Implement prominent messages for the use of non-primary BitLocker protectors
In case of an incorrect TPM initialization, clients try to use the fallback protector.
It is possible to use "password" as fallback and a GPO that encrypts the machine without TPM.
In this scenario users will use a non-TPM-protected machine without knowing (average users see no difference between a PIN and a numeric 4-letter password).
Clients should inform the user or the SO via Management Center that the fallback protector is used and the primary protector wasn't used at all.
In Central Device Encryption we create an alert if the TPM cannot be initialized properly and do not automatically fall back from TPM + PIN to e.g. a password protector. The automatic fallback happens only if the TPM is not enabled in the BIOS and therefore we don't know that a TPM exists. Nowadays almost all systems come with the TPM enabled in the BIOS.
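One way to surface the situation the request describes (an encrypted volume whose only protectors are non-TPM ones, which is what a silent fallback to a password protector leaves behind) is an endpoint-side check. The script below is an added PowerShell example and is not code from the original request or from the vendor's product. It uses the built-in Get-BitLockerVolume and Get-Tpm cmdlets and must run elevated; the event log source name "BitLockerProtectorCheck" and event ID 4711 are assumptions chosen for the example.

```powershell
# Added example (not from the original request or the vendor reply): report BitLocker
# volumes that are protected without any TPM-based key protector, and raise a visible
# warning plus an Application event log entry so the fallback does not go unnoticed.
# Requires an elevated session with the BitLocker and TrustedPlatformModule modules.

# Key protector types that involve the TPM; anything else alone counts as a fallback.
$TpmBasedTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-TpmState {
    # Get-Tpm reports whether a TPM is present and usable; a TPM disabled in the BIOS
    # shows up as not present, which is the case the vendor reply mentions.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = [bool]$tpm.TpmPresent; Ready = [bool]$tpm.TpmReady }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Test-NonTpmProtection {
    # Returns one object per BitLocker volume. Fallback is $true when protection is on
    # but none of the configured key protectors uses the TPM.
    param(
        [string[]]$MountPoint = (Get-BitLockerVolume | Select-Object -ExpandProperty MountPoint)
    )
    $tpmState = Get-TpmState
    foreach ($mp in $MountPoint) {
        $vol   = Get-BitLockerVolume -MountPoint $mp
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm = ($types | Where-Object { $TpmBasedTypes -contains $_ }).Count -gt 0
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType.ToString()
            ProtectionStatus = $vol.ProtectionStatus.ToString()
            Protectors       = ($types -join ',')
            TpmPresent       = $tpmState.Present
            TpmReady         = $tpmState.Ready
            Fallback         = (($vol.ProtectionStatus -eq 'On') -and (-not $hasTpm))
        }
    }
}

function Write-FallbackAlert {
    # Writes a warning to the console and to the Application log for each fallback volume,
    # so the user sees it locally and a log collector can pick it up centrally.
    param([Parameter(ValueFromPipeline = $true)] $Result)
    begin {
        $source = 'BitLockerProtectorCheck'   # assumed event source name
        if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
            New-EventLog -LogName Application -Source $source
        }
    }
    process {
        if (-not $Result.Fallback) { return }
        $msg = "BitLocker volume $($Result.MountPoint) ($($Result.VolumeType)) is protected " +
               "only by non-TPM protectors: $($Result.Protectors). " +
               "TPM present=$($Result.TpmPresent), ready=$($Result.TpmReady)."
        # Event ID 4711 is an assumed value for this example.
        Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 4711 -Message $msg
        Write-Warning $msg
    }
}

# Usage: list all volumes and alert on the ones that fell back to a non-TPM protector.
Test-NonTpmProtection | Format-Table -AutoSize
Test-NonTpmProtection | Write-FallbackAlert
```

Scheduling the script at logon, or having a management agent collect the event it writes, gives both the local user and the security officer the notice the request asks for; the TpmPresent/TpmReady columns distinguish a genuinely TPM-less machine from one whose TPM is merely disabled in firmware.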