Muokkaa

Jaa


View BitLocker reports

Applies to: Configuration Manager (current branch)

After you install the reports on the reporting services point, you can view the reports. The reports show BitLocker compliance for the enterprise and for individual devices. They provide tabular information and charts, and have filters that let you view data from different perspectives.

In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select the Reports node. The following reports are in the BitLocker Management category:

You can access all of these reports directly from the reporting services point website.

Note

For these reports to display complete data:

  • Create and deploy a BitLocker management policy to a device collection
  • Clients in the target collection need to send hardware inventory

BitLocker computer compliance

Use this report to collect information that's specific to a computer. It provides detailed encryption information about the OS drive and any fixed data drives. To view the details of each drive, expand the Computer Name entry. It also indicates the policy that's applied to each drive type on the computer.

Example screenshot of BitLocker computer compliance report

You can also use this report to determine the last known BitLocker encryption status of lost or stolen computers. Configuration Manager determines compliance of the device based on the BitLocker policies that you deploy. Before you try to determine the BitLocker encryption state of a device, verify the policies that you've deployed to it.

Note

This report doesn't show the Removable Data Volume encryption status.

Computer details

Column name Description
Computer name User-specified DNS computer name.
Domain name Fully qualified domain name for the computer.
Computer Type Type of computer, valid types are Non-Portable and Portable.
Operating system OS type of the computer.
Overall compliance Overall BitLocker compliance status of the computer. Valid states are Compliant and Non-compliant. The compliance status per drive may indicate different compliance states. However, this field represents that compliance state from the specified policy.
Operating system compliance Compliance status of the OS on the computer. Valid states are Compliant and Non-compliant.
Fixed data drive compliance Compliance status of a fixed data drive on the computer. Valid states are Compliant and Non-compliant.
Last update date Date and time that the computer last contacted the server to report compliance status.
Exemption Indicates whether the user is exempt or non-exempt from the BitLocker policy.
Exempted user The user who's exempt from the BitLocker policy.
Exemption date Date on which the exemption was granted.
Compliance status details Error and status messages about the compliance state of the computer from the specified policy.
Policy cipher strength Cipher strength that you selected in the BitLocker management policy.
Policy: Operating system drive Indicates if encryption is required for the OS drive and the appropriate protector type.
Policy: Fixed data drive Indicates if encryption is required for the fixed data drive.
Manufacturer Computer manufacturer name as it appears in the computer BIOS.
Model Computer manufacturer model name as it appears in the computer BIOS.
Device users Known users on the computer.

Computer volume

Column name Description
Drive letter The drive letter on the computer.
Drive type Type of drive. Valid values are Operating System Drive and Fixed Data Drive. These entries are physical drives rather than logical volumes.
Cipher strength Cipher strength that you selected during in the BitLocker management policy.
Protector types Type of protector that you selected in the policy to encrypt the drive. The valid protector types for an OS drive are TPM or TPM+PIN. The valid protector type for a fixed data drive is Password.
Protector state Indicates that the computer enabled the protector type specified in the policy. The valid states are ON or OFF.
Encryption state Encryption state of the drive. Valid states are Encrypted, Not Encrypted, or Encrypting.

BitLocker enterprise compliance dashboard

This report provides the following graphs, which show BitLocker compliance status across your organization:

  • Compliance status distribution

  • Non-compliant - Errors distribution

  • Compliance status distribution by drive type

Example screenshot of BitLocker enterprise compliance dashboard

Compliance status distribution

This pie chart shows compliance status for computers in the organization. It also shows the percentage of computers with that compliance status, compared to the total number of computers in the selected collection. The actual number of computers with each status is also shown.

The pie chart shows the following compliance statuses:

  • Compliant

  • Non-compliant

  • User exempt

  • Temporary user exempt

  • Policy not enforced

    Note

    This state may be caused by a device that's encrypted and previously escrowed its key, but can't currently escrow its key. Because it can't escrow its key it doesn't enforce policy anymore.

  • Unknown. These computers reported a status error, or they're part of the collection but have never reported their compliance status. The lack of a compliance status could occur if the computer is disconnected from the organization.

Non-compliant - Errors distribution

This pie chart shows the categories of computers in your organization that aren't compliant with the BitLocker Drive Encryption policy. It also shows the number of computers in each category. The report calculates each percentage from the total number of non-compliant computers in the collection.

