If you have machine which is not connected to domain, but has TPM chip you might want to encrypt disks with BitLocker and enable PIN protection at boot-up.

In order to do that you have to make sure TPM is activated and enabled for provisioning in BIOS. Next step will be to allow PIN use, as by default that option is not active especially on machines not connected to Active Directory domain.

So, to enable ability to set PIN follow the steps:

Press Windows Key + R, type mmc and press Enter, as shown on screenshot below


Once MMC is started go to File / Add/Remove Snap-in…, find Group Policy Object Editor on the list of snap-ins, click Add and then confirm that you want to edit Group Policy on Local Computer by clicking Finish. All as shown on screenshot below.

Once snap-in is added to list click OK in order to load snap-in with chosen parameters (see screenshot below).

Once snap-in is loaded, locate in left-pane BitLocker entry for modification:

Console Root\Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Double-click on Require additional authentication at startup setting in right-pane.

Once you have configuration dialog for that setting, Enable. Other parameters will be set correctly, but you can review them and adjust to your requirements. Once setting is enabled and all parameters set to requirements click OK.

Now, from Command Prompt with Administrative privileges run following commands:

manage-bde -protectors -add c: -TPMAndPIN

BitLocker will request PIN to be entered twice and after that PIN will be set on hard disk. From now on every time you boot machine BitLocker will request PIN.