Microsoft is under scrutiny after it emerged that the company shared encryption keys with US law enforcement, an uncommon move that has alarmed privacy experts and reignited the debate over who truly controls encrypted data.

According to Forbes staffer Thomas Brewster, Microsoft provided the FBI with BitLocker recovery keys that allowed investigators to unlock data on three encrypted laptops. The request came through a valid search warrant issued in a federal investigation in Guam into alleged fraud in the island’s COVID-19 unemployment assistance program.

The laptops were protected by BitLocker, Microsoft’s full-disk encryption software that is enabled by default on many modern Windows PCs. While BitLocker is designed to keep data safe from unauthorized access, the case shows that protection depends heavily on where the recovery key is stored.

Why Microsoft could access the keys

BitLocker users can store recovery keys locally on a USB drive or another device, but Microsoft also encourages users to back them up to its cloud for convenience. That option makes it easier to regain access if a password is forgotten, but it also means Microsoft can access the keys if served with a legal order.

In the Guam case, the recovery keys were stored in Microsoft’s cloud, making it possible for the company to comply with the warrant.

Microsoft confirmed the practice to Forbes. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide… how to manage their keys,” Microsoft spokesperson Charles Chamberlayne said.

Chamberlayne added that Microsoft receives around 20 requests for BitLocker keys each year, though many cannot be fulfilled because users did not upload their keys to the cloud.

A rare and notable disclosure

Forbes reports this is the first publicly known case in which Microsoft has handed over BitLocker encryption keys to law enforcement. That detail alone has raised concern among security researchers, who say the decision highlights a design choice that could give Microsoft access to user data.

“This is private data on a private computer and they made the architectural choice to hold access to that data. They absolutely should be treating it like something that belongs to the user,” said Matt Green, associate professor at the Johns Hopkins University Information Security Institute, in comments to Forbes.

Critics call out ‘irresponsible’ design

The news has drawn criticism from privacy advocates and lawmakers who argue that Microsoft is lagging behind its peers in protecting user data. Senator Ron Wyden expressed his disapproval to Forbes, calling the situation a major security lapse.

“It is simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users’ encryption keys,” Wyden said.

Experts note that while companies like Apple and Meta offer cloud backups, they often rely on “zero-knowledge” architectures. This means the keys themselves are encrypted before they reach the cloud, making it impossible for the company to hand them over to the FBI even if they wanted to.
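The "zero-knowledge" model described above can be illustrated with a short worked example. This is added demonstration code, not Microsoft's, Apple's or Meta's implementation: the function names, the passphrase-based wrapping scheme and the sample 48-digit recovery key are all assumptions constructed for the illustration. The point it shows is that when the client encrypts the recovery key with a key derived from something only the user holds before uploading it, the provider stores only an opaque blob and cannot produce the plaintext key in response to a warrant.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample in BitLocker's 48-digit recovery-key layout (not a real key).
SAMPLE_RECOVERY_KEY = "062612-387591-104883-573612-900155-212478-608394-725061"

# scrypt parameters for deriving the wrapping material from the user's passphrase.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=64)


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a 32-byte encryption key and a 32-byte MAC key from the passphrase (client side only)."""
    dk = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return dk[:32], dk[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stdlib-only stand-in for AES-CTR."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def wrap_recovery_key(recovery_key: str, passphrase: str) -> dict:
    """Client side: encrypt-then-MAC the recovery key. Only the returned blob is uploaded."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    plaintext = recovery_key.encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # This dict is everything the cloud ever sees: no passphrase, no plaintext key.
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap_recovery_key(blob: dict, passphrase: str) -> str:
    """Client side: verify the tag, then decrypt. A wrong passphrase fails the tag check."""
    enc_key, mac_key = derive_keys(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong passphrase or tampered blob")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks)).decode("utf-8")


def stored_fields(blob: dict) -> list[str]:
    """What the provider holds on its side: the field names of the uploaded blob, nothing more."""
    return sorted(blob)


if __name__ == "__main__":
    blob = wrap_recovery_key(SAMPLE_RECOVERY_KEY, "user-chosen passphrase")
    print("provider stores:", stored_fields(blob))
    print("round trip ok:", unwrap_recovery_key(blob, "user-chosen passphrase") == SAMPLE_RECOVERY_KEY)
```

The design choice to notice is that the wrapping key is derived on the device from a secret the provider never receives; the provider can lose the blob or be compelled to hand it over, but cannot turn it back into the recovery key. A real deployment would use an authenticated cipher such as AES-GCM and would typically bind the secret to hardware or a device passcode; the HMAC-based keystream here only keeps the example dependency-free.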

“If Apple can do it, if Google can do it, then Microsoft can do it. Microsoft is the only company that’s not doing this,” Green said.

He warned that if Microsoft has access to the keys, “eventually law enforcement is going to come.”

The BitLocker Illusion

For many Windows users, especially those on Windows 11, this cloud backup happens by default during setup. Without these keys, the FBI would likely be stuck; a 2025 court document from an ICE forensic expert admitted that the agency did “not possess the forensic tools to break into devices encrypted with Microsoft BitLocker.”

The concern now is that this case sets a precedent. Jennifer Granick, surveillance and cybersecurity counsel at the ACLU, told Forbes that “remote storage of decryption keys can be quite dangerous,” especially when foreign governments with poor human rights records begin making similar demands.

As the case in Guam continues, the tech world is left to wonder whether Microsoft will change its “architectural choice” or whether users will have to take their privacy into their own hands by moving their keys off the cloud and onto physical thumb drives.
