TPM+PIN is the best practice. There are successful attacks on the TPM, as well as attacks on the memory of a booted system that contains decryption key material. A PIN will prevent both.
On Windows 11/10 with TPM 2.0, the minimum BitLocker PIN length was increased to 6 characters. Also, the TPM 2.0 lockout period is greater than the default when a PIN is changed.
If you want to prevent standard users from changing your BitLocker drive encryption password/PIN, you can deploy the relevant Enable/Disable GPO setting for this.
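The points above can be checked on a machine with a short audit. This is an added example, not code from the original page; it assumes an elevated PowerShell session and reads the `UseTPMPIN`, `MinimumPIN` and `DisallowStandardUserPINReset` values that the BitLocker Group Policy settings write under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`. The baseline of 6 is the figure given in the text.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the OS volume for the TPM+PIN posture described above.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'  # BitLocker Group Policy values
$minPin = 6                                         # baseline taken from the text above

function Get-FvePolicy([string]$Name) {
    # Returns $null when the policy value is not configured.
    (Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue).$Name
}

$vol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$findings = [System.Collections.Generic.List[string]]::new()

if ("$($vol.ProtectionStatus)" -ne 'On') {
    $findings.Add("Protection is $($vol.ProtectionStatus) on $($vol.MountPoint)")
}
# A TPM-only protector releases the key at boot with no user input.
if ($types -contains 'Tpm') {
    $findings.Add('TPM-only protector present: volume unlocks without a PIN')
}
if (-not ($types -match '^TpmPin')) {
    $findings.Add('No TpmPin / TpmPinStartupKey protector on the OS volume')
}

# UseTPMPIN: 1 = require, 2 = allow, 0 = do not allow.
if ((Get-FvePolicy 'UseTPMPIN') -ne 1) {
    $findings.Add('Policy does not require a startup PIN with the TPM (UseTPMPIN != 1)')
}
$configuredMin = Get-FvePolicy 'MinimumPIN'
if ($null -ne $configuredMin -and $configuredMin -lt $minPin) {
    $findings.Add("MinimumPIN policy is $configuredMin, below $minPin")
}
# 1 = standard users may not change the PIN or password.
if ((Get-FvePolicy 'DisallowStandardUserPINReset') -ne 1) {
    $findings.Add('Standard users are allowed to change the PIN/password')
}

if ($findings.Count -eq 0) {
    'OK: TPM+PIN enforced on the OS volume'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```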
BitLocker enables whole-disk encryption to provide efficient, easy-to-implement data protection that systems admins can manage.