Microsoft has confirmed in a statement to Forbes that the company will provide the FBI access to BitLocker encryption keys if a valid legal order is requested. These keys enable the ability to decrypt and access the data on a computer running Windows, giving law enforcement the means to break into a device and access its data.
The news comes as Forbes reports that Microsoft gave the FBI the BitLocker encryption keys to access a device in Guam that law enforcement believed to have "evidence that would help prove individuals handling the island’s Covid unemployment assistance program were part of a plot to steal funds" in early 2025.
This was possible because the device in question had its BitLocker encryption key saved in the cloud. By default, Windows 11 forces the use of a Microsoft Account, and the OS will automatically tie your BitLocker encryption key to your online account so that users can easily recover their data in scenarios where they might get locked out. This can be disabled, letting you choose where to save them locally, but the default behavior is to store the key in Microsoft's cloud when setting up a PC with a Microsoft Account.
"While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys,” Microsoft spokesperson Charles Chamberlayne said in a statement to Forbes.
Microsoft told Forbes that it receives around 20 requests for BitLocker encryption keys from the FBI a year, but the majority of requests are unable to be met because the encryption key was never uploaded to the company's cloud.
This is notable as other tech companies, such as Apple, have famously refused to provide law enforcement with access to encrypted data stored on their products. Apple has openly fought against the FBI in the past when it was asked to provide a backdoor into an iPhone. Other tech giants, such as Meta, will store encryption keys in the cloud, but use zero-knowledge architectures and encrypt the keys server-side so that only the user can access them.
It's frankly shocking that the encryption keys that do get uploaded to Microsoft aren't encrypted on the cloud side, too. That would prevent Microsoft from seeing the keys, but it seems that, as things currently stand, those keys are available in an unencrypted state, and it is a privacy nightmare for customers.
To see Microsoft so willingly hand over the keys to encrypted Windows PCs is concerning, and should make everybody using a modern Windows computer think twice before backing up their keys to the cloud. You can see which PCs have their BitLocker keys stored on Microsoft's servers on the Microsoft Account website here, which will let you delete them if present.
Follow Windows Central on Google News to keep our latest news, insights, and features at the top of your feeds!
