If you need to identify and extract a list of all devices with BitLocker recovery keys stored in a Univention Active Directory (Univention-AD), the relevant data is located under the msFVE-RecoveryInformation object.
Navigating the LDAP query syntax can sometimes be challenging, but the following search filter will help you efficiently locate the objects that store the msFVE-RecoveryInformation attribute:
(&(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryPassword=*)))
- objectClass=msFVE-RecoveryInformation: This ensures that only objects of the msFVE-RecoveryInformation class, which is specifically used to store BitLocker recovery details, are included in the results.
- msFVE-RecoveryPassword=*: This condition filters the results to include only objects where a BitLocker recovery password is present.
By combining these criteria using the & (AND) operator, the filter returns precisely the objects relevant to your query. This is particularly useful for auditing or managing BitLocker recovery keys within your Univention-AD environment.
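The filter returns recovery objects rather than devices, so a device list still has to be derived from the results. The following added example (not part of the original article) does that from LDIF output that contains only the dn of each match, so no recovery password is ever read. It assumes, as in Microsoft's AD schema, that each recovery object is stored directly beneath its computer object; the sample data and the function names are constructed for illustration.

```python
import base64
import re
from collections import Counter

# Filter from the article; pass it to your LDAP client and request only "dn".
FILTER = "(&(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryPassword=*)))"

# Constructed sample of LDIF output (dn only); names and GUIDs are made up.
SAMPLE_LDIF = """\
dn: CN=2024-01-15T09:12:44-05:00{11111111-2222-3333-4444-555555555555},CN=PC-001,CN=Computers,DC=example,DC=test

dn: CN=2024-03-02T14:01:10-05:00{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},CN=PC-001,CN=Computers,DC=example,DC=test

dn: CN=2024-02-20T08:30:00-05:00{99999999-8888-7777-6666-555555555555},CN=LAPT
 OP-7,OU=Notebooks,DC=example,DC=test
"""

def read_dns(ldif_text):
    """Yield every DN in LDIF text, handling folded lines and base64 ("dn::")."""
    # LDIF continuation lines start with exactly one space.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:].strip()

def parent_dn(dn):
    """Drop the first RDN, splitting only on a comma that is not backslash-escaped."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""

def devices_with_keys(ldif_text):
    """Return {computer DN: number of recovery objects stored beneath it}."""
    return dict(Counter(parent_dn(dn) for dn in read_dns(ldif_text)))

if __name__ == "__main__":
    for device, count in sorted(devices_with_keys(SAMPLE_LDIF).items()):
        print(f"{count}\t{device}")
```

A device with more than one recovery object has had its key rotated or has several protected volumes, which is worth noting during an audit.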