Your BitLocker-Protected Windows PC Isn’t So Safe After All – Unless You Do



ZDNET Highlights

  • BitLocker encrypts your hard drive and requires a key to decrypt it.
  • Microsoft may release your key to law enforcement upon lawful request.
  • Don’t save your keys in the cloud; instead, store them locally or print them.

Microsoft’s BitLocker is a security feature built into Windows that encrypts the entire hard drive. The idea is to protect your private files from prying eyes if your PC is ever lost or stolen. The BitLocker recovery key is required to decrypt the data, which is supposed to be protected from access by other people. Ah, but not so fast.

Microsoft has confirmed to Forbes that if it receives a valid legal order, it will provide your BitLocker recovery key. However, for this to happen, that key must be backed up to the cloud, not just stored on one of your own local devices. Forbes suggested that this scenario has already played out in a specific case that may be the first of its kind for Microsoft.


FBI agents in Guam were investigating a case in which some individuals who were in charge of the island’s COVID unemployment assistance program were actually trying to steal the funds. To prove their case, federal authorities needed access to BitLocker-encrypted files on the suspects’ computers. Microsoft felt the request was reasonable and handed over the necessary keys to the agents.

Microsoft recommends backing up to the cloud

Microsoft encourages Windows users to back up their BitLocker recovery keys to the cloud. Otherwise, you may be unable to recover the key to unlock Windows in the event of a hardware change, bootup problem, or suspicious access. In any such circumstances, you can simply sign in to your Microsoft account page to find the key associated with your PC. But there is risk in this as well.

“With BitLocker, customers can choose to store their encryption keys locally, in a location inaccessible to Microsoft, or in Microsoft’s cloud,” a Microsoft spokesperson told ZDNET. “We recognize that some customers prefer Microsoft’s cloud storage so that we can help them recover their encryption keys if needed. While key recovery provides convenience, it also carries the risk of unwanted access, so Microsoft believes customers are in the best position to decide whether to use key escrow and how to manage their keys.”


Microsoft’s Charles Chamberlain told Forbes that the company receives about 20 requests for BitLocker keys each year. But in many cases, Microsoft can’t comply because the user hasn’t stored the keys in the cloud.

The case involving FBI agents in Guam is the first known instance in which Microsoft has provided encryption keys to law enforcement, Forbes reports. In another case, in 2013, the FBI reportedly asked Microsoft engineers to build a backdoor into BitLocker so the agency could bypass its security controls. That request was rejected.

When are our encryption keys turned over to law enforcement?

Microsoft’s policy on sharing encryption keys with a federal agency gives rise to a never-ending debate. We all want law enforcement to be able to catch and stop the real criminals so they can’t hurt more victims. But we also want our personal files and information to be protected from illegal or trivial access. This is especially true these days when government overreach is so rampant and dangerous.

Furthermore, how does Microsoft decide whether it feels comfortable handing over secure encryption keys to law enforcement? And if the company is willing to share the combination to our personal safe how can we trust it to keep our data safe?


“Microsoft treats this as a legitimate process issue, not a ‘back door’ issue,” Jason Soroko, senior fellow at lifecycle management firm Sectigo, told ZDNET. “Its transparency materials say it reviews legal demands, discloses data only when legally compelled, and does not give governments direct access or provide ‘our encryption keys’ to break encryption.

“Yet when a company stores your recovery key, they can be forced to hand it over, so the security you thought was ‘only me’ becomes ‘me,’ along with whoever else can legitimately access my cloud account provider, and the same concentration of keys also increases breach risk.”

It is difficult to strike a balance between catching criminals and protecting our privacy. We must adopt certain rules and safeguards to ensure that the two goals do not cancel each other out.

“The broader trade-off is inconvenient but clear,” Soroko said. “We want criminals brought to justice and we can still insist on tougher security, stronger due process, narrower warrants, and defaults that don’t silently turn personal devices into escrow encryption, because those defaults shape everyone’s privacy, not just the privacy of people under investigation.”


BitLocker is a powerful and effective tool that Microsoft has deliberately designed to protect your private files from unwanted access. For this reason, you may not want to give up the technology just because the company may decide that your data can be obtained upon request.

“For the average Windows user, BitLocker still meaningfully protects you from a very common threat, a lost or stolen powered-off laptop,” Soroko said. “The hold is key custody. If your recovery key is uploaded to your Microsoft account for convenience, Microsoft maintains a copy and has confirmed that it can provide that recovery key when provided with a valid legal order, which enabled the FBI to unlock the drive in the case reported.”

How to check your BitLocker settings

BitLocker is available in Windows 11 Pro, 10 Pro, Enterprise, and Education. To check your BitLocker settings and address any privacy concerns about storing keys in the cloud, follow these steps.

In Windows 11, go to Settings, select System, and then click About. Scroll down the page to the corresponding section and select Settings for BitLocker.


In Windows 10, go to Settings, select System, and then click About. Look for the Related Settings section on the right or below and click on the link for BitLocker Settings.

If BitLocker is turned off, consider turning it on, especially on a laptop you take with you when you travel. If it’s already on, click the link to back up your recovery key.

Here, Microsoft offers several options. Saving it to your Entra ID account or Microsoft account causes it to be stored in the cloud, which is something you want to avoid. Instead, choose to save it to a file or print it.

The most secure way to store your recovery key

If you save it to a file, store it on a USB stick or another external drive. The key is written to a plain-text file, so keep the USB stick in a safe location, or encrypt the text file and protect it with a password. Windows won’t let you do this on its own, so you’ll have to use a third-party compression tool such as 7-Zip or WinRAR. If you print the file with the key, make sure you store the printout in a safe place.


Next, delete the BitLocker key from the cloud if you saved it there previously. Sign in to your Microsoft account page, then find the section on BitLocker recovery keys. Look for your computer’s name, select the three-dot More options icon at the end of the entry, and click Delete. Check the box to confirm that you have saved a copy of your recovery key, then click Delete.
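For readers who would rather script the “check your settings” and “save the key to a file” steps above than click through them, here is an added PowerShell example (not ZDNET’s or Microsoft’s code). It assumes the built-in BitLocker module on Windows Pro/Enterprise/Education, an administrator session, a hypothetical removable drive at E:\, and, for the optional last step, 7z.exe on the PATH.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article. Assumptions: BitLocker PowerShell
# module present, a removable drive at E:\ (hypothetical), optional 7z.exe in PATH.
param(
    [string]$BackupRoot = 'E:\bitlocker-backup',   # hypothetical USB stick location
    [switch]$EncryptWith7Zip
)

# 1. Report BitLocker state for every volume: is protection on, and which
#    key protectors exist (TPM, RecoveryPassword, etc.)?
$volumes = Get-BitLockerVolume
foreach ($v in $volumes) {
    $types = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    "{0} Protection={1} Status={2} Protectors=[{3}]" -f `
        $v.MountPoint, $v.ProtectionStatus, $v.VolumeStatus, $types
}

# 2. Write each 48-digit recovery password to a plain-text file on the external
#    drive. This is the local equivalent of the wizard's "Save to a file" choice;
#    nothing is sent to a Microsoft or Entra ID account.
if (-not (Test-Path $BackupRoot)) { New-Item -ItemType Directory -Path $BackupRoot | Out-Null }
foreach ($v in $volumes) {
    $rp = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { "No recovery password protector on $($v.MountPoint); skipping"; continue }
    foreach ($p in $rp) {
        $name = "{0}-{1}-{2}.txt" -f $env:COMPUTERNAME, $v.MountPoint.TrimEnd(':\'), $p.KeyProtectorId.Trim('{}')
        $file = Join-Path $BackupRoot $name
        @(
            "BitLocker recovery key for $env:COMPUTERNAME, volume $($v.MountPoint)"
            "Identifier: $($p.KeyProtectorId)"
            "Recovery key: $($p.RecoveryPassword)"
        ) | Set-Content -Path $file -Encoding ASCII
        "Wrote $file"
    }
}

# 3. Optional: password-protect the text files with 7-Zip, since Windows itself
#    cannot. -p prompts for a password, -mhe=on also encrypts file names,
#    -sdel deletes the plain-text originals after they are archived.
if ($EncryptWith7Zip) {
    & 7z a -p -mhe=on -sdel (Join-Path $BackupRoot 'bitlocker-keys.7z') (Join-Path $BackupRoot '*.txt')
}
```

The identifier written next to each key is what the BitLocker recovery screen displays, so you can match the right file to the right volume later.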

“If you want encryption without third-party key escrow, keep the recovery key out of the cloud and back it up yourself,” Soroko advised. “Microsoft’s own guidance includes saving the key to a USB drive, saving it as a file, or printing it, and it explicitly warns against storing USB key backups with the computer. In practice, a printed copy in a home safe or safe deposit box and an additional copy stored in a well-secured password manager is a practical balance for many people.”
