
ZDNET’s key takeaways
- BitLocker encrypts your drive; if the normal unlock fails, the 48-digit recovery key is the only way to decrypt it.
- If that key is stored in your Microsoft account, Microsoft can hand it to law enforcement in response to a valid legal order.
- Don’t save your key to the cloud; instead, store it on a USB drive or print it out, and keep that copy away from the PC.
Microsoft’s BitLocker is a security feature built into Windows that encrypts the entire drive. The idea is to protect your personal files from prying eyes in case your PC is ever lost or stolen. Normally the drive unlocks automatically at boot using the PC’s TPM; when that fails, decrypting the data requires the BitLocker recovery key, a 48-digit password that is supposed to be accessible to no one but you. Aah, but not so fast.
Microsoft has confirmed to Forbes that it will provide your BitLocker recovery key if it receives a valid legal order. For that to happen, though, the key must have been backed up to Microsoft’s cloud, not just stored on your own devices. This scenario has already played out in one case that may be the first of its kind for Microsoft, Forbes suggested.
FBI agents in Guam were investigating a case in which individuals who had run the island’s COVID unemployment assistance program were suspected of stealing the funds. To prove their case, the feds needed access to the BitLocker-encrypted files on the suspects’ computers. Microsoft determined that the legal order was valid and turned over the recovery keys to the agents.
Microsoft recommends backing up to the cloud
Microsoft encourages Windows users to back up their BitLocker recovery keys to the cloud. Without a backup, you can be locked out of your own data when BitLocker drops into recovery mode, which happens after a hardware or firmware change, a change to the boot configuration, or signs of tampering. Under any such circumstances, you can simply sign in to your Microsoft account page to find the key associated with your PC. But therein lies the risk.
“With BitLocker, customers can choose to store their encryption keys locally, in a location inaccessible to Microsoft, or in Microsoft’s cloud,” a Microsoft spokesperson told ZDNET. “We recognize that some customers prefer Microsoft’s cloud storage so we can help recover their encryption key if needed. While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide whether to use key escrow and how to manage their keys.”
The company receives around 20 requests for BitLocker keys each year, Microsoft’s Charles Chamberlayne told Forbes. But in many cases, Microsoft can’t comply because the user hasn’t stored the keys in the cloud.
The case involving the FBI agents in Guam is the first known instance in which Microsoft has provided encryption keys to law enforcement, Forbes reported. In another case from 2013, the FBI reportedly asked Microsoft engineers to build a backdoor into BitLocker so the agency could bypass its security controls. But this request was turned down.
When are our encryption keys handed over to law enforcement?
Microsoft’s policy on sharing encryption keys with a federal agency triggers a never-ending debate. We all want law enforcement to be able to catch and stop actual criminals so they can’t hurt more victims. But we also want our personal files and information to be protected from unlawful or frivolous access. That’s especially true these days with government overreach so rampant and dangerous.
Further, how does Microsoft decide if and when it feels comfortable handing over recovery keys to law enforcement? And how can we trust the company to keep our data secure if it’s willing to share the combinations to our personal vaults?
“Microsoft frames this as a lawful process problem, not a ‘back door’ problem,” Jason Soroko, senior fellow at lifecycle management firm Sectigo, told ZDNET. “Its transparency materials say it reviews legal demands, discloses data only when legally compelled, and does not give governments direct access or provide ‘our encryption keys’ to break encryption.
“Yet when a company stores your recovery key, it can be compelled to hand it over, so the protection you thought was ‘only me’ becomes ‘me, plus whoever can lawfully reach my cloud account provider,’ and the same concentration of keys also raises breach risk.”
The balance between catching criminals and protecting our privacy is tricky. We’re supposed to have certain rules and safeguards in place to ensure the two goals don’t cancel each other out.
“The broader trade is uncomfortable but clear,” Soroko said. “We can want criminals brought to justice and still insist on tighter guardrails, strong due process, narrow warrants, and defaults that do not silently turn personal devices into escrowed encryption, because those defaults shape everyone’s privacy, not only the privacy of people under investigation.”
BitLocker is a powerful and effective tool that Microsoft designed purposely to protect your private files from unwanted access. For that reason, you don’t want to give up on the technology simply because a recovery key you chose to escrow with the company can be handed over in response to a legal order.
“For the average Windows user, BitLocker still meaningfully protects you against a very common threat, a lost or stolen powered-off laptop,” Soroko added. “The catch is key custody. If your recovery key is uploaded to your Microsoft account for convenience, Microsoft holds a copy and has confirmed it can provide that recovery key when served with a valid legal order, which is what enabled the FBI to unlock drives in the reported case.”
How to check your BitLocker settings
Full BitLocker is available in Windows 11 Pro, 10 Pro, Enterprise, and Education. Windows Home editions get a simplified form called Device encryption, which is BitLocker under the hood and which automatically saves the recovery key to the Microsoft account you sign in with, so the concern applies there too. To check your BitLocker settings and address any privacy concerns about storing the key in the cloud, follow these steps.
In Windows 11, go to Settings, select System, and then click About. Scroll down the page to the Related links section and select the entry for BitLocker (or Device encryption on Home editions).
In Windows 10, go to Settings, select System, and then click About. Look for the Related settings section on the right or bottom and click the link for BitLocker Settings.
If BitLocker is off, consider turning it on, especially on a laptop you carry when traveling. If it’s already turned on, click the link to back up your recovery key.
Here, Microsoft offers several options. Saving it to your Entra ID account or Microsoft account stores it in the cloud, which is exactly what you want to avoid. Instead, choose the option to save it to a file or print it.
The safest way to store your recovery key
If you save it to a file, store it on a USB stick or another external drive, never on the encrypted PC itself. The key is written to a plain-text file. Keep the USB stick in a secure place, or encrypt the text file and protect it with a passphrase. Windows has no built-in way to password-protect a single text file, so you’ll need a third-party tool such as 7-Zip or WinRAR with AES-256 encryption; pick a passphrase you won’t lose, because a forgotten passphrase makes the backup as useless as no backup at all. If you print the key, store the printout in a safe and secure place.
Next, remove the BitLocker key from the cloud if you previously saved it there. Sign in to your Microsoft account page (account.microsoft.com/devices/recoverykey), then look for the section on BitLocker recovery keys. Check the page for the name of your computer, select the three-dot More Options icon at the end of the entry, and click Delete. Check the box to indicate that you’ve saved a copy of your recovery key, then click Delete. One caveat: deleting the key from your account page only removes it from the page. A copy that was retained, backed up, or already disclosed before you deleted it still unlocks the drive. If that matters to you, rotate the recovery password afterward (remove the old recovery password protector and add a new one), so the key Microsoft once held no longer works, and back up the new key locally.
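The same audit-and-rotate procedure from an elevated PowerShell prompt, as an added example (this is not code from the ZDNET article or from Microsoft; it uses Microsoft’s documented BitLocker cmdlets Get-BitLockerVolume, Add-BitLockerKeyProtector and Remove-BitLockerKeyProtector). It lists the key protectors on the OS volume, adds a fresh recovery password, writes it to a removable drive and verifies the file before removing the old protectors, so any copy of the old key that was ever escrowed becomes worthless. The OS volume letter C:, the backup path E:\bitlocker, the file naming and the optional 7-Zip path are assumptions; change them to match your machine.

```powershell
# Added example, not part of the ZDNET article: rotate the BitLocker recovery password on the
# OS drive and back the new one up locally, so a previously cloud-escrowed key stops working.
# Assumptions: OS volume is C:, a USB drive is mounted at E:, script runs as Administrator.
#Requires -RunAsAdministrator

$Mount  = "C:"
$Backup = "E:\bitlocker"   # assumed path on a USB stick; never a folder on the encrypted PC

$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not on for $Mount (volume status: $($vol.VolumeStatus))."
    Write-Warning "Enable it first, for example: Enable-BitLocker -MountPoint $Mount -TpmProtector"
    return
}

# 1. Show every key protector. A Tpm protector unlocks the drive at boot; each RecoveryPassword
#    protector is a 48-digit key, and it is this key that gets escrowed if you chose the cloud option.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 2. Add a new recovery password first. Removing the key from the Microsoft account page does not
#    invalidate copies already held elsewhere; only removing the protector from the drive does.
$old   = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$oldIds = @($old | ForEach-Object KeyProtectorId)
$new   = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
$newRp = @($new.KeyProtector | Where-Object {
             $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds })[0]

# 3. Save the new key to the removable drive and verify the file BEFORE touching the old protectors;
#    a lost recovery key means a lost drive the next time BitLocker enters recovery mode.
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
$id   = $newRp.KeyProtectorId -replace '[{}]', ''
$file = Join-Path $Backup ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $id)
@"
BitLocker Drive Encryption recovery key
Computer:     $env:COMPUTERNAME
Volume:       $Mount
Identifier:   $($newRp.KeyProtectorId)
Recovery key: $($newRp.RecoveryPassword)
"@ | Set-Content -Path $file -Encoding ASCII

if (-not (Select-String -Path $file -Pattern ([regex]::Escape($newRp.RecoveryPassword)) -Quiet)) {
    throw "Backup file does not contain the new recovery key; aborting before removing old protectors."
}

# Optional: wrap the file in a passphrase-protected 7-Zip archive (-mhe=on also hides the file name),
# then delete the plain-text file from the stick. Path assumed; 7z prompts for the passphrase.
# & "$env:ProgramFiles\7-Zip\7z.exe" a -t7z -mhe=on -p (Join-Path $Backup "bitlocker.7z") $file

# 4. Now remove the old recovery password protector(s); the cloud copy, if any, no longer unlocks C:.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 5. Confirm the end state: exactly one RecoveryPassword protector, and it is the new one.
$after = @((Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($after.Count -ne 1 -or $after[0].KeyProtectorId -ne $newRp.KeyProtectorId) {
    throw "Unexpected protector set after rotation; inspect with: manage-bde -protectors -get $Mount"
}
Write-Host "Recovery password rotated. New key saved to $file."
Write-Host "Do not run BackupToAAD-BitLockerKeyProtector on this volume unless you want it escrowed again."
```

Two things to check before running it on a work machine: on a device managed by an organization, Group Policy or Intune can require recovery keys to be backed up to Active Directory or Entra ID, in which case the newly added protector is escrowed there automatically and the rotation buys you nothing without your administrator’s involvement; and on a personal PC, the key you just created is now the only recovery path, so test that the USB file (or the printed copy) is readable before you unplug it.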
“If you want encryption without third-party key escrow, keep the recovery key out of the cloud and back it up yourself,” Soroko advised. “Microsoft’s own guidance includes saving the key to a USB drive, saving it as a file, or printing it, and it explicitly warns not to store a USB key backup with the computer. In practice, a printed copy in a home safe or a safe deposit box plus an additional copy stored in a well-secured password manager is a workable balance for many people.”