You need a separate pin because windows lives on the encrypted disk so you need to decrypt it before you can boot completely.

macOS solved this (and a lot of other problems) by putting the OS on a separate read-only partition - technically an APFS volume - that doesn’t get encrypted. Microsoft’s backwards-compatibility obsession might not let them make that the default, but they could at least make it an option.