Jump to content


anyweb

A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager

By anyweb, in System Center Configuration Manager (Current Branch)

Recommended Posts

anyweb Proficient

anyweb

Posted
Posted

Introduction

Microsoft have been hard at work adding MBAM (Microsoft BitLocker Management and Monitoring) features natively to Microsoft Endpoint Manager Configuration Manager, and those features have been improved since they were first released, with bug fixes and new features added over time.

Initially, when TP1905 shipped with MBAM integrated, there was a lot of excitement about this new integration within ConfigMgr. It finally brought together native integration of MBAM within ConfigMgr for on premises devices. However, reporting capabilities were not included.

A brief history of my MBAM reporting experiences in ConfigMgr

In a later Technical Preview (TP1909), reporting ability was added to the Reporting node in ConfigMgr and I blogged about that here. That release contained a bunch of reports for MBAM located in the Reporting node shown below.

bitlocker-reports.pngSadly however when I tried to run any of them I got an error, I alerted the Microsoft Product Group about this and a known issues was appended to the release notes, however the suggested workaround didn’t solve my reporting issues.

crashed-report.pngI continued to work with Microsoft Product Group and particularly Frederic Mokren (thanks Frederic) until we figured out my issues.

First of all I could see the issue with reading reports in the above screenshots, but further digging revealed permission denied errors on the ConfigMgr database. This was solved by changing the permissions of the ConfigMgr reporting services reporting point user windowsnoob\CM_SR  to have db_datareader on the CM database.

db_datareader.pngAnd below is the user account in question.

cm_sr-user.pngThe above changes should have been implemented in production releases of the same so hopefully you won’t encounter the problems that I did.

Server side reports

So let’s take a look at the reports for BitLocker Management in ConfigMgr.  The reports are found in the Monitoring workspace under BitLocker Management and currently there are 5 (including the audit report in the language specific sub folder).

Note: The reports in this blog post won’t have much data as this is a lab and you are limited to the number of active clients in Technical Preview releases.

  • BitLocker Computer Compliance
    BitLocker Enterprise Compliance Dashboard
    BitLocker Enterprise Compliance Details
    BitLocker Enterprise Compliance Summary
    Recovery Audit Report

BitLocker Computer Compliance

When running the BitLocker Computer Compliance report you are prompted for a computer name.

computer-name.pngThe BitLocker Computer Compliance Report provides detailed encryption information about each drive on a computer (operating system and fixed data drives). It also provides an indication of the policy that is applied to each drive type on the computer.

After running you should get some data back, such as the below.

bitlocker-computer-compliance-report.pngNote: In the above report are some additional columns that are not shown in the screenshot, but in the actual report you can scroll right to see that data.

BitLocker Enterprise Compliance Dashboard

In the BitLocker Enterprise Compliance Dashboard, you’ll be prompted to enter a collection ID of the collection (of computers targeted with a Bitlocker Compliance policy) that you want to check compliance of. The BitLocker Enterprise Compliance Dashboard provides several graphs, which show BitLocker compliance status across the enterprise.

If all of your computers are non-compliant (such as the one computer in this report below) it will appear in red.

bitlocker-enterprise-compliance-dashboar

and after fixing my compliance issues…

compliant-in-compliance-dashboard.png

BitLocker Enterprise Compliance Details

The BitLocker Enterprise Compliance Details report provides details about your targeted computers and allows you to sort by certain data values for

  • Compliance Status
  • Error Status

Selecting the Compliance status option gives you further search criteria.

parameter-value.pngas does Error status

error-status.png

Once you’ve defined the search criteria (and collection id) the report is displayed by clicking on View Report.

report-criteria-results.png

BitLocker Enterprise Compliance Summary

The BitLocker Enterprise Compliance Summary is just that, it’s a summary of your BitLocker Enterprise Compliance. You’ll need to enter a collection id so that if can gather data for that BitLocker policy targeted collection.

I only have one computer reporting data currently in this lab and it’s decrypting as I speak, so naturally it’s non-compliant. But here’s a view of my summary.

bitlocker-enterprise-compliance-summary.and the same report looks like this when my devices are compliant

compliant-in-enterprise-compliance-summa

Recovery Audit Report

The Recovery Audit Report is a special report in the language specific (eg: en-us) sub folder of BitLocker Management. This report allows you to see which of your help desk users revealed keys to specific users, so it’s a great tracking tool.

It’s also special in that (at least in my lab) the ConfigMgr reporting services reporting point user needed db_owner in order to generate the report without error. The data in this report is derived from a help desk user (or advanced user) doing a new helpdesk request as described in a previous blog post here.

helpdeskuser-audit.png

Client side report

You can generate an XML report using the Configuration Manager client agent, on the Configurations tab shown below, select the Bitlocker Compliance policy targeted at the computer. It will list the policy name, what revision it is (which is useful when you change settings in ConfigMgr itself), when it was last evaluated and whether it’s compliant or not.

client-agent-configurations-tab.png

To view the report, click on View Report. The report below is from a client in non-compliant state.

compliance-report-in-edge.pngYou can then drill down further into this report to see what’s the issue.

compliance-issue.pngOnce you’ve resolved the compliance issues, it should register as complient such as in this xml

client-side-compliant-report.png

So that’s if for this blog post, I’ll update it over the coming days with some more insights as I get time.

Related reading

 

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.