
I have a query in Active Directory which should return all computers with BitLocker not active, based on this script:

https://community.spiceworks.com/topic/1083065-bitlocker-status-on-all-computers

Script works fine so the values are there.

But my query is not returning anything. It looks like this:

(&(&(objectCategory=computer)(objectClass=msFVE-RecoveryInformation)(!(msFVE-RecoveryPassword=*))))

I want to return computers which don't have active BitLocker.

Can someone point me in the right direction as to where the mistake could be? I'm still learning LDAP queries.

//EDIT

So I found out msFVE-RecoveryInformation is an object by itself; when I do:

(&(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryPassword=*)))

It filters objects with recovery keys, but the name of the computer is encoded in the attribute "distinguishedName" like this:

CN=2020-02-10T16:32:51\+01:00{4C74584A-BF6C-4AFA-9E46-582DDFC207A6},CN=NAMEOFNTB,OU=computers,OU=blabla,DC=test,DC=local

Can I somehow filter only computers with this attribute?

Johny Wave


You need to read the msDS-ParentDistName attribute in each msFVE-RecoveryInformation object, and then query for those distinguished names to get the computer objects.

Also, this is not a good way to measure this due to:

  • A system may have been re-imaged.
  • Encryption may be turned off or suspended indefinitely.
  • A system may be encrypted, but the recovery password/key not backed up to Active Directory.
  • A recovery password/key may have been re-generated/replaced but not backed up to Active Directory.
  • Some of the drives may be encrypted but others not.
  • It doesn't provide any information on the protectors used. For example, if only a TPM protector is used without a PIN.
Greg Askew
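Because a computer object and an msFVE-RecoveryInformation object are never the same LDAP entry, the single filter in the question can never match; the two-step approach from the answer, in PowerShell, as an added example that is not part of the original question or answer. It assumes the ActiveDirectory module (RSAT), read access to the recovery objects (normally ACL-restricted) and the domain root as search base.

```powershell
# Added example, not from the original question or answer.
# Assumes the ActiveDirectory module, read rights on msFVE-RecoveryInformation
# objects, and the domain root as search base (narrow it to your computers OU).
Import-Module ActiveDirectory

$searchBase = (Get-ADDomain).DistinguishedName

# 1. Every computer object in scope.
$computers = Get-ADComputer -Filter * -SearchBase $searchBase -Properties OperatingSystem

# 2. Every escrowed recovery object. msDS-ParentDistName is a constructed
#    attribute, so it must be requested explicitly; it holds the DN of the
#    computer the key belongs to (the parent of the recovery object).
$recoveryObjects = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -SearchBase $searchBase -Properties 'msDS-ParentDistName', whenCreated

# Set of computer DNs that have at least one recovery password escrowed.
$escrowed = @{}
foreach ($r in $recoveryObjects) {
    $parent = $r.'msDS-ParentDistName'
    if (-not $parent) {
        # Fallback: strip the first RDN (split on the first unescaped comma)
        # from the recovery object's DN to get the parent computer DN.
        $parent = ($r.DistinguishedName -split '(?<!\\),', 2)[1]
    }
    $escrowed[$parent] = $true
}

# 3. Computers with no escrowed key. As the answer notes, this only shows that
#    no recovery password was backed up to AD, not that the drive is unencrypted;
#    confirm on the host itself (e.g. manage-bde -status) before acting on it.
$computers |
    Where-Object { -not $escrowed.ContainsKey($_.DistinguishedName) } |
    Select-Object Name, OperatingSystem, DistinguishedName |
    Sort-Object Name |
    Format-Table -AutoSize
```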