ProtectKeyWithAdSid method of the Win32_EncryptableVolume class
The ProtectKeyWithAdSid method of the Win32_EncryptableVolume class secures the volume's encryption key by using a Active Directory security identifier (SID).
Syntax
uint32 ProtectKeyWithAdSid(
[in, optional] string FriendlyName,
[in] string SidString,
[in] uint32 Flags,
[out] string VolumeKeyProtectorID
);
Parameters
-
FriendlyName [in, optional]
-
A string that specifies a user-assigned identifier for this key protector. If this parameter is not specified, a blank value is used.
-
SidString [in]
-
String that contains the Active Directory SID used to protect the encryption key.
-
Flags [in]
-
Flags that change the function behavior. This can be one of the following values.
Value Meaning - FVE_DPAPI_NG_FLAG_NONE
- 0x0000
No effect. - FVE_DPAPI_NG_FLAG_UNLOCK_AS_SERVICE_ACCOUNT
- 0x0001
Specifies that the SID-based protector was protected to a service account. If this flag is specified, the caller should ensure that it is running as the appropriate service account before calling UnlockWithAdSid (by temporarily dropping impersonation, for example). -
VolumeKeyProtectorID [out]
-
A unique identifier associated with the created protector. You can use this string to manage the key protector.
If the drive supports hardware encryption and BitLocker has not taken band ownership, the ID string is set to "BitLocker" and the key protector is written to per band metadata.
Return value
This method returns one of the following codes or another error code if it fails.
| Return code/value | Description |
|---|---|
|
The method was successful. |
Remarks
Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF)
By default, you cannot add an Active Directory account or group protector remotely. You must enable constrained delegation on the domain controller and source computer. On the domain controller, perform the following steps:
- Open Server Manager
- Select Computers in Active Directory roles
- Select the target client computer and right click
- Select the Delegation tab
- Select the "Trust this computer for delegation to specified services only" radio button
- Select the "Use Kerberos only" radio button
- Click Add
- Select "Users or Computers"
- Select host/ as the Service Principal Name
Perform steps 3 through 9 on the source computer.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client |
Windows 8 Enterprise, Windows 8 Pro [desktop apps only] |
| Minimum supported server |
Windows Server 2012 [desktop apps only] |
| Namespace |
Root\CIMV2\Security\MicrosoftVolumeEncryption |
| MOF |
|
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for