Understanding MBAM Reports in Configuration Manager
When Microsoft BitLocker Administration and Monitoring (MBAM) is installed with the Configuration Manager Integrated topology, the hardware compliance and reporting features are moved into the Configuration Manager infrastructure and out of MBAM. When you use the Configuration Manager topology, you run reports from Configuration Manager rather than from MBAM, except for the Recovery Audit Report, which you continue to access by using the Administration and Monitoring Website.
The reports for the Configuration Manager Integrated topology show BitLocker compliance for the enterprise and for individual computers and devices that MBAM manages. The reports provide both tabular information and charts, and enable you to filter reports to view data from different perspectives.
The information in this topic describes the MBAM reports that you run from Configuration Manager. For information about MBAM reports for the Stand-alone topology, see Understanding MBAM Reports.
Accessing Reports in Configuration Manager
To access the Reports feature in Configuration Manager, open the Configuration Manager console. To display the list of available reports:
In Configuration Manager 2007, expand the Computer Management node, and then expand the Reporting node.
In System Center 2012 Configuration Manager, in the Monitoring workspace under Overview, expand the Reporting node and then click Reports.
BitLocker Enterprise Compliance Dashboard
The BitLocker Enterprise Compliance Dashboard provides the following graphs, which show BitLocker compliance status across the enterprise:
Compliance Status Distribution
Non Compliant Errors Distribution
Compliance Status Distribution by Drive Type
Compliance Status Distribution
This pie chart shows computer compliance statuses within the enterprise, and shows the percentage of computers, compared to the total number of computers in the selected collection, that have that compliance status. The actual number of computers with each status is also shown. The pie chart shows the following compliance statuses:
Compliant
Non Compliant
User Exempt
Temporary User Exempt
Policy Not Enforced
Unknown -computers whose status was reported as an error, or devices that are part of the collection but have never reported their compliance status, for example, if they are disconnected from the organization
Non Compliant Errors Distribution
This pie chart shows the categories of computers in the enterprise that are not compliant with the BitLocker drive encryption policy, and shows the number of computers in each category. Each category percentage is calculated from the total number of non-compliant computers in the collection.
User postponed encryption
Unable to find compatible TPM
System Partition not available or large enough
Policy conflict
Waiting for TPM auto provisioning
An unknown error has occurred
No information – computers that do not have the MBAM Client installed, or that have the MBAM Client installed but not activated, for example, the service is not working
Compliance Status Distribution by Drive Type
This bar chart shows the current BitLocker compliance status by drive type. The statuses are “Compliant” and “Non Compliant.” Bars are shown for fixed data drives and operating system drives. Computers that do not have a fixed data drive are included and show a value only in the Operating System Drive bar. The chart does not include users who have been granted an exemption from the BitLocker drive encryption policy or the “No Policy” category.
BitLocker Enterprise Compliance Details Report
This report shows information about the overall BitLocker compliance across your enterprise for the collection of computers that is targeted for BitLocker use.
BitLocker Enterprise Compliance Details Report Fields
| Column Name | Description |
|---|---|
Managed Computers |
Number of computers that MBAM manages. |
% Compliant |
Percentage of compliant computers in the enterprise. |
% Non-Compliant |
Percentage of non-compliant computers in the enterprise. |
% Unknown Compliance |
Percentage of computers whose compliance state is not known. |
% Exempt |
Percentage of computers exempt from the BitLocker encryption requirement. |
% Non-Exempt |
Percentage of computers exempt from the BitLocker encryption requirement. |
Compliant |
Percentage of compliant computers in the enterprise. |
Non-Compliant |
Percentage of non-compliant computers in the enterprise. |
Unknown Compliance |
Percentage of computers whose compliance state is not known. |
Exempt |
Total computers that are exempt from the BitLocker encryption requirement. |
Non-Exempt |
Total computers that are not exempt from the BitLocker encryption requirement. |
BitLocker Enterprise Compliance Details Report - Compliance States
| Compliance Status | Exemption | Description |
|---|---|---|
Noncompliant |
Not Exempt |
The computer is noncompliant, according to the specified policy. |
Compliant |
Not Exempt |
The computer is compliant in accordance with the specified policy. |
BitLocker Enterprise Compliance Summary Report
Use this report type to show information about the overall BitLocker compliance across your enterprise and to show the compliance for individual computers that are in the collection of computers that is targeted for BitLocker use.
