Understanding MBAM Reports
If you chose the Stand-alone topology when you installed Microsoft BitLocker Administration and Monitoring (MBAM), you can run different reports in MBAM to monitor BitLocker usage and compliance. MBAM reports compliance and other information about all of the computers and devices it manages. The information in this topic can be used to help you understand the Microsoft BitLocker Administration and Monitoring reports for enterprise and individual computer compliance and for key recovery activity.
If you chose the Configuration Manager topology when you installed Microsoft BitLocker Administration and Monitoring (MBAM), reports are generated from Configuration Manager rather than from MBAM. For more information about reports that are run from Configuration Manager, see Understanding MBAM Reports in Configuration Manager.
To access the Reports feature of Microsoft BitLocker Administration and Monitoring, open a web browser and open the Administration and Monitoring website. Select Reports in the left menu bar and then select from the top menu bar the kind of report that you want to generate.
Enterprise Compliance Report
Use this report type to collect information on overall BitLocker compliance in your organization. You can use different filters to narrow your search results to Compliance state and Error status. The report information is updated every six hours.
Enterprise Compliance Report Fields
User-specified DNS name that is being managed by MBAM.
Fully qualified domain name where the client computer resides and is managed by MBAM.
State of compliance for the computer, according to the policy specified for the computer. The states are Noncompliant and Compliant. See the Enterprise Compliance Report Compliance States table for more information about how to interpret compliance states.
Compliance Status Details
Error and status messages of the compliance state of the computer in accordance to the policy specified.
Date and time when the computer last contacted the server to report compliance status. The contact frequency is configurable (see MBAM policy settings).
Enterprise Compliance Report Compliance States
|Compliance Status||Exemption||Description||User Action|
The computer is noncompliant, according to the specified policy.
Expand the Computer Compliance Report details by clicking Computer Name, and determine whether the state of each drive complies with the specified policy. If the encryption state indicates that the computer is not encrypted, encryption may be in process, or there is an error on the computer. If there is no error, the likely cause is that the computer is still in the process of connecting or establishing the encryption status. Check back later to determine if the state changes.
The computer is compliant, according to the specified policy.
No action needed; the state of the computer can be confirmed by viewing the Computer Compliance Report.
Computer Compliance Report
Use this report type to collect information that is specific to a computer or user.
This report can be viewed by clicking the computer name in the Enterprise Compliance Report, or by typing the computer name in the Computer Compliance Report. The Computer Compliance Report provides detailed encryption information about each drive (operating system and fixed data drives) on a computer, and also an indication of the policy that is applied to each drive type on the computer. To view the details of each drive, expand the Computer Name entry.
Removable Data Volume encryption status will not be shown in the report.
Computer Compliance Report Fields
User-specified DNS computer name that is being managed by MBAM.
Fully qualified domain name, where the client computer resides and is managed by MBAM.
Type of computer. Valid types are non-Portable and Portable.
Operating system type found on the MBAM-managed client computer.
Overall compliance status of the computer managed by MBAM. Valid states are Compliant and Noncompliant. Notice that the compliance status per drive (see the following table) may indicate different compliance states. However, this field represents that compliance state, according to the specified policy.
Policy Cipher Strength
Cipher strength selected by the administrator during MBAM policy specification (for example, 128-bit with Diffuser).
Policy Operating System Drive
Indicates if encryption is required for the operating system and shows the appropriate protector type.
Policy-Fixed Data Drive
Indicates if encryption is required for the dixed data drive.
Policy Removable Data Drive
Indicates if encryption is required for the removable drive.
Known users on the computer that is being managed by MBAM.
Computer manufacturer name, as it appears in the computer BIOS.
Computer manufacturer model name, as it appears in the computer BIOS.
Compliance Status Details
Error and status messages of the compliance state of the computer, in accordance with the specified policy.
Date and time that the computer last contacted the server to report compliance status. The contact frequency is configurable (see MBAM policy settings).
Computer Compliance Report Drive Fields
Computer drive letter that was assigned to the particular drive by the user.
Type of drive. Valid values are Operating System Drive and Fixed Data Drive. These are physical drives rather than logical volumes.
Cipher strength selected by the administrator during MBAM policy specification.
Type of protector selected via the policy used to encrypt an operating system or fixed data volume.
Indicates that the computer being managed by MBAM has enabled the protector type that is specified in the policy. The valid states are ON or OFF.
Encryption state of the drive. Valid states are Encrypted, Not Encrypted, and Encrypting.
State that indicates whether the drive is in accordance with the policy. States are Noncompliant and Compliant.
Compliance Status Details
Error and status messages of the compliance state of the computer, according to the specified policy.
Recovery Audit Report
Use this report type to audit users who have requested access to recovery keys. The report offers several filters based on the desired filtering criteria. Users can filter on a specific type of user, either a Help Desk user or an end user, whether the request failed or was successful, the specific type of key requested, and a date range during which the retrieval occurred. The administrator can produce contextual reports based on need.
Recovery Audit Report Fields
Request Date and Time
Date and time that a key retrieval request was made by an end user or Help Desk user.
Status of the request. Valid statuses are either Successful (the key was retrieved), or Failed (the key was not retrieved).
Help Desk user that initiated the request for key retrieval. Note: If the Help Desk user retrieves the key on behalf on an end-user, the End User field will be blank.
End user who initiated the request for key retrieval.
Type of key that was requested by either the Help Desk user or the end user. The three types of keys that MBAM collects are: Recovery Key Password (used to recovery a computer in recovery mode), Recovery Key ID (used to recover a computer in recovery mode on behalf of another user), and TPM Password Hash (used to recover a computer with a locked TPM).
Reason the specified Key Type was requested by the Help Desk user or the end user. The reasons are specified in the Drive Recovery and Manage TPM features of the Administration and Monitoring website. The valid entries are either user-entered text, or one of the following reason codes:
Report results can be saved to a file by clicking the Export button on the reports menu bar. For more information about how to run MBAM reports, see How to Generate MBAM Reports.