The original story by Thomas Brewster for Forbes.
Microsoft quietly gave the FBI BitLocker recovery keys after a federal warrant in a criminal case in Guam, exposing a structural weakness in how the company handles those keys and reminding users that cloud convenience can come with a large privacy trade-off.
Here is what happened, in plain terms: early last year federal agents in Guam wanted the contents of three laptops that were locked with BitLocker, Microsoft's full-disk encryption, which is switched on automatically on many modern Windows PCs. BitLocker encrypts the drive so that only someone holding the right key can read it. For convenience, Windows backs the recovery key up to the user's Microsoft account (or, on managed devices, to Entra ID or Active Directory), and Microsoft keeps that copy. In this case prosecutors served Microsoft with a warrant, the company handed over the recovery keys, and investigators unlocked the machines.
Microsoft later confirmed to Forbes that it does hand over BitLocker recovery keys when served with a valid court order. A company spokesperson said Microsoft gets about 20 requests for BitLocker keys a year and will comply with lawful orders – a process the company said is meant to balance convenience and risk.
The issue isn't that the FBI got a warrant in a criminal probe; it's the architecture. Storing recovery keys on a company server necessarily creates a choke point. Whoever holds the keys can be compelled to produce them: any government with legal authority over Microsoft, and potentially governments in other countries without it, can seek access. And, according to experts, that access is blunt and broad, because a recovery key unlocks the entire volume rather than any one file.
“This is simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users’ encryption keys,” Sen. Ron Wyden told Forbes.
That's the blunt political take, and security researchers agree on the technical point: when decryption keys are stored remotely, an enormous volume of private data becomes readily obtainable as soon as a legal request lands.
Jennifer Granick, surveillance and cybersecurity counsel at the ACLU, warned that remote key storage “can be quite dangerous,” especially since foreign governments also make similar demands on companies. And cryptographer Matt Green of Johns Hopkins put it even more bluntly: if other big players can architect systems so keys are useless to governments, Microsoft can too.
“If Apple can do it, if Google can do it, then Microsoft can do it,” he said.
That comparison matters because some peers have deliberately designed their cloud backup options to avoid exactly this scenario. Apple (with Advanced Data Protection for iCloud) and Meta (with end-to-end encrypted WhatsApp backups) let users keep their own keys or store backups in a form the company cannot practically read, meaning they cannot hand over a usable key even when served with a warrant. Microsoft's default is more convenient for most users, but also more useful to law enforcement.
This Guam case appears to be the first publicly known instance of Microsoft handing over BitLocker keys. That’s partly why it’s getting extra attention now. Law enforcement agencies have historically struggled to access devices protected by strong encryption; a 2025 ICE filing even said forensic teams “do not possess the tools to break into devices encrypted with Microsoft BitLocker.” So when a key is available from the vendor, it’s a tempting shortcut.
Security experts worry that once agencies learn a company will comply in one case, similar requests will follow.
“Once the US government gets used to having a capability, it’s very hard to get rid of it,” Green warned.
Microsoft does offer options that reduce the risk: users can store BitLocker's recovery key locally (on a thumb drive or a printed copy) instead of in the cloud. That makes it far harder for law enforcement or anyone else to get the key without direct access to the physical device or whatever media holds the backup. One caveat matters in practice: if a key was already backed up to a Microsoft account, simply choosing a local backup later does not remove the escrowed copy. The existing recovery password has to be replaced and the old entry deleted from the account before the cloud copy stops being useful.
But that’s a usability trade-off – many people rely on cloud recovery when they forget a password or get locked out. Microsoft’s stance is effectively: customers choose the convenience or the control. Critics say that’s not good enough.
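As an added illustration of the local-storage option discussed above (this is not code from the Forbes story or from Microsoft), the following PowerShell session re-keys a BitLocker volume so that any recovery password previously escrowed to a Microsoft account or Entra ID no longer unlocks it, and then saves the new recovery password to removable media. It uses only the stock BitLocker cmdlets (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`). The mount point `C:` and the removable drive `E:` are assumptions for the example.

```powershell
# Added example, not from the original article or from Microsoft.
# Replace the recovery password on a BitLocker volume so an escrowed copy becomes useless,
# then keep the new one only on removable media. Run from an elevated PowerShell session.
# Assumptions (hypothetical): the OS volume is C: and a removable drive is mounted at E:.

$Mount      = 'C:'
$BackupPath = 'E:\bitlocker-recovery-C.txt'

# 1. Inspect the current state: is the volume encrypted, and which protectors does it carry?
$vol = Get-BitLockerVolume -MountPoint $Mount
"$Mount VolumeStatus=$($vol.VolumeStatus) ProtectionStatus=$($vol.ProtectionStatus)"
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# Refuse to run if the removable drive is not present; the new key must not end up on C:.
if (-not (Test-Path (Split-Path $BackupPath))) {
    throw "Removable drive for the key backup is not present; aborting."
}

# 2. Add a fresh recovery password BEFORE removing the old one, so the volume is never left
#    without a recovery protector. The old protector(s) may have been backed up to the cloud.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$vol = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
$new = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and
    ($old.KeyProtectorId -notcontains $_.KeyProtectorId)
}

# 3. Remove every old recovery password protector. Whatever copy Microsoft (or anyone else)
#    holds of those passwords can no longer unlock this volume.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Write the new recovery password to the removable drive only, then read it back to
#    confirm the backup is usable before relying on it.
@(
    "BitLocker recovery information for volume $Mount",
    "Key protector ID:  $($new.KeyProtectorId)",
    "Recovery password: $($new.RecoveryPassword)",
    "Generated:         $(Get-Date -Format o)"
) | Set-Content -Path $BackupPath -Encoding UTF8
Get-Content -Path $BackupPath

# 5. Confirm the old protector IDs are gone and exactly one recovery password remains.
(Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId
```

Two points a practitioner should keep in mind. Rotating the protector does not delete the stale entry from the Microsoft account page (account.microsoft.com/devices/recoverykey); that entry is harmless once the protector is gone, but it should still be removed by hand. And on devices under Entra ID or Group Policy management, policy may escrow the new recovery password again automatically, so the protector list and the escrow location should be checked after the change rather than assumed.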
The debate is part policy, part engineering and part politics. For everyday users, the story is a reminder that security architecture matters: whoever holds your keys largely determines who can read your data. For civil liberties advocates, it is another red flag about the potential for mass access in the era of cloud backups. And for companies, it is a nudge to reexamine whether convenience features are worth the centralized access to user data they create.
The Guam prosecution is ongoing; defense filings apparently reference keys Microsoft provided. That case will likely be watched closely – not for courtroom theater, but for precedent. If courts keep ordering keys from vendors, engineers and policymakers will be forced to decide whether encryption should default to convenience or to privacy.