Skip to main content

BitLocker Drive Encryption Support for Windows Devices

Updated over 3 weeks ago

Swif’s BitLocker policy lets you configure and enforce encryption on Windows 10+ devices. This guide covers TPM-based encryption, Force Without TPM scenarios, where to find passwords/recovery keys, and frequently asked questions.

Overview

  • BitLocker is a built-in encryption feature for Windows 10 Pro, Windows 11 Pro, and above.

  • Swif’s BitLocker Policy configures which drives to encrypt and whether to force a password when no TPM is detected.

  • Recovery Keys are automatically stored in your Swif console/device details for safekeeping.

Requirements

  1. Supported OS

    • Windows 10 Pro or Enterprise, Windows 11 Pro or Enterprise, or Education equivalents.

  2. Swif Desktop Agent

    • Must be installed and running on the device.

Note: Windows Home editions do not support full BitLocker management and typically appear as ineligible for this policy.

TPM vs. Non-TPM BitLocker Scenarios

1. Devices with a TPM

  • Seamless Encryption:
    Utilizes TPM for key storage and transparency.

  • No Mandatory Boot Password:
    By default, BitLocker does not require a password on each boot.

  • Recovery Key:
    A BitLocker recovery key is still generated—Swif stores it in the device details.

  • Policy Considerations:

    • You usually don’t need Force Without TPM for these devices.

    • Encryption proceeds silently once the policy is applied.

    • If you make hardware/firmware changes, Windows may prompt for the recovery key.

2. Devices without a TPM (or with TPM disabled)

  • Forced Password Prompt:
    If you enable Force Without TPM, Swif will require a password on every boot.

  • Boot Password Required:
    The user must enter this password to unlock the drive each time.

  • Encryption Flow:

    • No Password = No Encryption: If the user ignores the prompt, encryption does not start.

    • Provide Password = Start Encryption: Once a password is entered, BitLocker begins encrypting the specified drives.

    • Swif displays both the user-chosen password and the recovery key in the device details.

Tip: Force Without TPM ensures older devices or those lacking a functional TPM can still be protected by BitLocker.

Enabling BitLocker Policy

  1. Go to Policy Management
    In your Swif dashboard, find Device Management > Policies and either create a new BitLocker policy or edit an existing one.

  2. Select Which Drives to Encrypt

    • C, D, E: Encrypt only specific volumes.

    • *: Encrypt all drives (including USB).

    • INTERNAL: Encrypt all internal drives (excluding USB).

    • EXTERNAL: Encrypt only USB/external drives.

  3. Set “Force Without TPM”

    • Checked:

      • For devices lacking a TPM (or disabled TPM), users must set a password and will be prompted on each boot.

    • Unchecked:

      • BitLocker relies on TPM if present and available. Otherwise, encryption may fail on devices with no TPM.

  4. Save and Assign
    Once saved, the policy will be pushed to targeted devices. Those that meet the OS requirement and have the Swif agent installed will apply the policy.

Behavior on a Non-TPM Machine (Example)

  1. Swif Desktop App Prompts for Password

    • If no TPM is detected, the user sees a prompt to create a BitLocker password.

    • If they do not enter a password, no encryption is performed.

    • If they do enter a password, encryption begins immediately.

  2. Per-Boot Password Prompt

    • Every time the machine restarts, a boot password prompt appears (BitLocker Pre-Boot Environment).

    • The user must enter the password to unlock the drive.

  3. Recovery Key

    • Automatically generated alongside the user password.

    • Stored in the Swif console under device details, ensuring admins can retrieve it if the password is forgotten.

Where to Find the Password and Recovery Key

After Force Without TPM encryption begins (and a user sets a password):

Admin Console:

  1. Open the Swif Admin Console

    • Navigate to Devices and select the relevant Windows device.

  2. Check Device Details

    • Look for the Security section

    • You should see both:

      • TPM Password (the one they entered on the device)

      • Recovery Key (automatically generated)

Employee Console:

  1. Open the Swif Employee Console

  2. Check Device > Security

    1. You should see:

      • TPM Password (the one device user entered on the device)

Important: Keep this information in a safe place—anyone with the recovery key can unlock the drive.

Monitoring and Verifying Encryption

Use Manage-BDE (a built-in Windows command-line tool) to see detailed encryption status:

  1. Open Command Prompt as Administrator.

  2. Run:

    manage-bde -status

  3. Look for fields like:

    • Conversion Status: Indicates if encryption is in progress or complete.

    • Percentage Encrypted: Shows the encryption progress from 0–100%.

    • Protection Status: Tells you if BitLocker is on, off, or suspended.

When Percentage Encrypted reaches 100%, your drive is fully protected.

Frequently Asked Questions (FAQs)

Q: Do I need to enable “Force Without TPM” for devices that have a functioning TPM?
A: Typically, no. Devices with a TPM can automatically handle BitLocker encryption without needing a password at boot.

Q: My device doesn’t have a TPM. Does that mean I can’t use BitLocker at all?
A: You can still use BitLocker in password-only mode. Just enable Force Without TPM so that a password is required on every reboot.

Q: Can I recover my BitLocker key if my user forgets their password?
A: Yes. Swif stores the recovery key in the device’s details within the Swif console. This is essential for unlocking the drive in case of a lost password.

Q: How do I confirm encryption is completed?
A: Use the manage-bde -status command or check the device’s BitLocker status in the Windows Control Panel. The Percentage Encrypted should read 100%.

Q: Are USB drives encrypted if I choose the ‘*’ option in the BitLocker policy?
A: Yes. * applies encryption to all drives, including USB/external ones. Alternatively, you can specify INTERNAL or EXTERNAL if you only want to target internal or external drives.

Q: Is it recommended to encrypt all drives?
A: Not always. Encrypting all drives (especially external USBs) can impact performance and user workflow. Many organizations prefer encrypting just the C drive for the operating system and critical data.

Q: Does this work on Windows Home Edition?
A: No. Windows Home editions do not officially support BitLocker. You must have Pro, Enterprise, or Education editions.

Additional Tips

  • Back Up Your Recovery Key: Even though Swif stores it, it’s wise to save a copy securely offline.

  • Minimize the Encryption Scope: Start with system drive (C:) encryption for simplicity and reliability.

  • Maintenance and Updates: Major Windows updates can sometimes prompt for a BitLocker recovery key if firmware or boot configuration changes occur.

Need Further Help?

If you encounter any issues or have additional questions, please contact Swif Support or visit our Help Center.

Last Updated: March, 2025

Related Articles
Enable FileVault Disk Encryption (macOS)
Bitlocker encryption not turning on
How to Retrieve and Save Linux Device Encryption Recovery Keys in Swif
Can a Mac with FileVault Encryption Be Wiped or Reformatted?
Windows Insider Build Crash Due to External USB Adapters
Did this answer your question?