Windows Server

Enterprise Compliance, Computer Compliance, and Recovery Audit Report: Understanding the Microsoft BitLocker Administration and Monitoring (MBAM) reports fields

MBAM-Reports

Microsoft BitLocker Administration and Monitoring (MBAM) generates various reports to monitor BitLocker usage and compliance. To access the Reports feature of MBAM, open the MBAM administration website. Select Reports in the navigation pane. Then, in the main content pane, click the tab for your report type: Enterprise Compliance Report, Computer Compliance Report, Recovery Audit Report, or Volume Report. In addition, this topic also includes detailed information to help understand MBAM reports. In this guide, I will be discussing the MBAM Enterprise Compliance Reports, Computer Compliance Reports, and Recovery Audit Reports.

To access the Reports feature of Microsoft BitLocker Administration and Monitoring, open a web browser and open the Administration and Monitoring Website as shown in the image below. Select Reports in the left menu bar and then select from the top menu bar the kind of report that you want to generate. Kindly refer to these related guides: How to create MBAM Enterprise and Compliance, and Recovery Audit reports, how to resolve “MBAM reports cannot be accessed because it could not load folder contents“, how to analyze group policies applied to a user and computer account, and how to determine why an MBAM protected device is non-compliant.

Screenshot-2022-02-02-at-23.53.39

To run the reports, you must be a member of the Report Users Role on the servers where the “Administration and Monitoring Server,” “Compliance and Audit Reports,” and “Compliance Status Database” features are installed. This article does not address the “Configuration Manager topology”.

If you chose the stand-alone topology when installing Microsoft BitLocker Administration and Monitoring (MBAM), you can run different reports in MBAM to monitor BitLocker usage and compliance. MBAM reports compliance and other information about all of the computers and devices it manages. The information in this topic can be used to help you understand the Microsoft BitLocker Administration and Monitoring reports for enterprise and Computer (Individual) Compliance and for key recovery activity.

Enterprise Compliance Report

An Enterprise Compliance Report provides information on overall BitLocker compliance in your organization. Use this report type to collect information on overall BitLocker compliance in your organization. There are available filters for this report that allow you to narrow your search results according to Compliance state and Error status. This report runs every six hours.

Use this report type to collect information on overall BitLocker compliance in your organization. You can use different filters to narrow your search results to Compliance state and Error status. The report information is updated every six-hour.

Enterprise Compliance Report fields

Column NameDescription
Computer NameThe user-specified DNS name is being managed by MBAM.
Domain NameThe fully qualified domain name where the client computer resides and is managed by MBAM.
Compliance StatusThe state of compliance for the computer, according to the policy specified for the computer. The possible states are Noncompliant and Compliant. For more information, see Enterprise Compliance Report Compliance States in this topic.
ExemptionThe state of the computer hardware for determining the identification of the hardware type and whether the computer is exempt from policy. There are three possible states: Hardware Unknown (the hardware type has not been identified by MBAM), Hardware Exempt (the hardware type was identified and was marked as exempt from MBAM policy), and Not Exempt (the hardware was identified and is not exempt from policy).
Device UsersKnown users on the computer that is being managed by MBAM.
Compliance Status DetailsError and status messages about the compliance state of the computer in accordance to the specified policy.
Last ContactDate and time when the computer last contacted the server to report compliance status. This time is configurable. See MBAM policy settings.

Enterprise Compliance Report Compliance states

Compliance StatusExemptionDescriptionUser Action
NoncompliantNot ExemptThe computer is non-compliant according to the specified policy, and the hardware type has not been indicated as exempt from the policy.Click Computer Name to expand the Computer Compliance Report and determine whether the state of each drive complies with the specified policy. If the encryption state indicates that the computer is not encrypted, encryption might still be in process, or there might be an error on the computer. If there is no error, the likely cause is that the computer is still in the process of connecting or establishing the encryption status. Check back later to determine if the state changes.
CompliantNot ExemptThe computer is compliant in accordance with the specified policy.No Action is needed. Optionally, you can view the Computer Compliance Report to confirm the state of the computer.
CompliantHardware ExemptIf the Hardware type is exempt. Regardless of how the policy is set or the individual status of each hard drive, the overall state is considered to be compliant.No action is needed.
CompliantHardware UnknownMBAM recognizes the hardware type, but MBAM does not know whether it is exempt or not exempt. This occurs if the administrator has not set the Compatible status for the hardware. Therefore, MBAM reverts to Compliant status by default.This is the initial state of a newly deployed MBAM client. It is typically only a transient state. Even if the administrator has marked the Hardware as Compatible, there can be a significant delay or configurable wait time before the client computer reports back in. Make note of the time of Last Contact, and check in again after the specified interval to see if the state has changed. If the state has not changed, there may be an error for this computer or hardware type.

