Swif’s Device Lock command on Windows leverages BitLocker to enforce a full-disk lock and shutdown. The exact behavior depends on:
Windows Edition (Home vs. Pro)
Existence of a BitLocker policy on the C: drive
Presence of a TPM (Trusted Platform Module)
Context
For device encryption, Swif uses BitLocker, which supports the following protectors:
Password – A user-defined password set by the user. The TPM password is a user-defined password, and it’s used when the device is encrypted in a non-TPM device.
Numerical Password – A system-generated 48-digit recovery key. It’s used to unlock the device when the device is locked.
TPM – A hardware security chip that unlocks the drive automatically at boot.
Remote Device Lock Flow: When a lock command is sent, the agent enforces the Numerical Password on the next boot, regardless of whether the device has a TPM chip. This requires the 48-digit key to unlock the device.
To keep the disk encrypted after the lock, a second protector is maintained:
TPM-enabled devices → TPM remains as the ongoing protector.
Non-TPM devices → A user-defined Password is used instead. The TPM password is a user-defined password, and it’s used when the device is encrypted in a non-TPM device. The disk needs a password to encrypt it, and it’ll be used on every boot after unlock.
Below is a summary of the lock and unlock scenarios you may encounter.
1. Windows Home Edition
BitLocker support: Not available
Lock behavior: Ignored (no effect)
Unlock behavior: N/A
2. Windows Pro with Existing BitLocker Policy
TPM Present? | Lock Action | Unlock Behavior |
Yes | Immediately shuts down the device (lock enforced) | Enter the recovery key once; the drive remains unlocked on subsequent boots without re-prompting. |
No | Immediately shuts down the device (lock enforced) | Enter the recovery key once. User-defined Password is required for future boot. |
Scenario detail: Swif issues the lock command, BitLocker shuts down the PC, and on TPM machines, the recovery key is only needed once; on non-TPM machines, the prompt repeats each time.
3. Windows Pro without Existing BitLocker Policy
TPM Present? | Encryption Action | Lock Action | Unlock Behavior |
Yes | Initiates C: drive encryption, then shuts down | Shutdown after starting encryption | Enter the recovery key once; the drive remains encrypted but unlocked on subsequent boots. |
No | Initiates C: drive encryption, then shuts down | Shutdown after starting encryption | Enter the recovery key once. User-defined Password is required for future boot. |
Scenario detail: Swif’s lock command first triggers BitLocker encryption, then powers off. Unlocking once on TPM devices leaves the drive encrypted but accessible; without TPM, you must re-enter the key each time.
How to Unlock
On the Swif dashboard devices table, click the locked Windows device and select Unlock.
Retrieve the recovery key (48-digit numerical password) from the device details in the Swif dashboard.
On the device, power it on and enter the recovery key at the BitLocker recovery screen.
Summary
Edition | BitLocker Policy | TPM | Device Lock | Device Unlock |
Home | Any | N/A | Unsupported | N/A |
Pro | Exists | Yes | Immediate shutdown | Recovery key once; no further prompts |
Pro | Exists | No | Immediate shutdown | Recovery key on every boot |
Pro | Not exists | Yes | Start encryption + shutdown | Recovery key once; drive stays encrypted but unlocked thereafter |
Pro | Not exists | No | Start encryption + shutdown | Recovery key on every boot; drive stays encrypted |
Key Takeaways
Windows Home: Device Lock has no effect.
Windows Pro + BitLocker policy: Lock is immediate; unlock prompts vary by TPM.
Windows Pro without policy: Lock first initiates encryption, then shuts down; unlock behavior again depends on TPM.
These behaviors ensure that device locks via Swif enforce full-disk security on Pro machines while gracefully handling the lack of BitLocker support on Home editions.