Introduction
Microsoft have been hard at work adding MBAM (Microsoft BitLocker Management and Monitoring) features natively to Microsoft Endpoint Manager Configuration Manager, and those features have been improved since they were first released, with bug fixes and new features added over time.
Initially, when TP1905 shipped with MBAM integrated, there was a lot of excitement about this new integration within ConfigMgr. It finally brought together native integration of MBAM within ConfigMgr for on premises devices. However, reporting capabilities were not included.
A brief history of my MBAM reporting experiences in ConfigMgr
In a later Technical Preview (TP1909), reporting ability was added to the Reporting node in ConfigMgr and I blogged about that here. That release contained a bunch of reports for MBAM located in the Reporting node shown below.
Sadly however when I tried to run any of them I got an error:
Microsoft.Reporting.WinForms.ReportServerException
An error has occurred during report processing. (rsProcessingAborted)
Stack Trace:
at Microsoft.Reporting.WinForms.ServerReport.ServerUrlRequest(Boolean isAbortable, String url, Stream outputStream, String& mimeType, String& fileNameExtension)
at Microsoft.Reporting.WinForms.ServerReport.InternalRender(Boolean isAbortable, String format, String deviceInfo, NameValueCollection urlAccessParameters, Stream reportStream, String& mimeType, String& fileNameExtension)
at Microsoft.Reporting.WinForms.AsyncMainStreamRenderingOperation.RenderServerReport(ServerReport report)
at Microsoft.Reporting.WinForms.AsyncRenderingOperation.PerformOperation()
at Microsoft.Reporting.WinForms.ReportViewer.AsyncReportOperationWrapper.PerformOperation()
at Microsoft.Reporting.WinForms.ProcessingThread.ProcessThreadMain(Object arg)
I alerted the Microsoft Product Group about this and a known issue was appended to the release notes, however the suggested workaround didn’t solve my reporting issues.
I continued to work with the Microsoft Product Group and particularly Frederic Mokren (thanks Frederic) until we figured out my issues.
First of all I could see the issue with reading reports in the above screenshots, but further digging revealed permission denied errors on the ConfigMgr database. This was solved by changing the permissions of the ConfigMgr reporting services reporting point user windowsnoob\CM_SR to have db_datareader on the CM database.
And below is the user account in question.
These fixes should be included in the production releases of the same, so hopefully you won’t encounter the problems that I did.
Server side reports
So let’s take a look at the reports for BitLocker Management in ConfigMgr. The reports are found in the Monitoring workspace under BitLocker Management and currently there are 5 (including the audit report in the language specific sub folder).
Note: The reports in this blog post won’t have much data as this is a lab and you are limited to the number of active clients in Technical Preview releases.
- BitLocker Computer Compliance
- BitLocker Enterprise Compliance Dashboard
- BitLocker Enterprise Compliance Details
- BitLocker Enterprise Compliance Summary
- Recovery Audit Report
BitLocker Computer Compliance
When running the BitLocker Computer Compliance report you are prompted for a computer name.
The BitLocker Computer Compliance Report provides detailed encryption information about each drive on a computer (operating system and fixed data drives). It also provides an indication of the policy that is applied to each drive type on the computer.
After running you should get some data back, such as the below.
Note: In the above report are some additional columns that are not shown in the screenshot, but in the actual report you can scroll right to see that data.
If however you only see an error stating “Error: MBAM view(s) are missing” then trigger a hardware inventory (HINV) cycle on the client(s).
BitLocker Enterprise Compliance Dashboard
In the BitLocker Enterprise Compliance Dashboard, you’ll be prompted to enter the collection ID of the collection (of computers targeted with a BitLocker Compliance policy) that you want to check compliance of. The BitLocker Enterprise Compliance Dashboard provides several graphs, which show BitLocker compliance status across the enterprise.
If all of your computers are non-compliant (such as the one computer in this report below) it will appear in red.
and after fixing my compliance issues…
BitLocker Enterprise Compliance Details
The BitLocker Enterprise Compliance Details report provides details about your targeted computers and allows you to sort by certain data values for:
- Compliance Status
- Error Status
Selecting the Compliance status option gives you further search criteria.
Once you’ve defined the search criteria (and collection id) the report is displayed by clicking on View Report.
BitLocker Enterprise Compliance Summary
The BitLocker Enterprise Compliance Summary is just that, it’s a summary of your BitLocker Enterprise Compliance. You’ll need to enter a collection ID so that it can gather data for that BitLocker policy targeted collection.
I only have one computer reporting data currently in this lab and it’s decrypting as I speak, so naturally it’s non-compliant. But here’s a view of my summary.
and the same report looks like this when my devices are compliant
Recovery Audit Report
The Recovery Audit Report is a special report in the language specific (e.g. en-us) sub folder of BitLocker Management. This report allows you to see which of your help desk users revealed keys to specific users, so it’s a great tracking tool.
It’s also special in that (at least in my lab) the ConfigMgr reporting services reporting point user needed db_owner in order to generate the report without error. The data in this report is derived from a help desk user (or advanced user) submitting a new help desk request as described in a previous blog post here.
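The two permission changes above (db_datareader on the CM database for the reports, and db_owner for the Recovery Audit Report in the lab) are easy to lose track of, so here is an added PowerShell check, not from the original post, that lists the database roles the reporting services point account actually holds and optionally adds db_datareader if it is missing. It assumes the SqlServer module (Invoke-Sqlcmd), that the account already exists as a database user, and placeholder server and database names.

```powershell
# Added example (not from the original post): verify the database roles held by
# the ConfigMgr reporting services point account on the site database.
# Assumptions: SqlServer module installed; caller can read sys.database_role_members;
# server and database names below are placeholders for your environment.
param(
    [string]$SqlServer = 'CM01.windowsnoob.lab',   # placeholder: site database server
    [string]$Database  = 'CM_P01',                 # placeholder: site database name
    [string]$Account   = 'windowsnoob\CM_SR',      # reporting services point account from the post
    [switch]$GrantDataReaderIfMissing              # remediation is opt-in
)

# Escape single quotes so the account name is safe inside the T-SQL literal.
$safeAccount = $Account.Replace("'", "''")

$query = @"
SELECT r.name AS RoleName
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name = '$safeAccount';
"@

$roles = @(Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query |
           ForEach-Object { $_.RoleName })

if ($roles.Count -eq 0) {
    Write-Warning "$Account holds no database roles in $Database (or has no database user there)."
}
$roles | ForEach-Object { "{0} is a member of {1}" -f $Account, $_ }

if ($roles -contains 'db_datareader') {
    "OK: db_datareader present, which the BitLocker Management reports need."
}
if ($roles -contains 'db_owner') {
    # The post only needed db_owner for the Recovery Audit Report; it is far broader
    # than db_datareader, so it is worth knowing this account has it.
    Write-Warning "db_owner present: review whether this is still required."
}

if ($GrantDataReaderIfMissing -and ($roles -notcontains 'db_datareader')) {
    # ALTER ROLE ... ADD MEMBER requires the database user to exist already.
    $grant = "ALTER ROLE db_datareader ADD MEMBER [$Account];"
    Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $grant
    "Added $Account to db_datareader in $Database."
}
```

Run it as a SQL login that can read role membership; re-run after the grant to confirm the membership shows up.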
Client side report
You can generate an XML report using the Configuration Manager client agent: on the Configurations tab shown below, select the BitLocker Compliance policy targeted at the computer. It will list the policy name, what revision it is (which is useful when you change settings in ConfigMgr itself), when it was last evaluated and whether it’s compliant or not.
To view the report, click on View Report. The report below is from a client in non-compliant state.
You can then drill down further into this report to see what’s the issue.
Once you’ve resolved the compliance issues, it should register as compliant, as in this XML.
So that’s it for this blog post, I’ll update it over the coming days with some more insights as I get time.
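The policy name, revision, last evaluation time and compliance state shown on the Configurations tab are exposed by the client’s WMI namespace, so here is an added PowerShell example (not from the original post) that reads them on the client and can also kick off the hardware inventory cycle that fixes the “MBAM view(s) are missing” report error mentioned earlier. It assumes the BitLocker policy’s display name contains “BitLocker” and that it is run elevated on the client.

```powershell
# Added example (not from the original post): read the client-side BitLocker
# compliance state that the Configuration Manager client's Configurations tab
# shows, and optionally trigger a hardware inventory (HINV) cycle.
# Assumption: the BitLocker Compliance policy's display name contains "BitLocker".
param(
    [string]$NameFilter = 'BitLocker',
    [switch]$TriggerHardwareInventory
)

# ComplianceState values we rely on from SMS_DesiredConfiguration (root\ccm\dcm);
# anything else is shown as its raw number rather than guessed at.
$stateText = @{ 0 = 'Non-compliant'; 1 = 'Compliant' }

$baselines = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration |
    Where-Object { $_.DisplayName -like "*$NameFilter*" }

if (-not $baselines) {
    Write-Warning "No configuration baseline matching '*$NameFilter*' is assigned to this client yet."
}

foreach ($b in $baselines) {
    $state = [int]$b.ComplianceState
    [pscustomobject]@{
        Policy        = $b.DisplayName
        Revision      = $b.Version          # changes when the policy is edited in ConfigMgr
        LastEvaluated = $b.LastEvalTime
        Compliance    = if ($stateText.ContainsKey($state)) { $stateText[$state] } else { "Other ($state)" }
    }
}

if ($TriggerHardwareInventory) {
    # Schedule {00000000-0000-0000-0000-000000000001} is the client's Hardware Inventory Cycle;
    # the next inventory populates the MBAM views the server-side reports read from.
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000001}' } | Out-Null
    "Hardware inventory cycle triggered."
}
```

Run it without the switch to just read the state; add -TriggerHardwareInventory after fixing a non-compliant device so the server-side reports pick up the change.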
Related reading
- https://www.niallbrady.com/2019/10/07/how-does-key-rotation-work-in-mbam-integrated-with-sccm/
- https://www.niallbrady.com/2019/10/06/how-can-you-use-the-help-desk-feature-when-mbam-is-integrated-within-sccm/
- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2
- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25
- On-premises BitLocker management using System Center Configuration Manager
- How can I get BitLocker Recovery Keys from the ConfigMgr database
- How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
- https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329