====== Bitlocker: Enable PIN on boot ======

If you want your system to require a PIN in order to unlock a Bitlocker-encrypted drive at boot time, you need to change one small GPO setting (assuming that you already have Bitlocker set up):

Start the Group Policy editor by pressing Windows+R and entering the command ‘gpedit.msc’.

[{{ :windows:client_os:tpm1.png |Start the Local Group Policy Editor}}]

Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption -> Operating System Drives.

[{{ :windows:client_os:tpm2.png |Navigate to ‘Operating System Drives’}}]

Select the ‘Require additional authentication at startup’ option and set it to ‘Enabled’. Then set ‘Configure TPM startup PIN’ to ‘Require startup PIN with TPM’.

[{{ :windows:client_os:tpm3.png |Set ‘Configure TPM startup pin’ to ‘Require startup PIN with TPM’}}]

Now open CMD in elevated mode and enter the following command to set the PIN:

<code>
manage-bde -protectors -add c: -TPMAndPIN
</code>

This will prompt you for a PIN, which you will then enter at boot time.
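
To confirm that the steps above took effect, the following PowerShell check reads the policy values and the key protectors on the OS drive. It is an added example, not part of the original page. It assumes an elevated prompt, the built-in ''Get-BitLockerVolume'' cmdlet, and that the policy is stored under ''HKLM\SOFTWARE\Policies\Microsoft\FVE''; ''$MountPoint'' and ''$findings'' are names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: verify that the OS drive really requires TPM+PIN at boot.
# $MountPoint defaults to C:, the drive used in the manage-bde command on this page.
param([string]$MountPoint = 'C:')

$findings = @()

# 1. Policy: registry values behind 'Require additional authentication at startup'.
#    Assumption: UseAdvancedStartup=1 means Enabled, UseTPMPIN=1 means 'Require startup PIN with TPM'.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1) {
    $findings += "Policy 'Require additional authentication at startup' is not enabled"
} elseif ($fve.UseTPMPIN -ne 1) {
    $findings += "Policy 'Configure TPM startup PIN' is not set to 'Require startup PIN with TPM'"
}

# 2. Volume: collect the protector types actually present on the drive.
$vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

if ($vol.ProtectionStatus.ToString() -ne 'On') {
    # Suspended or disabled protection means the protectors are not enforced.
    $findings += "Protection status is $($vol.ProtectionStatus), expected On"
}
if ($types -notcontains 'TpmPin') {
    # The manage-bde -TPMAndPIN step has not been applied to this volume.
    $findings += 'No TpmPin key protector found'
}
if ($types -contains 'Tpm') {
    # A TPM-only protector unlocks the drive at boot without asking for a PIN.
    $findings += 'A TPM-only key protector is still present'
}
if ($types -notcontains 'RecoveryPassword') {
    # Without it there is no recovery password to fall back on if the PIN is forgotten.
    $findings += 'No RecoveryPassword key protector found'
}

# 3. Report: one object that can be printed or collected from several machines.
[pscustomobject]@{
    MountPoint = $MountPoint
    Protectors = $types -join ', '
    Compliant  = ($findings.Count -eq 0)
    Findings   = $findings
}
```

An empty ''Findings'' list with ''Compliant'' set to ''True'' means the policy and the key protectors agree with the configuration described above.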