
POA screen doesn't appear after the second reboot.

Hello everybody,

I installed Sophos SafeGuard version 8.10; all components are installed correctly.

I configured two policies (device encryption) and (BitLocker POA: for the authentication at the BIOS when the computer starts). When I installed the Sophos client the installation succeeded, and the PC started to encrypt the disk at the first reboot, but the problem is that the POA screen doesn't appear to configure a password for the authentication, and the PCs will authenticate at startup.

I configured this setup many times in the past and it worked correctly, so I am sure about the parameters of the setup.

The client OS is Windows 10 Pro.

The PCs are Lenovo.

Thank you for your help.



This thread was automatically locked due to age.
  • Hi. I'm a little confused here with what you're trying to do.

    As such, Windows 10 doesn't use POA - Windows 10 has BitLocker, and it's that that's managed by Sophos SafeGuard.

    From what you've said, do you want the key protector to be passphrase, TPM, or TPM and PIN?

  • MichaelMcLannahan,

    Thank you for your reply.

    The authentication policy that I configured for BitLocker is:

    1) BitLocker logon mode for boot volumes: TPM

    2) BitLocker fallback logon mode for boot volumes: password

    So by this policy I expected that the PC, after the installation of Sophos SafeGuard, would ask me to insert a password for the boot authentication at the next reboot.

    I configured the required setup, but the PC didn't ask me for a password and didn't authenticate at startup.

  • Thanks for that screenshot, that helps a lot!

    What you have configured is:

    1 - TPM ONLY for PCs with TPM (most business laptops/PCs) - That is to say you will NOT see an additional prompt - The data is secured by the internal module.

    2 - Fallback mode (for PCs that DON'T have TPM, or have a TPM that's disabled) is configured for password. So IF a PC doesn't have TPM (which your laptop sounds like it DOES) you will be asked for a password instead of the TPM module.

    It HAS authenticated - but rather than asking for a PIN/password, it confirmed the authenticity with the internal TPM chip. You can add to this security by ALSO adding a PIN to this stage.

    What you need to do for this laptop, if you want to see an additional prompt (which I would strongly recommend), is change that first policy to TPM+PIN. You don't need to change the second part - password for fallback mode is correct for most scenarios.

    The PIN doesn't HAVE to be digits; it could be a passphrase if you wanted, but personally I would encourage users to use NUMBERS for a PIN and characters for a PASSWORD/PHRASE.
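    The explanation above (TPM-only = no prompt, TPM+PIN or password = pre-boot prompt) can be checked on the client itself, independently of the SafeGuard policy that pushed it. The following PowerShell script is an added example, not from the thread or from Sophos; it uses only the built-in `BitLocker` and `TrustedPlatformModule` cmdlets, assumes the OS volume is the system drive, and must be run as Administrator on the Windows 10 client. The `PreBootPrompt` field is a derived value (an assumption about which protector types produce a prompt), not something Windows reports directly.

    ```powershell
    # Added example (not from the thread or from Sophos): report which BitLocker key
    # protectors actually protect the OS volume, so "TPM only" (silent boot, the symptom
    # in this thread) can be told apart from "TPM+PIN" (pre-boot prompt) and
    # "Password" (fallback on hardware without a usable TPM).

    function Get-BootProtectionSummary {
        [CmdletBinding()]
        param(
            # Assumption: the OS volume is the system drive unless another mount point is given.
            [string]$MountPoint = $env:SystemDrive
        )

        # Get-Tpm can throw on machines with no TPM driver at all; treat that as "no TPM".
        try {
            $tpm = Get-Tpm
            $tpmPresent = [bool]$tpm.TpmPresent
            $tpmReady   = [bool]$tpm.TpmReady
        } catch {
            $tpmPresent = $false
            $tpmReady   = $false
        }

        $vol = Get-BitLockerVolume -MountPoint $MountPoint

        # KeyProtectorType values as returned by Get-BitLockerVolume
        # (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, Password, RecoveryPassword, ExternalKey).
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Assumption: these protector types are the ones that stop the boot for user input.
        $promptingTypes = @('TpmPin', 'TpmPinStartupKey', 'Password')
        $promptPresent  = [bool]($types | Where-Object { $promptingTypes -contains $_ })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus        # e.g. EncryptionInProgress after the first reboot
            ProtectionStatus = $vol.ProtectionStatus    # On / Off
            TpmPresent       = $tpmPresent
            TpmReady         = $tpmReady
            Protectors       = ($types -join ', ')
            PreBootPrompt    = $promptPresent
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        }
    }

    $summary = Get-BootProtectionSummary
    $summary | Format-List

    if ($summary.TpmPresent -and -not $summary.PreBootPrompt) {
        Write-Host "TPM-only protector: the volume is sealed to the TPM and boots without a prompt."
        Write-Host "To get a pre-boot prompt, change the SafeGuard 'BitLocker logon mode for boot volumes' policy to TPM+PIN."
    }
    elseif (-not $summary.TpmPresent -and ($summary.Protectors -split ', ') -contains 'Password') {
        Write-Host "No TPM: the password fallback protector is in use, so a pre-boot password prompt is expected."
    }
    if (-not $summary.HasRecoveryKey) {
        Write-Host "No RecoveryPassword protector found: confirm the recovery key is escrowed before relying on this volume."
    }
    ```

    Run it on one of the affected Lenovo machines: a `Protectors` value of `Tpm, RecoveryPassword` with `PreBootPrompt = False` is exactly the "it HAS authenticated, silently" case described above, and it should change to `TpmPin, RecoveryPassword` once the TPM+PIN policy has been applied and the user has enrolled a PIN.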

  • Thank you very much,

    For my case I need all PCs or laptops to authenticate at startup and ask me for a password, not a PIN (I don't want a PIN).

    By your clarification I understand that I should change the first policy to TPM+PIN. Is that right?

    I need this screen to insert a password on all PCs.

  • Yes, that's correct. Set TPM+PIN but then you "could" tell your users to set a password as their PIN.


    It does depend on how many of your devices have TPM. If it's most then you'll need to tell the majority of your users to set a password as their PIN and the others that don't have TPM a password instead.

    I would personally (if the estate are majority PIN) promote that. I think it's a bit of a confusing message to ask users to set a password when it requests a PIN. All the interface of Windows hints at PIN too (Change BitLocker PIN etc...) Users are used to PINs for their bank cards - makes more sense to me.

    Having said that - 99% of my estate IS TPM and PIN, so it's an easier message to promote.

  • To add - You will only see this screen on PCs that do NOT have TPM.

    Your other option (not one I'd do, but...) would be to disable (and hide if possible) TPM within the BIOS for EVERY PC that has TPM.

    This would then give you this prompt on ALL PCs (those with or without TPM) as the TPM PCs would then "fall back" to non-TPM mode and set a password instead.

    This would be consistent but less secure, as you're not using the features/security of the TPM module. It's also much more work to then go round to each PC and disable it, but if you only have a few PCs??

  • Really like your answer; it helped me to settle my issue. Also gave a thumbs up to your answer... thanks.