Microsoft Will Hand Over Encrypted User Data to the FBI If Ordered

The Redmond-based tech giant is not pushing back against US authorities, meaning BitLocker protection can in some cases be worked around.

 

Microsoft has confirmed that it will provide law enforcement with encryption keys for data protected by BitLocker on Windows PCs if served with a valid court order. In early 2025, the FBI obtained a warrant compelling the company to hand over keys for encrypted data stored on three laptops. Federal officials claimed the machines contained evidence related to pandemic-era fraud carried out in Guam. The data was secured with BitLocker, which encrypts the drives of most modern Windows PCs and is typically enabled by default. Users can choose to store recovery keys on a separate device or in Microsoft’s cloud; the cloud option is the standard configuration. In the Guam case, the keys were stored on Microsoft servers and were provided to investigators.

According to Microsoft spokesperson Charles Chamberlayne, while key recovery is a useful feature, it also introduces the possibility of unauthorized access. Microsoft’s position is that users should decide how their recovery keys are handled. The company receives roughly 20 such requests each year. If a decryption key is not stored within Microsoft’s infrastructure, the company says it cannot assist. Allegations that Microsoft had been asked by the FBI and other agencies to include a back door date back to 2005, when BitLocker was first introduced.

Democratic Senator Ron Wyden argued that it is irresponsible for tech firms to sell products that allow them to secretly surrender users’ encryption keys. He warned that if agencies such as ICE or other political actors can quietly obtain these keys, they could gain access to a person’s entire digital life, creating serious risks for users and their families.

Apple previously challenged an FBI order seeking assistance in accessing the iPhones of the attackers involved in the 2015 San Bernardino shooting. In the end, the FBI managed to unlock the devices without Apple’s help. Apple and Meta both support server-side key storage but place stronger emphasis on end-to-end encryption, where third parties cannot read the data.

“This is private data on a private computer, and companies chose an architecture where they still retain access. If Apple and Google can design around that, Microsoft could too. Microsoft is the only major company not doing so, which is unusual. The lesson is that if someone has access to the keys, law enforcement will eventually come asking. In my experience, once the US government gets used to a capability, it is extremely hard to take it away,” said Matt Green, a cryptography specialist at Johns Hopkins University.

In the Guam case, the order was executed successfully. Proceedings are still ongoing. The lawyer for the defendant, Charissa Tenorio, who has pleaded not guilty, said prosecutors possess computer data referencing BitLocker keys that were turned over to the FBI.

Source: PCGamer, Mashable, Forbes

Anikó, our news editor and communication manager, is more interested in the business side of the gaming industry. She worked at banks, and she has a vast knowledge of business life. Still, she likes puzzle and story-oriented games, like Sherlock Holmes: Crimes & Punishments, which is her favourite title. She also played The Sims 3, but after accidentally killing a whole sim family, swore not to play it again.
