Understanding MBAM Reports

If you chose the Stand-alone topology when you installed Microsoft BitLocker Administration and Monitoring (MBAM), you can run different reports in MBAM to monitor BitLocker usage and compliance. MBAM reports compliance and other information about all of the computers and devices it manages. The information in this topic can be used to help you understand the Microsoft BitLocker Administration and Monitoring reports for enterprise and individual computer compliance and for key recovery activity.

Note   If you chose the Configuration Manager topology when you installed Microsoft BitLocker Administration and Monitoring (MBAM), reports are generated from Configuration Manager rather than from MBAM. For more information about reports that are run from Configuration Manager, see Understanding MBAM Reports in Configuration Manager.

Understanding Reports

To access the Reports feature of Microsoft BitLocker Administration and Monitoring, open a web browser and open the Administration and Monitoring website. Select Reports in the left menu bar and then select from the top menu bar the kind of report that you want to generate.

Enterprise Compliance Report

Use this report type to collect information on overall BitLocker compliance in your organization. You can use different filters to narrow your search results to Compliance state and Error status. The report information is updated every six hours.

Enterprise Compliance Report Fields

Column Name Description

Computer Name

User-specified DNS name that is being managed by MBAM.

Domain Name

Fully qualified domain name where the client computer resides and is managed by MBAM.

Compliance Status

State of compliance for the computer, according to the policy specified for the computer. The states are Noncompliant and Compliant. See the Enterprise Compliance Report Compliance States table for more information about how to interpret compliance states.

Compliance Status Details

Error and status messages of the compliance state of the computer in accordance to the policy specified.

Last Contact

Date and time when the computer last contacted the server to report compliance status. The contact frequency is configurable (see MBAM policy settings).

Enterprise Compliance Report Compliance States

Compliance Status Exemption Description User Action

Noncompliant

Not Exempt

The computer is noncompliant, according to the specified policy.

Expand the Computer Compliance Report details by clicking Computer Name, and determine whether the state of each drive complies with the specified policy. If the encryption state indicates that the computer is not encrypted, encryption may be in process, or there is an error on the computer. If there is no error, the likely cause is that the computer is still in the process of connecting or establishing the encryption status. Check back later to determine if the state changes.

Compliant

Not Exempt

The computer is compliant, according to the specified policy.

No action needed; the state of the computer can be confirmed by viewing the Computer Compliance Report.

Computer Compliance Report

Use this report type to collect information that is specific to a computer or user.

This report can be viewed by clicking the computer name in the Enterprise Compliance Report, or by typing the computer name in the Computer Compliance Report. The Computer Compliance Report provides detailed encryption information about each drive (operating system and fixed data drives) on a computer, and also an indication of the policy that is applied to each drive type on the computer. To view the details of each drive, expand the Computer Name entry.

Note   Removable Data Volume encryption status will not be shown in the report.

Computer Compliance Report Fields

Column Name Description

Computer Name

User-specified DNS computer name that is being managed by MBAM.

Domain Name

Fully qualified domain name, where the client computer resides and is managed by MBAM.

Computer Type

Type of computer. Valid types are non-Portable and Portable.

Operating System

Operating system type found on the MBAM-managed client computer.

Compliance Status

Overall compliance status of the computer managed by MBAM. Valid states are Compliant and Noncompliant. Notice that the compliance status per drive (see the following table) may indicate different compliance states. However, this field represents that compliance state, according to the specified policy.

Policy Cipher Strength

Cipher strength selected by the administrator during MBAM policy specification (for example, 128-bit with Diffuser).

Policy Operating System Drive

Indicates if encryption is required for the operating system and shows the appropriate protector type.

Policy-Fixed Data Drive

Indicates if encryption is required for the fixed data drive.

Policy Removable Data Drive

Indicates if encryption is required for the removable drive.

Device Users

Known users on the computer that is being managed by MBAM.

Manufacturer

Computer manufacturer name, as it appears in the computer BIOS.

Model

Computer manufacturer model name, as it appears in the computer BIOS.

Compliance Status Details

Error and status messages of the compliance state of the computer, in accordance with the specified policy.

Last Contact

Date and time that the computer last contacted the server to report compliance status. The contact frequency is configurable (see MBAM policy settings).

Computer Compliance Report Drive Fields

Column Name Description

Drive Letter

Computer drive letter that was assigned to the particular drive by the user.

Drive Type

Type of drive. Valid values are Operating System Drive and Fixed Data Drive. These are physical drives rather than logical volumes.

Cipher Strength

Cipher strength selected by the administrator during MBAM policy specification.

Protector Type

Type of protector selected via the policy used to encrypt an operating system or fixed data volume.

Protector State

Indicates that the computer being managed by MBAM has enabled the protector type that is specified in the policy. The valid states are ON or OFF.

Encryption State

Encryption state of the drive. Valid states are Encrypted, Not Encrypted, and Encrypting.

Compliance Status

State that indicates whether the drive is in accordance with the policy. States are Noncompliant and Compliant.

Compliance Status Details

Error and status messages of the compliance state of the computer, according to the specified policy.

Recovery Audit Report

Use this report type to audit users who have requested access to recovery keys. The report offers several filters based on the desired filtering criteria. Users can filter on a specific type of user, either a Help Desk user or an end user, whether the request failed or was successful, the specific type of key requested, and a date range during which the retrieval occurred. The administrator can produce contextual reports based on need.

Recovery Audit Report Fields

Column Name Description

Request Date and Time

Date and time that a key retrieval request was made by an end user or Help Desk user.

Request Status

Status of the request. Valid statuses are either Successful (the key was retrieved), or Failed (the key was not retrieved).

Helpdesk User

Help Desk user that initiated the request for key retrieval. Note: If the Help Desk user retrieves the key on behalf on an end-user, the End User field will be blank.

User

End user who initiated the request for key retrieval.

Key Type

Type of key that was requested by either the Help Desk user or the end user. The three types of keys that MBAM collects are: Recovery Key Password (used to recovery a computer in recovery mode), Recovery Key ID (used to recover a computer in recovery mode on behalf of another user), and TPM Password Hash (used to recover a computer with a locked TPM).

Reason Description

Reason the specified Key Type was requested by the Help Desk user or the end user. The reasons are specified in the Drive Recovery and Manage TPM features of the Administration and Monitoring website. The valid entries are either user-entered text, or one of the following reason codes:

  • Operating System Boot Order changed

  • BIOS Changed

  • Operating System files changed

  • Lost Startup key

  • Lost PIN

  • TPM Reset

  • Lost Passphrase

  • Lost Smartcard

  • Reset PIN lockout

  • Turn on TPM

  • Turn off TPM

  • Change TPM password

  • Clear TPM

Note   Report results can be saved to a file by clicking the Export button on the reports menu bar. For more information about how to run MBAM reports, see How to Generate MBAM Reports.

Monitoring and Reporting BitLocker Compliance with MBAM 2.0