Swif’s BitLocker policy lets you configure and enforce encryption on Windows 10+ devices. This guide covers TPM-based encryption, Force Without TPM scenarios, where to find passwords/recovery keys, and frequently asked questions.
Overview
BitLocker is a built-in encryption feature for Windows 10 Pro, Windows 11 Pro, and above.
Swif’s BitLocker Policy configures which drives to encrypt and whether to force a password when no TPM is detected.
Recovery Keys are automatically stored in your Swif console/device details for safekeeping.
Requirements
Supported OS
Windows 10 Pro or Enterprise, Windows 11 Pro or Enterprise, or Education equivalents.
Swif Desktop Agent
Must be installed and running on the device.
Note: Windows Home editions do not support full BitLocker management and typically appear as ineligible for this policy.
TPM vs. Non-TPM BitLocker Scenarios
1. Devices with a TPM
Seamless Encryption:
Uses the TPM for key storage, so encryption is transparent to the user.
No Mandatory Boot Password:
By default, BitLocker does not require a password on each boot.
Recovery Key:
A BitLocker recovery key is still generated; Swif stores it in the device details.
Policy Considerations:
You usually don’t need Force Without TPM for these devices.
Encryption proceeds silently once the policy is applied.
If you make hardware/firmware changes, Windows may prompt for the recovery key.
2. Devices without a TPM (or with TPM disabled)
Forced Password Prompt:
If you enable Force Without TPM, Swif will require a password on every boot.
Boot Password Required:
The user must enter this password to unlock the drive each time.
Encryption Flow:
No Password = No Encryption: If the user ignores the prompt, encryption does not start.
Provide Password = Start Encryption: Once a password is entered, BitLocker begins encrypting the specified drives.
Swif displays both the user-chosen password and the recovery key in the device details.
Tip: Force Without TPM ensures older devices or those lacking a functional TPM can still be protected by BitLocker.
Enabling BitLocker Policy
Go to Policy Management
In your Swif dashboard, find Device Management > Policies and either create a new BitLocker policy or edit an existing one.
Select Which Drives to Encrypt
C, D, E: Encrypt only the specified volumes.
*: Encrypt all drives (including USB).
INTERNAL: Encrypt all internal drives (excluding USB).
EXTERNAL: Encrypt only USB/external drives.
Set “Force Without TPM”
Save and Assign
Once saved, the policy will be pushed to targeted devices. Those that meet the OS requirement and have the Swif agent installed will apply the policy.
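The four scope values above decide which volumes a policy reaches. The following PowerShell snippet is an added illustration (not the Swif agent's own code) that previews, on a given machine, which drive letters a scope string such as "C, D, E", "*", "INTERNAL" or "EXTERNAL" would select, using the disk bus type to tell internal from USB media; the function name is an assumption.

```powershell
# Added example: preview which volumes a Swif BitLocker policy scope would cover.
# Assumes the scope strings documented on this page: "C, D, E", "*", "INTERNAL", "EXTERNAL".
# Illustration only, not the Swif agent's implementation. Needs the built-in Storage module.
function Get-PolicyScopeVolumes {
    param([Parameter(Mandatory)][string]$Scope)

    # Collect every lettered volume together with the bus type of the disk it lives on
    $volumes = foreach ($p in Get-Partition | Where-Object { $_.DriveLetter -match '^[A-Za-z]$' }) {
        $disk = $p | Get-Disk
        [pscustomobject]@{
            DriveLetter = ([string]$p.DriveLetter).ToUpperInvariant()
            BusType     = $disk.BusType                 # e.g. SATA, NVMe, USB
            IsExternal  = ($disk.BusType -eq 'USB')     # USB bus marks external/removable media
        }
    }

    switch ($Scope.Trim().ToUpperInvariant()) {
        '*'        { return $volumes }                                         # all drives, USB included
        'INTERNAL' { return $volumes | Where-Object { -not $_.IsExternal } }   # internal only
        'EXTERNAL' { return $volumes | Where-Object { $_.IsExternal } }        # USB/external only
        default {
            # Explicit list such as "C, D, E": split on commas, trim, drop a trailing ':'
            $letters = $Scope -split ',' |
                ForEach-Object { $_.Trim().TrimEnd(':').ToUpperInvariant() } |
                Where-Object { $_ }
            return $volumes | Where-Object { $letters -contains $_.DriveLetter }
        }
    }
}

# Preview what the INTERNAL scope would encrypt on this machine
Get-PolicyScopeVolumes -Scope 'INTERNAL' | Format-Table -AutoSize
```

Run it on a representative device before assigning a policy with "*" so you can see which USB volumes would be pulled into scope.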
Behavior on a Non-TPM Machine (Example)
Swif Desktop App Prompts for Password
Per-Boot Password Prompt
Every time the machine restarts, a boot password prompt appears (BitLocker Pre-Boot Environment).
The user must enter the password to unlock the drive.
Recovery Key
Automatically generated alongside the user password.
Stored in the Swif console under device details, ensuring admins can retrieve it if the password is forgotten.
Where to Find the Password and Recovery Key
After Force Without TPM encryption begins (and a user sets a password):
Admin Console:
Open the Swif Admin Console
Navigate to Devices and select the relevant Windows device.
Check Device Details
Employee Console:
Open the Swif Employee Console
Check Device > Security
Important: Keep this information in a safe place—anyone with the recovery key can unlock the drive.
Monitoring and Verifying Encryption
Use Manage-BDE (a built-in Windows command-line tool) to see detailed encryption status:
Open Command Prompt as Administrator.
Run:
manage-bde -status
Look for fields like:
Conversion Status: Indicates if encryption is in progress or complete.
Percentage Encrypted: Shows the encryption progress from 0–100%.
Protection Status: Tells you if BitLocker is on, off, or suspended.
When Percentage Encrypted reaches 100%, your drive is fully protected.
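As an added example (not part of the original guide), the same three fields manage-bde reports can be read as objects from the BitLocker PowerShell module, which makes it easy to check several devices or drives consistently. It also reports whether the volume is unlocked by the TPM or by a boot password, and whether a recovery password protector exists; the function name is an assumption, and it must run in an elevated PowerShell on a supported Windows edition.

```powershell
# Added example: verify BitLocker state as this guide describes, via Get-BitLockerVolume
# instead of parsing manage-bde -status text. Run from an elevated PowerShell.
function Test-BitLockerCompliance {
    param([string[]]$MountPoint = @('C:'))   # drives the policy targets, e.g. 'C:' or 'C:','D:'

    $tpm = Get-Tpm   # TpmPresent tells you whether the TPM or the Force Without TPM path applies
    foreach ($mp in $MountPoint) {
        $v = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop
        $protectors = $v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }
        $hasRecoveryPassword = $protectors -contains 'RecoveryPassword'   # the 48-digit recovery key
        $hasTpmProtector     = [bool]($protectors | Where-Object { $_ -like 'Tpm*' })
        $hasPassword         = $protectors -contains 'Password'           # boot password (no TPM)

        [pscustomobject]@{
            Drive                   = $v.MountPoint
            ConversionStatus        = $v.VolumeStatus         # e.g. EncryptionInProgress, FullyEncrypted
            PercentEncrypted        = $v.EncryptionPercentage # 0-100, as in manage-bde -status
            ProtectionStatus        = $v.ProtectionStatus     # On / Off (Off also covers a suspended volume)
            TpmPresent              = $tpm.TpmPresent
            UnlockedBy              = $(if ($hasTpmProtector) { 'TPM' }
                                        elseif ($hasPassword) { 'Boot password (Force Without TPM)' }
                                        else { 'None' })
            HasRecoveryKeyProtector = $hasRecoveryPassword
            # Fully protected only when encryption is finished, protection is on,
            # and a recovery key exists that Swif can have stored for the admin.
            Compliant               = ($v.EncryptionPercentage -eq 100 -and
                                       [string]$v.ProtectionStatus -eq 'On' -and
                                       $hasRecoveryPassword)
        }
    }
}

Test-BitLockerCompliance -MountPoint 'C:' | Format-List
```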
Frequently Asked Questions (FAQs)
Q: Do I need to enable “Force Without TPM” for devices that have a functioning TPM?
A: Typically, no. Devices with a TPM can automatically handle BitLocker encryption without needing a password at boot.
Q: My device doesn’t have a TPM. Does that mean I can’t use BitLocker at all?
A: You can still use BitLocker in password-only mode. Just enable Force Without TPM so that a password is required on every reboot.
Q: Can I recover my BitLocker key if my user forgets their password?
A: Yes. Swif stores the recovery key in the device’s details within the Swif console. This is essential for unlocking the drive in case of a lost password.
Q: How do I confirm encryption is completed?
A: Use the manage-bde -status command or check the device's BitLocker status in the Windows Control Panel. The Percentage Encrypted should read 100%.
Q: Are USB drives encrypted if I choose the ‘*’ option in the BitLocker policy?
A: Yes. * applies encryption to all drives, including USB/external ones. Alternatively, you can specify INTERNAL or EXTERNAL if you only want to target internal or external drives.
Q: Is it recommended to encrypt all drives?
A: Not always. Encrypting all drives (especially external USBs) can impact performance and user workflow. Many organizations prefer encrypting just the C drive for the operating system and critical data.
Q: Does this work on Windows Home Edition?
A: No. Windows Home editions do not officially support BitLocker. You must have Pro, Enterprise, or Education editions.
Additional Tips
Back Up Your Recovery Key: Even though Swif stores it, it’s wise to save a copy securely offline.
Minimize the Encryption Scope: Start with system drive (C:) encryption for simplicity and reliability.
Maintenance and Updates: Major Windows updates can sometimes prompt for a BitLocker recovery key if firmware or boot configuration changes occur.
Need Further Help?
If you encounter any issues or have additional questions, please contact Swif Support or visit our Help Center.
Last Updated: March 2025