Deploying Windows 7 with BitLocker using MDT 2010

by Mitch Tulloch [Published on 19 April 2012 / Last Updated on 19 April 2012]

A tip concerning deploying Windows 7 using MDT 2010 and enabling BitLocker with TPM+PIN on target computers.

You want to use MDT 2010 to deploy Windows 7 to target computers so that Windows BitLocker Drive Encryption is enabled on these computers with both a Trusted Platform Module (TPM) and a personal identification number (PIN) as key protectors. Unfortunately, enabling the PIN during deployment means the computer cannot reboot unattended, so the deployment fails to complete. What should you do?

Use MDT 2010 to deploy Windows 7 with BitLocker enabled but with only the Trusted Platform Module (TPM) as a key protector. Then, after deployment, users can run the Manage-BDE.exe command-line tool to add a PIN as a second protector. Note, however, that doing this requires administrator-level privileges. For the syntax of Manage-BDE.exe, see
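The post-deployment step above, written out as an added example (this is not code from the original tip): it checks that the prompt is elevated and that a TPM protector already exists, then switches the OS drive to TPM+PIN with Manage-BDE. It assumes Windows 7, BitLocker already enabled on the OS drive by the task sequence, and Group Policy left at its default, which permits a TPM+PIN protector.

```powershell
# Added example: add a PIN to an OS drive that MDT 2010 protected with TPM only.
# Assumptions: Windows 7, BitLocker already on for $OsDrive, elevated PowerShell,
# default BitLocker Group Policy (TPM+PIN allowed).
param([string]$OsDrive = 'C:')

# manage-bde needs administrator rights; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "manage-bde requires an elevated (administrator) prompt."
}

# Show the current encryption state and confirm the deployment left a TPM protector.
manage-bde -status $OsDrive
$protectors = manage-bde -protectors -get $OsDrive
if ($LASTEXITCODE -ne 0 -or ($protectors -notmatch 'TPM')) {
    throw "No TPM protector found on $OsDrive; BitLocker was not enabled with TPM."
}

# Add the TPM+PIN protector. manage-bde prompts for the PIN interactively
# (numeric, 4 to 20 digits unless enhanced PINs are enabled by policy). Only one
# TPM-based protector can exist per volume, so this replaces the TPM-only one.
manage-bde -protectors -add $OsDrive -TPMAndPIN
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde failed with exit code $LASTEXITCODE"
}

# Verify: the protector list should now show a "TPM And PIN" entry.
manage-bde -protectors -get $OsDrive
```

Keep the numerical password (recovery key) that MDT stored during deployment; it is unaffected by this change and is the fallback if the PIN is forgotten.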

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.


The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see .
