Microsoft Gave FBI BitLocker Encryption Keys, Exposing Privacy Flaw

Microsoft says it will provide encryption keys for Windows PC data protected by BitLocker where it has access to them and it’s received a valid warrant.
Early last year, the FBI served Microsoft with a search warrant, asking it to provide recovery keys to unlock encrypted data stored on three laptops. Federal investigators in Guam believed the devices held evidence that would help prove individuals handling the island’s Covid unemployment assistance program were part of a plot to steal funds.
The data was protected with BitLocker, software that’s automatically enabled on many modern Windows PCs to safeguard all the data on the computer’s hard drive. BitLocker scrambles the data so that only those with a key can decode it.
It’s possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its servers for convenience. While that means someone can access their data if they forget their password, or if repeated failed attempts to log in lock the device, it also leaves those keys reachable by law enforcement subpoenas and warrants.
In the Guam case, it handed over the encryption keys to investigators.
Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide… how to manage their keys,” said Microsoft spokesperson Charles Chamberlayne.
He said the company receives around 20 requests for BitLocker keys per year and that in many cases the user has not stored their key in the cloud, making it impossible for Microsoft to assist.
The Guam case is the first known instance where the Redmond, Washington company has provided any encryption key to law enforcement. Back in 2013, a Microsoft engineer claimed he’d been approached by government officials to install backdoors in BitLocker, but had turned the requests down.
Senator Ron Wyden said in a statement to Forbes that it is “simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users’ encryption keys.”
“Allowing ICE or other Trump goons to secretly obtain a user’s encryption keys is giving them access to the entirety of that person’s digital life, and risks the personal safety and security of users and their families,” he added.
This isn’t just an issue in the U.S. Jennifer Granick, surveillance and cybersecurity counsel at the ACLU, noted that foreign governments with questionable human rights records also demand data from tech giants like Microsoft. “Remote storage of decryption keys can be quite dangerous,” she said.
Got a tip on Big Tech’s role in surveillance? Contact the reporter, Thomas Brewster, at [email protected] or +1 929-512-7964 on Signal.
Law enforcement regularly asks tech giants to provide encryption keys, implement backdoor access or weaken their security in other ways. But other companies have refused. Apple in particular has repeatedly been asked for access to encrypted data in its cloud or on its devices. In a highly publicized showdown with the government in 2016, Apple fought an FBI order to help open phones belonging to terrorists who shot and killed 14 in San Bernardino, California. Ultimately, the FBI found a contractor to hack into the iPhones.
Privacy and encryption experts told Forbes the onus should be on Microsoft to provide stronger protection for consumers’ personal devices and data. Apple, with its comparable FileVault and Passwords systems, and Meta’s WhatsApp messaging app also allow users to back up data on their apps and store a key in the cloud. However, both also allow the user to put the key in an encrypted file in the cloud, making law enforcement requests for it useless. Neither is reported to have turned over encryption keys of any kind in the past.
“This is private data on a private computer and they made the architectural choice to hold access to that data. They absolutely should be treating it like something that belongs to the user,” said Matt Green, cryptography expert and associate professor at the Johns Hopkins University Information Security Institute.
“If Apple can do it, if Google can do it, then Microsoft can do it. Microsoft is the only company that’s not doing this,” he added. “It’s a little weird… The lesson here is that if you have access to keys, eventually law enforcement is going to come.”
Granick raised concerns about the breadth of information that the FBI could obtain if agents get access to data protected by BitLocker. “The keys give the government access to information well beyond the time frame of most crimes, everything on the hard drive,” she said. “Then we have to trust that the agents only look for information relevant to the authorized investigation, and do not take advantage of the windfall to rummage around.”
In the Guam case, the court docket shows the warrant was successfully executed. The lawyer for defendant Charissa Tenorio, who pleaded not guilty, said the information provided to her by the case’s prosecutors included information from her client’s computer and that it included references to BitLocker keys that Microsoft had provided the FBI. The case is ongoing.
Both Green and Granick said Microsoft could have users install a key on a piece of hardware like a thumb drive, which would act as a backup or recovery key. Microsoft does allow for that option, but it’s not the default setting for BitLocker on Windows PCs.
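The option Green and Granick describe can be checked and applied from an elevated PowerShell session with the built-in BitLocker module. The script below is an added example, not part of the Forbes article and not Microsoft code; it assumes the operating-system volume is C: and that a removable drive for the recovery key file is mounted at E:\ (both labelled assumptions). In audit mode it lists every key protector on the volume and flags the 48-digit RecoveryPassword type, which is the one Windows offers to back up to a Microsoft account. With -Migrate it first adds a recovery key file (.BEK) on the removable drive and only then removes the RecoveryPassword protectors, so that any copy of those passwords held outside the device no longer unlocks the volume.

```powershell
# Added example (not from the article): audit BitLocker key protectors on one volume
# and, optionally, replace a cloud-escrowable recovery password with a recovery key
# file kept on removable media. Run from an elevated PowerShell session.
# Assumptions (labelled): OS volume is C:, removable drive is mounted at E:\.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint     = 'C:',   # assumed volume to audit
    [string]$RemovableDrive = 'E:\',  # assumed location for the .BEK recovery key file
    [switch]$Migrate                  # change protectors; default is audit-only
)

Import-Module BitLocker

function Get-RecoveryProtectorReport {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $vol.KeyProtector) {
        [pscustomobject]@{
            Volume     = $MountPoint
            Type       = $kp.KeyProtectorType   # Tpm, TpmPin, RecoveryPassword, ExternalKey, ...
            Id         = $kp.KeyProtectorId
            # A RecoveryPassword is the protector Windows can back up to a Microsoft
            # account; an ExternalKey is a .BEK file on a drive the user holds.
            Escrowable = ($kp.KeyProtectorType -eq 'RecoveryPassword')
            KeyFile    = $kp.KeyFileName
        }
    }
}

$report = Get-RecoveryProtectorReport -MountPoint $MountPoint
$report | Format-Table -AutoSize

if ($Migrate) {
    if (-not (Test-Path $RemovableDrive)) {
        throw "Removable drive $RemovableDrive not found; refusing to remove protectors"
    }

    # 1. Add a recovery key (.BEK) protector stored on the removable drive.
    $vol    = Add-BitLockerKeyProtector -MountPoint $MountPoint `
                  -RecoveryKeyPath $RemovableDrive -RecoveryKeyProtector
    $newKey = $vol.KeyProtector |
              Where-Object KeyProtectorType -eq 'ExternalKey' |
              Select-Object -Last 1
    Write-Host "Added ExternalKey protector $($newKey.KeyProtectorId); file: $($newKey.KeyFileName)"

    # 2. Only after the new protector exists, remove RecoveryPassword protectors.
    #    Once a protector is deleted, any copy of its password stored elsewhere
    #    (including in a cloud account) can no longer unlock this volume.
    foreach ($p in ($report | Where-Object Escrowable)) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.Id | Out-Null
        Write-Host "Removed RecoveryPassword protector $($p.Id)"
    }
}
```

Run it once without -Migrate to see what is currently on the volume; the order in -Migrate mode (add the new protector before deleting the old one) is deliberate, because a volume whose only recovery protector has been removed can become unrecoverable after a TPM or firmware change. The .BEK file on the removable drive should then be stored somewhere the user controls, which is the "thumb drive" arrangement the article describes.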
Without the encryption keys from Microsoft, the FBI would’ve struggled to get any useful data from the computers. BitLocker’s encryption algorithms have proven impenetrable to prior law enforcement attempts to break in, according to a Forbes review of historical cases. In early 2025, a forensic expert with ICE’s Homeland Security Investigations unit wrote in a court document that his agency did “not possess the forensic tools to break into devices encrypted with Microsoft BitLocker, or any other style of encryption.” In one previous case, federal investigators obtained keys by discovering that a suspect had stored them on unencrypted drives.
Now that the FBI and other agencies know Microsoft will comply with warrants similar to the Guam case, they’ll likely make more demands for encryption keys, Green said. “My experience is, once the U.S. government gets used to having a capability, it’s very hard to get rid of it.”