BitLocker Enterprise Compliance Summary Report Fields
| Column Name | Description |
|---|---|
Managed Computers |
Number of computers that MBAM manages. |
% Compliant |
Percentage of compliant computers in the enterprise. |
% Non-Compliant |
Percentage of non-compliant computers in the enterprise. |
% Unknown Compliance |
Percentage of computers whose compliance state is not known. |
% Exempt |
Percentage of computers exempt from the BitLocker encryption requirement. |
% Non-Exempt |
Percentage of computers exempt from the BitLocker encryption requirement. |
Compliant |
Percentage of compliant computers in the enterprise. |
Non-Compliant |
Percentage of non-compliant computers in the enterprise. |
Unknown Compliance |
Percentage of computers whose compliance state is not known. |
Exempt |
Total computers that are exempt from the BitLocker encryption requirement. |
Non-Exempt |
Total computers that are not exempt from the BitLocker encryption requirement. |
BitLocker Enterprise Compliance Summary Report - Computer Details
| Column Name | Description |
|---|---|
Computer Name |
User-specified DNS computer name that is being managed by MBAM. |
Domain Name |
Fully qualified domain name, where the client computer resides and is managed by MBAM. |
Compliance Status |
Overall Compliance Status of the computer managed by MBAM. Valid states are Compliant and Noncompliant. Notice that the compliance status per drive (see table that follows) may indicate different compliance states. However, this field represents that compliance state, in accordance with the policy specified. |
Exemption |
Status that indicates whether the user is exempt or non-exemption from the BitLocker policy. |
Device Users |
User of the device. |
Compliance Status Details |
Error and status messages of the compliance state of the computer in accordance to the policy specified. |
Last Contact |
Date and time that the computer last contacted the server to report compliance status. The contact frequency is configurable (see MBAM policy settings). |
BitLocker Computer Compliance Report
Use this report type to collect information that is specific to a computer. The Computer Compliance Report provides detailed encryption information about each drive (Operating System and Fixed data drives) on a computer, and also an indication of the policy that is applied to each drive type on the computer. To view the details of each drive, expand the Computer Name entry.
Note Removable Data Volume encryption status is not shown in the report.
BitLocker Computer Compliance Report – Computer Details Fields
| Column Name | Description |
|---|---|
Computer Name |
User-specified DNS computer name that is being managed by MBAM. |
Domain Name |
Fully qualified domain name, where the client computer resides and is managed by MBAM. |
Computer Type |
Type of computer. Valid types are non-Portable and Portable. |
Operating System |
Operating System type found on the MBAM managed client computer. |
Overall Compliance |
Overall Compliance Status of the computer managed by MBAM. Valid states are Compliant and Noncompliant. Notice that the compliance status per drive (see table that follows) may indicate different compliance states. However, this field represents that compliance state, in accordance with the policy specified. |
Operating System Compliance |
Compliance status of the operating system that is managed by MBAM. Valid states are Compliant and Noncompliant. |
Fixed Data Drive Compliance |
Compliance status of the Fixed Data Drive that is managed by MBAM. Valid states are Compliant and Noncompliant. |
Last Update Date |
Date and time that the computer last contacted the server to report compliance status. The contact frequency is configurable (see MBAM policy settings). |
Exemption |
Status that indicates whether the user is exempt or non-exemption from the BitLocker policy. |
Exempted User |
User who is exempt from the BitLocker policy. |
Exemption Date |
Date on which the exemption was granted. |
Compliance Status Details |
Error and status messages of the compliance state of the computer in accordance to the policy specified. |
Policy Cipher Strength |
Cipher Strength selected by the Administrator during MBAM policy specification. (for example, 128-bit with Diffuser). |
Policy: Operating System Drive |
Indicates if encryption is required for the O/S and the appropriate protector type. |
Policy:Fixed Data Drive |
Indicates if encryption is required for the Fixed Drive. |
Manufacturer |
Computer manufacturer name as it appears in the computer BIOS. |
Model |
Computer manufacturer model name as it appears in the computer BIOS. |
Device Users |
Known users on the computer that is being managed by MBAM. |
BitLocker Computer Compliance Report – Computer Volume Fields
| Column Name | Description |
|---|---|
Drive Letter |
Computer drive letter that was assigned to the particular drive by the user. |
Drive Type |
Type of drive. Valid values are Operating System Drive and Fixed Data Drive. These are physical drives rather than logical volumes. |
Cipher Strength |
Cipher Strength selected by the Administrator during MBAM policy specification. |
Protector Types |
Type of protector selected via policy used to encrypt an operating system or Fixed volume. The valid protector types on an operating system are TPM or TPM+PIN and for a Fixed Data Volume is Password. |
Protector State |
Indicates that the computer being managed by MBAM has enabled the protector type specified in the policy. The valid states are ON or OFF. |
Encryption State |
Encryption state of the drive. Valid states are Encrypted, Not Encrypted, and Encrypting. |