Again, that is a lot of trust since it could trivially just… not show it. Which is already the default for most FDE systems for intermediate/system managed keys.
It could also just pretend to encrypt your drive with a null key and not do anything, either.
You need some implicit trust in a system to use it. And at worst, you can probably reverse engineer the (unencrypted) BitLocker metadata that preboot authentication reads.
Using the same CLI, which shows all the alternative "protectors".