Microsoft says it will provide encryption keys for Windows PC data protected by BitLocker where it has access to it and has obtained a valid warrant.
Around last year, the FBI issued a search warrant to Microsoft, asking it to provide recovery keys to unlock encrypted data stored on three laptops. Federal investigators in Guam believed the devices had evidence that would help prove the people who operated the island’s Covid unemployment assistance program were part of a conspiracy to steal funds.
The data was protected with BitLocker, software that is automatically activated on many modern Windows computers to protect all data on the computer’s hard drive. BitLocker scrambles the data so that only those who have a key can decrypt it.
It is possible for users to store these keys on a device they own, but Microsoft also recommends that BitLocker users store their keys on its servers for convenience. While this means someone can access their data if they forget their password or if repeated failed login attempts lock the device, it also leaves them vulnerable to law enforcement subpoenas and warrants.
In the Guam case, it turned over the encryption keys to investigators.
Microsoft confirmed to Forbes that it provides BitLocker recovery keys if it receives a valid legal order. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes that customers are in the best position to decide … how to manage their keys,” said Microsoft spokesman Charles Chamberlayne.
He said the company receives about 20 requests for BitLocker keys a year, and in many cases, the user hasn’t saved their key in the cloud, making it impossible for Microsoft to help.
The Guam case is the first known case where the Redmond, Washington company provided any encryption key to law enforcement. Back in 2013, a Microsoft engineer claimed he had been approached by government officials to install backdoors in BitLocker, but had refused the requests.
Senator Ron Wyden said in a statement to Forbes that it is “simply irresponsible for tech companies to ship products in a way that allows them to secretly hand over users’ encryption keys.”
“Allowing ICE or other thugs to secretly obtain a user’s encryption keys gives them access to that person’s entire digital life and puts the personal safety and security of users and their families at risk,” he added.
This isn’t just an issue in the U.S. Jennifer Granick, surveillance and cybersecurity counsel at the ACLU, noted that foreign governments with questionable human rights records are also demanding data from tech giants like Microsoft. “Storing decryption keys remotely can be quite dangerous,” she said.
Have a tip on Big Tech’s role in surveillance? Contact the reporter, Thomas Brewster, at tbrewster@forbes.com or +1 929-512-7964 on Signal.
Law enforcement regularly asks tech giants to provide encryption keys, implement backdoor access or weaken their security in other ways. But other companies have refused. In particular, Apple has repeatedly faced requests for access to encrypted data in the cloud or on its devices. In a highly publicized showdown with the government in 2016, Apple fought an FBI order to help unlock phones belonging to terrorists who shot and killed 14 in San Bernardino, California. Eventually, the FBI found a contractor to hack the iPhones.
Privacy and encryption experts told Forbes that Microsoft must provide stronger protections for consumers’ personal devices and data. Apple, with its comparable FileVault and Passwords systems, and Meta’s WhatsApp messaging app also allow users to back up data in their apps and store a key in the cloud. However, both also allow the user to place the key in an encrypted file in the cloud, rendering law enforcement requests for it useless. Neither is reported to have delivered encryption keys of any kind in the past.
“This is private data on a private computer, and they made an architectural choice to access that data. They absolutely need to treat it as something that belongs to the user,” said Matt Green, a cryptography expert and associate professor at Johns Hopkins University’s Information Security Institute.
“If Apple can do it, if Google can do it, then Microsoft can do it. Microsoft is the only company that doesn’t do that,” he added. “It’s a little strange. … The lesson here is that if you have access to the keys, eventually law enforcement will come.”
Granick raised concerns about the scope of information the FBI could obtain if agents accessed BitLocker-protected data. “The keys give the government access to information far beyond the time frame of most crimes, everything on the hard drive,” she said. “Then we have to believe that the agents are only looking for information relevant to the authorized investigation and are not taking advantage of the windfall to rummage.”
In the Guam case, the court document shows the warrant was successfully executed. The attorney for the defendant, Charissa Tenorio, who has pleaded not guilty, said the information provided to her by prosecutors in the case included information from her client’s computer and that it included references to BitLocker keys that Microsoft had given to the FBI. The case is ongoing.
Both Green and Granick said Microsoft could ask users to install a key on a piece of hardware such as a thumb drive, which would act as a backup or recovery key. Microsoft allows this option, but it is not the default setting for BitLocker on Windows computers.
Without the encryption keys from Microsoft, the FBI would have a hard time getting useful data from the computers. BitLocker’s encryption algorithms have proven impervious to past law enforcement break-in attempts, according to a Forbes review of historical cases. In early 2025, a forensic expert with ICE’s Homeland Security Investigations unit wrote in a court filing that his agency “did not have the forensic tools to break into devices encrypted with Microsoft BitLocker or any other style of encryption.” In an earlier case, federal investigators obtained keys by discovering that a suspect had stored them on unencrypted drives.
Now that the FBI and other agencies know that Microsoft will comply with warrants similar to the Guam case, they will likely make more demands for encryption keys, Green said. “My experience is that once the US government gets used to having a capability, it’s very difficult to get rid of it.”
