In case of an incorrect TPM-initialization, clients try to use the fallback protector.
It is possible to use "password" as fallback and a GPO that encrypts the machine without TPM.
In this scenario users will use a non-TPM protected machine without knowing (average users see no difference between a PIN and a numeric-4-letter-password).
Clients should inform the user or the SO via Management Center, that Fallback Protector is used and primary Protector wasn't used at all.

7 votes · Awaiting Feedback

Admin Robert Zeh (Senior Product Manager, Sophos Features & Ideas Laboratory) responded:
In Central Device Encryption we create an alert if the TPM cannot be initialized properly and do not automatically fall back from TPM + PIN to e.g. a password protector. The automatic fallback happens only if the TPM is not enabled in the BIOS and therefore we don’t know that there is a TPM existing. Nowadays almost all systems come with the TPM enabled in the BIOS.
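To confirm on a client which protector is actually in place, an administrator can compare the TPM state with the protectors on the operating system volume. This is an added example, not part of the original post or of Sophos's product; it assumes a Windows client whose disk encryption is BitLocker and an elevated session, and `Get-ProtectorState` is a hypothetical helper name.

```powershell
# Added example (not Sophos code). Run in an elevated PowerShell session.
# Assumption: the client is encrypted with BitLocker, so the built-in
# Get-Tpm and Get-BitLockerVolume cmdlets describe its real state.

# Hypothetical helper: classify a list of key protector type names.
function Get-ProtectorState {
    param([string[]]$Types)

    # Every TPM-based protector type name starts with "Tpm" (Tpm, TpmPin, ...).
    $tpmBacked   = @($Types | Where-Object { $_ -like 'Tpm*' })
    $hasPassword = $Types -contains 'Password'

    if ($tpmBacked.Count -gt 0 -and -not $hasPassword) { return 'TPM-backed' }
    if ($tpmBacked.Count -gt 0 -and $hasPassword)      { return 'TPM-backed, password protector also present' }
    if ($hasPassword)                                  { return 'FALLBACK: password only, no TPM protector' }
    return 'No TPM or password protector'
}

# A TPM that is disabled in the BIOS is reported as not present, which is
# the case in which the reply above says the automatic fallback happens.
$tpm = Get-Tpm

Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MountPoint = $_.MountPoint
            Protection = $_.ProtectionStatus
            TpmPresent = $tpm.TpmPresent
            TpmReady   = $tpm.TpmReady
            Protectors = $types -join ', '
            State      = Get-ProtectorState -Types $types
        }
    }
```

A `FALLBACK` result together with `TpmPresent` set to `False` matches the disabled-in-BIOS case from the reply; the same result with `TpmPresent` set to `True` is the situation the original post asks to be reported.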