Could you clarify the flow you're thinking of? It's not clear what "pre-boot" PIN here means.
Pre-boot PIN: a PIN you need to provide before Windows can actually start. As this is user-defined, solutions like this one here are used quite often: https://oliverkieselbach.com/2019/08/02/how-to-enable-pre-boot-bitlocker-startup-pin-on-windows-with-intune/
- Jason_Sandys (Microsoft), Jul 28, 2025
Do you mean providing a path for the interactive user to configure a new pre-boot authenticator (PBA aka BitLocker PIN) during the Autopilot process?
Or, do you mean having BitLocker enabled and protecting the system volume during Autopilot so that the user has to enter the PBA during Autopilot to unlock the volume?
- Dirk-Official (Brass Contributor), Jul 28, 2025
The first one.
Given the negative impact on usability introduced by pre-boot authentication, the complexity it adds in endpoint management (e.g. ensuring that the BitLocker PIN is set after the first login) quite often leads to "no PBA at all".
- Jason_Sandys (Microsoft), Jul 30, 2025
OK, that makes sense. Whether an org should or shouldn't use a PBA is an often-debated topic. The current state of not having a built-in path to set the PIN initially using Intune muddles the discussion and adds additional complexity. Windows and Intune are generally aware of the ask from customers in this area, but for a variety of reasons no direct path or solution has been prioritized.
There are three main talking points on this (all of which are more or less debatable and subjective):
- Don't use a PBA. Microsoft makes no specific recommendation on its use and leaves this decision up to customers based on their individual risk profile and assessment. In general, most (if not all) known attack vectors for BitLocker that expose the secret from a TPM are eliminated by recent hardware or not feasible for the "average" attacker.
- Use a community-based script that runs elevated to enable the end user to set the PIN the first time. Also, configure the Windows policy setting to allow standard users to change it thereafter. Alternatively, use a simple script to set the PIN to something known on devices during provisioning and instruct the user to change it afterwards (assuming you configure the policy to allow standard users to do this). Or some combination/variation of these.
- Use Personal Data Encryption (PDE) to add an additional layer of protection for data at rest in the form of file level encryption protected by Windows Hello for Business.
Some combination/variation of all of the above is possible as well.
Ultimately, we're open to additional feedback on this that will help us better prioritize any associated work. This feedback is generally most effective when it characterizes exactly what impact not having this functionality has on your business and the costs associated with not having it.
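The second option in the reply above (an elevated script that sets the TPM+PIN protector, plus the policy that lets standard users change the PIN later) boils down to a few BitLocker cmdlet calls and a policy check. The script below is an added example for this thread, not code posted by either participant nor Microsoft's or any community project's own script. It assumes the OS volume is already BitLocker-protected with a TPM-only protector and that it runs elevated in a context that can prompt the user (how to get an interactive prompt out of a SYSTEM-context Intune script, e.g. via a scheduled task, is exactly what the linked community solutions add and is out of scope here). The `-Pin`/`-Prompt` parameters, the `Get-FvePolicy` helper and the default minimum PIN length of 6 are assumptions for the example; the registry value names under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the ones the corresponding Group Policy settings write.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the thread): set a TPM+PIN startup protector on the OS volume
  and report whether policy lets standard users change the PIN afterwards.
  Assumptions: OS volume already has BitLocker with a TPM-only protector; the script runs
  elevated where it can prompt. Parameters are hypothetical:
    -Pin     pass a known PIN (SecureString) during provisioning, user changes it later
    -Prompt  let the interactive user choose their own PIN
#>
param(
    [securestring]$Pin,
    [switch]$Prompt
)

$osDrive    = $env:SystemDrive
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Read a BitLocker policy value, falling back to a default when the policy is not configured.
function Get-FvePolicy {
    param([string]$Name, $Default)
    $item = Get-ItemProperty -Path $policyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name } else { return $Default }
}

$volume = Get-BitLockerVolume -MountPoint $osDrive
if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    throw "BitLocker is not enabled on $osDrive; enable it with a TPM protector before adding a PIN."
}

# Idempotency: if a TPM+PIN protector already exists, do nothing (safe to re-run from Intune).
if ($volume.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin') {
    Write-Output 'TPM+PIN protector already present; nothing to do.'
    return
}

# Minimum length comes from "Configure minimum PIN length for startup" (MinimumPIN);
# 6 is assumed as the default when the policy is not set. Enhanced PINs allow non-digit characters.
$minPin   = [int](Get-FvePolicy -Name 'MinimumPIN' -Default 6)
$enhanced = (Get-FvePolicy -Name 'UseEnhancedPin' -Default 0) -eq 1

if ($Prompt) {
    $Pin = Read-Host -AsSecureString -Prompt "Enter a BitLocker startup PIN (at least $minPin digits)"
}
if (-not $Pin) { throw 'No PIN supplied: pass -Pin or -Prompt.' }

# Validate before handing the PIN to BitLocker so the failure is a clear message, not a cmdlet error.
$plain = [System.Net.NetworkCredential]::new('', $Pin).Password
try {
    if ($plain.Length -lt $minPin -or $plain.Length -gt 20) {
        throw "PIN must be between $minPin and 20 characters."
    }
    if (-not $enhanced -and $plain -notmatch '^\d+$') {
        throw 'Policy does not allow enhanced PINs; use digits only.'
    }
} finally {
    $plain = $null   # drop the plaintext reference as soon as validation is done
}

# A volume holds one TPM-based protector: adding TPM+PIN replaces the existing TPM-only protector.
Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $Pin | Out-Null

# Verify the result and check "Disallow standard users from changing the PIN or password"
# (DisallowStandardUserPINReset = 1 means standard users cannot change it).
$after          = Get-BitLockerVolume -MountPoint $osDrive
$hasPin         = [bool]($after.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
$usersMayChange = (Get-FvePolicy -Name 'DisallowStandardUserPINReset' -Default 0) -ne 1

[pscustomobject]@{
    Volume                    = $osDrive
    TpmPinProtectorSet        = $hasPin
    StandardUsersMayChangePin = $usersMayChange
}
```

If `StandardUsersMayChangePin` comes back `False`, the "set a known PIN during provisioning and let the user change it" variant will not work until that policy is changed, which is the detail the reply above flags as needing to be configured alongside the script.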