  • User postponed encryption

  • Unable to find compatible TPM

  • System partition not available or large enough

  • TPM visible but not initialized

  • Policy conflict

  • Waiting for TPM auto provisioning

  • An unknown error has occurred

  • No information. These computers don't have the BitLocker management agent installed, or it's installed but not activated. For example, the service isn't working.

Compliance status distribution by drive type

This bar chart shows the current BitLocker compliance status by drive type. The statuses are Compliant and Non-compliant. Bars are shown for fixed data drives and OS drives. The report includes computers without a fixed data drive, and only shows a value in the Operating System Drive bar. The chart doesn't include users who have been granted an exemption from the BitLocker Drive Encryption policy or the No Policy category.

BitLocker enterprise compliance details

This report shows information about the overall BitLocker compliance across your organization for the collection of computers to which you deployed the BitLocker management policy.

Example screenshot of BitLocker enterprise compliance details

Column name Description
Managed computers Number of computers to which you deployed a BitLocker management policy.
% Compliant Percentage of compliant computers in the organization.
% Non-compliant Percentage of non-compliant computers in the organization.
% Unknown compliance Percentage of computers with a compliance state that's not known.
% Exempt Percentage of computers exempt from the BitLocker encryption requirement.
% Non-exempt Percentage of computers not exempt from the BitLocker encryption requirement.
Compliant Count of compliant computers in the organization.
Non-Compliant Count of non-compliant computers in the organization.
Unknown Compliance Count of computers with a compliance state that's not known.
Exempt Count of computers that are exempt from the BitLocker encryption requirement.
Non-exempt Count of computers that aren't exempt from the BitLocker encryption requirement.

Computer details

Column name Description
Computer name DNS computer name of the managed device.
Domain name Fully qualified domain name for the computer.
Compliance status Overall compliance status of the computer. Valid states are Compliant and Non-compliant.
Exemption Indicates whether the user is exempt or non-exempt from the BitLocker policy.
Device users Users of the device.
Compliance status details Error and status messages about the compliance state of the computer from the specified policy.
Last contact Date and time that the computer last contacted the server to report compliance status.

BitLocker enterprise compliance summary

Use this report to show the overall BitLocker compliance across your organization. It also shows the compliance for individual computers to which you deployed the BitLocker management policy.

Example screenshot of BitLocker enterprise compliance summary

Column name Description
Managed computers Number of computers that you manage with BitLocker policy.
% Compliant Percentage of compliant computers in your organization.
% Non-compliant Percentage of non-compliant computers in your organization.
% Unknown compliance Percentage of computers with a compliance state that's not known.
% Exempt Percentage of computers exempt from the BitLocker encryption requirement.
% Non-exempt Percentage of computers not exempt from the BitLocker encryption requirement.
Compliant Count of compliant computers in your organization.
Non-compliant Count of non-compliant computers in your organization.
Unknown compliance Count of computers with a compliance state that's not known.
Exempt Count of computers that are exempt from the BitLocker encryption requirement.
Non-exempt Count of computers that aren't exempt from the BitLocker encryption requirement.

Recovery audit report

Note

This report is only available from the BitLocker administration and monitoring website.

Use this report to audit users who have requested access to BitLocker recovery keys. You can filter on the following criteria:

  • A specific type of user, for example, a help desk user or an end user
  • If the request failed or was successful
  • The specific type of key requested: Recovery Key Password, Recovery Key ID, or TPM Password Hash
  • A date range during which the retrieval occurred

Example screenshot of BitLocker Recovery audit report

Column name Description
Request date and time Date and time that an end user or help desk user requested a key.
Audit request source The site from where the request came. Valid values are Self-Service Portal or Helpdesk.
Request result Status of the request. Valid values are Successful or Failed.
Helpdesk user The administrative user who requested the key. If a helpdesk admin recovers the key without specifying the user name, the End User field is blank. A standard helpdesk user must specify the user name, which appears in this field. For recovery via the self-service portal, this field and the End User field display the name of the user making the request.
End user Name of the user who requested key retrieval.
Computer Name of the computer that was recovered.
Key type Type of key that the user requested. The three types of keys are:

- Recovery key password: used to recover a computer in recovery mode
- Recovery key ID: used to recover a computer in recovery mode for another user
- TPM password hash: used to recover a computer with a locked TPM
Reason description Why the user requested the specified key type, based upon the option they selected in the form.