question

0 Votes
MattD-7613 asked saldana-msft edited

BitLocker SCCM CB - Non-Compliance

New setup of CM. Setting up MBAM. Copied all settings that were in GPO. Everything works, but the client still reports back as non-compliant for the Fixed Drive settings. Is there a log or something that can direct us to find the reason or the setting that is not compliant?

Tags: mem-cm-general, windows-10-security

1 Vote
YoussefSaad answered

Hi @MattD-7613,

Did you check the built-in Bitlocker Management reports? You can also run the configuration item from the client side and export the compliance report.

Regards,


Youssef Saad | New blog: https://youssef-saad.blogspot.com
Please remember to “Accept answer” or upvote for useful answers, thank you!


0 Votes
MattD-7613 answered

The report from the client points to the Fixed drive, but does not get much more detailed than that.


0 Votes
MattD-7613 answered

Some details from the report:

Non-Compliant Rules:

Setting Name: BitLockerManagementSettings_BMSFDVEncryptionPolicy
Setting Type: None
Rule Name: BitLockerManagementSettings_0_BMSFDVEncryptionPolicy
Severity: Warning

Instance Data - Expression:
Equals
  <policy name="BMSFDVEncryptionPolicy" class="Machine" supportedon="SUPPORTED_Windows7" state="Enabled">
    <Setting key="SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement" valuename="ShouldEncryptFixedDataDrive" type="DWORD" isdeleted="false" value="1" />
    <Setting key="SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement" valuename="AutoUnlockFixedDataDrive" type="DWORD" isdeleted="false" value="2" />
  </policy>

Current Value: 0
Rule Type: Value


0 Votes
MattD-7613 answered

Registry value FDVEnforcePassphrase under key SOFTWARE\Policies\Microsoft\FVE is not compliant. This is the only thing in the BitlockerManagementGroupPolicy log that shows any sign of non-compliance.


0 Votes
SimonRenMSFT-3639 answered

Hi,

Thanks for reply.

The registry value FDVEnforcePassphrase under key SOFTWARE\Policies\Microsoft\FVE belongs to the "Configure use of passwords for fixed data drives" policy. This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives.

Have you chosen to permit the use of a password? If yes, have you set password complexity and minimum password length for fixed data drives? For the complexity requirement setting to be effective, the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must also be enabled.

For more information, please refer to: Configure use of passwords for fixed data drives

Thanks for your time.

Best regards,
Simon


If the response is helpful, please click "Accept Answer" and upvote it.
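The configuration item expression quoted in the compliance report above lists the individual registry values it expects, and the BitlockerManagementGroupPolicy log names FDVEnforcePassphrase as the one that disagrees. Reading those values back directly on the client narrows the mismatch to a single value and the key it lives in. The script below is an added example written for this thread; it is not code from the thread, from MBAM, or from Microsoft. The two MDOPBitLockerManagement values and their expected numbers come from the quoted expression. The FDVPassphrase, FDVEnforcePassphrase, FDVPassphraseComplexity and FDVPassphraseLength entries, and the expected values 1/1/1/8, are assumptions for a policy that permits a password, requires it, requires complexity and sets a minimum length of 8; change them to match what is actually configured. The function name Get-PolicyDword is my own.

```powershell
# Added example (not from the thread or from Microsoft): read back the registry
# values that the BitLocker Management configuration item expects and report
# which ones differ. Run in an elevated PowerShell session on the client that
# reports non-compliant.

$mbamKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$fveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected values. The first two are taken from the CI expression in the
# compliance report. The FDV* rows are ASSUMED for a policy that permits and
# requires a complex password of at least 8 characters; edit to match your policy.
$expected = @(
    [pscustomobject]@{ Key = $mbamKey; Name = 'ShouldEncryptFixedDataDrive'; Value = 1 }
    [pscustomobject]@{ Key = $mbamKey; Name = 'AutoUnlockFixedDataDrive';    Value = 2 }
    [pscustomobject]@{ Key = $fveKey;  Name = 'FDVPassphrase';               Value = 1 }  # assumed
    [pscustomobject]@{ Key = $fveKey;  Name = 'FDVEnforcePassphrase';        Value = 1 }  # assumed
    [pscustomobject]@{ Key = $fveKey;  Name = 'FDVPassphraseComplexity';     Value = 1 }  # assumed
    [pscustomobject]@{ Key = $fveKey;  Name = 'FDVPassphraseLength';         Value = 8 }  # assumed
)

function Get-PolicyDword {
    # Returns the DWORD stored at $Key\$Name, or $null when the key or value is absent.
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$Name
}

# Compare every expected value with what the registry currently holds.
$report = foreach ($e in $expected) {
    $actual = Get-PolicyDword -Key $e.Key -Name $e.Name
    $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
    [pscustomobject]@{
        Key       = $e.Key.Replace('HKLM:\', '')
        Name      = $e.Name
        Expected  = $e.Value
        Actual    = $shown
        Compliant = ($null -ne $actual -and $actual -eq $e.Value)
    }
}

$report | Format-Table -AutoSize

$bad = @($report | Where-Object { -not $_.Compliant })
if ($bad.Count -eq 0) {
    Write-Host 'All expected values are present and match; the cause is not in these keys.'
} else {
    Write-Host "$($bad.Count) value(s) differ from policy:"
    $bad | ForEach-Object {
        Write-Host ("  {0}\{1}: expected {2}, found {3}" -f $_.Key, $_.Name, $_.Expected, $_.Actual)
    }
}
```

A missing value and a wrong value are reported separately, because they point to different causes: a missing value means the policy never wrote it, while a wrong value under SOFTWARE\Policies\Microsoft\FVE on a machine whose MDOPBitLockerManagement values match suggests a second policy source (such as a domain GPO carrying the old BitLocker settings) is writing the same value with a different number.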



0 Votes
MattD-7613 answered

[attachment: screenshot-2021-02-09-075218.jpg]

Here are the group policy settings - we matched the SCCM BitLocker settings exactly.



0 Votes
MattD-7613 answered

[attachments: mbam1.png through mbam10.png]


0 Votes
MattD-7613 answered

[attachment: compliance-report-picture.jpg]


0 Votes
BenS-6590 answered MattD-7613 commented

I am having the same exact problem.


Sounds like a bug to me. If not, I'm guessing there are settings that are either not setting correctly in the registry or somehow conflicting with one another.

0 Votes

I actually have a MS case open regarding this but personally I am leaning towards some sort of bug at this point. I have compared the reg keys with what is set in the policy and they match up yet it still shows non-compliant.

The only other thing I can think of at this point is that I seem to remember reading that MECM/SCCM can only do full disk encryption, however our drives were already encrypted with used space only. Since they were already encrypted they won't automatically make any changes to the encryption settings.

We just started working on the case but so far the only advice we have gotten is to decrypt the drive and let the MECM/SCCM policy re-encrypt the drive.

1 Vote

That actually makes total sense. I will keep looking here for updates. Please let me know what they tell you. Good Luck!

0 Votes