ProtectKeyWithCertificateThumbprint method of the Win32_EncryptableVolume class

The ProtectKeyWithCertificateThumbprint method of the Win32_EncryptableVolume class validates the Enhanced Key Usage (EKU) object identifier (OID) of the provided certificate.


uint32 ProtectKeyWithCertificateThumbprint(
  [in, optional] string FriendlyName,
  [in]           string CertThumbprint,
  [out]          string VolumeKeyProtectorID
);

FriendlyName [in, optional]

Type: string

A string that specifies a user-assigned string identifier for this key protector. If this parameter is not specified, the FriendlyName parameter is created by using the Subject Name in the certificate.

CertThumbprint [in]

Type: string

A string that specifies the certificate thumbprint.

VolumeKeyProtectorID [out]

Type: string

A string that uniquely identifies the created key protector that can be used to manage this key protector.

If the drive supports hardware encryption and BitLocker has not taken band ownership, the ID string is set to "BitLocker" and the key protector is written to per-band metadata.

Return value

Type: uint32

This method returns one of the following codes or another error code if it fails.

Return code/value | Description
0 (0x0) | The method was successful.
13 (0xD) | The data is not valid.
2150695022 (0x8031006E) | The EKU attribute of the specified certificate does not permit it to be used for BitLocker Drive Encryption. BitLocker does not require that a certificate have an EKU attribute, but if one is configured, it must be set to an OID that matches the OID configured for BitLocker.
2150695026 (0x80310072) | Group Policy does not permit user certificates, such as smart cards, to be used with BitLocker.
2150695028 (0x80310074) | Group Policy requires that you supply a smart card to use BitLocker.
2150695046 (0x80310086) | Group Policy does not permit the use of self-signed certificates.

If the OID does not match the one associated with the service controller in the registry, this method fails. This prevents the user from setting data recovery agent (DRA) protectors manually on the volume. DRAs are only to be set by the service.
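The following PowerShell script is an added example, not code from this documentation page or from Microsoft: it calls the method through WMI, optionally pre-checks the certificate's EKU extension, and decodes the return codes listed above. The drive letter, thumbprint and the EKU OID configured for BitLocker in your environment are caller-supplied assumptions; the script does not guess the OID.

```powershell
# Added example (not from the documentation page). Adds a certificate-based key
# protector to a BitLocker volume via Win32_EncryptableVolume and maps the
# documented return codes to messages. All inputs are assumptions of the caller.
param(
    [Parameter(Mandatory)] [string] $DriveLetter,     # e.g. 'D:'
    [Parameter(Mandatory)] [string] $CertThumbprint,  # SHA-1 thumbprint, no spaces
    [string] $FriendlyName = '',                      # empty: method uses cert Subject
    [string] $ExpectedEkuOid = ''                     # OID configured for BitLocker
)

$ns = 'root/CIMV2/Security/MicrosoftVolumeEncryption'
# String keys so that decimal values above int32 range look up consistently.
$codes = @{
    '0'          = 'The method was successful.'
    '13'         = 'The data is not valid.'
    '2150695022' = 'Certificate EKU does not permit BitLocker use (0x8031006E).'
    '2150695026' = 'Group Policy does not permit user certificates (0x80310072).'
    '2150695028' = 'Group Policy requires a smart card (0x80310074).'
    '2150695046' = 'Group Policy does not permit self-signed certificates (0x80310086).'
}

# Pre-flight: the certificate must exist locally, and if it carries an EKU
# extension it must contain the configured OID. The method enforces this
# anyway; checking first gives a clearer error than a bare 0x8031006E.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $CertThumbprint }
if (-not $cert) { throw "Certificate $CertThumbprint not found in LocalMachine\My" }
if ($ExpectedEkuOid) {
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $ExpectedEkuOid) {
        throw "Certificate EKU OIDs [$($ekus -join ', ')] lack configured OID $ExpectedEkuOid"
    }
}

$vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume `
    -Filter "DriveLetter='$DriveLetter'"
if (-not $vol) { throw "No Win32_EncryptableVolume instance for $DriveLetter" }

$methodArgs = @{ CertThumbprint = $CertThumbprint }
if ($FriendlyName) { $methodArgs['FriendlyName'] = $FriendlyName }

$result = Invoke-CimMethod -InputObject $vol `
    -MethodName 'ProtectKeyWithCertificateThumbprint' -Arguments $methodArgs
$rc  = [uint32]$result.ReturnValue
$msg = if ($codes.ContainsKey("$rc")) { $codes["$rc"] } else { 'Error 0x{0:X8}' -f $rc }
if ($rc -ne 0) { throw "ProtectKeyWithCertificateThumbprint failed: $rc ($msg)" }
"Created key protector $($result.VolumeKeyProtectorID) on $DriveLetter"
```

Run from an elevated session; the method needs administrative rights on the volume.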


Minimum supported client

Windows 7 Enterprise, Windows 7 Ultimate [desktop apps only]

Minimum supported server

Windows Server 2008 R2 [desktop apps only]