When I try to add PIN protection to my BitLocker setup I get the following error:
ERROR: An error occurred (code 0x80310031): This key protector cannot be added. Only one key protector of this type is allowed for this drive.
I have selected "Require startup PIN with TPM" in group policy settings. The rest is set to 'allow'.
Then I used the following command:
manage-bde -protectors -add c: -TPMAndPIN
From what I recall this is a proper setting (I am not setting up TPM+PIN bitlocker for the first time).
Ideas?
Here are the steps I used. Note that this was for a cluster shared volume, but presumably it will work just as well for a local volume.
$BLV = Get-BitLockerVolume -MountPoint "C:\clusterstorage\volume3"
Remove-BitlockerKeyProtector -MountPoint "C:\clusterstorage\volume3" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
Note that in the MS documentation it uses index 1, but if you only have one protector then it should actually be index 0! You can check this by comparing the output from $BLV.KeyProtector[0] to the (probably zero) output from $BLV.KeyProtector[1].
Also, until I added the final .KeyProtectorId I kept getting "invalid class string".
I don't have any expertise with your problem, but from your description, it appears that there is already a key protector enacted. Logic suggests to me that you would have to remove the previous key protector before you could add a new one. I await my education. :)
Get-BitLockerVolume C: | fl
ComputerName : xxxxxxx
MountPoint : C:
EncryptionMethod : None
AutoUnlockEnabled :
AutoUnlockKeyStored : false
MetadataVersion : 2
VolumeStatus : FullyDecrypted
ProtectionStatus : Off
LockStatus : Unlocked
EncryptionPercentage : 0
WipePercentage : 0
VolumeType : OperatingSystem
CapacityGB : 464,1874
KeyProtector : {tpm}
It can be removed with Remove-BitLockerKeyProtector.
$BLV = Get-BitLockerVolume -MountPoint "C:"
# The volume above has a single protector ({tpm}), so it is at index 0, and
# -KeyProtectorId expects the ID string, not the whole KeyProtector object
Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
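The two answers above both reduce to the same procedure: the 0x80310031 error means a TPM-class protector already exists on the drive, so it has to be removed before a TPM+PIN protector can be added. The following is an added example, not code from either answer or from Microsoft, that carries the procedure through end to end. It selects the protector by type rather than by array index (so it works whether the TPM protector happens to be at index 0 or 1), makes sure a recovery password exists before the TPM protector is removed, reads the PIN as a SecureString so it does not land in the console history, and verifies the result. It assumes an elevated PowerShell session on a machine with the BitLocker module (Windows 8 / Server 2012 or later) and that the drive letter is C:.

```powershell
# Added example: replace a bare TPM protector with TPM+PIN on C:.
# Assumes an elevated session with the BitLocker PowerShell module loaded.
$MountPoint = 'C:'
$blv = Get-BitLockerVolume -MountPoint $MountPoint

# Safety net: never strip the TPM protector from an encrypted volume without a
# recovery path. Add a recovery password if there is none, and record it offline.
if (-not ($blv.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
    $blv = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}
$recovery = $blv.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Write-Output "Recovery password (store it somewhere safe, off this machine): $($recovery.RecoveryPassword)"

# The cause of 0x80310031: only one TPM-class protector is allowed per drive.
# Find any existing Tpm or TpmPin protector by type instead of by index and remove it.
$tpmProtectors = $blv.KeyProtector | Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin' }
foreach ($p in $tpmProtectors) {
    Write-Output "Removing $($p.KeyProtectorType) protector $($p.KeyProtectorId)"
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Add TPM+PIN. Read-Host -AsSecureString keeps the PIN out of the transcript and history.
# The PIN length limits come from the "Configure minimum PIN length" group policy.
$pin = Read-Host -Prompt 'Enter the new startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# Verify: expect exactly one TpmPin protector plus the RecoveryPassword protector.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

If the final listing still shows a plain Tpm protector, the group policy "Require startup PIN with TPM" is not what failed; the removal did. Re-run the removal step with the KeyProtectorId printed in the listing. The recovery password is the only way back into the volume if the TPM+PIN protector is later misconfigured, so back it up before rebooting to test the PIN prompt.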