How to Enable BitLocker to prompt for PIN during startup


You can do this after BitLocker has already encrypted the entire drive. First, enable the local policy that requires a PIN during startup; in an enterprise you could also push the same setting centrally through Group Policy (GPO). To do this:

  • Click Start > Run.
  • Type “gpedit.msc” and press Enter.
  • Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  • On the right pane, double-click Require additional authentication at startup.
  • Choose Enabled.
  • Uncheck Allow BitLocker without a compatible TPM.
  • Under Configure TPM startup PIN:, choose Require startup PIN with TPM.

After all that is done, you need to type a few commands to get it going. Here’s how.

  1. Start your command prompt (make sure you run it as an administrator).
  2. Type “manage-bde -protectors -add c: -TPMAndPIN”.
  3. Then type “manage-bde -status” to check whether the TPMAndPIN protector has been added.
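The same procedure in PowerShell, as an added example that is not part of the original post: it checks that the policy from the gpedit.msc steps is actually in place, that the TPM is ready, that a recovery password exists before startup authentication is changed, and then adds and verifies the TPM+PIN protector. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 and later) and assumes the registry mapping of the policy values shown in the comments; `manage-bde` from the steps above remains the equivalent command-line route.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Assumes the BitLocker and TrustedPlatformModule modules are available.
#Requires -RunAsAdministrator

$Mount = 'C:'

# 1. The "Require additional authentication at startup" policy is written under
#    HKLM\SOFTWARE\Policies\Microsoft\FVE. The value meanings used here are this
#    example's assumption: UseAdvancedStartup = 1 (policy Enabled),
#    EnableBDEWithNoTPM = 0 (the "without a compatible TPM" box unchecked),
#    UseTPMPIN = 1 ("Require startup PIN with TPM").
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1 -or $fve.UseTPMPIN -ne 1) {
    throw "Startup PIN policy is not applied. Set it in gpedit.msc (or via GPO) and run 'gpupdate /force' first."
}

# 2. A present and ready TPM is required for a TPM+PIN protector.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM not usable (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady))."
}

# 3. Make sure a recovery password exists before changing startup authentication,
#    so a forgotten PIN does not lock the drive permanently.
$vol = Get-BitLockerVolume -MountPoint $Mount
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
    Write-Host "Added a recovery password; record it or back it up to AD before continuing."
}

# 4. Add the TPM+PIN protector. Equivalent to: manage-bde -protectors -add c: -TPMAndPIN
$pin = Read-Host -Prompt 'Enter the new startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $Mount -TpmAndPinProtector -Pin $pin | Out-Null

# 5. Verify the result. Equivalent to: manage-bde -status
$vol   = Get-BitLockerVolume -MountPoint $Mount
$types = @($vol.KeyProtector.KeyProtectorType)
Write-Host ("Protection status : {0}" -f $vol.ProtectionStatus)
Write-Host ("Key protectors    : {0}" -f ($types -join ', '))
if ($types -notcontains 'TpmPin') {
    throw "TpmPin protector was not added; check the policy and TPM state."
}
if ($types -contains 'Tpm') {
    # A TPM-only protector should not remain alongside TpmPin; if it does, the
    # drive can still unlock without the PIN, so remove it by its KeyProtectorId.
    Write-Warning ("TPM-only protector still present; remove it with " +
        "Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId <id>")
}
```

The script deliberately refuses to proceed when the policy values are missing, because without them `Add-BitLockerKeyProtector -TpmAndPinProtector` fails with a policy error; checking for the `TpmPin` protector type afterwards is the same confirmation the `manage-bde -status` step gives.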

After you’ve done this, if you find you’re still not prompted for a PIN during startup, you might want to try this.



Free MS Press Books


I found a list with free ebooks from Microsoft Press, that you may find useful too. Many of them are quite technical, so they won’t be for everybody. I bet there are some people around you that would appreciate this list:

Personally, I haven’t read them all – but I have read the Understanding Microsoft Virtualization Solutions book – mainly to make sure that I can keep up with some of my more technical colleagues and customers, and to understand what the true potential can be in different scenarios.