@J L
Hi,
Does the BIOS have Legacy options enabled? That may need to be disabled and changed over to UEFI to allow secure boot of the OS.
https://learn.microsoft.com/en-US/troubleshoot/windows-client/windows-security/tpm-is-ready-for-use-with-reduced-functionality
Also, run gpedit
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Require additional authentication at startup
Enable it, then open up a command prompt and run gpupdate /force
Hope the above information can help you.
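A read-only way to confirm the settings the answer above asks about, as an added example that is not part of the original answer. It assumes an elevated PowerShell prompt on the affected machine; `Test-BitLockerPrereqs` is a hypothetical helper name, and the policy is read from the `UseAdvancedStartup` value under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`, where the "Require additional authentication at startup" setting is stored.

```powershell
# Added example: read-only checks, nothing is changed on the system.
# Run from an elevated PowerShell prompt (Get-Tpm and Confirm-SecureBootUEFI need admin).

function Test-BitLockerPrereqs {   # hypothetical helper name
    $result = [ordered]@{}

    # Firmware mode as Windows booted: 'Uefi' or 'Bios' (Legacy/CSM boot reports 'Bios').
    $result.FirmwareType = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Secure Boot state. The cmdlet throws on Legacy BIOS boots, so record that instead of failing.
    try   { $result.SecureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $result.SecureBoot = 'NotSupported' }

    # TPM state as the OS sees it.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # Group Policy "Require additional authentication at startup": 1 = enabled.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $result.RequireAdditionalAuth = ($null -ne $fve -and $fve.UseAdvancedStartup -eq 1)

    [pscustomobject]$result
}

$state = Test-BitLockerPrereqs
$state | Format-List

# Point at the step from the answer that still needs attention.
if ($state.FirmwareType -ne 'Uefi') {
    Write-Warning 'Firmware is booting in Legacy mode; switch to UEFI before enabling Secure Boot.'
}
if ($state.SecureBoot -ne 'True') {
    Write-Warning 'Secure Boot is off or not supported in the current boot mode.'
}
if (-not $state.TpmReady) {
    Write-Warning 'TPM is missing or not ready for use.'
}
if (-not $state.RequireAdditionalAuth) {
    Write-Warning 'Policy not applied yet; enable it in gpedit and run gpupdate /force.'
}
```

Run it again after `gpupdate /force` to confirm the policy value has been written.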