Export (0) Print
Expand All

Event ID 24622 — BitLocker Encryption and Decryption

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

red

Whenever the operating system or an application attempts to read from or write to a BitLocker-protected volume, the BitLocker filter driver must decrypt or encrypt data in real time, sector by sector. The filter driver writes event log information when it encounters problems, even if the problem is corrected with an automatic retry of the operation.

Event Details

Product: Windows Operating System
ID: 24622
Source: Microsoft-Windows-BitLocker-Driver
Version: 6.1
Symbolic Name: FVE_MOR_BIT_WAIT_INIT_ERROR
Message: BIOS/TCG Memory Overwrite Control: Error finding TPM driver.

Resolve

Confirm system compatibility, revert BIOS, update BIOS, or continue without memory overwrite

Normally, the Windows operating system holds the BitLocker volume encryption keys and other sensitive data in memory. If the computer is restarted without having been fully shut down, this information may still be present in memory. During the normal restart process, the operating system ensures the removal of this information by overwriting the memory space.

If the system restarted without the operating system have the chance to overwrite memory, the memory must be erased by the system BIOS early in the boot process--before any malicious software components could access memory and retrieve keys.

A special non-volatile bit called the Memory Overwrite Request (MOR) bit is used to tell the BIOS that the system memory should be erased early in the boot process. The operating system sets this bit before placing sensitive information in memory and clears the bit during normal shutdown after the sensitive information has been cleared from memory.

The MOR bit is used only in computer systems with a Trusted Platform Module (TPM). Memory will only be cleared by the BIOS if the MOR bit is set and if ownership for the TPM has been taken.

The correct operation of this process depends on a system BIOS that is fully compatible with this version of Windows and the BitLocker Drive Encryption feature.

To resolve this condition, first confirm that your system is certified as compatible with this version of Windows. If your BIOS has recently been updated, you may need to revert to an earlier version. If the manufacturer of your computer system has made a new BIOS version available, you may need to update the computer system BIOS. Lastly, if you wish to accept the potential security risk, you may continue without the protection of the memory overwrite feature.

Confirm that your computer is certified as compatible with Windows BitLocker Drive Encryption

To confirm that your computer is certified as compatible with Windows BitLocker Drive Encryption:

  1. See Windows Vista Hardware Compatibility List (http://go.microsoft.com/fwlink/?LinkId=104414) and check whether the computer system is certified to be compatible with Windows Vista.
  2. If your computer system is not certified as compatible with this version of Windows, you may not be able to use all of the features included with Windows, such as BitLocker Drive Encryption. Contact your hardware supplier or hardware support team to see if upgrades or alternatives are available.

Revert the computer BIOS

To revert the computer BIOS:

  1. If your computer BIOS or firmware was recently updated, check with your computer hardware supplier or hardware support team to determine whether the update supports the MOR bit.
  2. If not, follow the instructions provided by your computer hardware supplier to revert to the previous BIOS.

Update the computer BIOS

To update the computer BIOS:

  1. Check with your computer hardware supplier to determine whether an updated BIOS is available that supports the MOR bit.
  2. If so, follow the computer hardware supplier instructions for installing the updated BIOS.

Alternatively, depending on the security policies in place in your organization, you may choose to continue using Windows without the memory being cleared in the circumstances described above.

Continue without memory overwrite

To continue without memory overwrite:

  • If it is acceptable to operate the computer without being assured that the memory has been overwritten at each startup, simply continue to use Windows as normal.

Note: Other problems with the computer system or BIOS may also exist. This is not recommended as a long-term solution.

Verify

To verify the correct operation of BitLocker encryption and decryption, read data from and write data to an encrypted volume. The read and write should occur without error.

Caution: We strongly recommend that all important data be backed up regularly.

Related Management Information

BitLocker Encryption and Decryption

Core Security

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft