Microsoft BitLocker Administration and Monitoring

Welcome to the Microsoft BitLocker Administration and Monitoring customer feedback site! Please submit your ideas or vote for one of the current features suggested below. The engineering team is actively monitoring the site and we want to hear from you!


  • Provide computers' history of changes

    For investigations, I am often confronted with the need to determine when a specific computer has been encrypted for the first time and all the modifications that have been done since that time (protection suspension, etc.).

    Today with MBAM, we can only retrieve the computer's very last information. It would be great to save audit changes any time some characteristic (on the compliance side) of a machine changes.
    A new report displaying this information per machine would be great then.

    39 votes

      Can you explain more why the history of changes would be helpful for auditors? If a machine was lost or stolen, wouldn't the last state be the one you cared about?

  • Provide better information on how to back up and restore MBAM databases

    Documentation could be much better on the backup and restore topic.

    9 votes

  • Add PIN change to group policy

    Allow the customer to define whether they want to enforce a PIN expiration.

    Allow the deployment team to encrypt the drive; the policy would then cause a user to input a PIN on first use,

    based on the 30/60/90 or custom quantity of days in the policy.

    58 votes

  • Provide an easy-to-use DB cleanup tool

    Over time, as users and machines change, there should be an easy-to-use tool to report on inactive machines and perform a cleanup, or even a tool which allows techs to enter a machine name to remove all traces of it from the DB, if desired.

    12 votes

  • Allow monitoring of workgroup machines

    Allow monitoring of workgroup (non-domain) machines.

    5 votes

  • Document the SSRS reports customization for large enterprises

    Allow defining the report scope by definable categories to allow federation based on roles. Example: a report based on region, country, site and role...

    7 votes

  • Identify TPM Owner Hash by hardware ID

    Currently the TPM hash is identified by the computer name, which could change. I think it would be better to use a hardware ID like the serial number or UUID instead. Computer names can change, and during a rebuild with a computer name change you do not even get a new TPM Owner Hash, because the TPM is already owned (the only way to come around this is to clear the TPM during the rebuild; unfortunately you get Physical Presence BIOS prompts by doing so, so this is not as "unattended" as required).

    10 votes

  • Integrate DRA into installation requirements and planning

    DRA should be in the planning and install considerations; today no best practices are available.

    3 votes

  • Customizable challenge/PIN screen for all supported OSes

    Currently no legal notice can be addressed, and URL links need to be customizable for an enterprise with language support.

    2 votes

  • Add hardware readiness checks

    Allow customers to define the hardware BIOS versions they would like to support and security chip configuration compliance outside of PCR checks. Sometimes the physical presence for provisioning needs to be disabled in order to allow an automated build to proceed. MBAM checks for power; why not a customer-defined whitelist, at MBAM client install, as a prerequisite check?

    This can save customers from hours of work per model they support with BitLocker.

    2 votes

  • Client-side diagnostic for escrow of TPM and drive keys

    Today an install can occur and the drive escrows, but the TPM could fail, and it is too late to detect an issue until after a system registers to the SQL DB.

    There should be a check, when using the TPM as a protector, that this is verified before you begin encryption.

    2 votes

  • MBAM SQL backup/extract procedure or tool prior to SQL cleanup for aged systems in the DB

    Create a safety net so the SQL DB can be cleaned up, even if admins do not have a highly redundant environment for dev or test.

    This would help admins perform safe cleanups versus not performing this maintenance in these environments.

    1 vote

  • Multi-OS-based policy: TPM or TPM+PIN

    As new hardware becomes more secure, admins will need to create multi-level, OS-specific policies: one policy for the enterprise to allow a combination of supported configurations. Extend what's been done for UEFI and legacy systems, versus multiple policies and multiple sub-OUs.

    1 vote

  • Automate notification for non-compliance

    There should be automation in the process of finding the cause for the non-compliance of a machine. There should be a method so that the administrators can know the reason for the non-compliance easily enough. If a machine is non-compliant, the MBAM admin can receive a notification about the non-compliance and the reason for it.

    17 votes

  • Ability to create device exceptions

    Other encryption solutions allow the ability to add exceptions for single devices (e.g. a specific USB device) or groups of devices (e.g. all USB drives of a certain make/model). I believe it's based on hardware IDs or something else that's unique to each device/group.

    101 votes

  • USB device MBAM client support

    Currently the MBAM Client 2.5 does not have any activity in encrypting USB sticks, even if Removable Media policies are configured. USB stick encryption must be done manually with the OS BitLocker control, and it requires printing out the recovery key, since AD recovery is not used because we have MBAM. Printing out the recovery key is problematic and a security risk for end users.

    15 votes

  • Client, Server and Setup general improvements

    I think that a lot of functionalities are lacking in the Client and Server. The work for whoever is implementing MBAM could be greatly simplified by some additions.

    Client:
    - A 'Status' tab which shows what the client has sent to the MBAM server, how long ago it sent it, and whether communications to the server were OK in the last x hours.
    - A list of users that have been associated with the computer, so that you know who can request the key in the self-service site (this is maybe useless, but it might be good for debugging purposes).

    Server: …

    38 votes

      Hi Miguel, it sounds like you want improved diagnostics. Great feedback. Can you provide more information about the challenges with Setup? You mention confusing online instructions, etc. Can you provide some examples?

  • Client install dependencies

    We run into issues with Visual Studio assemblies (redistributable package) updates for the latest MBAM 2.5 client. In the default install, some library is blocked by HP software preinstalled with some drivers. It would be nice if a working set of dependencies, or some troubleshooting of this type, were written in the knowledge base. After running, the client only silently fails in this scenario.

    1 vote

  • Add compliance reporting for BitLocker To Go devices in MBAM

    Right now, MBAM does not report on compliance for BitLocker To Go devices, specifically USB-based devices. I am aware of the GPO to set the devices to read-only if they are not encrypted; however, reporting on compliance in terms of what IS encrypted/unencrypted would be helpful for customers that have strict regulatory compliance audits.

    25 votes
    under review

  • What about a diagnostic tool for client-side troubleshooting?

    I think that a user-friendly tool dedicated to MBAM/BitLocker, more explicit than the EventLog or other log files, can help IT to resolve these cases:
    - Why does encryption not start?
    - Is my MBAM server up and ready to escrow the key?
    - Are there existing GPO/Regedit conflicting settings?
    - Is reporting OK?
    - etc.

    Regards,
    Jean-Baptiste

    80 votes