Event ID 24605 — BitLocker Startup

Applies To: Windows Server 2008 R2

When a computer protected with BitLocker Drive Encryption is restarted, the early startup components perform a series of integrity checks and, if the system passes, attempts to retrieve the needed key information to unlock any BitLocker-protected volumes. Success depends on the availability of configured key protectors, such as the TPM or a user-supplied PIN, and the existence of volume metadata stored within the encrypted drive.

If Windows cannot unlock the Windows operating system volume, BitLocker enters recovery mode. If the user can supply a recovery password or insert a USB flash drive with a recovery key, BitLocker will unlock the volume.

After the Windows operating system volume has been successfully unlocked, BitLocker uses encrypted information stored in the volume metadata and Windows registry to unlock any data volumes configured for automatic unlocking.

Event Details

Product: Windows Operating System
ID: 24605
Source: Microsoft-Windows-BitLocker-Driver
Version: 6.1
Symbolic Name: FVE_KEYRING_PIN_INVALID
Message: No volume master key was retrieved from a PIN during restart.

Resolve

Use the correct PIN

BitLocker entered recovery, and a user has successfully completed the recovery process by using a recovery key (stored on a USB flash drive) or a recovery password (entered manually at the recovery screen). In order to unlock the Windows operating system volume that is protected by the TPM and a PIN, the correct PIN must be entered during startup.

Note: This condition may indicate simply that a user typed the incorrect PIN. If the user subsequently provided the correct PIN, no further actions are required. However, if the recovery process is required at every startup, continue with the following procedures.

If the user can recall or locate a copy of the correct PIN, resume using it.

If not, use the Manage BitLocker Keys wizard to create a new TPM PIN.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Use the Manage BitLocker Keys wizard to create a new PIN

To use the Manage BitLocker Keys wizard to create a new PIN:

  1. Click Start, and then click Control Panel.
  2. Click Security.
  3. Click BitLocker Drive Encryption.
  4. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  5. Click Manage BitLocker Keys for the encrypted volume.
  6. Follow the prompts presented by the BitLocker wizard to create the desired keys or passwords.

Verify

To verify that BitLocker has started successfully:

  1. If the computer is not running, start the computer.
  2. If BitLocker has been configured to use a USB flash drive, insert the USB flash drive. If BitLocker has been configured to use a PIN, enter your PIN when prompted.
  3. Verify that Windows Welcome Screen, Logon Screen or Desktop appears. This indicates that BitLocker has correctly unlocked the Windows operating system volume.
  4. Log on to Windows and access any data volumes that are encrypted with BitLocker.

Note: Data volumes can be configured to be automatically unlocked or to require manual unlocking.

BitLocker Startup

Core Security