Upravit

Sdílet prostřednictvím


Win32_EncryptableVolume class

The Win32_EncryptableVolume WMI provider class represents an area of storage on a hard disk that can be protected by using BitLocker Drive Encryption. Only NTFS volumes can be encrypted. It can be a volume that contains an operating system, or it can be a data volume on the local disk. It cannot be a network drive.

To realize the benefits of BitLocker, you must specify a protection method for the volume's encryption key and then fully encrypt the volume.

To protect the volume's encryption key, add key protectors by using these methods:

Each type of key protector provides a different authentication experience for unlocking access to the encrypted data. External keys and numerical passwords can provide authentication during recovery scenarios. For TPM-based key protectors, you may first need to properly initialize the TPM. For more information, see the Win32_Tpm WMI provider class.

Use the Encrypt or EncryptAfterHardwareTest method to begin encryption. Key protectors must be added prior to starting the encryption, or else you must use the DisableKeyProtectors method to expose an unprotected clear key. If the computer turns off while encryption is in progress, encryption will automatically resume when the computer restarts.

You can use the GetConversionStatus and GetProtectionStatus methods to check on the status of an accessible volume.

Syntax

class Win32_EncryptableVolume
{
  string DeviceID;
  string PersistentVolumeID;
  string DriveLetter;
  uint32 ProtectionStatus;
};

Members

The Win32_EncryptableVolume class has these types of members:

Methods

The Win32_EncryptableVolume class has these methods.

Method Description
BackupRecoveryInformationToActiveDirectory Saves all external keys and related information that is needed for recovery to the Active Directory.
ChangeExternalKey Changes the external key associated with an encrypted volume.
ChangePassphrase Uses the new passphrase to obtain a new derived key.
ChangePIN Changes a PIN associated with an encrypted volume.
ClearAllAutoUnlockKeys Removes all external keys and related information saved onto the currently running operating system volume that are used to automatically unlock data volumes.
Decrypt Begins decryption of a fully encrypted volume or resumes decryption of a partially encrypted volume.
DeleteKeyProtector Deletes a given key protector for the volume.
DeleteKeyProtectors Deletes all key protectors for the volume.
DisableAutoUnlock Removes the external key saved on the currently running operating system volume so that the volume is not automatically unlocked when it is mounted.
DisableKeyProtectors Disables all key protectors associated with this volume.
EnableAutoUnlock Allows a data volume to be automatically unlocked when the volume is mounted.
EnableKeyProtectors Enables all disabled key protectors.
Encrypt Begins encryption of a fully decrypted volume or resumes encryption of a partially encrypted volume.
EncryptAfterHardwareTest Begins encryption of a fully decrypted volume after a hardware test.
FindValidCertificates Enumerates all certificates on the system that match the indicated criteria and returns a list of thumbprints.
GetConversionStatus Indicates the status of the encryption or decryption on the volume.
GetEncryptionMethod Indicates the encryption algorithm and key size used on the volume.
GetExternalKeyFileName Returns the name of the file that contains the external key.
GetExternalKeyFromFile Returns the external key from a file.
GetHardwareTestStatus Returns status information on a hardware test.
GetIdentificationField Returns the identifier string that is available in the volume's metadata.
GetKeyPackage Returns information that make help salvage encrypted data when the drive is severely damaged.
GetKeyProtectorCertificate Retrieves the public key and certificate thumbprint for a public key protector.
GetKeyProtectorExternalKey Retrieves the external key for a given key protector of the appropriate type.
GetKeyProtectorFriendlyName Retrieves the display name used to identify a given key protector.
GetKeyProtectorNumericalPassword Retrieves the numerical password for a given key protector of the appropriate type.
GetKeyProtectorPlatformValidationProfile Retrieves the platform validation profile for a given key protector of the appropriate type.
GetKeyProtectors Lists the protectors used to secure the volume's encryption key.
GetKeyProtectorType Indicates the type of a given key protector.
GetLockStatus Indicates whether the contents of the volume are accessible from the currently running operating system.
GetProtectionStatus Indicates whether the volume and its encryption key (if any) are secured.
GetVersion Indicates the FVE metadata version of the volume.
IsAutoUnlockEnabled Indicates whether the volume is automatically unlocked when mounted.
IsAutoUnlockKeyStored Indicates whether there exists in the currently running operating system volume any external keys and related information that may be used to automatically unlock data volumes.
IsKeyProtectorAvailable Indicates whether protectors are available for the volume.
IsNumericalPasswordValid Indicates whether the numerical password meets the special format requirements.
Lock Dismounts the volume and removes the volume's encryption key from system memory.
PauseConversion Pauses the encryption or decryption of a volume.
PrepareVolume Creates a BitLocker volume with the specified file system type of the discovery volume.
ProtectKeyWithCertificateFile Validates the Enhanced Key Usage (EKU) object identifier (OID) of the provided certificate file.
ProtectKeyWithCertificateThumbprint Validates the Enhanced Key Usage (EKU) object identifier (OID) of the provided certificate thumbprint.
ProtectKeyWithExternalKey Secures the volume's encryption key with a 256-bit external key.
ProtectKeyWithNumericalPassword Secures the volume's encryption key with a specially formatted 48-digit password.
ProtectKeyWithPassphrase Uses the passphrase to obtain the derived key.
ProtectKeyWithTPM Secures the volume's encryption key by using the Trusted Platform Module (TPM) Security Hardware on the computer, if available.
ProtectKeyWithTPMAndPIN Secures the volume's encryption key by using the Trusted Platform Module (TPM) Security Hardware on the computer, if available, enhanced by a user-specified personal identification number (PIN) that must be provided to the computer at startup.
ProtectKeyWithTPMAndPINAndStartupKey Secures the volume's encryption key by using the Trusted Platform Module (TPM) Security Hardware on the computer, if available, enhanced by a user-specified personal identification number (PIN) and by an external key that must be provided to the computer at startup.
ProtectKeyWithTPMAndStartupKey Secures the volume's encryption key by using the Trusted Platform Module (TPM) Security Hardware on the computer, if available, enhanced by an external key that must be provided to the computer at startup.
ResumeConversion Resumes the encryption or decryption of a volume.
SaveExternalKeyToFile Writes the external key associated with the specified volume key protector to a specified file location.
SetIdentificationField Sets the specified identifier string in the volume's metadata.
UnlockWithCertificateFile Uses the provided certificate file to obtain the derived key and unlock the encrypted volume.
UnlockWithCertificateThumbprint Uses the provided certificate thumbprint to obtain the derived key and unlock the encrypted volume.
UnlockWithExternalKey Uses a provided external key to access the contents of a data volume.
UnlockWithNumericalPassword Uses a provided numerical password to access the contents of a data volume.
UnlockWithPassphrase Uses the passphrase to obtain the derived key. After the derived key is calculated, the derived key is used to unlock the encrypted volume's master key.
UpgradeVolume Upgrades a volume from the Windows Vista format to the Windows 7 format.

