Windows 11 changes the way cloud accounts manage encryption keys
Microsoft has confirmed that it will provide BitLocker recovery keys Federal Bureau of Investigation If a valid legal request is submitted. The confirmation follows reports that Microsoft provided encryption keys to law enforcement during a criminal investigation in 2025.
The situation is directly related to how windows 11 The device handles encryption by default. When a user signs in with a Microsoft account, the operating system automatically backs up the device’s BitLocker recovery key to Microsoft’s cloud, unless the user explicitly chooses another option during setup.
Why can Microsoft access BitLocker keys?
BitLocker keys are stored with Microsoft accounts
BitLocker Windows encrypts data on the PC to keep it safe if the device is lost or stolen. To prevent permanent data loss, Windows 11 links the recovery key to the user’s Microsoft account by default.
This design allows users to recover their data from their PC when it is locked. It also means that Microsoft can access keys stored in its cloud systems if required by law.
Microsoft told Forbes that it receives about 20 requests per year from the FBI for BitLocker recovery keys. In most cases, Microsoft cannot comply because the key was never uploaded. However, when the key is stored in the cloud, Microsoft can provide it.
Legal requests and privacy implications
Microsoft says it hands over recovery keys only when presented with valid legal orders. A company spokesperson said that while cloud key recovery provides convenience, there are trade-offs involved, and customers are ultimately responsible for deciding how their encryption keys are managed.
The approach differs from some other technology companies. For example, Apple has publicly resisted law enforcement requests when it does not have technical access to encrypted data. In contrast, Microsoft’s design allows access because recovery keys are not end-to-end encrypted in a way that prevents the company from viewing them.
How to check and manage your BitLocker recovery key
Users can check whether their BitLocker recovery keys are stored in Microsoft’s cloud by visiting their Microsoft account device management page. From there, keys can be viewed or deleted.
It is also possible to configure Windows to store recovery keys locally or in other locations during setup, but this requires manual action and is not the default behavior when using a Microsoft account.
What does this mean for Windows 11 users
Mandatory Microsoft account setup of Windows 11 makes cloud key backup the standard configuration on most consumer editions. For users concerned about data access by third parties, this setup can warrant close inspection of encryption and account settings.
Microsoft has not stated any plans to change the way BitLocker recovery keys are stored by default. For now, users who want full control over their encryption keys will have to actively manage where those keys are saved.
