I am trying to write a powershell script that will run after the deployment of the system image as ADMIN (SYSTEM/MACHINE afaik).

Enable-Bitlocker -MountPoint "C" -EncryptionMethod "Aes256" -UsedSpaceOnly -TpmAndPinProtector
This works but there's 2 issues with this:

1) It doesn't use full disk encryption
2) I need to manually set up the local GPO 'Bitlocker Pre-Boot Authorization PIN' and set it to 'DEMAND'

My objective: Rewrite the code in that it will use full disk encryption and set up the local GPO Bitlocker Pre-Boot Authorization PIN (DEMAND) via the CODE, not manually

Can some kind folks help me out?