Implement prominent messages for the use of non-primary Bitlocker Protectors
In case of an incorrect TPM-initialization, clients try to use the fallback protector.
It is possible to use "password" as fallback and a GPO that encrypts the machine without TPM.
In this scenario users will use a non-TPM protected machine without knowing (average users see no difference between pin an numeric-4-letter-password).
Clients should inform the user or the SO via Management Center, that Fallback Protector is used and primary Protector wasn't used at all.