Deploying Windows 7 with BitLocker using MDT 2010

by Mitch Tulloch [Published on 19 April 2012 / Last Updated on 19 April 2012]

A tip concerning deploying Windows 7 using MDT 2010 and enabling BitLocker with TPM+PIN on target computers.

You want to use MDT 2010 to deploy Windows 7 to target computers so that Windows BitLocker Encryption is enabled on these computers with both Trusted Platform Module (TPM) and personal identification number (PIN) as protectors.  Unfortunately, enabling PIN during deployment blocks reboots and the deployment fails to complete.  What should you do?

Use MDT 2010 to deploy Windows 7 with BitLocker enabled but only Trusted Platform Module (TPM) as a protector.  Then after deployment the users can run the Manage-BDE.exe command-line tool to add PIN as a second protector.  Note however that doing this requires admin-level privileges.  For the syntax of Manage-BDE.exe, see

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.


See Also

The Author — Mitch Tulloch

Mitch Tulloch is a well-known expert on Windows Server administration and cloud computing technologies. He has published over a thousand articles on information technology topics and has written, contributed to or been series editor for over 50 books.

Featured Links