMSFDVEncryptionPolicy
    Severity: Warning

    Instance Data - Expression:
    Equals
    <policy name="BMSFDVEncryptionPolicy" class="Machine" supportedon="SUPPORTED_Windows7" state="Enabled">
      <Setting key="SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement" valuename="ShouldEncryptFixedDataDrive" type="DWORD" isdeleted="false" value="1" />
      <Setting key="SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement" valuename="AutoUnlockFixedDataDrive" type="DWORD" isdeleted="false" value="2" />
    </policy>

    Current Value: 0
    Rule Type: Value


  5. Matt Dillon 1,211 Reputation points
    2021-02-08T21:28:22.117+00:00

    Registry value FDVEnforcePassphrase under key SOFTWARE\Policies\Microsoft\FVE is not compliant. This is the only thing in the BitlockerManagementGroupPolicy log that shows any sign of non-compliance.
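The two posts above name the registry values the fixed-drive rule compares (the two MDOPBitLockerManagement settings from the CI expression) and the value the log flags (FDVEnforcePassphrase). The script below is an added example, not code from the thread or from Microsoft: it reads those values on the client and reports which ones differ from what the CI expects, so the non-compliant setting can be found without re-running the report. The HKLM: paths and the "expected value unknown, report only" convention for FDVEnforcePassphrase are assumptions; the thread does not state the policy's required value for it.

```powershell
# Added example: compare the registry values behind the MBAM fixed-drive CI
# with the values the CI expression expects. Run in an elevated session.
$mdop = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

$settings = @(
    # Expected values taken from the CI expression quoted in the thread
    @{ Key = $mdop; Name = 'ShouldEncryptFixedDataDrive'; Expected = 1 },
    @{ Key = $mdop; Name = 'AutoUnlockFixedDataDrive';    Expected = 2 },
    # Flagged in BitlockerManagementGroupPolicy.log; the required value is not
    # given in the thread, so Expected = $null means "show current value only"
    @{ Key = $fve;  Name = 'FDVEnforcePassphrase';        Expected = $null }
)

function Get-PolicyValueState {
    param([hashtable]$Setting)
    $current = $null
    if (Test-Path -Path $Setting.Key) {
        $item = Get-ItemProperty -Path $Setting.Key -Name $Setting.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($Setting.Name) }
    }
    # Compliant only when a value exists and matches; unknown expectation is reported as $null
    $compliant = $null
    if ($null -ne $Setting.Expected) {
        $compliant = ($null -ne $current) -and ([int]$current -eq [int]$Setting.Expected)
    }
    [pscustomobject]@{
        Key       = $Setting.Key
        Name      = $Setting.Name
        Expected  = $Setting.Expected
        Current   = $current
        Compliant = $compliant
    }
}

$results = $settings | ForEach-Object { Get-PolicyValueState -Setting $_ }
$results | Format-Table -AutoSize

# Call out mismatches and missing values, which is what the CI reports as "Current Value: 0"
$results | Where-Object { $_.Compliant -eq $false } | ForEach-Object {
    $shown = if ($null -eq $_.Current) { '<missing>' } else { $_.Current }
    Write-Warning ("Non-compliant: {0}\{1} expected {2}, current {3}" -f $_.Key, $_.Name, $_.Expected, $shown)
}
```

A missing value is reported the same way as a wrong one, because a CI rule that reads a value absent from the key evaluates it as not matching the expected DWORD.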