BitLocker Drive Encryption Support for Windows Devices
Updated over a week ago

BitLocker is Microsoft’s built-in drive encryption feature, designed to protect data at rest. Swif provides a streamlined way to deploy and manage BitLocker across your Windows fleet. However, BitLocker availability depends on the edition of Windows and on whether your devices have a Trusted Platform Module (TPM). This article outlines these requirements and explains how Swif automatically handles encryption on non-TPM devices, where a startup password is required on every reboot.


1. Windows Edition Requirements

Windows Home

  • Not Supported: Windows Home does not include BitLocker Drive Encryption.

  • Outcome: If you push a BitLocker policy to Windows Home, the encryption will remain off. You’ll see a status indicating the OS is not supported.

Windows Pro (or higher: Enterprise/Education)

  • Fully Supported: BitLocker is available on Windows Pro, Enterprise, and Education editions.

  • Recommended: For the most transparent and user-friendly experience, ensure devices include a TPM (version 1.2 or 2.0).

Tip: Not sure which Windows edition you have? Check the Device Details in the Swif admin console, or run winver on the device.


2. TPM vs. Non-TPM BitLocker Scenarios

Scenario A: Windows Pro with TPM

  1. TPM-Based Encryption

    • A hardware-backed chip on the motherboard (TPM) securely stores the BitLocker encryption key.

    • No External Password at Startup: Most users won’t be prompted on reboot; BitLocker unlocks automatically.

    • Recovery Key is still available in the Swif admin console and the employee portal for emergencies.

Scenario B: Windows Pro without TPM

  1. Password-Based Encryption

    • Devices without a TPM must use a startup password or USB key for BitLocker.

  2. Swif-Generated Startup Password

    • Auto-Created: Swif automatically creates a strong, unique BitLocker startup password for each non-TPM device.

    • Prompted on Every Reboot: On every reboot, the user must enter this password. There is no TPM to store/unlock the key silently.

  3. Secure Storage of the Password

    • Admin Portal → Device Details > Security

    • Employee Portal → Accessible in:

      1. Swif Desktop app

      2. Employee Web view

      3. Swif Chrome extension/tab

    • The password is only visible to authorized users (admins or the device’s assigned employee).

  4. Registry/Policy Configuration

    • Typically, Swif automatically configures the necessary registry or Group Policy settings to allow BitLocker without a TPM. No manual action is needed in most deployments.

  5. Recovery Key

    • A separate BitLocker Recovery Key is also stored by Swif. This is used if the startup password is lost or if Windows prompts for recovery unexpectedly.


3. Where to Find the Password and Recovery Key

  1. Admin View

    • In the Swif admin console, navigate to Devices → select the target device → Security tab.

    • See both the Startup Password (for non-TPM) and the Recovery Key.

    • Copy if you need to help a user unlock their device.

  2. Employee View

    • Desktop App: Employees open the Swif app from the system tray or Start menu. Under their device details, they’ll see the BitLocker password.

    • Web Portal: Employees log into the Swif Employee Portal and choose My Devices to see encryption details.

    • Chrome Extension/Tab: If installed, employees can view device details, including the password.


4. Deployment and Setup

  1. Assign the Policy

    • In Swif → Policies, create or edit a BitLocker policy and assign it to your Windows devices.

  2. Swif Checks OS and TPM

    • Windows Home: Not supported.

    • Windows Pro or higher + TPM: Seamless encryption, no startup password required.

    • Windows Pro or higher - No TPM: Swif auto-generates a startup password and configures Windows to require it on every reboot.

  3. Automatic Encryption

    • Devices begin encrypting in the background. Users can continue working normally during encryption.

    • Swif securely stores the Recovery Key (and if non-TPM, the Startup Password).

  4. Check Status

    • In the Swif admin console, go to Device Details > Security to confirm encryption is active.

    • On the device, open Control Panel > System and Security > BitLocker Drive Encryption to see the encryption status.
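
A device-side check that sorts a machine into the three outcomes above and confirms the expected key protectors exist on the OS drive. This is an added example, not Swif's own code; the function name is hypothetical, and the policy registry location and the expected protector types (Tpm, Password, RecoveryPassword) are assumptions inferred from the article's description.

```powershell
# Added example, run from an elevated PowerShell prompt on the device.
function Get-BitLockerScenario {
    # EditionID starts with "Core" on Windows Home (Core, CoreSingleLanguage, ...).
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    if ($edition -like 'Core*') {
        return [pscustomobject]@{ Edition = $edition; Scenario = 'Windows Home: not supported' }
    }

    $tpm = Get-Tpm   # TpmPresent is False when Windows sees no TPM

    # Group Policy registry location for "Allow BitLocker without a compatible TPM".
    # Assumption: the pushed policy is visible here; the key may be absent.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $noTpmAllowed = ($null -ne $fve) -and ($fve.EnableBDEWithNoTPM -eq 1)

    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    # Collect protector types only; the secret values are never printed.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Assumption from the article: TPM devices unlock with a Tpm protector,
    # non-TPM devices with a Password protector, and the stored Recovery Key
    # is a RecoveryPassword protector.
    $expected = if ($tpm.TpmPresent) { 'Tpm' } else { 'Password' }

    [pscustomobject]@{
        Edition             = $edition
        Scenario            = if ($tpm.TpmPresent) { 'A: TPM' } else { 'B: no TPM' }
        TpmReady            = $tpm.TpmReady
        NoTpmPolicyEnabled  = $noTpmAllowed
        ProtectionStatus    = "$($vol.ProtectionStatus)"
        VolumeStatus        = "$($vol.VolumeStatus)"
        EncryptionPercent   = $vol.EncryptionPercentage
        ProtectorTypes      = $types -join ', '
        HasStartupProtector = $types -contains $expected
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
    }
}

Get-BitLockerScenario | Format-List
```

A device where HasRecoveryPassword is False, or where Scenario is "B: no TPM" while NoTpmPolicyEnabled is False, is worth comparing against what the admin console shows for that device.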


5. FAQs

Q: Will users be prompted for the password on every single reboot if there’s no TPM?

Yes. Without a TPM, BitLocker relies on a password-based startup. Swif auto-creates this password, and the user must enter it each time the device restarts.

Q: Do I need to manually configure anything for non-TPM devices?

Not usually. Swif’s BitLocker policy automatically enables the “Allow BitLocker without TPM” setting in Windows. You don’t need to edit registry or Group Policy manually.

Q: If the user loses their password, how can they unlock the device?

They can retrieve it from the Employee Portal, Desktop app, or Chrome tab. Alternatively, admins can retrieve the Startup Password or the Recovery Key from the Swif admin console.

Q: What if the device has a disabled TPM in BIOS?

Swif sees the device as “No TPM.” Enabling TPM in the BIOS lets you switch to a TPM-based scenario so users won’t need a password at every reboot.


6. Summary

  • Windows Home: Not supported for BitLocker—encryption stays off.

  • Windows Pro or higher + TPM: Seamless hardware-based encryption without needing a startup password.

  • Windows Pro or higher, No TPM: Swif automatically:

    1. Configures Windows to allow BitLocker without a TPM.

    2. Generates a startup password and secures it in the Swif portals.

    3. Requires users to enter this password on every reboot.

  • Recovery Key: Always stored and accessible via the Swif admin or employee views.

By using Swif’s BitLocker management, you ensure your Windows devices remain protected—even in non-TPM scenarios—while giving both admins and end users simple access to the necessary passwords and recovery keys.


Need More Assistance?
If you encounter issues or have further questions, check out our BitLocker Knowledge Base or reach out to Swif Support.
