Understanding MBAM Reports in Configuration Manager

When Microsoft BitLocker Administration and Monitoring (MBAM) is installed with the Configuration Manager Integrated topology, the hardware compliance and reporting features are moved into the Configuration Manager infrastructure and out of MBAM. When you use the Configuration Manager topology, you run reports from Configuration Manager rather than from MBAM, except for the Recovery Audit Report, which you continue to access by using the Administration and Monitoring Website.

The reports for the Configuration Manager Integrated topology show BitLocker compliance for the enterprise and for individual computers and devices that MBAM manages. The reports provide both tabular information and charts, and enable you to filter reports to view data from different perspectives.

The information in this topic describes the MBAM reports that you run from Configuration Manager. For information about MBAM reports for the Stand-alone topology, see Understanding MBAM Reports.

Accessing Reports in Configuration Manager

To access the Reports feature in Configuration Manager, open the Configuration Manager console. To display the list of available reports:

  • In Configuration Manager 2007, expand the Computer Management node, and then expand the Reporting node.

  • In System Center 2012 Configuration Manager, in the Monitoring workspace under Overview, expand the Reporting node and then click Reports.

BitLocker Enterprise Compliance Dashboard

The BitLocker Enterprise Compliance Dashboard provides the following graphs, which show BitLocker compliance status across the enterprise:

  • Compliance Status Distribution

  • Non Compliant Errors Distribution

  • Compliance Status Distribution by Drive Type

Compliance Status Distribution

This pie chart shows computer compliance statuses within the enterprise, and shows the percentage of computers, compared to the total number of computers in the selected collection, that have that compliance status. The actual number of computers with each status is also shown. The pie chart shows the following compliance statuses:

  • Compliant

  • Non Compliant

  • User Exempt

  • Temporary User Exempt

  • Policy Not Enforced

  • Unknown -computers whose status was reported as an error, or devices that are part of the collection but have never reported their compliance status, for example, if they are disconnected from the organization

Non Compliant Errors Distribution

This pie chart shows the categories of computers in the enterprise that are not compliant with the BitLocker drive encryption policy, and shows the number of computers in each category. Each category percentage is calculated from the total number of non-compliant computers in the collection.

  • User postponed encryption

  • Unable to find compatible TPM

  • System Partition not available or large enough

  • Policy conflict

  • Waiting for TPM auto provisioning

  • An unknown error has occurred

  • No information – computers that do not have the MBAM Client installed, or that have the MBAM Client installed but not activated, for example, the service is not working

Compliance Status Distribution by Drive Type

This bar chart shows the current BitLocker compliance status by drive type. The statuses are “Compliant” and “Non Compliant.” Bars are shown for fixed data drives and operating system drives. Computers that do not have a fixed data drive are included and show a value only in the Operating System Drive bar. The chart does not include users who have been granted an exemption from the BitLocker drive encryption policy or the “No Policy” category.

BitLocker Enterprise Compliance Details Report

This report shows information about the overall BitLocker compliance across your enterprise for the collection of computers that is targeted for BitLocker use.

BitLocker Enterprise Compliance Details Report Fields

Column Name Description

Managed Computers

Number of computers that MBAM manages.

% Compliant

Percentage of compliant computers in the enterprise.

% Non-Compliant

Percentage of non-compliant computers in the enterprise.

% Unknown Compliance

Percentage of computers whose compliance state is not known.

% Exempt

Percentage of computers exempt from the BitLocker encryption requirement.

% Non-Exempt

Percentage of computers exempt from the BitLocker encryption requirement.

Compliant

Percentage of compliant computers in the enterprise.

Non-Compliant

Percentage of non-compliant computers in the enterprise.

Unknown Compliance

Percentage of computers whose compliance state is not known.

Exempt

Total computers that are exempt from the BitLocker encryption requirement.

Non-Exempt

Total computers that are not exempt from the BitLocker encryption requirement.

BitLocker Enterprise Compliance Details Report - Compliance States

Compliance Status Exemption Description

Noncompliant

Not Exempt

The computer is noncompliant, according to the specified policy.

Compliant

Not Exempt

The computer is compliant in accordance with the specified policy.

BitLocker Enterprise Compliance Summary Report

Use this report type to show information about the overall BitLocker compliance across your enterprise and to show the compliance for individual computers that are in the collection of computers that is targeted for BitLocker use.

BitLocker Enterprise Compliance Summary Report Fields

Column Name Description

Managed Computers

Number of computers that MBAM manages.

% Compliant

Percentage of compliant computers in the enterprise.

