Comment by ndiddy
6 hours ago
Note that Microsoft did take the “Linux can decrypt drives in TPM-only” scenario into account. If any UEFI settings are changed related to stuff like boot order, the computer is supposed to see that the settings have changed and require the recovery password to unlock the volume. Knowing the quality of vendor firmware implementation, I’m not sure how well this works in practice.
Agreed that the default BitLocker config is much less secure than having a PIN at boot time due to the amount of code that gets run.
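The mechanism the comment describes, as an added toy model (not Microsoft's or any TPM vendor's code, and not the real BitLocker PCR profile): each boot stage is measured into a PCR by hashing, the volume key is sealed to the PCR value of the expected boot path, and a changed measurement (here, a constructed "boot order" event) leaves the TPM unable to release the key, which is the point at which Windows falls back to asking for the recovery password. The events, the TPM seed and the HMAC-based seal are all simplifications assumed for illustration; a real TPM uses several PCRs and a policy session.

```python
"""Toy model of TPM-sealed volume unlock (added illustration, not Microsoft's code).

A TPM extends each measured boot event into a Platform Configuration Register:
    pcr_new = SHA256(pcr_old || SHA256(event))
The volume key is sealed to the PCR value produced by the expected boot sequence.
If any measured component changes (firmware settings, boot order, boot loader),
the PCR differs, the seal does not open, and the OS must ask for recovery media
or the recovery password instead. Real BitLocker binds to several PCRs through
a TPM policy; this model collapses that to one register and an HMAC key wrap.
"""
import hashlib
import hmac

PCR_SIZE = 32


def extend(pcr: bytes, event: bytes) -> bytes:
    """Model of TPM2_PCR_Extend: new = H(old || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(events) -> bytes:
    """Replay a boot sequence into a PCR that starts at all zeros."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = extend(pcr, event)
    return pcr


def seal(volume_key: bytes, expected_pcr: bytes, tpm_seed: bytes):
    """Wrap the key under a secret derived from the TPM seed and the expected PCR."""
    wrap = hmac.new(tpm_seed, expected_pcr, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(volume_key, wrap))
    tag = hmac.new(tpm_seed, expected_pcr + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(sealed, current_pcr: bytes, tpm_seed: bytes):
    """Release the key only if the current PCR matches the one it was sealed to."""
    ciphertext, tag = sealed
    check = hmac.new(tpm_seed, current_pcr + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, check):
        return None  # policy mismatch: the TPM withholds the key
    wrap = hmac.new(tpm_seed, current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, wrap))


# Constructed boot sequences; only the boot order differs between them.
EXPECTED_BOOT = [b"firmware:v1.0", b"bootorder:[ssd0,usb]", b"bootmgr:windows"]
TAMPERED_BOOT = [b"firmware:v1.0", b"bootorder:[usb,ssd0]", b"bootmgr:windows"]


def unlock_attempt(boot_events, sealed, tpm_seed: bytes) -> str:
    """What the OS sees at boot: an automatic unlock, or a recovery prompt."""
    key = unseal(sealed, measure_boot(boot_events), tpm_seed)
    return "tpm-unlock" if key is not None else "recovery-password-required"


def demo():
    tpm_seed = b"\x01" * 32          # constructed stand-in for a TPM's internal seed
    volume_key = bytes(range(32))    # constructed stand-in for the volume master key
    sealed = seal(volume_key, measure_boot(EXPECTED_BOOT), tpm_seed)
    return (
        unlock_attempt(EXPECTED_BOOT, sealed, tpm_seed),
        unlock_attempt(TAMPERED_BOOT, sealed, tpm_seed),
    )


if __name__ == "__main__":
    print(demo())
```

Whether a given firmware setting actually lands in a PCR that the volume is sealed against is exactly the vendor-dependent part the comment is unsure about; this model assumes the boot order is measured.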