ProtectKeyWithAdSid method of the Win32_EncryptableVolume class

The ProtectKeyWithAdSid method of the Win32_EncryptableVolume class secures the volume's encryption key by using a Active Directory security identifier (SID).


uint32 ProtectKeyWithAdSid(
  [in, optional] string FriendlyName,
  [in]           string SidString,
  [in]           uint32 Flags,
  [out]          string VolumeKeyProtectorID


FriendlyName [in, optional]

A string that specifies a user-assigned identifier for this key protector. If this parameter is not specified, a blank value is used.

SidString [in]

String that contains the Active Directory SID used to protect the encryption key.

Flags [in]

Flags that change the function behavior. This can be one of the following values.

Value Meaning
No effect.
Specifies that the SID-based protector was protected to a service account. If this flag is specified, the caller should ensure that it is running as the appropriate service account before calling UnlockWithAdSid (by temporarily dropping impersonation, for example).


VolumeKeyProtectorID [out]

A unique identifier associated with the created protector. You can use this string to manage the key protector.

If the drive supports hardware encryption and BitLocker has not taken band ownership, the ID string is set to "BitLocker" and the key protector is written to per band metadata.

Return value

This method returns one of the following codes or another error code if it fails.

Return code/value Description
0 (0x0)
The method was successful.



Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF)

By default, you cannot add an Active Directory account or group protector remotely. You must enable constrained delegation on the domain controller and source computer. On the domain controller, perform the following steps:

  1. Open Server Manager
  2. Select Computers in Active Directory roles
  3. Select the target client computer and right click
  4. Select the Delegation tab
  5. Select the "Trust this computer for delegation to specified services only" radio button
  6. Select the "Use Kerberos only" radio button
  7. Click Add
  8. Select "Users or Computers"
  9. Select host/ as the Service Principal Name

Perform steps 3 through 9 on the source computer.


Requirement Value
Minimum supported client
Windows 8 Enterprise, Windows 8 Pro [desktop apps only]
Minimum supported server
Windows Server 2012 [desktop apps only]

See also