Disabling the pin in a TPM+Pin configuration via command line on the local machine for Sophos Central Encryption never prompts for a new pin, or generate any alerts. Using the command "manage-bde -protectors -add C: -tpm" removed the pin requirement from the machine. After it is disable and the machine reboots multiple times, Sophos never asks for a new pin, despite the "Require startup authentication" being turned on for the policy of that computer. Additionally no warnings of this happening are generated, no emails are sent, the machine remains green with the checkmark. The only indication is that the Authentication Type under that machine displays "TPM Only" and the log entry is generated "Message: Encryption has been postponed." on an already fully encrypted machine. Expected behavior: Send an alert that the machine does not meet the policy requirements of startup authentication, mark the machine with a yellow warning symbol instead of the green checkmark, and ask the user to set up a new pin on each reboot. On machines with this policy I occasionally have to do some after hours work applying and removing updates so I disable the pin so I can reboot the machine instead of driving an hour at 8PM to apply updates. After this happens I have to reapply the pin manually with the command line. This also means users can disable it and we will never be notified.