Understanding MBAM 2.5 Stand-alone Reports

This topic describes the reports that are available when you are running Microsoft BitLocker Administration and Monitoring (MBAM) in the Stand-alone topology.

Note
If you are running MBAM with the Configuration Manager Integration topology, you generate reports from Configuration Manager rather than from MBAM. See Viewing MBAM 2.5 Reports for the Configuration Manager Integration Topology for more information about these reports.

Understanding the MBAM Stand-alone topology reports

MBAM provides three report types that you can use to monitor your organization for BitLocker compliance:

  • Enterprise Compliance Report

  • Computer Compliance Report

  • Recovery Audit Report

To access MBAM reports when you are running MBAM in the Stand-alone topology, open a web browser, and then open the Administration and Monitoring Website. Select Reports in the left menu bar. From the top menu bar, select the kind of report that you want to generate. For more information about generating these reports, see Generating MBAM 2.5 Stand-alone Reports.

Enterprise Compliance Report

Use this report type to collect information about overall BitLocker compliance in your organization. You can use filters to narrow your search results to learn more about the compliance state and error status of computers in your organization.

Enterprise Compliance Overview

| Column Name | Description |
|---|---|
| Managed Computers | Number of computers that MBAM manages. |
| % Compliant | Percentage of compliant computers in the enterprise. |
| % Non-Compliant | Percentage of non-compliant computers in the enterprise. |
| % Exempt | Percentage of computers exempt from the BitLocker encryption requirement. |
| % Non-Exempt | Percentage of computers not exempt from the BitLocker encryption requirement. |
| Compliant | Percentage of compliant computers in the enterprise. |
| Non-Compliant | Percentage of non-compliant computers in the enterprise. |
| Exempt | Total computers that are exempt from the BitLocker encryption requirement. |
| Non-Exempt | Total computers that are not exempt from the BitLocker encryption requirement. |

Enterprise Compliance Computer Details

| Column Name | Description |
|---|---|
| Computer Name | User-specified DNS name that is managed by MBAM. |
| Domain Name | Fully qualified domain name where the client computer resides and is managed by MBAM. |
| Compliance Status | State of compliance for the computer, according to the policy specified for the computer. The states are Noncompliant and Compliant. See the following Enterprise Compliance Report Compliance States table for more information about how to interpret compliance states. |
| Exemption | Status that indicates whether this computer is exempt from the BitLocker policy. |
| Compliance Status Details | Error and status messages about the compliance state of the computer, in accordance with the specified policy. |
| Last Contact | Date and time when the computer last contacted the server to report compliance status. The contact frequency is configurable. For more information, see the MBAM Group Policy settings. |

Computer Compliance Report

Use this report type to collect information that is specific to a computer or user.

View this report by clicking the computer name in the Enterprise Compliance Report, or by typing the computer name in the Computer Compliance Report. This report shows detailed encryption information about each drive (operating system and fixed data drives) on a computer. It also indicates the policy that is applied to each drive type on the computer. To view the details of each drive, expand the Computer Name entry.

Note
Removable Data Volume encryption status is not shown in this report.

Computer Compliance Report Fields

| Column Name | Description |
|---|---|
| Computer Name | User-specified DNS computer name that is managed by MBAM. |
| Domain Name | Fully qualified domain name where the client computer resides and is managed by MBAM. |
| Computer Type | Type of computer. Valid types are Non-Portable and Portable. |
| Operating System | Operating system type found on the client computer that is managed by MBAM. |
| Compliance Status | Overall compliance status of the computer that is managed by MBAM. Valid states are Compliant and Noncompliant. Note that the compliance status per drive (see the following table) may indicate different compliance states. However, this field represents the computer's overall compliance state, according to the specified policy. |
| Policy Cipher Strength | Cipher strength selected by the administrator during MBAM policy specification (for example, 128-bit with diffuser). |
| Policy Operating System Drive | Indicates if encryption is required for the operating system and shows the appropriate protector type. |
| Policy-Fixed Data Drive | Indicates if encryption is required for the fixed data drive. |
| Policy Removable Data Drive | Indicates if encryption is required for the removable drive. |
| Device Users | Known users on the computer that is managed by MBAM. |
| Exemption | Status that indicates whether this computer is exempt from the BitLocker policy. |
| Manufacturer | Computer manufacturer name, as it appears in the computer BIOS. |
| Model | Computer manufacturer model name, as it appears in the computer BIOS. |
| Compliance Status Details | Error and status messages about the compliance state of the computer, in accordance with the specified policy. |
| Last Contact | Date and time that the computer last contacted the server to report compliance status. The contact frequency is configurable. For more information, see the MBAM Group Policy settings. |

Computer Compliance Report Drive Fields

| Column Name | Description |
|---|---|
| Drive Letter | Computer drive letter that was assigned to the particular drive by the user. |
| Drive Type | Type of drive. Valid values are Operating System Drive and Fixed Data Drive. These are physical drives rather than logical volumes. |
| Cipher Strength | Cipher strength selected by the administrator during MBAM policy specification. |
| Protector Type | Type of protector selected through the Group Policy setting used to encrypt an operating system or fixed data volume. |
| Protector State | Indicates that the computer being managed by MBAM has enabled the protector type that is specified in the policy. The valid states are ON or OFF. |
| Encryption State | Encryption state of the drive. Valid states are Encrypted, Not Encrypted, and Encrypting. |
| Compliance Status | State that indicates whether the drive is in accordance with the policy. States are Noncompliant and Compliant. |
| Compliance Status Details | Error and status messages of the compliance state of the computer, according to the specified policy. |

Recovery Audit Report

Use this report type to audit users who have requested access to BitLocker recovery keys. The report offers several filters based on the desired filtering criteria. You can filter on a specific type of user (a Help Desk user or an end user), whether the request failed or was successful, the specific type of key requested, and a date range during which the retrieval occurred.

Recovery Audit Report Fields

| Column Name | Description |
|---|---|
| Request Date and Time | Date and time that a key retrieval request was made by an end user or Help Desk user. |
| Audit Request Source | The site from which the request was initiated. This entry will have one of two values: Self-Service Portal or Helpdesk. |
| Request Status | Status of the request. Valid statuses are Successful (the key was retrieved), or Failed (the key was not retrieved). |
| Helpdesk User | Help Desk user who initiated the request for key retrieval. Note: If an Advanced Helpdesk User recovers the key without specifying the end user, the End User field will be blank. A standard Helpdesk User must specify the end user, and that user will appear in this field. A recovery via the Self-Service Portal will list the requesting end user both in this field and in the End User field. |
| End User | End user who initiated the request for key retrieval. |
| Computer | Computer name of the computer that was recovered. |
| Key Type | Type of key that was requested by the Help Desk user or the end user. The three types of keys that MBAM collects are: Recovery Key Password (used to recover a computer in recovery mode); Recovery Key ID (used to recover a computer in recovery mode on behalf of another user); TPM Password Hash (used to recover a computer with a locked TPM). |
| Reason Description | Reason the specified key type was requested by the Help Desk user or the end user. The reasons are specified in the Drive Recovery and Manage TPM features of the Administration and Monitoring Website. The valid entries are user-entered text or one of the following reason codes: Operating System Boot Order changed; BIOS Changed; Operating System files changed; Lost Startup key; Lost PIN; TPM Reset; Lost Passphrase; Lost Smartcard; Reset PIN lockout; Turn on TPM; Turn off TPM; Change TPM password; Clear TPM. |

Note
Report results can be saved to a file by clicking the Export button on the Reports menu bar.
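
The following is an added example, not part of the original documentation or of MBAM itself: one way to review an exported Recovery Audit Report for two patterns an auditor would want to follow up, Help Desk recoveries with a blank End User field and one requester retrieving keys for several computers in a short window. It assumes the report was exported as CSV with headers equal to the column names above; the sample rows, account names, timestamp format, rule names and thresholds are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Assumes CSV whose headers equal the report's
# column names; accounts, computers and the timestamp format are made up.
SAMPLE_EXPORT = """\
Request Date and Time,Audit Request Source,Request Status,Helpdesk User,End User,Computer,Key Type,Reason Description
2024-03-04 09:12:00,Helpdesk,Successful,EXAMPLE\\hd-amy,EXAMPLE\\jdoe,PC-0101,Recovery Key Password,Lost PIN
2024-03-04 09:40:00,Self-Service Portal,Successful,EXAMPLE\\mlee,EXAMPLE\\mlee,PC-0207,Recovery Key Password,BIOS Changed
2024-03-04 22:01:00,Helpdesk,Successful,EXAMPLE\\hd-bob,,PC-0310,Recovery Key Password,Lost PIN
2024-03-04 22:05:00,Helpdesk,Successful,EXAMPLE\\hd-bob,,PC-0311,Recovery Key ID,Lost PIN
2024-03-04 22:09:00,Helpdesk,Successful,EXAMPLE\\hd-bob,,PC-0312,Recovery Key Password,Lost PIN
2024-03-05 08:00:00,Helpdesk,Failed,EXAMPLE\\hd-amy,EXAMPLE\\rroe,PC-0400,TPM Password Hash,TPM Reset
"""

def load_rows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["when"] = datetime.strptime(r["Request Date and Time"], "%Y-%m-%d %H:%M:%S")
    return rows

def audit(rows, burst=3, window=timedelta(hours=1)):
    """Return (rule, requester, computers) tuples for manual review."""
    findings, by_requester = [], defaultdict(list)
    for r in rows:
        if r["Request Status"] != "Successful":
            continue
        by_requester[r["Helpdesk User"]].append(r)
        # Blank End User on a Help Desk recovery: per the note above, only an
        # Advanced Helpdesk User can do this, so tie each one to a ticket.
        if r["Audit Request Source"] == "Helpdesk" and not r["End User"].strip():
            findings.append(("no-end-user", r["Helpdesk User"], [r["Computer"]]))
    # One requester retrieving keys for several computers in a short window.
    for who, reqs in by_requester.items():
        reqs.sort(key=lambda r: r["when"])
        for i, first in enumerate(reqs):
            seen = {r["Computer"] for r in reqs[i:] if r["when"] - first["when"] <= window}
            if len(seen) >= burst:
                findings.append(("burst", who, sorted(seen)))
                break
    return findings

if __name__ == "__main__":
    for finding in audit(load_rows(SAMPLE_EXPORT)):
        print(finding)
```
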
