Microsoft confirmed it provided BitLocker recovery keys to the FBI, allowing federal agents to decrypt three laptops in a Guam fraud investigation. The company receives approximately 20 such legal requests annually and complies when users store encryption keys in Microsoft cloud accounts.
Federal investigators served a warrant in early 2025 related to alleged pandemic unemployment benefits fraud in Guam. Microsoft handed over recovery keys for three encrypted laptops stored in its cloud infrastructure, according to court documents reviewed by Forbes. This marks the first confirmed instance of Microsoft providing BitLocker keys to law enforcement under a valid court order.
BitLocker, Windows' full-disk encryption feature enabled by default on modern PCs, scrambles data to prevent unauthorized access. During setup, Windows prompts users to back up recovery keys to their Microsoft account in the cloud. These unencrypted keys become accessible via legal process, bypassing the encryption protections users expect.
Microsoft spokesman Charles Chamberlayne told Forbes that while cloud key recovery offers convenience, it also carries risk of unwanted access. "Microsoft believes customers are in the best position to decide how to manage their keys," he said.
The company's transparency reports covering July to December 2024 noted 128 global law enforcement requests for BitLocker keys, with 77 coming from U.S. agencies, according to reports. Microsoft complies with approximately 20 FBI requests annually for BitLocker keys, though many cannot be fulfilled if users never backed up keys to Microsoft servers.
This approach contrasts sharply with Apple and Google's encryption policies. Apple designs FileVault so iCloud backups encrypt keys server-side, rendering them useless to authorities. Google does not store encryption keys off devices, making them inaccessible to law enforcement, and neither company has reportedly yielded encryption keys to authorities.
Matthew Green, a cryptography expert and professor at Johns Hopkins University, criticized Microsoft's architecture, noting that recovery keys stored in Microsoft's cloud aren't encrypted end-to-end in a way that prevents Microsoft access. "If law enforcement wants to access your encrypted drive, they can just ask Microsoft for the key," he said.
Green noted broader security risks beyond government access. "If Microsoft can easily produce this data to law enforcement, then anyone who compromises their cloud infrastructure can potentially access that data," he warned.
The Guam case involved suspects including Charissa Tenorio, who pleaded not guilty to fraud charges. Without Microsoft's assistance, the encrypted laptops would have remained impenetrable. An ICE forensic expert noted in 2025 that BitLocker's algorithms have thwarted prior law enforcement cracking attempts.
Senator Ron Wyden criticized Microsoft's approach. "It is simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users' encryption keys," he told Forbes.
Windows 11's push for Microsoft accounts automatically backs up BitLocker keys unless users intervene. The default setup may not provide clear notification that recovery keys upload to Microsoft's cloud during initial configuration. This comes as Microsoft continues to address Windows 11 security issues through emergency updates.
Users can avoid cloud storage by choosing local backup options during BitLocker setup. Windows offers alternatives including printing recovery keys, saving to USB drives, or storing in local files. Deleting cloud-stored keys and creating new ones manually removes Microsoft's access to that device's encryption.
Enterprise clients face similar considerations. Microsoft's law enforcement guidelines acknowledge storing customer keys even for large clients to avoid data loss, making the company a potential target for subpoenas in corporate investigations.
The incident echoes historical tensions between tech companies and government surveillance. In 2013, former Microsoft security engineer Peter Biddle described being approached by the FBI to add a backdoor to BitLocker during multiple meetings. Microsoft has long maintained that BitLocker doesn't have built-in backdoors, but cloud-accessible recovery keys create similar access points.
U.S. laws like the CLOUD Act compel American firms to disclose data worldwide upon valid orders, overriding foreign privacy rules. Microsoft's infrastructure was designed to retrieve and share recovery keys when faced with valid warrants, according to company documentation.
For users concerned about privacy, alternatives include VeraCrypt, a free open-source encryption tool with more control over key management. Some security experts recommend disabling BitLocker entirely for users without sensitive data, as software-based encryption can introduce performance impacts and complicate legitimate data recovery.
The revelation comes as Microsoft faces increasing scrutiny over its federal contracts and security practices. With billions in government contracts, the company's encryption policies raise questions about oversight and user privacy protections in an era of expanding digital surveillance.
