The story surfaced a few months ago, but it has since spread beyond the island of Guam: Microsoft provided BitLocker recovery keys to the FBI.
There, seven individuals have been charged with organized unemployment insurance fraud under a federal program introduced during the Covid crisis.
In October 2025, local press reported a court warrant. The recipient: Microsoft, which complied… by releasing the BitLocker recovery keys for three computers seized six months earlier.
The decryption appears to have worked, at least according to statements relayed by one of the defense attorneys. The prosecutor allegedly supplied her with materials including data from her client’s computer and references to the keys in question.
Microsoft’s servers, the default backup option
Microsoft confirmed it had complied with the request—and noted that it receives about twenty such requests each year. Its message, essentially: users are best placed to decide how to manage their BitLocker keys.
Saving the recovery key to Microsoft’s servers is not the only option… even if it is prominently featured on consumer editions of Windows. The key can also be saved to a text file, written to removable media (.bek format), or simply printed. In enterprise environments, it can be stored in Active Directory.
This key—a 48-digit password, split into eight groups—is the final layer of an envelope-style encryption scheme. It protects another key (the “volume master key”), which in turn protects yet another (the “volume encryption key”). Both of these remain on the encrypted drive.
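Added example, not from the original article: a Python scanner that finds recovery keys left in text files, one of the backup options mentioned above, so they can be moved somewhere safer. It relies on a property of the format that the article does not mention (each six-digit group is a multiple of 11 whose quotient fits in 16 bits, so the 48 digits carry 128 bits); the sample text and the key in it are constructed.

```python
import re

# Eight hyphen-separated groups of six ASCII digits, not part of a longer run.
CANDIDATE = re.compile(r"(?<![\d-])\d{6}(?:-\d{6}){7}(?![\d-])", re.ASCII)


def decode_groups(password):
    """Return the eight 16-bit values a recovery password encodes, or None."""
    if not re.fullmatch(r"\d{6}(?:-\d{6}){7}", password, re.ASCII):
        return None
    values = []
    for group in password.split("-"):
        quotient, remainder = divmod(int(group), 11)
        # A real group is a multiple of 11 and its quotient fits in 16 bits.
        if remainder != 0 or quotient > 0xFFFF:
            return None
        values.append(quotient)
    return values  # 8 x 16 bits = 128 bits of key material


def find_recovery_passwords(text):
    """Return strings in text that pass both the shape and the arithmetic check."""
    return [m.group(0) for m in CANDIDATE.finditer(text)
            if decode_groups(m.group(0)) is not None]


# Constructed sample: one well-formed key and two look-alikes.
VALID = "000011-720885-051260-243496-022264-435732-001100-597531"
NOT_MULTIPLE = "123456-654321-111111-222222-333333-444444-555555-666666"
OUT_OF_RANGE = "-".join(["999999"] * 8)  # multiples of 11, but above 16 bits

SAMPLE_TEXT = f"""
BitLocker Drive Encryption recovery key (constructed sample)
Recovery Key: {VALID}
Order reference: {NOT_MULTIPLE}
Serial: {OUT_OF_RANGE}
"""

if __name__ == "__main__":
    for hit in find_recovery_passwords(SAMPLE_TEXT):
        print("possible BitLocker recovery key:", hit)
```

The arithmetic check is what keeps false positives low: a string that merely has the right shape, like the two decoys, is discarded.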
Since Windows 11 24H2, BitLocker activates automatically for users who go through the system’s default setup experience. If a Microsoft account is available, saving the BitLocker recovery key there is the first option offered. That option does not appear if you choose a local account, a choice that is itself becoming increasingly difficult to make, at least on the Home and Pro editions.