ProtectKeyWithCertificateThumbprint method of the Win32_EncryptableVolume class

The ProtectKeyWithCertificateThumbprint method of the Win32_EncryptableVolume class creates a certificate-based key protector for the volume from a certificate identified by its thumbprint, after validating the Enhanced Key Usage (EKU) object identifier (OID) of the provided certificate.

Syntax

uint32 ProtectKeyWithCertificateThumbprint(
  [in, optional] string FriendlyName,
  [in]           string CertThumbprint,
  [out]          string VolumeKeyProtectorID
);

Parameters

FriendlyName [in, optional]

Type: string

A user-assigned string identifier for this key protector. If this parameter is not specified, the friendly name is created from the Subject Name in the certificate.

CertThumbprint [in]

Type: string

A string that specifies the certificate thumbprint.

VolumeKeyProtectorID [out]

Type: string

A string that uniquely identifies the created key protector that can be used to manage this key protector.

If the drive supports hardware encryption and BitLocker has not taken band ownership, the ID string is set to "BitLocker" and the key protector is written to per-band metadata.

Return value

Type: uint32

This method returns one of the following codes or another error code if it fails.

Return code (value): Description

S_OK (0, 0x0): The method was successful.

ERROR_INVALID_DATA (13, 0xD): The data is not valid.

FVE_E_NON_BITLOCKER_OID (2150695022, 0x8031006E): The EKU attribute of the specified certificate does not permit it to be used for BitLocker Drive Encryption. BitLocker does not require that a certificate have an EKU attribute, but if one is configured, it must be set to an OID that matches the OID configured for BitLocker.

FVE_E_POLICY_USER_CERTIFICATE_NOT_ALLOWED (2150695026, 0x80310072): Group Policy does not permit user certificates, such as smart cards, to be used with BitLocker.

FVE_E_POLICY_USER_CERT_MUST_BE_HW (2150695028, 0x80310074): Group Policy requires that you supply a smart card to use BitLocker.

FVE_E_POLICY_PROHIBITS_SELFSIGNED (2150695046, 0x80310086): Group Policy does not permit the use of self-signed certificates.

Remarks

If the certificate's EKU OID does not match the one associated with the service controller in the registry, this method fails. This prevents a user from manually adding data recovery agent (DRA) protectors to the volume; DRAs are set only by the service.
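The following PowerShell script is an added example, not part of the Microsoft documentation: it inspects the EKU extension of a certificate, invokes ProtectKeyWithCertificateThumbprint through CIM, and maps the documented return codes to their names. The drive letter, the thumbprint and the friendly name 'Recovery cert' are placeholder assumptions; the script must run elevated.

```powershell
# Added example (not from the Microsoft page). Placeholders: $DriveLetter, $Thumbprint.
param(
    [string]$DriveLetter = 'D:',
    [string]$Thumbprint  = '0000000000000000000000000000000000000000'  # placeholder thumbprint
)

# Return codes documented for this method, keyed by their decimal value as a string.
$ReturnCodes = @{
    '0'          = 'S_OK'
    '13'         = 'ERROR_INVALID_DATA'
    '2150695022' = 'FVE_E_NON_BITLOCKER_OID'
    '2150695026' = 'FVE_E_POLICY_USER_CERTIFICATE_NOT_ALLOWED'
    '2150695028' = 'FVE_E_POLICY_USER_CERT_MUST_BE_HW'
    '2150695046' = 'FVE_E_POLICY_PROHIBITS_SELFSIGNED'
}

# Show which EKU OIDs the certificate carries; a mismatched EKU is what
# produces FVE_E_NON_BITLOCKER_OID (a certificate without an EKU is allowed).
$cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
$eku  = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku) {
    $eku.EnhancedKeyUsages | ForEach-Object { "EKU: $($_.Value) ($($_.FriendlyName))" }
} else {
    'Certificate has no EKU extension.'
}

# Locate the encryptable volume in the namespace documented under Requirements.
$volume = Get-CimInstance -Namespace 'Root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
if (-not $volume) { throw "No Win32_EncryptableVolume instance found for $DriveLetter" }

# Invoke the method; FriendlyName is optional, CertThumbprint is required.
$result = Invoke-CimMethod -InputObject $volume -MethodName ProtectKeyWithCertificateThumbprint `
    -Arguments @{ FriendlyName = 'Recovery cert'; CertThumbprint = $Thumbprint }

$key  = "$($result.ReturnValue)"
$name = if ($ReturnCodes.ContainsKey($key)) { $ReturnCodes[$key] } else { 'other error code' }
'ReturnValue: {0} (0x{0:X8}) {1}' -f $result.ReturnValue, $name
if ($result.ReturnValue -eq 0) {
    "VolumeKeyProtectorID: $($result.VolumeKeyProtectorID)"
}
```

Run it against a test volume first: on success the VolumeKeyProtectorID it prints is the handle you later pass to the other Win32_EncryptableVolume methods that manage the protector.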

Requirements

Minimum supported client: Windows 7 Enterprise, Windows 7 Ultimate [desktop apps only]

Minimum supported server: Windows Server 2008 R2 [desktop apps only]

Namespace: Root\CIMV2\Security\MicrosoftVolumeEncryption

MOF: Win32_encryptablevolume.mof

See also

Win32_EncryptableVolume