How to enable BitLocker to prompt for PIN during startup

You can do this after BitLocker has already encrypted the entire drive. First you have to enable the local policy that requires a PIN at startup; in an enterprise you can also set the same policy centrally through Group Policy (GPO). To do this locally:

  • Click Start > Run.
  • Type “gpedit.msc” and press Enter.
  • Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  • On the right pane, double-click Require additional authentication at startup.
  • Choose Enabled.
  • Uncheck Allow BitLocker without a compatible TPM.
  • Under Configure TPM startup PIN:, choose Require startup PIN with TPM.

After that is done, you need to type a few commands to add the PIN protector to the drive. Here’s how.

  1. Start a command prompt (make sure you run it as an administrator).
  2. Type: “manage-bde -protectors -add c: -TPMAndPIN” and enter the PIN you want to use at startup.
  3. Then type: “manage-bde -status” to check that the TPMAndPIN protector has been added.
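The same procedure as a single PowerShell script, added here as an example and not part of the original post. It checks that the policy from the gpedit.msc steps is actually in effect, adds the TPM+PIN protector only if one is missing, and then lists the protectors so you can confirm the result. It assumes the operating system drive is C:, that the policy values live under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, EnableBDEWithNoTPM, UseTPMPIN, which is where the “Require additional authentication at startup” setting writes them), and that the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector) is available; the function names are mine.

```powershell
# Added example (not from the original post): verify the startup-PIN policy,
# add the TPM+PIN protector, and confirm it is present.
# Run from an elevated PowerShell session.
# Assumptions: the OS drive is C:, and the registry values below are the ones
# written by "Require additional authentication at startup".

$OsDrive   = 'C:'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-StartupPinPolicy {
    # Returns $true when local or Group Policy requires a startup PIN with TPM.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $p = Get-ItemProperty -Path $PolicyKey
    # UseAdvancedStartup = 1 -> the policy is Enabled
    # EnableBDEWithNoTPM = 0 -> "Allow BitLocker without a compatible TPM" unchecked
    # UseTPMPIN          = 1 -> "Require startup PIN with TPM"
    return ($p.UseAdvancedStartup -eq 1 -and
            $p.EnableBDEWithNoTPM -eq 0 -and
            $p.UseTPMPIN -eq 1)
}

function Get-TpmPinProtector {
    # Returns the TPM+PIN key protector(s) on the OS drive, or nothing if absent.
    (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'TpmPin' }
}

if (-not (Test-StartupPinPolicy)) {
    Write-Warning "Startup PIN policy is not set to 'Require'; fix it in gpedit.msc (or via GPO) first."
    return
}

# A forgotten PIN can only be bypassed with the recovery password, so make sure
# one exists and is backed up before adding the PIN.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
    Write-Warning "No recovery password protector found on $OsDrive; add and back one up first."
}

if (Get-TpmPinProtector) {
    "TPM+PIN protector already present on $OsDrive."
} else {
    # Equivalent to: manage-bde -protectors -add C: -TPMAndPIN
    $pin = Read-Host -AsSecureString -Prompt "Enter the startup PIN"
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null
}

# Same information as "manage-bde -status", filtered to the protector we care about.
Get-TpmPinProtector | Format-Table KeyProtectorId, KeyProtectorType
```

If the first check fails, the script stops before touching the drive, which matches the order of the steps above: the policy must be in place before the protector is added, otherwise the PIN is not enforced at boot.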

If you’ve done all of this and still realise you’re not prompted for a PIN during startup, you might want to try this.

