How-To: Extracting a List of Devices with BitLocker Keys Stored in AD

If you need to identify and extract a list of all devices with BitLocker recovery keys stored in a Univention Active Directory (Univention-AD), the relevant data lives in objects of the msFVE-RecoveryInformation class. Each such object holds one recovery password and is created as a child of the computer object it belongs to, so the device name is the parent of the recovery object rather than an attribute on it.

LDAP filter syntax can be fiddly, but the following search filter efficiently locates the objects of the msFVE-RecoveryInformation class that actually carry a recovery password:

(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryPassword=*))
  • objectClass=msFVE-RecoveryInformation: restricts the result to objects of the msFVE-RecoveryInformation class, which exists solely to store BitLocker recovery details.
  • msFVE-RecoveryPassword=*: keeps only objects in which a recovery password is present.

Combining the two criteria with the & (AND) operator returns exactly the objects relevant to the query. Two points matter when you turn the result into a device inventory. First, request only the DN (attribute list 1.1) or the attributes you really need: the device name is the parent of each recovery object and the key's creation time and recovery password ID are already in the object's CN, whereas exporting msFVE-RecoveryPassword itself copies every recovery key into a file that then needs the same protection as the directory. Second, msFVE-RecoveryPassword is flagged confidential in the AD schema, so on a DC that enforces this an account without read access to the attribute gets no matches from the second clause; an empty result may therefore mean missing permissions rather than missing keys, so run the search as an account that is allowed to read the keys (Domain Admins by default). Keep in mind as well that the list shows only devices that have an escrowed key; a device that is absent may still be encrypted with a key that was never backed up to AD. With these caveats, the filter is particularly useful for auditing or managing BitLocker recovery keys in your Univention-AD environment.
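The following script turns the output of that search into the device list the post is after. It is an added example, not code from the original post or from Univention: it parses the LDIF that ldapsearch prints for the filter above when only DNs are requested, maps every recovery object to its parent computer, and pulls the creation time and recovery password ID out of the object's CN. The host, bind DN and search base in the comment, and the sample LDIF it runs on, are constructed assumptions.

```python
r"""List devices whose BitLocker recovery keys are escrowed in AD.

Added example (not from the original post). It parses the LDIF produced by a
search with the filter from the post, for instance (host, bind DN and base
are assumed):

    ldapsearch -LLL -H ldaps://dc.example.com -W \
        -D 'CN=Administrator,CN=Users,DC=example,DC=com' \
        -b 'DC=example,DC=com' \
        '(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryPassword=*))' 1.1

The attribute list '1.1' returns DNs only. That is enough for an inventory and
keeps the recovery passwords themselves out of the output file.
"""
import base64
import re
from collections import defaultdict

# Constructed sample in the shape of `ldapsearch -LLL ... 1.1` output: one DN
# per entry, long lines folded at 76 columns with a leading space on the
# continuation line. Three recovery objects spread over two devices.
SAMPLE_LDIF = """\
dn: CN=2024-03-11T09:14:23-00:00{8E3F0C1A-5D2B-4F6E-9A7C-1B2D3E4F5A6B},CN=LA
 PTOP-0042,CN=Computers,DC=example,DC=com

dn: CN=2024-05-02T16:40:07-00:00{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0},CN=LA
 PTOP-0042,CN=Computers,DC=example,DC=com

dn: CN=2023-12-20T08:00:00-00:00{11111111-2222-3333-4444-555555555555},CN=WS
 -017,OU=Workstations,DC=example,DC=com

"""
# ldapsearch emits `dn::` with a base64 value when the DN is not plain ASCII
# (here an OU with an umlaut); encoding it at runtime keeps the sample exact.
NON_ASCII_DN = ("CN=2024-06-30T11:05:44-00:00{ABCDEF01-2345-6789-ABCD-EF0123456789},"
                "CN=NB-0117,OU=Außendienst,DC=example,DC=com")
SAMPLE_LDIF += "dn:: " + base64.b64encode(NON_ASCII_DN.encode("utf-8")).decode("ascii") + "\n"

# The recovery object's own CN is "<creation time>{<recovery password ID>}"; the
# GUID in braces is the ID the BitLocker recovery prompt shows (first 8 chars).
RECOVERY_CN = re.compile(
    r"^CN=(?P<ts>[^{]+)\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> list of values.
    'attr:: ...' marks a base64 value (kept as bytes); plain values are str."""
    entries, current = [], None
    for line in unfold_ldif(text):
        if not line.strip():                 # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):             # LDIF comment
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def device_for_entry(entry):
    """Map one recovery object to (device, key creation time, recovery password ID).
    Returns None for a DN that is not shaped like a recovery object (for example
    when the LDIF came from a broader export)."""
    dn = entry["dn"][0]
    if isinstance(dn, bytes):                # base64-encoded DN
        dn = dn.decode("utf-8")
    rdns = split_dn(dn)
    if len(rdns) < 2:
        return None
    m = RECOVERY_CN.match(rdns[0])
    if not m:
        return None
    device = rdns[1].split("=", 1)[1]        # parent RDN is the computer object
    return device, m.group("ts"), m.group("guid").upper()


def devices_with_keys(ldif_text):
    """Return {device: [(creation time, recovery password ID), ...]}, sorted.
    Several entries per device are normal: every re-escrow adds an object."""
    by_device = defaultdict(list)
    for entry in parse_ldif(ldif_text):
        mapped = device_for_entry(entry)
        if mapped is None:
            continue
        device, ts, guid = mapped
        by_device[device].append((ts, guid))
    return {d: sorted(keys) for d, keys in sorted(by_device.items())}


if __name__ == "__main__":
    for device, keys in devices_with_keys(SAMPLE_LDIF).items():
        newest = max(ts for ts, _ in keys)
        print(f"{device:<16} {len(keys)} key(s), newest {newest}")
```

Feed the script the real LDIF instead of SAMPLE_LDIF and it never sees a recovery password, only DNs; the recovery password ID it extracts is what a user reads off the BitLocker prompt, so the output doubles as the lookup table a helpdesk needs to find the right key object.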
