A Bit Confused About Group Policy

Question

Hi All, 
 I am currently deploying Bitlocker Encryption for my Windows 10 laptops, and I thought all was going well. I have a policy in Sophos Encryption that enforces encryption and requires startup authentication, I assign a license to the laptop, then add it to the policy. 
 This appears to work quite well, the user gets prompted to kick off the encryption process with a "pin" and after a reboot all is well. The most recent laptop however apparently did not ask the user for a password but is encrypted by TPM only. 
 On looking at the forums for similar problems the usual answer is to check the Bitlocker settings in Group Policy, but I have not configured group policy for Bitlocker as I thought the way I was deploying it did not require it. 
 My 2 questions are: 1. Do I need to use group policy? 2. How do I rectify the TPM only encryption issue with this one laptop? 
 All laptops and PC's have pretty much the same setting applied to them via Group Policy in the Domain. 
 
 Regards, 
 
 Colin

MichaelMcLannahan · Answer

Hi Colin - It may be the laptop is hybrid and you have conflicting GPO's set that prevent applying the TPM AND PIN policy. 
 This is normally by design, and not a mistake. Early Surfaces and other tablet manufacturers didn't used to support a keyboard at boot (you may remember some devices had to use the volume buttons to control UEFI/BIOS) 
 So - If you set a PIN on this device - You'd have no way to type it in when the PC booted! Unless you had a USB keyboard too hand? 
 If the PC DOES support its keyboard at boot you could "force" the PIN option by using the following at an elevated command prompt (without the quotes) 
 "manage-bde -protectors -add c: -TPMAndPIN" 
 
 GPO's ARE needed as well as Sophos policies, you need them to set policies such as this and also to prevent the recovery key backing up into AD (As Sophos is now backing up this keuy for you)