diff --git a/roles/configuration/tasks/encryption/tpm2.yml b/roles/configuration/tasks/encryption/tpm2.yml
index 8ed6c50..664543e 100644
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -79,6 +79,12 @@
 chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
 host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
 rescue:
+ - name: Warn about TPM2 enrollment failure
+ ansible.builtin.debug:
+ msg: >-
+ TPM2 enrollment failed — falling back to keyfile auto-decrypt.
+ The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
+
 - name: Fallback to keyfile auto-decrypt
 ansible.builtin.set_fact:
 configuration_luks_auto_method: keyfile
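Review bot: The task added under `rescue:` reports the TPM2-to-keyfile downgrade only through `ansible.builtin.debug`, which prints as an ordinary ok task and is not counted separately in the play recap, so an operator can end up with a weaker unlock method without noticing. Where the keyfile is stored is not visible in this hunk, but if the initramfs can read it unattended, the volume is no longer bound to TPM state, which is presumably the property TPM2 enrollment was meant to provide. Consider making the fallback opt-in: guard the existing fallback task with `when: <ALLOW_KEYFILE_FALLBACK_VAR> | bool` (placeholder name) and end the rescue with an `ansible.builtin.fail` when that variable is not set. At minimum, add `changed_when: true` to the warning task so the downgrade shows up as a change in the recap. The enclosing `block:` starts above the hunk and the fallback task may continue below it.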