Federal investigators obtained access to encrypted computers for the first time through Microsoft’s own recovery keys, a move that has intensified long-standing concerns about how much control the company retains over user data.
The development emerged from United States v. Tenorio, a fraud case in Guam tied to alleged misuse of pandemic unemployment funds. Investigators believed three laptops contained evidence of the scheme. When they discovered the machines were protected with BitLocker, the encryption system built into Windows, they turned to Microsoft.
BitLocker is designed to shield all files on a drive by scrambling the data so it can’t be read without a recovery key.
Since Windows 10, the system has been enabled automatically on many new PCs.
When users sign in with a Microsoft account, those recovery keys are usually uploaded to Microsoft’s servers for convenience. That same design, however, quietly gives the company the technical ability to hand those keys over when faced with a lawful demand.
Microsoft confirmed that it complied with the FBI’s warrant, saying it provides recovery keys only when required by law. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide… how to manage their keys,” a spokesperson said.
According to the spokesperson, the company receives roughly 20 such requests each year, though it cannot always fulfill them because many users never upload their keys to the cloud.
The disclosure is believed to be the first known case where Microsoft has given any encryption key to US law enforcement. For years, company engineers had maintained that BitLocker contained no “backdoors” or secret access methods. One engineer publicly stated in 2013 that he had refused a government request to add such capabilities.
The incident sets Microsoft apart from other major technology companies that have built systems designed to prevent themselves from accessing user encryption keys.
Apple, for instance, faced down the FBI in 2016 after the agency tried to compel it to unlock the iPhones of the San Bernardino shooters. Apple refused, and the FBI ultimately paid a private contractor to break into the device.
Google and Meta have taken similar steps to encrypt user backups with keys the companies cannot retrieve. By contrast, Microsoft’s account-based key storage keeps the door open for government access.
When encryption keys are saved to Microsoft’s cloud, they are effectively within reach of legal orders from any government with jurisdiction over the company.
Users can avoid this by setting up a local Windows account and manually storing their keys offline, but that process has become less visible and less encouraged with newer versions of Windows.
Court filings confirm that the search warrant was executed and that prosecutors later disclosed data from one defendant’s computer referencing BitLocker keys Microsoft had provided.
Charissa Tenorio, one of the defendants, has pleaded not guilty.
Without Microsoft’s cooperation, the FBI would have faced steep technical barriers. Internal documents from Homeland Security Investigations have previously acknowledged that agents “do not possess the forensic tools to break into devices encrypted with Microsoft BitLocker, or any other style of encryption.”
The Guam disclosure reveals the fragility of user control when cloud-based systems hold decryption power. Once Microsoft complied with the warrant, investigators gained full visibility into each device’s contents, something privacy advocates view as far beyond the intent of a targeted search.
