In early 2025, Microsoft provided the FBI with BitLocker recovery keys that enabled federal investigators to unlock and decrypt the hard drives of three Windows laptops involved in a fraud investigation regarding the misuse of COVID-19 unemployment assistance funds in Guam.
According to reporting by Forbes, the FBI served Microsoft with a valid federal search warrant after determining that the encrypted devices were believed to contain evidence tied to the alleged scheme. Because the laptops were running Windows 11 and the users had signed in with Microsoft Accounts, the BitLocker recovery keys had been automatically backed up to Microsoft’s cloud systems as part of the operating system’s default key-recovery and account-protection process.
That backup meant Microsoft, and not only the device owners, held copies of the keys needed to unlock the drives. Microsoft confirmed that it complied with the warrant and supplied the recovery keys, enabling law enforcement to read the full disk contents, which would otherwise have remained encrypted and unreadable. The company told Forbes that it receives roughly 20 requests per year from law enforcement agencies for BitLocker recovery keys, though many cannot be fulfilled because some users keep their keys only locally rather than in Microsoft’s cloud.
The Guam case appears to be one of the first publicly confirmed instances in which Microsoft successfully turned over BitLocker keys in response to a legal order, allowing investigators to bypass device-level encryption. The disclosure triggered criticism from privacy advocates and lawmakers, including Senator Ron Wyden, who argued that cloud-stored recovery keys undermine the practical strength of device encryption and create a pathway for broad access to personal data beyond what many users expect.
After seizing the three laptops in Guam, the FBI obtained a federal search warrant directing Microsoft to provide the BitLocker recovery keys linked to the devices. Reporting cited by Forbes shows the request came after the laptops were already in law enforcement custody. The warrant targeted Microsoft as the third-party holder of account-linked recovery information, not the device owners themselves.
The case drew attention to how, on Windows 11 devices signed in with a Microsoft Account, BitLocker commonly backs up the recovery key to the user’s online account. In that configuration, Microsoft can retrieve and produce recovery keys in response to a valid legal process.
Investigators, therefore, did not bypass or crack BitLocker encryption, but instead obtained access by compelling Microsoft to turn over keys stored in its systems. Microsoft has confirmed that it will provide BitLocker recovery keys when served with a valid legal order and says it receives roughly 20 such requests each year, though many cannot be fulfilled when keys are not stored in the cloud.
According to a Microsoft spokesperson in Forbes, “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys.”
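The practical way to act on that advice is to generate a fresh recovery password, keep it offline, and remove the one that was escrowed, so the copy held by Microsoft no longer unlocks the drive. The script below is an added example for this article, not code from Microsoft or from the Forbes reporting. It assumes an elevated PowerShell session on Windows 11 with BitLocker turned on for C: and at least one non-recovery protector (such as the TPM) already present; the path in $OfflinePath is a hypothetical location on removable media and should be changed to suit.

```powershell
# Added example, not from the article or from Microsoft. Assumes an elevated
# PowerShell session on Windows 11 with BitLocker on C:. $OfflinePath is a
# hypothetical path on removable media (not a synced or cloud folder).
$Mount = 'C:'
$OfflinePath = 'E:\bitlocker-recovery.txt'

$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $Mount"
}

# Refuse to continue unless something other than a recovery password can unlock
# the drive; otherwise removing the old recovery password could lock you out.
$nonRecovery = @($vol.KeyProtector | Where-Object KeyProtectorType -ne 'RecoveryPassword')
if ($nonRecovery.Count -eq 0) {
    throw "No TPM/PIN/password protector on $Mount; add one before rotating the recovery password"
}

# Recovery password protectors currently on the drive. KeyProtectorId is the
# value Microsoft's account page lists as "Key ID", so it is what to compare
# against https://account.microsoft.com/devices/recoverykey.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
"Existing recovery password protector IDs:"
$old | ForEach-Object { "  $($_.KeyProtectorId)" }

# Generate a new 48-digit recovery password. This adds a protector; it does not
# remove the old ones, so the escrowed copy still works until step below.
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
$new = @((Get-BitLockerVolume -MountPoint $Mount).KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and
    $_.KeyProtectorId -notin $old.KeyProtectorId
})
if ($new.Count -ne 1) {
    throw "Expected exactly one new recovery password protector, found $($new.Count)"
}

# Write the new password to offline media BEFORE removing anything. Losing this
# copy means losing the data if the TPM or firmware ever changes.
@(
    "Volume: $Mount"
    "Key ID: $($new[0].KeyProtectorId)"
    "Recovery Password: $($new[0].RecoveryPassword)"
) | Set-Content -Path $OfflinePath
if (-not (Test-Path $OfflinePath)) {
    throw "Could not write $OfflinePath; aborting before removing old protectors"
}

# Remove the old recovery password protectors. Any copy of those passwords held
# elsewhere, including one backed up to a Microsoft account, no longer unlocks
# the drive.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Verify: only the new Key ID should remain on the volume.
(Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorType, KeyProtectorId
```

Two caveats. Rotating the protector does not delete the stale entry from the Microsoft account page; remove it there separately, and compare the Key ID shown against the one the script prints. Whether Windows or a management policy uploads the new password again depends on how device encryption is configured (Entra-joined and Intune-managed devices in particular may re-escrow, and the BackupToAAD-BitLockerKeyProtector cmdlet exists for exactly that purpose), so re-check the account page after a reboot and sign-in rather than assuming the rotation stuck. In a managed environment, deliberate escrow to a directory the organization controls is usually the right design; the point is that the holder of the recovery password, not the user, decides whether the drive can be read.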
A large 2025 survey of healthcare delivery organizations, Third-Party Access Cybersecurity Threats and Precautions: A Survey of Healthcare Delivery Organizations, found that “third-party access is becoming their weakest attack surface” and that “more than half (56%) reported a breach involving a third party in the last 12 months,” with respondents citing loss or theft of sensitive information and regulatory exposure as direct consequences. The study further notes that “providing such access creates risks” because third parties often hold privileged access to systems and data, increasing the likelihood of unauthorized or compelled access pathways.
Another study evaluating HIPAA technical safeguards, A comparative study on HIPAA technical safeguards assessment of android mHealth applications, identifies “authorization to access sensitive resources, data encryption–decryption, and data transmission security” as among the most vulnerable features in healthcare systems, underscoring that control over decryption mechanisms is central to privacy and security outcomes. When encryption keys or recovery credentials are held by external entities, effective control shifts away from the covered organization.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
BitLocker is Microsoft’s full-volume encryption feature for Windows; it encrypts the entire drive so that data at rest is unreadable without a key.
BitLocker encrypts the volume with AES (XTS-AES 128-bit by default on current Windows versions). The drive can only be unlocked through one of its key protectors, typically the TPM at boot, a PIN or password, or the recovery key.
A recovery key is a 48-digit numerical recovery password generated when BitLocker is turned on. It unlocks the drive when the normal protector cannot, for example after a forgotten PIN, a TPM or firmware change, or when the drive is moved to another computer. Anyone holding a copy of it, including a cloud service that stored it, can decrypt the drive.