How to query the number of times a device has successfully requested the BitLocker recovery key via MBAM


Userlevel 7
Badge +9

In this article, I will be sharing a script that will enable you to query the BitLocker recovery key from the MBAM reporting services. I have written a guide on how to query MBAM to display the report for BitLocker Recovery for a specified period of time. In this way, you will be able to save the report as a CSV file that we will later query in order to determine the number of times a device has been recovered via the MBAM help-desk or Self-service recovery.

If you would like to set up Microsoft BitLocker Administration and Monitoring, please see this link.

Upon downloading the BitLocker Recovery CSV file, kindly save it in your desired location. You can also configure the reporting services to automatically save this report for you. Here is a guide on how to go about this: “MBAM reports automatic E-mail notification: How to create MBAM Enterprise and Compliance, and Recovery Audit reports”. The process is similar, and you just have to change the destination (delivery method).

When this is done, you have to create a script that will query the CSV file in order to get your desired results. Below is the Python script, which can be tweaked to suit your needs.

import csv
import datetime
from collections import defaultdict

# Get the current date and time
current_date = datetime.datetime.now()

# Calculate the date six months ago
six_months_ago = current_date - datetime.timedelta(weeks=27)

# Open the CSV file
with open("C:\\Users\\xxx\\Documents\\RecoveryAudit\\Recovery Audit Report.csv", 'r') as file:
    reader = csv.reader(file)
    # Skip the header row
    next(reader)
    # Keep track of success events by computer name
    success_by_computer = defaultdict(int)
    total_by_computer = defaultdict(int)
    for row in reader:
        # %I (12-hour clock) is needed for %p (AM/PM) to take effect
        event_date = datetime.datetime.strptime(row[0], '%m/%d/%Y %I:%M:%S %p')
        if event_date >= six_months_ago:
            computer_name = row[5]
            total_by_computer[computer_name] += 1
            if row[2] == "Successful":
                success_by_computer[computer_name] += 1

# Calculate the rate of success for each computer
rates = {}
for computer_name, success_count in success_by_computer.items():
    total_count = total_by_computer[computer_name]
    rates[computer_name] = success_count / total_count

# Print the computers that have successfully requested BitLocker recovery keys more than once in the past six months
count = 0
print("Computers that have requested BitLocker recovery keys more than once in the last six months:")
for computer_name, success_count in success_by_computer.items():
    # "More than once" means at least two successful requests
    if success_count > 1:
        count += 1
        print("{}: {} times".format(computer_name, success_count))

print("Number of computers: ", count)

This will display the result in the terminal. But if you wish to send the report to a shared folder, you will have to customise this script. You can also include this in a scheduled task. I have an article I am currently compiling, and when this is done, I will add the link to this post.
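Added example (not part of the original post): the same count written as a function and run over constructed rows, so the AM/PM handling and malformed rows can be checked before pointing it at a real report. The column positions (0 = request time, 2 = result, 5 = computer name) are taken from the script above; the header names, the sample rows and the function name `successful_recoveries` are assumptions made for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample report. Column positions match the script above
# (0 = request time, 2 = result, 5 = computer name); header names are assumed.
SAMPLE = """Request Date,User,Result,Key Type,Reason,Computer
01/10/2023 09:15:00 AM,help1,Successful,Recovery Key,Lost PIN,PC-001
01/12/2023 01:30:00 PM,help1,Successful,Recovery Key,BIOS update,PC-001
01/12/2023 02:00:00 PM,self,Failed,Recovery Key,Lost PIN,PC-002
01/13/2023 11:45:00 PM,self,Successful,Recovery Key,Lost PIN,pc-002
not a date,self,Successful,Recovery Key,Lost PIN,PC-003
06/01/2022 10:00:00 AM,help2,Successful,Recovery Key,Lost PIN,PC-001
"""

def successful_recoveries(report, now, window, min_count=1):
    """Return ({computer: successful requests in the window}, skipped_rows)."""
    cutoff = now - window
    counts, skipped = Counter(), 0
    reader = csv.reader(report)
    next(reader, None)  # skip the header row; tolerate an empty file
    for row in reader:
        try:
            # %I (12-hour clock) is required for %p to apply AM/PM;
            # with %H, "11:45:00 PM" would be read as 11:45 in the morning.
            when = datetime.strptime(row[0].strip(), "%m/%d/%Y %I:%M:%S %p")
            result, computer = row[2].strip(), row[5].strip().upper()
        except (ValueError, IndexError):
            skipped += 1  # malformed or short row: report it instead of crashing
            continue
        if cutoff <= when <= now and result == "Successful":
            counts[computer] += 1
    return {c: n for c, n in counts.items() if n >= min_count}, skipped

if __name__ == "__main__":
    now = datetime(2023, 1, 14)  # fixed "now" so the run is reproducible
    found, skipped = successful_recoveries(io.StringIO(SAMPLE), now, timedelta(weeks=2))
    for computer, n in sorted(found.items()):
        print("{}: {} successful request(s)".format(computer, n))
    print("Rows skipped as unparseable:", skipped)
```

Passing `min_count=2` limits the result to devices whose key was handed out more than once in the window, which are the ones worth a closer look.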


6 comments

Userlevel 7
Badge +20

Very interesting share. I like seeing things non-backup-related, and BitLocker is interesting.

Userlevel 7
Badge +9

Absolutely 💯 

Userlevel 7
Badge +17

Interesting share, I did not do many queries with BitLocker up to now.

Userlevel 7
Badge +9

As promised, I have an up-to-date script that is capable of querying the CSV file imported from the SQL Reporting Services for the number of times a device has requested the BitLocker key from the Self-service portal or Helpdesk. The output will not be displayed in the terminal this time, but will be saved to a text file. This is the sole difference between the previous script and this.

import csv
import datetime
from collections import defaultdict

# Get the current date and time
current_date = datetime.datetime.now()

# Calculate the date two weeks ago
two_weeks_ago = current_date - datetime.timedelta(weeks=2)

# Open the CSV file
with open("//xxxx/xxxx//audit/imported.csv", 'r') as file:
    reader = csv.reader(file)
    # Skip the header row
    next(reader)
    # Keep track of success events by computer name
    success_by_computer = defaultdict(int)
    total_by_computer = defaultdict(int)
    for row in reader:
        # %I (12-hour clock) is needed for %p (AM/PM) to take effect
        event_date = datetime.datetime.strptime(row[0], '%m/%d/%Y %I:%M:%S %p')
        if event_date >= two_weeks_ago:
            computer_name = row[5]
            total_by_computer[computer_name] += 1
            if row[2] == "Successful":
                success_by_computer[computer_name] += 1

# Calculate the rate of success for each computer
rates = {}
for computer_name, success_count in success_by_computer.items():
    total_count = total_by_computer[computer_name]
    rates[computer_name] = success_count / total_count

# Collect the computers that have successfully requested BitLocker recovery keys more than once in the past two weeks
count = 0
output = "Computers that have requested BitLocker recovery keys more than once in the last two weeks:\n"
for computer_name, success_count in success_by_computer.items():
    # "More than once" means at least two successful requests
    if success_count > 1:
        count += 1
        output += "{}: {} times\n".format(computer_name, success_count)

output += "Number of computers: {}\n".format(count)

# Save the output to a text file
with open("//xxxxyourUNCpath//RecoveryKeyRequest.txt", 'w') as file:
    file.write(output)

 

Userlevel 7
Badge +20

Awesome update!  👌🏼

Userlevel 7
Badge +9

Thank you @Chris.Childerhose 
