EncryptAfterHardwareTest method of the Win32_EncryptableVolume class
The EncryptAfterHardwareTest method of the Win32_EncryptableVolume class begins encryption of a fully decrypted operating system volume after a hardware test. A reboot is required to perform this hardware test. Use this method instead of the Encrypt method to check that BitLocker will work as expected.
Note
If the hard drive is hardware encrypted, this method does not encrypt data. Instead, it sets the band status to unlocked from "perpetually unlocked". If the band is locked, unlocked or is read-only, the drive is considered to be encrypted.
Syntax
uint32 EncryptAfterHardwareTest(
[in, optional] uint32 EncryptionMethod,
[in, optional] uint32 EncryptionFlags
);
Parameters
-
EncryptionMethod [in, optional]
-
Type: uint32
Specifies the encryption algorithm and key size used to encrypt the volume. Leave this parameter blank to use the default value of zero. If the volume is partially or fully encrypted, the value of this parameter must be 0 or match the volume's existing encryption method. If the corresponding Group Policy setting has been enabled with a valid value, the value of this parameter must be 0 or match the Group Policy setting.
If the corresponding Group Policy setting is invalid, the default of AES 128 with diffuser is used.
Value Meaning - Unspecified
- 0
Use the current Group Policy setting, if available and valid, or the default encryption method otherwise. - 1
AES 128 WITH DIFFUSER
Encrypt the volume by using the Advanced Encryption Standard (AES) algorithm enhanced with a diffuser layer and by using an AES key size of 128 bits.- 2
AES 256 WITH DIFFUSER
Encrypt the volume by using the Advanced Encryption Standard (AES) algorithm enhanced with a diffuser layer and by using an AES key size of 256 bits.- AES_128
- 3
Encrypt the volume by using the Advanced Encryption Standard (AES) algorithm and by using an AES key size of 128 bits. - AES_256
- 4
Encrypt the volume by using the Advanced Encryption Standard (AES) algorithm and by using an AES key size of 256 bits. -
EncryptionFlags [in, optional]
-
Type: uint32
Flags that describe the encryption behavior.
Windows 7, Windows Server 2008 R2, Windows Vista Enterprise and Windows Server 2008: This parameter is not available.
A combination of 32 bits with the following bits currently defined.
Value Meaning - 0x00000001
Perform volume encryption in data-only encryption mode when starting new encryption process. If encryption has been paused or stopped, calling the Encrypt method effectively resumes conversion and the value of this bit is ignored. This bit only has effect when either the Encrypt or EncryptAfterHardwareTest methods start encryption from the fully decrypted state, decryption in progress state, or decryption paused state. If this bit is zero, meaning that it is not set, when starting new encryption process, then full mode conversion will be performed. - 0x00000002
Perform on-demand wipe of the volume free space. Calling the Encrypt method with this bit set is only allowed when volume is not currently converting or wiping and is in an "encrypted" state. - 0x00010000
Perform the requested operation synchronously. The call will block until requested operation has completed or was interrupted. This flag is only supported with the Encrypt method. This flag can be specified when Encrypt is called to resume stopped or interrupted encryption or wiping or when either encryption or wiping is in progress. This allows the caller to resume synchronously waiting until the process is completed or interrupted.
Return value
Type: uint32
This method returns one of the following codes or another error code if it fails.
This method returns immediately. If the volume is already fully encrypted and no other errors are returned, this method returns zero.
| Return code/value | Description |
|---|---|
|
The method was successful. |
|
The EncryptionMethod parameter is provided but is not within the known range or does not match the current Group Policy setting. |
|
No encryption key exists for the volume. Either disable key protectors by using the DisableKeyProtectors method, or use one of the following methods to specify key protectors for the volume:
|
|
The volume cannot be encrypted because this computer is configured to be part of a server cluster. |
|
No key protectors of the type "TPM", "TPM And PIN", "TPM And PIN And Startup Key", "TPM And Startup Key", or "External Key" can be found. The hardware test only involves the previous key protectors. If you still want to run a hardware test, you must use one of the following methods to specify key protectors for the volume:
|
|
The volume is partially or fully encrypted. The hardware test applies before encryption occurs. If you still want to run the test, first use the Decrypt method and then use one of the following methods to add key protectors:
|
|
The volume is a data volume. The hardware test applies only to volumes that can start the operating system. Run this method on the currently started operating system volume. |
|
No key protectors of the type "Numerical Password" are specified. The Group Policy requires a backup of recovery information to Active Directory Domain Services. To add at least one key protector of that type, use the ProtectKeyWithNumericalPassword method. |
Remarks
When you use this method without the second optional parameter (according to the Windows 7 and Windows Vista Enterprise definition), the method will always initiate full mode conversion in order to keep backward compatible behavior. This way the security expectation of existing applications and scripts will not be broken with the addition of the second optional parameter in Windows 8 and Windows Server 2012.
Unlike the Encrypt method, this method does the following:
- Tests whether the TPM will be able to unlock the volume, if a TPM-related key protector exists.
- Tests whether the computer can read a USB flash drive that contains an external key file during start, if the volume will be unlocked by an external key (including a startup key).
- Requires a computer restart to run the hardware test.
- Begins encryption only if the hardware test succeeds.
- Cannot be used on a data volume, on a partially or fully encrypted volume, or to resume encryption.
Before running this method, use the following methods to create the related key protectors:
- ProtectKeyWithExternalKey
- ProtectKeyWithTPM
- ProtectKeyWithTPMAndPIN
- ProtectKeyWithTPMAndPINAndStartupKey
- ProtectKeyWithTPMAndStartupKey
After running this method, take these additional steps:
- Insert into the computer a USB flash drive that contains an external key file. This step applies only if the volume has a key protector of type "External Key" or "TPM And Startup Key".
- Restart the computer.
On computer restart, the hardware test runs automatically.
Encryption begins if the hardware test succeeds. Otherwise, attempt to resolve any hardware failures. Run GetHardwareTestStatus after restarting the computer to get test results.
Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client |
Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only] |
| Minimum supported server |
Windows Server 2008 [desktop apps only] |
| Namespace |
Root\CIMV2\Security\MicrosoftVolumeEncryption |
| MOF |
|
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for