Computer Compliance Report

The Computer Compliance Report displays information that is specific to a computer or user. This report can be viewed by clicking the computer name in the Enterprise Compliance Report, or by typing the computer name in the Computer Compliance Report. The Computer Compliance Report provides detailed encryption information and applicable policies for each drive on a computer, including operating system drives and fixed data drives. To view the details of each drive, expand the Computer Name entry.

Note!

Removable Data Volume encryption status will not be shown in the report.

Note   This report does not provide encryption status for Removable Data Volumes

Computer Compliance Report fields

Column NameDescription
Computer NameThe user-specified DNS computer name is being managed by MBAM.
Domain NameThe fully qualified domain name where the client computer resides and is managed by MBAM.
Computer TypeThe portability type of computer. Valid types are non-Portable and Portable.
Operating SystemOperating System type installed on the MBAM managed client computer.
Compliance StatusThe overall Compliance Status of the computer is managed by MBAM. Valid states are Compliant and Noncompliant. While it is possible to have Compliant and Noncompliant drives in the same computer, this field indicates the overall computer compliance per specified policy.
Policy Cypher StrengthThe Cipher Strength was selected by the Administrator during the MBAM policy specification. For example, 128-bit with Diffuser
Policy Operating System DriveIndicates whether encryption is required for the O/S and the protector type as applicable.
Policy Fixed Data DriveIndicates whether encryption is required for the Fixed Drive.
Policy Removable Data DriveIndicates whether encryption is required for the Removable Drive.
Device UsersProvides the identity of known users on the computer.
ExemptionIndicates whether the computer hardware type is recognized by MBAM and, if known, whether the computer has been indicated as exempt from the policy. There are three states: Hardware Unknown (the hardware type has not been identified by MBAM); Hardware Exempt (the hardware type was identified and was marked as exempt from MBAM policy); and Not Exempt (the hardware was identified and is not exempt from the policy).
ManufacturerThe computer manufacturer’s name as it appears in the computer BIOS.
ModelThe computer manufacturer model name as it appears in the computer BIOS.
Compliance Status DetailsError and status messages of the compliance state of the computer in accordance with the specified policy.
Last ContactDate and time that the computer last contacted the server to report compliance status. T

Computer Compliance Report Drive fields

Use this report type to collect information that is specific to a computer or user. This report can be viewed by clicking the computer name in the Enterprise Compliance Report, or by typing the computer name in the Computer Compliance Report. The Computer Compliance Report provides detailed encryption information about each drive (operating system and fixed data drives) on a computer, and also an indication of the policy that is applied to each drive type on the computer. To view the details of each drive, expand the Computer Name entry.

Removable Data Volume encryption status will not be shown in the report.

This report can help you audit changes to the Hardware Compatibility status of specific computer makes and models. To help you narrow your search results, this report includes filtering on criteria such as type of change and time of occurrence. Each state change is tracked by user and date and time. The Hardware Type is automatically populated by the MBAM agent that runs on the client computer. This report tracks user changes to the information collected directly from the MBAM managed computer. A typical administrative change is changing from Compatible to incompatible. However, the administrator can also revise any field.

Recovery Audit Report

The Recovery Audit Report can help you audit users who have requested access to recovery keys. The filter criteria for this report include the type of user making the request, type of key requested, time of occurrence, success or fail, time of occurrence, and type of user requesting (help desk, end-user). This report enables administrators to produce contextual reports based on need.

Recovery Audit Report Fields

Column NameDescription
Request Date and TimeThe date and time that a key retrieval request was made by an end-user or help desk user.
Request StatusStatus of the request. Valid statuses are either Successful (the key was retrieved) or Failed (the key was not retrieved).
Helpdesk UserThe help desk user who initiated the request for key retrieval. If the help desk user retrieves the key on behalf of an end-user, the End User field will be blank.
UserThe end-user who initiated the request for key retrieval.
Key TypeThe type of key that was requested. MBAM collects three key types: Recovery Key Password (to recover a computer in recovery mode); Recovery Key ID (to recover a computer in recovery mode on behalf of another user); and Trusted Platform Module (TPM) Password Hash (to recover a computer with a locked TPM).
Reason DescriptionThe reason that the specified Key Type was requested. The reasons are specified in the Drive Recovery and Manage TPM features of the Administrative website. Valid entries include user-entered text or one of the following reason codes: Operating System Boot Order changedBIOS changed operating System files changed lost Startup key lost PINTPM ResetLost PassphraseLost SmartcardReset PIN lockout turns on TPMTurn off TPMChange TPM password clear TPM

Note   To save report results to a file, click the Export button on the reports menu bar. I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x