Properties

The Win32_EncryptableVolume class has these properties.

ConversionStatus

Data type: uint32

Access type: Read-only

An integer corresponding to the encryption state of the volume. This value is stored when class is instantiated. It is possible for the conversion status to change state between instantiation and when you check the value. To check the value of the ConversionStatus property in real time, use the GetConversionStatus method.

Value Meaning
0
FULLY DECRYPTED

1
FULLY ENCRYPTED

2
ENCRYPTION IN PROGRESS

3
DECRYPTION IN PROGRESS

4
ENCRYPTION PAUSED

5
DECRYPTION PAUSED

DeviceID

Data type: string

Access type: Read-only

Qualifiers: Key

A unique identifier for the volume on this system. Use this to associate a volume with other WMI provider classes, for example, Win32_Volume.

DriveLetter

Data type: string

Access type: Read-only

The drive letter of the volume. This identifier can be used to associate a volume with other WMI provider classes, for example Win32_Volume.

For volumes without drive letters, this value is NULL.

EncryptionMethod

Data type: uint32

Access type: Read-only

An integer identifying the algorithm used to encrypt the volume.

Value Meaning
0
NOT ENCRYPTED
The volume is not encrypted, nor has encryption begun.
1
AES 128 WITH DIFFUSER

2
AES 256 WITH DIFFUSER

3
AES 128

4
AES 256

5
HARDWARE ENCRYPTION

6
XTS-AES 128
This is the default setting for Windows 10.
7
XTS-AES 256 WITH DIFFUSER

IsVolumeInitializedForProtection

Data type: bool

Access type: Read-only

States whether the volume is in a state ready for encryption to start. At least one key protector must be added before this will be True and encryption can begin.

PersistentVolumeID

Data type: string

Access type: Read-only

A persistent identifier for the volume on this system. This identifier is exclusive to Win32_EncryptableVolume.

This identifier is an empty string if the volume is a standard fully decrypted NTFS volume; otherwise, it has a unique value.

ProtectionStatus

Data type: uint32

Access type: Read-only

The status of the volume, whether or not BitLocker is protecting the volume. This value is stored when the class is instantiated. It is possible for the protection status to change state between instantiation and when you check the value. To check the value of the ProtectionStatus property in real time, use the GetProtectionStatus method.

Value Meaning
0
PROTECTION OFF
The volume is not encrypted, partially encrypted, or the volume's encryption key for the volume is available in the clear on the hard disk.
1
PROTECTION ON
The volume is fully encrypted and the encryption key for the volume is not available in the clear on the hard disk.
2
PROTECTION UNKNOWN
The volume protection status cannot be determined. One potential cause is that the volume is in a locked state.

VolumeType

Data type: uint32

Access type: Read-only

An integer identifying the type of volume relevant to encryption for use of appropriate key protectors and encryption methods.

Value Meaning
0
SYSTEM
The volume contains the Windows operating system. Standard key protectors are usually TPM, sometimes in conjunction with a PIN, and Numerical (Recovery) Password
1
FIXED DISK
This volume is a non-system storage device for the system. It is often recommended to configure auto-unlock in conjunction with the system volume.
2
REMOVABLE
This volume is hot removable from the system. Typically this will indicate an external drive or flash drive. Different encryption methods may be considered due to compatibility concerns with other systems.

Security Considerations

The Win32_EncryptableVolume WMI provider class relies on the WMI namespace security and on the BitLocker Drive Encryption subsystem for access control.

To use the Win32_EncryptableVolume methods, the following conditions must be met:

To enable remote connections, remote WMI traffic must be allowed. For more information about enabling WMI traffic, see Connecting to WMI Remotely Starting with Vista.

The default namespace security setting includes an entry to allow editing by default. For more information about WMI namespace auditing, see Access to WMI Namespaces.

Remarks

Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).

Requirements

Requirement Value
Minimum supported client
Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]
Minimum supported server
Windows Server 2008 [desktop apps only]
Namespace
Root\CIMV2\Security\MicrosoftVolumeEncryption
MOF
Win32_encryptablevolume.mof