Microsoft BitLocker Administration and Monitoring

Welcome to the Microsoft BitLocker Administration and Monitoring customer feedback site! Please submit your ideas or vote for one of the current features suggested below. The engineering team is actively monitoring the site and we want to hear from you!


  1. Document the SSRS reports customization for large enterprises

    Allow defining report scope by definable categories to allow federation based on roles. Example: report based on region, country, site and role...

    7 votes
    • Identify TPM Owner Hash by HardwareID

      Currently the TPM Hash is identified by the Computername, which could change. I think it would be better to use a hardwareID like Serial or UUID instead. Computernames can change, and during a rebuild with computername change you do not even get a new TPM Owner Hash, because TPM is already owned (only way to come around this is to clear TPM during rebuild, unfortunately you get Physical Presence BIOS Prompts by doing so, so this is not as "unattended" as required).

      10 votes
      • Integrate DRA to installation requirements and planning

        DRA should be in planning and install considerations; today no best practices are available.

        3 votes
          1 comment  ·  Admin →
        • Customizable challenge /pin screen for all OS supported

          Currently no legal notice can be addressed, and URL links need to be customizable for an enterprise with language support.

          2 votes
          • Add Hardware readiness checks

            Allow customers to define hardware BIOS versions they would like to support and security chip configuration compliance outside of PCR checks. Sometimes the Physical Presence for provisioning needs to be disabled in order to allow an automated build to proceed. MBAM checks for power, so why not a customer-defined whitelist, at MBAM client install, as a prerequisite check...

            This can save customers from hours of work per model they support with BitLocker.

            2 votes
            • Client-side diagnostic for escrow of TPM and drive keys

              Today an install can occur where the drive escrows but the TPM could fail, and it is too late to detect an issue until after a system registers to the SQL DB...

              There should be a check that when using TPM as a protector that this is checked before you begin encryption.

              2 votes
              • MBAM SQL backup / extract procedure or tool prior to SQL cleanup for aged systems in DB

                Create a safety net so SQL DB can be cleaned up and admin can if they do not have a highly redundant environment for dev or test...

                This would help admins perform safe cleanups versus not performing this maintenance in these environments.

                1 vote
                • Multi-OS based policy: TPM or TPM + PIN

                  As new HW becomes more secure, admins will need to create multi-level OS-specific policies... One policy for the enterprise to allow a combination of supported configurations... Extend what's been done for UEFI and legacy systems, versus multiple policies and multiple sub-OUs.

                  1 vote
                  • Automate notification for Non-compliance

                    There should be automation in the process of finding the cause for the non-compliance of the machine. There should be a method so that the administrators can know the reason for the non-compliance easily enough. If a machine is non-compliant, the MBAM Admin can receive a notification about the non-compliance and the reason for it.

                    14 votes
                    • Ability to create device exceptions

                      Other encryption solutions allow the ability to add exceptions for single devices (i.e. a specific USB device) or groups of devices (i.e. all USB drives of a certain make/model). I believe it's based on hardware IDs or something else that's unique to each device/group.

                      95 votes
                      • USB device MBAM client support

                        Currently MBAM Client 2.5 does not have any activity in encrypting USB sticks, even if Removable Media policies are configured. USB stick encryption must be done manually with OS BitLocker control, and it will require printing out the recovery key, since AD recovery is not used because we have MBAM. Printing out the Recovery Key is problematic and a security risk for end-users.

                        15 votes
                        • Client, Server and Setup general improvements.

                          I think that a lot of functionalities are lacking in the Client and Server. The work for whoever is implementing MBAM could be greatly simplified by some additions

                          Client:
                          - 'Status' tab which shows what the client has sent to the MBAM server, how long ago it sent it, if communications are OK to the server in the last x hours.
                          - A list of users that have been associated with the computer so that you know who can request the key in the self service site (this is maybe useless, but it might be good for debugging purposes)

                          Server: …

                          38 votes

                            Hi Miguel, It sounds like you want improved diagnostics. Great feedback. Can you provide more information about the challenges with Setup? You mention confusing online instructions, etc. Can you provide some examples?

                          • Client Install Dependencies

                            We run into issues with Visual Studio Assemblies (Redistribute Package) updates for the latest MBAM 2.5 client. In the default install, some library is blocked by HP Software preinstalled with some drivers. It would be nice if a working set of dependencies, or some troubleshooting of this type, were written in the knowledge base. After running, the client only silently fails in this scenario.

                            1 vote
                              1 comment  ·  Admin →
                            • Add Compliance reporting for BitLocker To Go devices in MBAM.

                              Right now, MBAM does not report on compliance for BitLocker To Go devices, specifically USB-based devices. I am aware of the GPO to set the devices to read only if they are not encrypted, however, reporting on compliance in terms of what IS encrypted/un-encrypted would be helpful for customers that have strict regulatory compliance audits.

                              22 votes
                                under review  ·  1 comment  ·  Admin →
                              • What about a diagnostic tool for client-side troubleshooting?

                                I think that a user-friendly tool dedicated to MBAM/BitLocker, more explicit than EventLog or other log files, can help IT to resolve these cases:
                                - Why does encryption not start?
                                - Is my MBAM server up and ready to escrow the key?
                                - Existing GPO/Regedit conflicting settings?
                                - Is reporting OK?
                                - etc.

                                Regards,
                                Jean-Baptiste

                                80 votes
                                • Provide coherent documentation on how to implement MBAM

                                  The TechNet documentation is a perfect example of how not to structure knowledge. I've never seen anything more fragmented and incoherent. Half the content is represented by pointers to other content.

                                  20 votes
                                  • Multi-Client capability

                                    All companies I have been at in the past with BL and MBAM are asking for this to support different departments inside their AD/company.
                                    So department A should not be able to get keys from department B and so on. This should be solved with one instance of MBAM.

                                    35 votes
                                      under review  ·  1 comment  ·  Admin →
                                    • 9 votes
                                      • 50 votes
                                        • Self-Service Portal on Extranet

                                          My customer doesn’t have 24/7 helpdesk support, so it will be a great feature to allow users to get the BitLocker Recovery Key without an Intranet connection (i.e. supported deployment in DMZ, Extranet, …) with the possibility to support strong authentication with or without ADFS.

                                          15 votes