Microsoft handed Windows users’ BitLocker recovery keys to US law enforcement officers, giving them access to the encrypted data, according to a news report.

The US Federal Bureau of Investigation approached Microsoft with a search warrant in early 2025, seeking keys to unlock encrypted data stored on three laptops in a case of alleged fraud involving the COVID unemployment assistance program in Guam. Because the keys were stored on a Microsoft server, Microsoft complied with the legal order and handed over the recovery keys, Forbes reported on Friday.

Microsoft did not immediately respond to a request for comment.

In past cases, big tech companies approached by law enforcement for access to devices have resisted handing encryption keys to the authorities.

BitLocker is a widely used tool for securing data at rest, whether by individuals or by enterprises managing hundreds or thousands of Windows devices. By default, a Windows installation that is signed in with a Microsoft account backs up its BitLocker recovery key to that account, and an Entra-joined device backs it up to Microsoft Entra ID; in either case the key sits on Microsoft infrastructure, where Microsoft can retrieve it if legally compelled with a valid order.

Custody issue, not BitLocker

BitLocker is designed to encrypt entire volumes, addressing the threat of data theft or exposure from lost, stolen, or improperly decommissioned devices. Because BitLocker is bundled with Windows 10 and Windows 11, it has effectively become the default full-disk encryption layer across Windows endpoints, experts say.

“BitLocker itself does not fail here. The software does what it is built to do: encrypts the disk, integrates into Windows, allows for easy recovery,” said Sanchit Vir Gogia, chief analyst at Greyhound Research.

While BitLocker’s encryption is robust, enterprises need to be mindful of who has custody of the recovery keys, as this case illustrates.

“The encryption engine in BitLocker, using AES-128 or AES-256 in XTS mode, is built to resist modern cryptanalysis. Even the US Department of Homeland Security has admitted they lack the forensic tooling to break it directly. However, most enterprise fleets running Windows use tools like Intune and Autopilot to roll out and manage devices. In that flow, unless explicitly disabled, recovery keys are automatically backed up to Microsoft Entra ID. These keys are then viewable via the admin centre or retrievable through scripts,” Gogia said.

Where most enterprises go wrong

Enterprises using BitLocker should treat recovery keys as highly sensitive data and avoid the default cloud backup unless there is a clear business requirement and the associated risks are understood and mitigated.

The safest configuration is to redirect those keys to on-premises Active Directory or a controlled enterprise key vault, which cuts Microsoft out of the recovery loop, said Amit Jaju, a global partner at Ankura Consulting. Even when keys are stored in a corporate-controlled directory or service such as Microsoft Entra ID or Intune, there should be strong governance over who can read them, with effective logging and just-in-time access, he said.
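The steps above, carried out on a domain-joined Windows 10/11 device, look like the following. This is an added example and not code from the article or from Microsoft: it inventories the recovery-password protectors on each encrypted volume, escrows them to on-premises AD DS with the built-in `Backup-BitLockerKeyProtector` cmdlet, makes that escrow mandatory for future volumes through the policy registry values, and then reads the resulting `msFVE-RecoveryInformation` objects back from the directory to show exactly what a helpdesk operator, an insider, or a compelled custodian would be able to read. It assumes the BitLocker and ActiveDirectory PowerShell modules are present and that the running account has been delegated read access to `msFVE-RecoveryPassword`; the three `FVE` value names are the ones the GPO "Choose how BitLocker-protected operating system drives can be recovered" writes, and should be confirmed against the FVE ADMX shipped with your build.

```powershell
# Added example (not from the article): audit BitLocker recovery-password protectors,
# escrow them to AD DS, enforce that escrow by policy, and check the directory side.
# Run from an elevated PowerShell on a domain-joined Windows 10/11 device.
#Requires -RunAsAdministrator
Import-Module BitLocker

# 1. Inventory. A RecoveryPassword protector is the 48-digit key that ends up in a
#    Microsoft account, Entra ID or AD DS depending on how the device was provisioned.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
foreach ($vol in $volumes) {
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    '{0}: {1} protector(s), {2} recovery password(s)' -f $vol.MountPoint, $vol.KeyProtector.Count, $rp.Count
    foreach ($p in $rp) { '  RecoveryPassword id {0}' -f $p.KeyProtectorId }
}

# 2. Escrow every recovery password to AD DS (stored as an msFVE-RecoveryInformation
#    child object of this computer's AD object). Doing it explicitly brings already
#    encrypted devices into on-prem custody without re-encrypting them.
foreach ($vol in $volumes) {
    foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# 3. Make AD DS escrow mandatory for volumes encrypted from now on. These are the
#    registry values behind the OS-drive recovery GPO (assumed names; verify in your ADMX).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name OSActiveDirectoryBackup        -Value 1 -Type DWord  # back up to AD DS
Set-ItemProperty -Path $fve -Name OSRequireActiveDirectoryBackup -Value 1 -Type DWord  # do not enable BitLocker until backup succeeds
Set-ItemProperty -Path $fve -Name OSActiveDirectoryInfoToStore   -Value 1 -Type DWord  # 1 = recovery passwords and key packages

# 4. Verify from the directory. Whoever can read msFVE-RecoveryPassword on these
#    objects can unlock the disk, so this is the access list that governance must cover.
#    The password is masked here except for its last block, so the script can be run safely.
Import-Module ActiveDirectory
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
Get-ADObject -SearchBase $computerDn -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
             -Properties 'msFVE-RecoveryPassword', whenCreated |
    Select-Object Name, whenCreated,
        @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' -replace '^(\d{6}-){7}', '******-******-******-******-******-******-******-' } }
```

On an Entra-joined device the same inventory applies, but the escrow call in step 2 becomes `BackupToAAD-BitLockerKeyProtector` with the same `-MountPoint` and `-KeyProtectorId` parameters, and the verification in step 4 happens in the Entra admin centre rather than in AD DS. Step 3 only governs devices encrypted after the policy lands; the explicit escrow in step 2 is what covers the existing fleet.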

If keys have to reside in Microsoft’s cloud, use strong multi-factor authentication for admin roles, with conditional access and privileged-access workstations so a compromise of admin credentials does not automatically become a compromise of all keys, he said.

Enterprises should enforce strict access control and separation of duties. “Only a small, vetted group, such as security operations or endpoint engineering, should have rights to view or export recovery keys. Approvals should be workflow-based, not ad hoc. Every key retrieval should leave an auditable, immutable trail, and ideally be tied to an incident or ticket ID,” said Jaju.

CISOs should also ensure that when devices are repurposed, decommissioned, or moved across jurisdictions, the recovery keys are rotated as part of the workflow, so that any copy of the old key that was escrowed or shared along the way can no longer unlock the drive.
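A rotation that is safe to run in that workflow has to add and escrow the new recovery password before it removes the old one, otherwise a failed escrow leaves a device with a key nobody holds. The script below is an added example, not code from the article or from Microsoft: it rotates the recovery password on every encrypted volume using the stock BitLocker cmdlets, escrows the new one to AD DS (or to Entra ID with the `-EntraJoined` switch, which is an assumed parameter name of this helper), rolls back if escrow fails, and only then retires the previous protectors. `Invoke-RecoveryPasswordRotation` is a hypothetical function name chosen for this example.

```powershell
# Added example (not from the article): rotate BitLocker recovery passwords in a
# fail-closed order (add new, escrow new, then remove old). Run elevated.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Invoke-RecoveryPasswordRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Volumes to rotate; defaults to every volume that currently has BitLocker on it.
        [string[]]$MountPoint = @((Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted').MountPoint),
        # Escrow to Entra ID instead of on-prem AD DS (assumed switch name for this example).
        [switch]$EntraJoined
    )
    foreach ($mp in $MountPoint) {
        $before = @((Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')

        if (-not $PSCmdlet.ShouldProcess($mp, "rotate $($before.Count) recovery password(s)")) { continue }

        # 1. Add a fresh 48-digit recovery password. BitLocker generates it; this script
        #    never handles the digits, only the protector id.
        $new = (Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector).KeyProtector |
               Where-Object KeyProtectorType -eq 'RecoveryPassword' |
               Where-Object { $_.KeyProtectorId -notin $before.KeyProtectorId } |
               Select-Object -First 1

        # 2. Escrow the new protector to the custodian you trust. If that fails, remove the
        #    new protector again and keep the old one: a key with no escrowed copy is worse
        #    than an old key that is still recoverable.
        try {
            if ($EntraJoined) {
                BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $new.KeyProtectorId | Out-Null
            } else {
                Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $new.KeyProtectorId | Out-Null
            }
        } catch {
            Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $new.KeyProtectorId | Out-Null
            throw "Escrow of the new recovery password for $mp failed; previous protectors kept. $_"
        }

        # 3. Retire the old protectors. From this point an old 48-digit password, wherever
        #    a copy of it was stored or handed over, no longer unlocks this volume.
        foreach ($old in $before) {
            Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $old.KeyProtectorId | Out-Null
        }

        [pscustomobject]@{ MountPoint = $mp; Retired = $before.KeyProtectorId; Active = $new.KeyProtectorId }
    }
}

Invoke-RecoveryPasswordRotation -WhatIf   # dry run; drop -WhatIf to rotate for real
```

Two caveats a practitioner should keep in mind. Removing a protector invalidates the old password on the device, but it does not delete copies already escrowed elsewhere: the old `msFVE-RecoveryInformation` objects stay in AD DS, and previously backed-up keys remain visible to whoever could read them, so the retired protector IDs returned by the function should feed a clean-up step in the directory or key vault. And rotation changes only the protector, not the volume’s data encryption key, so if a recovery key is believed to have actually been used to unlock an image of the disk, the data on that image is already exposed and rotation is damage limitation for future access, not a remedy.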

Gogia warned of the long tail of insecure setups. Personal accounts linked during provisioning, or BYOD devices that silently sync keys to consumer dashboards, are invisible pathways for leakage. “If those keys sit outside your boundary, you no longer have a clean chain of custody. That’s not a theoretical risk. It’s something auditors are now actively checking,” he said.

As many breaches are not cryptographic but procedural, enterprises should have a formal playbook for when a recovery key can be used (lost PIN, internal investigation with legal approval, lawful order) and when it cannot (informal manager request to access an employee’s data), noted Jaju.

Geopolitics reshaping enterprise data and key control

Geopolitical tensions are also reshaping global trade and technology policies, something enterprises increasingly need to factor into their security strategies. As governments assert greater control over data, trade secrets and proprietary information risk becoming entangled in broader state interests.

Gogia warned, “The US CLOUD Act allows law enforcement to compel US-based providers to hand over data and keys, even if that data is hosted in Europe or Asia. Similarly, Chinese data localisation rules require keys and data to be accessible to state regulators. In India, recent legislation has introduced broad access rights for security agencies. And the EU is debating whether sovereignty must include key custody by design, not just data residency.”

If recovery keys are stored with a cloud provider, that provider may be compelled, at least in its home jurisdiction, to hand them over under lawful order, even if the company or data subject is located elsewhere, and possibly without the company being notified. This is even more critical for a pharma company, semiconductor firm, defence contractor, or critical-infrastructure operator, as it exposes them to risks such as disclosure of trade secrets in cross-border investigations.

Jaju added, “Enterprises should assume that where keys are held, they can potentially be compelled. So where practical, ensure that the entities controlling keys are legally anchored in the jurisdiction whose laws and due-process standards you trust most. Establish board-level oversight on cross-border data access, including a register of government data-access requests, where legally permitted. For multinational companies, legal and security teams must work together to understand mutual legal-assistance treaties, CLOUD Act implications, and local interception laws.”

This article first appeared on Computerworld.