You can do this after BitLocker has encrypted the entire drive. First, enable the local policy that requires a PIN during startup. You can also set this centrally, enterprise-wide, through Group Policy (GPO). To do this:
- Click Start > Run.
- Type “gpedit.msc”
- Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- On the right pane, double-click on Require additional authentication at startup.
- Choose Enabled
- Uncheck Allow BitLocker without a compatible TPM
- Under Configure TPM startup PIN:, choose Require startup PIN with TPM
After all that is done, you need to type a few commands to get it going. Here’s how:
- Start your command prompt (make sure you run it as an administrator).
- Type “manage-bde -protectors -add c: -TPMAndPIN”.
- Then type “manage-bde -status” to check whether the TPMAndPIN protector has been added.
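The same procedure scripted with the BitLocker PowerShell cmdlets, with the policy and TPM checked first. This is an added example, not part of the original post. It assumes C: is the operating system drive and that the Group Policy setting above is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm the policy, then add and verify a TPM+PIN protector.
$mount = 'C:'   # assumption: C: is the OS drive, as in the steps above

# 1. Policy written by "Require additional authentication at startup".
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1) {
    throw 'Policy "Require additional authentication at startup" is not enabled.'
}
if ($fve.EnableBDEWithNoTPM -eq 1) {
    Write-Warning '"Allow BitLocker without a compatible TPM" is still checked.'
}
if ($fve.UseTPMPIN -ne 1) {
    Write-Warning 'Startup PIN is not set to "Require startup PIN with TPM".'
}

# 2. A TPM+PIN protector needs a present, ready TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM is missing or not ready.' }

# 3. The drive should be fully encrypted before the protector is changed.
$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "Volume $mount is $($vol.VolumeStatus); wait until encryption has finished."
}

# 4. Keep a recovery path: warn if no recovery password protector exists.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Write-Warning 'No recovery password protector found; a forgotten PIN would lock the drive.'
}

# 5. Add the TPM+PIN protector unless one is already present.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    $pin = Read-Host -Prompt 'New startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $mount -TpmAndPinProtector -Pin $pin | Out-Null
}

# 6. Verify, the equivalent of reading the protector list in "manage-bde -status".
$vol = Get-BitLockerVolume -MountPoint $mount
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    throw 'TPM+PIN protector was not added.'
}
```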
If you have done this and are still not prompted for a PIN during startup, you might want to try this: http://weikingteh.wordpress.com/2011/03/17/how-to-get-bitlocker-to-prompt-for-pin-during-startup/