Microsoft has confirmed it will provide BitLocker recovery keys to the Federal Bureau of Investigation when presented with valid legal requests. The confirmation follows reporting that the company supplied encryption keys to law enforcement during a criminal investigation in 2025.
BitLocker is Microsoft’s full-disk encryption feature built into Windows Pro, Enterprise, and Education editions, designed to protect data on business and personal computers from unauthorized access if devices are lost or stolen. The technology encrypts entire hard drives and requires authentication keys to decrypt data, targeting enterprise users and security-conscious consumers who need to comply with data protection regulations or safeguard sensitive information.
The situation stems from how Windows 11 handles device encryption by default. Microsoft’s latest operating system, released in 2021, targets both consumer and business users with enhanced security features and a redesigned interface. The OS requires TPM 2.0 chips and newer hardware, automatically enabling BitLocker device encryption on compatible systems when users sign in with Microsoft Accounts—a departure from previous Windows versions where encryption was often optional or required manual activation.
When users sign in with a Microsoft Account, the operating system automatically backs up the device’s BitLocker recovery key to Microsoft’s cloud unless users explicitly choose another option during setup. This design allows users to recover their data if locked out of their PC, preventing permanent data loss by tying the recovery key to the user’s Microsoft Account by default.
However, this design also means Microsoft can access keys stored in its cloud systems when required by law. The company told Forbes it receives around 20 requests per year from the FBI for BitLocker recovery keys, though in most cases Microsoft cannot comply because keys were never uploaded.
A Microsoft spokesperson stated the company only hands over recovery keys when presented with valid legal orders. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide how to manage their keys,” spokesperson Charles Chamberlayne said.
Forbes reported a case from early 2025 in which Microsoft provided BitLocker recovery keys to the FBI in response to a search warrant. This enabled agents to decrypt three laptops seized in Guam during a fraud investigation related to COVID unemployment assistance scams.
The approach differs from some other technology companies. Apple has publicly resisted law enforcement requests when it does not have technical access to encrypted data, while Microsoft’s design allows access because recovery keys are not end-to-end encrypted in a way that prevents the company from viewing them.
Microsoft’s BitLocker key-sharing practices come amid broader scrutiny over encryption and law enforcement access. In recent years, federal agencies have increasingly sought digital evidence from technology companies, with encrypted devices becoming a focal point in criminal investigations. The Department of Justice has repeatedly called for tech companies to provide “lawful access” to encrypted communications and storage, though companies like Apple have maintained they cannot access end-to-end encrypted data even when legally compelled.
Windows 11’s automatic cloud backup of BitLocker keys represents a different approach from competitors who have moved toward zero-knowledge encryption models. Google’s Advanced Protection Program and similar services from other providers are designed so that even the companies themselves cannot access user data, making compliance with law enforcement requests technically impossible in many cases.
Windows 11’s mandatory Microsoft Account setup on most consumer editions makes cloud key backup the standard configuration. Users can check whether their BitLocker recovery keys are stored in Microsoft’s cloud by visiting their Microsoft Account device management page, where keys can be viewed or deleted. It is possible to configure Windows to store recovery keys locally or in other locations during setup, but this requires manual action and is not the default behavior when using a Microsoft Account.
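The article's point is that the copy of the recovery key on Microsoft's servers, not the key protector on the disk, is what can be handed over, and that the cloud copy can be viewed or deleted on the Microsoft Account device page (https://account.microsoft.com/devices/recoverykey). What the account page cannot tell you is which protectors exist on the local volumes, and deleting the cloud copy does not change a recovery password that Microsoft may already have stored. The following PowerShell is an added example, not code from the article or from Microsoft: it audits the key protectors on each BitLocker volume with the stock BitLocker module, writes the recovery password to a local file, and optionally rotates the recovery password so that any previously uploaded copy no longer matches. It assumes an elevated session on Windows Pro/Enterprise/Education; the function names and the output path are the example's own.

```powershell
# Added example (not from the article or from Microsoft). Requires an elevated
# PowerShell session and the built-in BitLocker module.
#Requires -RunAsAdministrator

# List every BitLocker volume with its encryption state and which protector
# types it carries. A 'RecoveryPassword' protector is the 48-digit key that
# Windows uploads to the Microsoft Account when cloud backup is chosen.
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint            = $vol.MountPoint
            VolumeStatus          = $vol.VolumeStatus
            ProtectionStatus      = $vol.ProtectionStatus
            ProtectorTypes        = ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
            RecoveryPasswordCount = $recovery.Count
        }
    }
}

# Write the recovery password(s) for one volume to a local file. The file is a
# full decryption credential, so $OutputPath should be removable media or another
# location that is not the encrypted drive itself (path is the example's choice).
function Export-BitLockerRecoveryPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [string] $OutputPath
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "No recovery password protector exists on $MountPoint"
    }
    $lines = foreach ($p in $recovery) {
        "Volume:            $MountPoint"
        "Key protector ID:  $($p.KeyProtectorId)"
        "Recovery password: $($p.RecoveryPassword)"
        ""
    }
    Set-Content -Path $OutputPath -Value $lines -Encoding ASCII
    return $OutputPath
}

# Replace the recovery password with a fresh one. The new protector is added
# before the old one is removed so the volume is never left without a recovery
# protector; the TPM (or other) protector used for normal boot is untouched.
# After rotation, export the new password locally; the old one, wherever it was
# backed up, no longer unlocks the volume.
function Update-BitLockerRecoveryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Rotate BitLocker recovery password')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        foreach ($p in $old) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }
    # Return the protector that is now current
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# Usage (run as administrator; 'E:\' stands for removable media of your choosing):
#   Get-BitLockerProtectorAudit | Format-Table -AutoSize
#   Update-BitLockerRecoveryPassword -MountPoint 'C:'
#   Export-BitLockerRecoveryPassword -MountPoint 'C:' -OutputPath 'E:\bitlocker-C-recovery.txt'
```

The order of operations matters for the scenario the article describes: first delete the stored key on the Microsoft Account page, then rotate locally, then export the new password offline. Rotating without deleting the cloud entry leaves a stale copy there that the new password makes useless; deleting without rotating leaves the original password, which Microsoft may already have received, still valid. Windows can re-upload a recovery password the next time backup is triggered, so re-running `Get-BitLockerProtectorAudit` and re-checking the account page after major updates or a re-login is the cheap way to confirm the configuration has held.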
Microsoft has not indicated plans to change how BitLocker recovery keys are stored by default, meaning users who want full control over their encryption keys must actively manage where those keys are saved.