Hello Marshall
I do it in a different way, using purely Group Policy.
1. Go to Group Policy Editor in "gpedit.msc".
2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. In the right pane, double-click "Require additional authentication at startup".
4. Make sure the "Enabled" option is chosen so that all other options below will be active.
5. Uncheck the box for "Allow BitLocker without a compatible TPM."
6. For the choice of "Configure TPM startup:", choose "Allow TPM."
7. For the choice of "Configure TPM startup PIN:", choose "Require startup PIN with TPM."
8. For the choice of "Configure TPM startup key:", choose "Allow startup key with TPM."
9. For the choice of "Configure TPM startup key and PIN:", choose "Allow startup key and PIN with TPM."
10. Click the "Apply" button and then the "OK" button to save the changes.
Hope this helps in your case,
Best regards,
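
A way to confirm the settings from the steps above took effect, as an added example that is not part of the original post: it reads the values this policy writes under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` and then checks the OS volume for a TPM+PIN protector. The function name `Test-StartupAuthPolicy` and the fallback sample values are constructed for illustration.

```powershell
# Added example: verify the "Require additional authentication at startup" policy landed.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected state, taken from steps 4-9 of the post.
# Encoding used by this policy: 0 = do not allow, 1 = require, 2 = allow.
$Expected = [ordered]@{
    UseAdvancedStartup = 1   # step 4: policy set to Enabled
    EnableBDEWithNoTPM = 0   # step 5: "Allow BitLocker without a compatible TPM" unchecked
    UseTPM             = 2   # step 6: Allow TPM
    UseTPMPIN          = 1   # step 7: Require startup PIN with TPM
    UseTPMKey          = 2   # step 8: Allow startup key with TPM
    UseTPMKeyPIN       = 2   # step 9: Allow startup key and PIN with TPM
}

function Test-StartupAuthPolicy {
    # $Policy: hashtable or object exposing the value names listed in $Expected
    param([Parameter(Mandatory)] $Policy)
    foreach ($name in $Expected.Keys) {
        $actual = $Policy.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Match    = ($actual -eq $Expected[$name])
        }
    }
}

# Live check (run elevated, after "gpupdate /force"). If the key is absent, fall back
# to a constructed sample so the mismatch and missing-value paths are still visible.
$live = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
if (-not $live) {
    Write-Warning 'No FVE policy key found; using constructed sample values.'
    $live = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1; UseTPM = 2; UseTPMPIN = 2 }
}
Test-StartupAuthPolicy -Policy $live | Format-Table -AutoSize

# The policy only governs what may be configured; confirm the OS volume
# actually carries a TPM+PIN key protector.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasTpmPin = $vol.KeyProtector.KeyProtectorType -contains 'TpmPin'
    '{0}: ProtectionStatus={1}, TPM+PIN protector present={2}' -f `
        $vol.MountPoint, $vol.ProtectionStatus, $hasTpmPin
}
```

A row with `Match = False` means the policy on the machine differs from the steps above; a missing TPM+PIN protector means the policy is in place but the drive has not yet been configured with a PIN.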