% Non-Compliant

Percentage of non-compliant computers in the enterprise.

% Unknown Compliance

Percentage of computers whose compliance state is not known.

% Exempt

Percentage of computers exempt from the BitLocker encryption requirement.

% Non-Exempt

Percentage of computers exempt from the BitLocker encryption requirement.

Compliant

Percentage of compliant computers in the enterprise.

Non-Compliant

Percentage of non-compliant computers in the enterprise.

Unknown Compliance

Percentage of computers whose compliance state is not known.

Exempt

Total computers that are exempt from the BitLocker encryption requirement.

Non-Exempt

Total computers that are not exempt from the BitLocker encryption requirement.

BitLocker Enterprise Compliance Summary Report - Computer Details

Column Name Description

Computer Name

User-specified DNS computer name that is being managed by MBAM.

Domain Name

Fully qualified domain name, where the client computer resides and is managed by MBAM.

Compliance Status

Overall Compliance Status of the computer managed by MBAM. Valid states are Compliant and Noncompliant. Notice that the compliance status per drive (see table that follows) may indicate different compliance states. However, this field represents that compliance state, in accordance with the policy specified.

Exemption

Status that indicates whether the user is exempt or non-exemption from the BitLocker policy.

Device Users

User of the device.

Compliance Status Details

Error and status messages of the compliance state of the computer in accordance to the policy specified.

Last Contact

Date and time that the computer last contacted the server to report compliance status. The contact frequency is configurable (see MBAM policy settings).

BitLocker Computer Compliance Report

Use this report type to collect information that is specific to a computer. The Computer Compliance Report provides detailed encryption information about each drive (Operating System and Fixed data drives) on a computer, and also an indication of the policy that is applied to each drive type on the computer. To view the details of each drive, expand the Computer Name entry.

Note   Removable Data Volume encryption status is not shown in the report.

BitLocker Computer Compliance Report – Computer Details Fields

Column Name Description

Computer Name

User-specified DNS computer name that is being managed by MBAM.

Domain Name

Fully qualified domain name, where the client computer resides and is managed by MBAM.

Computer Type

Type of computer. Valid types are non-Portable and Portable.

Operating System

Operating System type found on the MBAM managed client computer.

Overall Compliance

Overall Compliance Status of the computer managed by MBAM. Valid states are Compliant and Noncompliant. Notice that the compliance status per drive (see table that follows) may indicate different compliance states. However, this field represents that compliance state, in accordance with the policy specified.

Operating System Compliance

Compliance status of the operating system that is managed by MBAM. Valid states are Compliant and Noncompliant.

Fixed Data Drive Compliance

Compliance status of the Fixed Data Drive that is managed by MBAM. Valid states are Compliant and Noncompliant.

Last Update Date

Date and time that the computer last contacted the server to report compliance status. The contact frequency is configurable (see MBAM policy settings).

Exemption

Status that indicates whether the user is exempt or non-exemption from the BitLocker policy.

Exempted User

User who is exempt from the BitLocker policy.

Exemption Date

Date on which the exemption was granted.

Compliance Status Details

Error and status messages of the compliance state of the computer in accordance to the policy specified.

Policy Cipher Strength

Cipher Strength selected by the Administrator during MBAM policy specification. (for example, 128-bit with Diffuser).

Policy: Operating System Drive

Indicates if encryption is required for the O/S and the appropriate protector type.

Policy:Fixed Data Drive

Indicates if encryption is required for the Fixed Drive.

Manufacturer

Computer manufacturer name as it appears in the computer BIOS.

Model

Computer manufacturer model name as it appears in the computer BIOS.

Device Users

Known users on the computer that is being managed by MBAM.

BitLocker Computer Compliance Report – Computer Volume Fields

Column Name Description

Drive Letter

Computer drive letter that was assigned to the particular drive by the user.

Drive Type

Type of drive. Valid values are Operating System Drive and Fixed Data Drive. These are physical drives rather than logical volumes.

Cipher Strength

Cipher Strength selected by the Administrator during MBAM policy specification.

Protector Types

Type of protector selected via policy used to encrypt an operating system or Fixed volume. The valid protector types on an operating system are TPM or TPM+PIN and for a Fixed Data Volume is Password.

Protector State

Indicates that the computer being managed by MBAM has enabled the protector type specified in the policy. The valid states are ON or OFF.

Encryption State

Encryption state of the drive. Valid states are Encrypted, Not Encrypted, and Encrypting.

Using MBAM with Configuration Manager