ProtectKeyWithAdSid method of the Win32_EncryptableVolume class

The ProtectKeyWithAdSid method of the Win32_EncryptableVolume class secures the volume's encryption key by using an Active Directory security identifier (SID).

Syntax


uint32 ProtectKeyWithAdSid(
  [in, optional]  string FriendlyName,
  [in]            string SidString,
  [in]            uint32 Flags,
  [out]           string VolumeKeyProtectorID
);

Parameters

FriendlyName [in, optional]

A string that specifies a user-assigned identifier for this key protector. If this parameter is not specified, a blank value is used.

SidString [in]

A string that contains the Active Directory SID used to protect the encryption key.

Flags [in]

Flags that change the function behavior. This can be one of the following values.

Value | Meaning

FVE_DPAPI_NG_FLAG_NONE (0x0000) | No effect.

FVE_DPAPI_NG_FLAG_UNLOCK_AS_SERVICE_ACCOUNT (0x0001) | Specifies that the SID-based protector was protected to a service account. If this flag is specified, the caller should ensure that it is running as the appropriate service account before calling UnlockWithAdSid (by temporarily dropping impersonation, for example).

VolumeKeyProtectorID [out]

A unique identifier associated with the created protector. You can use this string to manage the key protector.

If the drive supports hardware encryption and BitLocker has not taken band ownership, the ID string is set to "BitLocker" and the key protector is written to per-band metadata.

Return value

This method returns one of the following codes or another error code if it fails.

Return code/value | Description

S_OK, 0 (0x0) | The method was successful.
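The following PowerShell script is an added example, not code from this documentation page or from Microsoft: it resolves an account name to its SID string, calls ProtectKeyWithAdSid on the volume through CIM, and treats any return value other than S_OK (0) as an error. The drive letter and account name are placeholders, the FriendlyName text is chosen here, and the script assumes it runs elevated on a domain-joined computer; none of that comes from the page.

```powershell
# Added example (not from the documentation page): add an Active Directory
# SID-based key protector to a BitLocker volume and check the result.
# The drive letter and account are placeholders; replace them for real use.
param(
    [string]$DriveLetter = 'D:',                 # placeholder volume
    [string]$Account     = 'CONTOSO\svc-backup', # placeholder AD account
    [switch]$AsServiceAccount                    # use the UNLOCK_AS_SERVICE_ACCOUNT flag
)

# Flag values as listed in the Flags table.
$FVE_DPAPI_NG_FLAG_NONE                      = [uint32]0x0000
$FVE_DPAPI_NG_FLAG_UNLOCK_AS_SERVICE_ACCOUNT = [uint32]0x0001

# The method takes the SID string, not the account name, so translate it first.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Find the volume in the BitLocker WMI namespace given in Requirements.
$volume = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                          -ClassName Win32_EncryptableVolume `
                          -Filter "DriveLetter = '$DriveLetter'"
if (-not $volume) { throw "No encryptable volume found for $DriveLetter" }

$flags = if ($AsServiceAccount) { $FVE_DPAPI_NG_FLAG_UNLOCK_AS_SERVICE_ACCOUNT }
         else                   { $FVE_DPAPI_NG_FLAG_NONE }

$result = Invoke-CimMethod -InputObject $volume -MethodName ProtectKeyWithAdSid -Arguments @{
    FriendlyName = "AD SID protector for $Account"   # optional; blank if omitted
    SidString    = $sid
    Flags        = $flags
}

# S_OK (0) is the only success code documented; report anything else as an HRESULT.
if ($result.ReturnValue -ne 0) {
    throw ('ProtectKeyWithAdSid failed with 0x{0:X8}' -f $result.ReturnValue)
}

# Keep the protector ID: it is the handle for managing or removing this protector.
# On a hardware-encrypted drive without band ownership the page says it is simply "BitLocker".
'Created key protector {0} on {1}' -f $result.VolumeKeyProtectorID, $DriveLetter
```

Pass -AsServiceAccount only when the protector is meant for a service account; as the Flags table notes, the later UnlockWithAdSid call must then run as that account.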

Remarks

Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).

By default, you cannot add an Active Directory account or group protector remotely. You must enable constrained delegation on the domain controller and source computer. On the domain controller, perform the following steps:

  1. Open Server Manager
  2. Select Computers in Active Directory roles
  3. Select the target client computer and right-click it
  4. Select the Delegation tab
  5. Select the "Trust this computer for delegation to specified services only" radio button
  6. Select the "Use Kerberos only" radio button
  7. Click Add
  8. Select "Users or Computers"
  9. Select host/ as the Service Principal Name

Perform steps 3 through 9 on the source computer.

Requirements

Minimum supported client

Windows 8 Enterprise, Windows 8 Pro [desktop apps only]

Minimum supported server

Windows Server 2012 [desktop apps only]

Namespace

\\.\root\CIMV2\Security\MicrosoftVolumeEncryption

MOF

Win32_encryptablevolume.mof

See also

Win32_EncryptableVolume

© 2014 Microsoft