An evil maid attack involves physical access to an unattended device — installing a keylogger, replacing firmware, or compromising the bootloader to steal encryption keys.
BitLocker with a startup PIN requires the PIN at boot — defeating evil maid attacks that try to extract the key from TPM alone. TPM + PIN + Secure Boot = strong protection against physical attacks.
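
One way to check that a Windows machine actually has the TPM + PIN + Secure Boot combination described above. This is an added example, not part of the original page; it assumes an elevated PowerShell session with the built-in BitLocker and TrustedPlatformModule modules, and that the OS volume is `$env:SystemDrive`.

```powershell
# Added example: audits the TPM + PIN + Secure Boot posture of the OS volume.
# Run from an elevated PowerShell session.

$findings = @()

# 1. The TPM must be present and ready to seal the volume key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += 'TPM is missing or not ready'
}

# 2. Secure Boot must be on so a replaced bootloader is rejected.
#    Confirm-SecureBootUEFI throws on legacy BIOS or unsupported platforms.
try {
    if (-not (Confirm-SecureBootUEFI)) {
        $findings += 'Secure Boot is disabled'
    }
} catch {
    $findings += 'Secure Boot state unavailable (legacy BIOS or unsupported platform)'
}

# 3. The OS volume must be protected and must require a startup PIN.
$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

if ($os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is $($os.ProtectionStatus) on $($os.MountPoint)"
}
if ($types -contains 'Tpm') {
    # A TPM-only protector releases the key at boot with no user input.
    $findings += 'TPM-only protector present: volume unlocks without a PIN'
}
if (-not ($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })) {
    $findings += 'No TPM+PIN protector on the OS volume'
}

# Summary object suitable for logging or fleet-wide collection.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    KeyProtectors = $types -join ', '
    Compliant     = ($findings.Count -eq 0)
    Findings      = $findings -join '; '
}
```

A recovery password protector alongside `TpmPin` is expected and is not flagged; only the absence of a PIN-bound protector or the presence of a TPM-only one is reported.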