This recent news highlights a critical point: if your BitLocker recovery keys are in Microsoft’s cloud, law enforcement can access them with a warrant, even if your company’s data is encrypted.

It’s been reported that Microsoft handed over BitLocker encryption keys belonging to Windows users to US law enforcement, effectively giving them access to encrypted data.
In early 2025, the US Federal Bureau of Investigation (FBI) used a search warrant to request these keys from Microsoft. They needed to unlock encrypted data on three laptops related to a suspected COVID unemployment assistance fraud case in Guam. Since these keys were stored on a Microsoft server, the company complied with the legal order and provided them, as Forbes reported last Friday.
Microsoft hasn’t yet responded to our request for comment on the matter.
While big tech companies have been asked by law enforcement for device access before, some, like Apple, have actually resisted handing over encryption keys in the past.
BitLocker is a very popular tool for keeping data secure when it’s not actively being used, whether you’re an individual or a large company managing tons of Windows devices. What’s important to know is that many Windows installations automatically back up these BitLocker recovery keys to Microsoft’s cloud. This means if a valid legal order comes through, Microsoft can access and retrieve those keys.
It’s About Key Custody, Not BitLocker Itself
BitLocker’s main purpose is to encrypt entire storage drives, protecting your data from theft or exposure if a device gets lost, stolen, or improperly disposed of. Experts point out that because BitLocker comes built into Windows 10 and 11, it’s pretty much become the standard full-disk encryption method for Windows devices.
Sanchit Vir Gogia, chief analyst at Greyhound Research, explains, “BitLocker isn’t the problem here. The software does exactly what it’s supposed to: it encrypts the disk, integrates smoothly with Windows, and provides easy recovery options.”
Even though BitLocker’s encryption is strong, this case shows that businesses need to pay close attention to who actually holds the recovery keys.
Gogia clarifies, “BitLocker’s encryption, which uses AES-128 or AES-256 in XTS mode, is designed to be incredibly tough against modern attacks. Even the US Department of Homeland Security has said they don’t have the tools to crack it directly. But here’s the catch: most companies using Windows manage their devices with tools like Intune and Autopilot. If you don’t specifically turn it off, recovery keys are automatically saved to Microsoft Entra ID. From there, these keys can be seen in the admin center or fetched using scripts.”
Common Mistakes Companies Make
Companies using BitLocker need to treat these recovery keys as extremely sensitive. It’s best to avoid the default cloud backup option unless there’s a strong business reason and you’ve thoroughly understood and dealt with all the potential risks.
According to Amit Jaju, a global partner at Ankura Consulting, the most secure approach is to send those keys to your own on-premises Active Directory or a specially managed enterprise key vault. Even if you store them in a corporate-controlled service like Microsoft Entra ID or Intune, you absolutely need strict rules about who can access them, along with robust logging and ‘just-in-time’ access. He notes that this strategy helps to remove Microsoft from the recovery process.
Jaju also advises that if keys must be kept in Microsoft’s cloud, it’s vital to implement strong multi-factor authentication for administrators. Combine this with conditional access and privileged-access workstations. This way, if an admin’s login details are ever compromised, it won’t automatically lead to all your encryption keys being exposed.
Businesses must enforce strict access controls and ensure that duties are separated. Jaju emphasized, “Only a small, thoroughly vetted team, like security operations or endpoint engineering, should have the authority to view or export recovery keys. Approvals should follow a defined workflow, not be granted on the fly. And every single time a key is retrieved, there needs to be an unchangeable, auditable record, ideally linked to a specific incident or ticket ID.”
CISOs should also make it a standard practice to regenerate recovery keys whenever devices are repurposed, decommissioned, or moved to a different legal jurisdiction. This prevents older keys from being used to access the data.
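As an added example, not from the article or from any of the analysts quoted in it, the following PowerShell rotates a BitLocker recovery password and escrows the new one to on-premises AD DS, the custody model described above. The parameter names and the ticket value are assumptions and placeholders; it assumes an elevated session on a domain-joined Windows 10/11 host whose Group Policy permits saving recovery information to AD DS.

```powershell
# Added example, not from the article: rotate a BitLocker recovery password and
# escrow the new one to on-premises AD DS, so a key that was ever synced to a
# cloud tenant no longer unlocks this disk.
# Assumptions: run elevated on a domain-joined Windows 10/11 host; the policy
# "Choose how BitLocker-protected operating system drives can be recovered"
# permits saving recovery information to AD DS. $TicketId is a placeholder.
param(
    [string]$MountPoint = 'C:',
    [string]$TicketId   = 'TICKET-PLACEHOLDER'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not On for $MountPoint; nothing to rotate."
}

# Record the existing recovery-password protectors so they can be retired later.
$oldIds = @($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    ForEach-Object { $_.KeyProtectorId })

# 1. Add the new recovery password first, so the volume is never left without one.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newId = ($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $_.KeyProtectorId -notin $oldIds }).KeyProtectorId

# 2. Escrow to AD DS only. (BackupToAAD-BitLockerKeyProtector would send it to
#    Entra ID instead, which is exactly the custody the article warns about.)
#    The cmdlet throws if policy or connectivity prevents the backup, so the old
#    protectors below are removed only after escrow has succeeded.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId | Out-Null

# 3. Retire the previous recovery passwords so they no longer unlock the volume.
foreach ($id in $oldIds) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
}

# 4. Emit an audit record tied to the ticket; forward it to your SIEM.
[pscustomobject]@{
    Timestamp           = (Get-Date).ToString('o')
    Computer            = $env:COMPUTERNAME
    MountPoint          = $MountPoint
    NewProtectorId      = $newId
    RetiredProtectorIds = ($oldIds -join ',')
    TicketId            = $TicketId
}
```

A recovery password that was already copied to a cloud tenant stays visible there until an admin deletes it, but once rotated it no longer unlocks the volume.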
Gogia raised a red flag about the lasting consequences of insecure configurations. Things like personal accounts getting linked during device setup, or ‘Bring Your Own Device’ (BYOD) devices silently syncing keys to consumer dashboards, create hidden routes for data leaks. He explained, “If those keys are stored outside your control, you lose a clear chain of custody. This isn’t just a hypothetical danger; it’s something auditors are now scrutinizing very closely.”
Jaju pointed out that a lot of security breaches aren’t due to encryption failures, but rather procedural errors. Because of this, companies should have a clear, formal plan outlining exactly when a recovery key can be used (for example, a lost PIN, an internal investigation with legal consent, or a lawful court order) and when it absolutely cannot be used (such as a casual request from a manager to access an employee’s data).
How Global Politics Is Changing How Companies Manage Data and Keys
Global political tensions are significantly altering international trade and technology policies. This is a crucial factor that companies increasingly need to build into their security plans. With governments demanding more control over data, sensitive trade secrets and proprietary information are at risk of getting caught up in wider national interests.
Gogia cautioned, “The US CLOUD Act, for instance, gives law enforcement the power to force US-based cloud providers to surrender data and encryption keys, even if that data is stored in places like Europe or Asia. Likewise, China’s data localization rules mean keys and data must be accessible to their state regulators. India recently passed laws that grant broad access rights to security agencies. Meanwhile, the EU is currently discussing whether true data sovereignty should inherently include control over encryption keys, not just where the data physically resides.”
If your recovery keys are with a cloud provider, that provider could be legally forced, at least in their home country, to hand them over under a lawful order. This can happen even if your company or the data’s owner is in a different country, and often without your company being notified. This issue is particularly critical for industries like pharmaceutical companies, semiconductor firms, defense contractors, or critical infrastructure operators, as it opens them up to risks like trade secret exposure during international investigations.
Jaju further advised, “Businesses should operate on the assumption that wherever their keys are stored, they could potentially be subject to a legal demand. Therefore, whenever possible, make sure the entities managing your keys are legally based in the jurisdiction whose laws and due-process standards you trust the most. It’s also essential to have board-level supervision over requests for cross-border data access, including maintaining a record of government data-access requests where legally allowed. For multinational corporations, it’s crucial for legal and security teams to collaborate to fully grasp mutual legal-assistance treaties, the implications of the CLOUD Act, and local interception laws.”