Deploying Windows 7 with BitLocker using MDT 2010

by Mitch Tulloch [Published on 19 April 2012 / Last Updated on 19 April 2012]

A tip concerning deploying Windows 7 using MDT 2010 and enabling BitLocker with TPM+PIN on target computers.

You want to use MDT 2010 to deploy Windows 7 to target computers so that Windows BitLocker Encryption is enabled on these computers with both Trusted Platform Module (TPM) and personal identification number (PIN) as protectors.  Unfortunately, enabling PIN during deployment blocks reboots and the deployment fails to complete.  What should you do?

Use MDT 2010 to deploy Windows 7 with BitLocker enabled but only Trusted Platform Module (TPM) as a protector.  Then after deployment the users can run the Manage-BDE.exe command-line tool to add PIN as a second protector.  Note however that doing this requires admin-level privileges.  For the syntax of Manage-BDE.exe, see

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.


Featured Links