Hi @tj_zero
You can try the following steps:
- Open the Group Policy Editor (gpedit.msc).
- Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- Find the "Require PIN or password to activate" option and set it to "Enabled".
- Find the option that says "Allow users to save BitLocker recovery passwords and key packs on unencrypted OS drives" and set it to "Disabled".
- Find the "Allow users to disable BitLocker Drive Encryption" option and set it to "Disabled".
- Find the option to "Allow users to save BitLocker recovery passwords and key packs on unencrypted non-OS drives" and set it to "Disabled".
- Find the "Require additional authentication to boot on the operating system drive" option and set it to "Enabled".
- Find the "Configure Options that require additional authentication to boot on the OS drive" option and set it to "Use TPM".
- Find the "Configure TPM Required PIN Length" option and set it to the desired PIN length.
- Find the "Configure TPM Requirement PIN Complexity" option and set it to "Enabled".
- Find the "Configure TPM Requirement PIN Complexity" option and set it to the desired PIN Complexity requirement.
- Save and close.
Once set up, BitLocker will ask users to enter their PIN or password for verification every time they log in, without having to reboot their computer system.
Hope it helps.
Kind regards,
Lei
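As an added example (not part of Lei's reply or of any Microsoft documentation), the PowerShell audit below reads the BitLocker policy values that the Group Policy steps above write under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` and compares them with the key protectors actually present on the OS volume. It assumes an elevated session on a domain-joined or local machine where the policy has been applied, and that the `BitLocker` module (`Get-BitLockerVolume`) is available; the value names `UseAdvancedStartup`, `UseTPMPIN`, `MinimumPIN` and `UseEnhancedPin` are the ones Windows uses for the "Require additional authentication to boot" policy and its PIN settings.

```powershell
# Added audit script (not from the original post): compare the configured
# BitLocker startup-authentication policy with the protectors on the OS volume.
# Run from an elevated PowerShell prompt.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # assumed: policy key written by gpedit/GPO

function Get-BitLockerStartupPolicy {
    # Returns the policy as a simple object; Configured = $false if no policy is set.
    if (-not (Test-Path $policyPath)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $p = Get-ItemProperty -Path $policyPath
    [pscustomobject]@{
        Configured         = $true
        AdditionalAuthOn   = ($p.UseAdvancedStartup -eq 1)   # "Require additional authentication to boot" enabled
        StartupPinSetting  = $p.UseTPMPIN                    # 0 = do not allow, 1 = require, 2 = allow
        MinimumPinLength   = $p.MinimumPIN                   # "Configure minimum PIN length"
        EnhancedPinAllowed = ($p.UseEnhancedPin -eq 1)       # letters/symbols permitted in the PIN
    }
}

function Test-OsVolumeUsesTpmPin {
    # Looks at the protectors on the system drive and reports whether a TPM+PIN protector exists.
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    [pscustomobject]@{
        MountPoint        = $os.MountPoint
        ProtectionStatus  = $os.ProtectionStatus             # On / Off
        Protectors        = ($types -join ', ')
        TpmPinInUse       = ($types -contains 'TpmPin')
        RecoveryPwdExists = ($types -contains 'RecoveryPassword')
    }
}

$policy = Get-BitLockerStartupPolicy
$volume = Test-OsVolumeUsesTpmPin
$policy | Format-List
$volume | Format-List

# The policy only governs how new protectors are created; an already-encrypted
# volume keeps its existing protectors, so flag the mismatch explicitly.
if ($policy.Configured -and $policy.StartupPinSetting -eq 1 -and -not $volume.TpmPinInUse) {
    Write-Warning 'Policy requires a startup PIN, but the OS volume has no TpmPin protector. Add one with Add-BitLockerKeyProtector -TpmAndPinProtector.'
}
if (-not $volume.RecoveryPwdExists) {
    Write-Warning 'No RecoveryPassword protector found; a lost PIN or TPM change would make the volume unrecoverable.'
}
```

The two warnings are the checks a practitioner most often needs after changing this policy: the Group Policy setting does not retroactively convert a TPM-only volume to TPM+PIN, and tightening pre-boot authentication without a backed-up recovery password turns an ordinary firmware update or TPM clear into a data-loss event.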