Microsoft's BitLocker encryption comes with a catch: the keys may be on Microsoft's servers

Daniel Sims

Posts: 2,460   +74
Staff
In context: Tech companies promote device encryption to reassure customers that their data remains private. Some, such as Apple, have resisted requests from authorities to bypass encryption. However, a case in Guam last year revealed that Microsoft's default encryption settings make keys accessible to law enforcement.

Forbes reports that Microsoft complied with an FBI request for decryption keys to a suspect's personal laptops last year. While the company said it cannot fulfill every request, the case suggests that Windows devices are less private than those with stricter encryption policies, such as iPhones.

Windows PCs typically protect their data with PINs or other sign-in methods using BitLocker encryption. While the system is not foolproof, the FBI, ICE, and other authorities acknowledge that bypassing it is difficult.

Apple devices use similar protections, a policy that has led to high-profile cases in which the company refused to help authorities unlock suspects' iPhones. However, unlike Apple, which makes device encryption keys unrecoverable even for itself, Microsoft stores BitLocker keys on its servers by default.

Windows users can manually back up their BitLocker keys and remove them from Microsoft's servers, but most are likely unaware of this option. If Redmond receives a court order for encryption keys and finds them linked to a user's account, the company typically complies.

Apple handles iCloud encryption keys in a similar way. Chief executive Tim Cook explained that users often forget their iCloud passwords, in which case the company can remotely unlock their accounts. While Microsoft keeps BitLocker keys on file for the same reason – errors can sometimes lock PCs into recovery mode – Apple secures personal devices with separate, unrecoverable keys.

The Guam case involved three laptops belonging to Charissa Tenorio, who allegedly embezzled nearly $2 million from Covid relief funds, according to a federal grand jury indictment. Tenorio has pleaded not guilty, and the case remains ongoing.

Microsoft said it receives roughly 20 BitLocker requests per year, but users often choose to store their keys separately, keeping the company out of the process. Still, security and privacy experts worry that, now that Microsoft is known to comply at times, authorities may make such requests more frequently.

The debate over encryption and law enforcement access is part of a broader concern about digital privacy and security. A Microsoft engineer revealed that in 2013, the company refused a request to install a backdoor in BitLocker. Security experts have repeatedly shown that hackers and cybercriminals inevitably exploit such backdoors. Last year, Apple faced a legal battle with the UK government after it demanded the company create a backdoor for iCloud.

Permalink to story:

 
If this article cared about this, it might have included a way to remove the keys from MS servers…

————
Here’s one way via powershell but there are others…

Open PowerShell as Administrator and
run: powershell
Disable-BitLocker -MountPoint "C:"
 
Well… yeah? I thought the default settings for BitLocker is to store the key in your Microsoft account?

I know if you push it out via Intune policy’s it’s automatically set to store the key in the Microsoft account.
 
They only get backed up to Microsoft servers if you have a Microsoft account (and the default backs up the keys there I believe) or you manually put them on Microsoft's servers. Using a local account solves the problem (of course, you might want to regenerate the keys, and thus re-encrypt the drive, if the keys were once stored on their servers, as a simple delete might not actually delete the information).
 
I am positive that Microsoft push for it’s online accounts will be a “vast success” from now on.

I for once got so excited by these wonderful capabilities of our beloved corporations that deleted everything from cloud and made sure nothing ever backs up there. Canceling cloud subscription along the way. Nothing to hide, just don’t like it when private info handled like public social media posts. No matter the pretense.
 
None of this is surprising. MicroSlop is part of PRISM, after all. Why do you think they want Recall to record everything you do, push you into online gated software, ece?

If you are at all concerned with privacy and the government having access to your files, you shouldnt be using Winblows at all.
If this article cared about this, it might have included a way to remove the keys from MS servers…

————
Here’s one way via powershell but there are others…

Open PowerShell as Administrator and
run: powershell
Disable-BitLocker -MountPoint "C:"
Nothing in that powershell command removes the key from MS servers.........Also, disabling Bitlocker means you.....dont have bitlocker. If your aim is to remove the key from MS' servers you have failed miserably.
 
Last edited:
I never install Windows with a Microsoft account. I, just, tried BitLocker on my Windows 11 Pro 25H2 operating system. I must confess, I was messing around with CMD and secure wiping the drive I had BitLocker on. I forgot to unlock it, before proceeding with the secure wipe. That, drive is toast! Yes, I'm an *****! Anyway, the point, I'm the only one with the Key to open the drive if I lost, or forgot my password. But, all my other drives are protected by Vera Crypt. The, only drive I don't protect, is my C drive. I've, read where people have had problems with both BitLocker and Very Crypt not allowing it to boot up.
 
Back