Microsoft has confirmed that it works with law enforcement agencies when it gets a valid court order or warrant, even to the extent of providing BitLocker recovery keys to law enforcement agencies. Forbes uncovered this disclosure following a federal fraud investigation in Guam where the FBI successfully used keys supplied by Microsoft to unlock three encrypted laptops linked to a COVID-19 unemployment assistance scheme.
The Redmond giant revealed that it receives around 20 requests for BitLocker keys annually. It is not new information that Microsoft complies with lawful government requests and hands over keys that are within its cloud infrastructure. However, this is the first publicly confirmed instance that the company has surrendered keys to federal investigators.
For those not familiar, BitLocker encryption is turned on by default on most modern Windows PCs and encrypts drives to keep data safe. However, Windows frequently prompts users to back up their 48-digit recovery keys to a Microsoft cloud account. This choice gives Microsoft technical access to the keys, making them available if law enforcement comes knocking.
In the Guam case the FBI used the keys it received from Microsoft to bypass encryption that federal forensic experts had previously described as “impenetrable.” The court documents said that agencies like Homeland Security Investigations (HSI) lacked the tools to break BitLocker without the specific recovery keys.
Microsoft’s decision to hand over keys to law enforcement contrasts with competitors like Apple and Meta, which use zero-knowledge architectures in which recovery keys are end-to-end encrypted or stored only on the user’s device, meaning the company cannot comply with such requests, even under subpoena.
Legal experts anticipate more law enforcement requests for BitLocker keys now that Microsoft’s compliance has been reported. Users who do not want Microsoft to store their keys can audit their accounts at account.microsoft.com/devices/recoverykey. From there, you can see whether any keys are stored in the cloud. If you want more security, it is recommended to move to local-only key storage, such as a physical USB drive or a printed document, to regain full control over encrypted data.
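The local-only storage the article recommends can be set up from an elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft: it lists every recovery-password protector on the machine using the built-in BitLocker module and writes each one to a file on removable media. The drive letter `E:` and the folder name are assumptions; change `$BackupRoot` to match your USB drive.

```powershell
# Added example (not from the article): inventory BitLocker recovery passwords on this PC
# and save them to a local file on removable media instead of a Microsoft cloud account.
# Requires an elevated PowerShell session and the BitLocker module (Windows 10/11 Pro or better).
# Assumption: the USB drive is mounted as E:; adjust $BackupRoot for your system.

$BackupRoot = 'E:\BitLockerBackup'   # assumed removable-drive path, not from the article

function Get-RecoveryProtectorReport {
    # One object per recovery-password protector on every BitLocker-capable volume.
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                [pscustomobject]@{
                    MountPoint       = $vol.MountPoint        # e.g. C:
                    ProtectionStatus = $vol.ProtectionStatus  # On / Off
                    ProtectorId      = $_.KeyProtectorId      # GUID that identifies this protector
                    RecoveryPassword = $_.RecoveryPassword    # the 48-digit numerical password
                }
            }
    }
}

function Export-RecoveryPasswordsLocally {
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path $Root)) {
        New-Item -ItemType Directory -Path $Root | Out-Null
    }
    foreach ($p in Get-RecoveryProtectorReport) {
        # File name carries the volume and protector ID so the right key can be matched
        # to the ID shown on the BitLocker recovery screen.
        $volTag = $p.MountPoint -replace '[:\\]', ''
        $idTag  = $p.ProtectorId.Trim('{}')
        $file   = Join-Path $Root ("BitLocker_{0}_{1}.txt" -f $volTag, $idTag)
        @(
            "BitLocker Drive Encryption recovery key"
            "Volume:          $($p.MountPoint)"
            "Identifier:      $($p.ProtectorId)"
            "Recovery Key:    $($p.RecoveryPassword)"
        ) | Out-File -FilePath $file -Encoding ascii
        Write-Host "Saved recovery information for $($p.MountPoint) to $file"
    }
}

# Show what protectors exist, then write them to the removable drive.
Get-RecoveryProtectorReport | Format-Table -AutoSize
Export-RecoveryPasswordsLocally -Root $BackupRoot

# Note: BackupToAAD-BitLockerKeyProtector and Backup-BitLockerKeyProtector send a copy
# of the protector to Entra ID / Active Directory. Do not run them if the goal is
# local-only custody of the key.
```

Keep the USB drive or printout somewhere physically secure; a recovery password stored locally is only as safe as the medium it sits on. This script cannot delete a copy that was already uploaded to a Microsoft account; that has to be done through the account.microsoft.com/devices/recoverykey page the article names. After removing a cloud copy, confirm the local file opens and contains the full 48-digit password before relying on it.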