A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager

Introduction

Microsoft have been hard at work adding MBAM (Microsoft BitLocker Management and Monitoring) features natively to Microsoft Endpoint Manager Configuration Manager, and those features have been improved since they were first released, with bug fixes and new features added over time.

Initially, when TP1905 shipped with MBAM integrated, there was a lot of excitement about this new integration within ConfigMgr. It finally brought together native integration of MBAM within ConfigMgr for on premises devices. However, reporting capabilities were not included.

A brief history of my MBAM reporting experiences in ConfigMgr

In a later Technical Preview (TP1909), reporting ability was added to the Reporting node in ConfigMgr and I blogged about that here. That release contained a bunch of reports for MBAM located in the Reporting node shown below.

Sadly however when I tried to run any of them I got an error:

Microsoft.Reporting.WinForms.ReportServerException
An error has occurred during report processing. (rsProcessingAborted)


Stack Trace:
at Microsoft.Reporting.WinForms.ServerReport.ServerUrlRequest(Boolean isAbortable, String url, Stream outputStream, String& mimeType, String& fileNameExtension)
at Microsoft.Reporting.WinForms.ServerReport.InternalRender(Boolean isAbortable, String format, String deviceInfo, NameValueCollection urlAccessParameters, Stream reportStream, String& mimeType, String& fileNameExtension)
at Microsoft.Reporting.WinForms.AsyncMainStreamRenderingOperation.RenderServerReport(ServerReport report)
at Microsoft.Reporting.WinForms.AsyncRenderingOperation.PerformOperation()
at Microsoft.Reporting.WinForms.ReportViewer.AsyncReportOperationWrapper.PerformOperation()
at Microsoft.Reporting.WinForms.ProcessingThread.ProcessThreadMain(Object arg)

I alerted the Microsoft Product Group about this and a known issues was appended to the release notes, however the suggested workaround didn’t solve my reporting issues.

I continued to work with Microsoft Product Group and particularly Frederic Mokren (thanks Frederic) until we figured out my issues.

First of all I could see the issue with reading reports in the above screenshots, but further digging revealed permission denied errors on the ConfigMgr database. This was solved by changing the permissions of the ConfigMgr reporting services reporting point user windowsnoob\CM_SR  to have db_datareader on the CM database.

And below is the user account in question.

The above changes should have been implemented in production releases of the same so hopefully you won’t encounter the problems that I did.

Server side reports

So let’s take a look at the reports for BitLocker Management in ConfigMgr.  The reports are found in the Monitoring workspace under BitLocker Management and currently there are 5 (including the audit report in the language specific sub folder).

Note: The reports in this blog post won’t have much data as this is a lab and you are limited to the number of active clients in Technical Preview releases.

  • BitLocker Computer Compliance
    BitLocker Enterprise Compliance Dashboard
    BitLocker Enterprise Compliance Details
    BitLocker Enterprise Compliance Summary
    Recovery Audit Report

BitLocker Computer Compliance

When running the BitLocker Computer Compliance report you are prompted for a computer name.

The BitLocker Computer Compliance Report provides detailed encryption information about each drive on a computer (operating system and fixed data drives). It also provides an indication of the policy that is applied to each drive type on the computer.

After running you should get some data back, such as the below.

Note: In the above report are some additional columns that are not shown in the screenshot, but in the actual report you can scroll right to see that data.

If however you only see an error stating “Error: MBAM view(s) are missing” then trigger a hardware inventory (HINV) cycle on the client(s).

 

BitLocker Enterprise Compliance Dashboard

In the BitLocker Enterprise Compliance Dashboard, you’ll be prompted to enter a collection ID of the collection (of computers targeted with a Bitlocker Compliance policy) that you want to check compliance of. The BitLocker Enterprise Compliance Dashboard provides several graphs, which show BitLocker compliance status across the enterprise.

If all of your computers are non-compliant (such as the one computer in this report below) it will appear in red.

and after fixing my compliance issues…

BitLocker Enterprise Compliance Details

The BitLocker Enterprise Compliance Details report provides details about your targeted computers and allows you to sort by certain data values for

  • Compliance Status
  • Error Status

Selecting the Compliance status option gives you further search criteria.

as does Error status

Once you’ve defined the search criteria (and collection id) the report is displayed by clicking on View Report.

BitLocker Enterprise Compliance Summary

The BitLocker Enterprise Compliance Summary is just that, it’s a summary of your BitLocker Enterprise Compliance. You’ll need to enter a collection id so that if can gather data for that BitLocker policy targeted collection.

I only have one computer reporting data currently in this lab and it’s decrypting as I speak, so naturally it’s non-compliant. But here’s a view of my summary.

and the same report looks like this when my devices are compliant

Recovery Audit Report

The Recovery Audit Report is a special report in the language specific (eg: en-us) sub folder of BitLocker Management. This report allows you to see which of your help desk users revealed keys to specific users, so it’s a great tracking tool.

It’s also special in that (at least in my lab) the ConfigMgr reporting services reporting point user needed db_owner in order to generate the report without error. The data in this report is derived from a help desk user (or advanced user) doing a new helpdesk request as described in a previous blog post here.

Client side report

You can generate an XML report using the Configuration Manager client agent, on the Configurations tab shown below, select the Bitlocker Compliance policy targeted at the computer. It will list the policy name, what revision it is (which is useful when you change settings in ConfigMgr itself), when it was last evaluated and whether it’s compliant or not.

To view the report, click on View Report. The report below is from a client in non-compliant state.

You can then drill down further into this report to see what’s the issue.

Once you’ve resolved the compliance issues, it should register as complient such as in this xml

So that’s if for this blog post, I’ll update it over the coming days with some more insights as I get time.

Related reading

 

 

 

 

 

 

 

This entry was posted in 1911, MBAM helpdesk, MBAM SelfService, Reporting. Bookmark the permalink.

2 Responses to A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager

  1. Pingback: Want to learn about MBAM integrated with Microsoft Endpoint Manager Configuration Manager ? | just another windows noob ?

  2. Pingback: Learn about MBAM in Microsoft Endpoint Configuration Manager version 1910 – part 7 Reporting and compliance | just another windows noob ?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.