BitLocker encryption keys, the FBI, and PR gaslighting
No, most people don't "decide" to store their recovery key with Microsoft.
This week’s big Windows story is about BitLocker. Microsoft handed over BitLocker encryption keys to the FBI after being served with a search warrant, allowing the FBI to access data on laptops it seized as part of an investigation.
I’ll cut through the hype and explain how disk encryption works on Windows 11, why the viral headlines are somewhat misleading, and why Microsoft’s PR response is also misleading.
Yes, BitLocker is uploading your keys (usually)
When you set up a new Windows 11 PC, it has something called “Device encryption.” After you sign in with a Microsoft account, Windows automatically encrypts your PC’s storage. Windows uploads a recovery key to your Microsoft account, and you can access it online.
This has some big benefits. If you forget your password, you can always access the recovery key from your Microsoft account. Let’s face it: Many Windows users would not store recovery keys and would lose access to their files.
But this also means anyone with access to the data in your Microsoft account can access your recovery key. And, when the government comes along with a warrant, Microsoft complies and hands keys over.
It’s worth noting that this key only helps if someone has physical access to the computer. So, in this case, the government (or a thief) needs both physical access to the drive and the recovery key to access the files.
You have to pay extra to not upload your keys
If you want to encrypt your Windows PC’s storage without uploading a recovery key to Microsoft, you could pay extra to upgrade to Windows 11 Professional.
Then, you can switch to the full BitLocker Drive Encryption feature, which lets you choose to print a recovery key or store it in another way. You don’t have to upload your key to Microsoft.
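The Home-versus-Pro difference described above comes down to which key protectors exist on the volume and where the 48-digit recovery password gets copied. As an added example (mine, not from the original article and not Microsoft's code), here is a PowerShell check that lists the protectors on each BitLocker volume, looks for the event Windows writes when it backs a key up to your account, and saves the recovery password to a drive you control instead of relying on the cloud copy. It assumes an elevated shell and that the BitLocker PowerShell module is present, which is the case on Pro and Enterprise (on Home the module may be absent; `manage-bde -protectors -get C:` shows the same protector list). The event ID and the E: destination path are assumptions, flagged in the comments.

```powershell
# Added example, not from the original post: audit BitLocker key protectors and
# keep your own copy of the recovery password. Assumes Windows 11 Pro/Enterprise
# (BitLocker module available) and an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-BitLockerProtectorReport {
    # One row per volume: encryption state, cipher, and which protector types exist.
    # A 'RecoveryPassword' protector is the 48-digit key that Device Encryption
    # uploads to the Microsoft account; 'Tpm*' protectors unlock the drive at boot.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint        = $_.MountPoint
            VolumeStatus      = $_.VolumeStatus
            ProtectionStatus  = $_.ProtectionStatus
            EncryptionMethod  = $_.EncryptionMethod
            HasTpmProtector   = [bool]($types -match '^Tpm')
            RecoveryPasswords = @($types | Where-Object { $_ -eq 'RecoveryPassword' }).Count
            ProtectorTypes    = ($types -join ', ')
        }
    }
}

function Get-BitLockerCloudBackupEvents {
    # Windows records a success event in the BitLocker Management log when a
    # recovery key is backed up to a Microsoft account / Entra ID. Event ID 845 is
    # what I have seen on current builds; treat the ID as an assumption and confirm
    # it against the log on your own machine.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}

function Export-BitLockerRecoveryPassword {
    # Write the recovery password(s) for one volume to a file on a drive you control
    # (a USB stick, a printout folder) - the "store it in another way" option.
    param(
        [Parameter(Mandatory)] [string] $MountPoint,    # e.g. 'C:'
        [Parameter(Mandatory)] [string] $Destination    # e.g. 'E:\bitlocker-C-recovery.txt' (assumed removable drive)
    )

    # Refuse to save the key on the very volume it protects: that copy is useless
    # in a recovery scenario and pointless for an attacker to need.
    if ((Split-Path -Path $Destination -Qualifier) -eq $MountPoint) {
        throw "Destination '$Destination' is on the encrypted volume $MountPoint; choose another drive."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($rp.Count -eq 0) {
        # A hand-configured Pro machine may have only a TPM protector; add a
        # recovery password so the drive can still be unlocked if the TPM fails.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    $lines = foreach ($p in $rp) {
        "Volume: $MountPoint"
        "Protector ID: $($p.KeyProtectorId)"   # shown on the blue recovery screen, so you can match the right key
        "Recovery key: $($p.RecoveryPassword)"
        ""
    }
    Set-Content -Path $Destination -Value $lines -Encoding UTF8
    Write-Host "Saved $($rp.Count) recovery password(s) for $MountPoint to $Destination"
}

# Usage:
Get-BitLockerProtectorReport | Format-Table -AutoSize
Get-BitLockerCloudBackupEvents | Format-List
# Export-BitLockerRecoveryPassword -MountPoint 'C:' -Destination 'E:\bitlocker-C-recovery.txt'
```

Two caveats for anyone using this to move off the cloud copy. Saving the key locally does not delete the copy already in your Microsoft account; that has to be removed from the account's recovery-key page, and because the old 48-digit password stays valid for as long as its protector exists on the disk, the clean way to make the cloud copy worthless is to rotate it: `Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <old id>` after `Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector`, then export the new one. And a recovery password protector is only one of the unlock paths; the report above shows whether a TPM protector is also present, which is what lets the machine boot without prompting.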
For a deeper dive into BitLocker, here’s a piece I wrote for PCWorld.
Should you care?
Here’s the funny and unfortunate thing: Prior to Device Encryption, Windows PCs had unencrypted storage out of the box. Anyone could steal a laptop and see the files on it.
The shift to Device Encryption, which meant that only the government could access the contents of the drive, and only with a warrant, is a big security upgrade!
Personally, I use a mix of both Device Encryption on some of my PCs and BitLocker Drive Encryption on others. I don’t go out of my way to pay extra for Windows 11 Professional on each PC I use.
This does mean that the government could get my files after confiscating my PC and getting a warrant. But they wouldn’t find anything interesting.
Whether you want to switch to BitLocker is up to you! But it does cost extra.
Also: The reality is that many Windows PC users avoid setting up BitLocker, preferring to use unencrypted storage to squeeze some more performance out of their desktop PCs.
If you were counting on Windows encrypting your data securely such that the government wouldn’t be able to access it with a warrant after confiscating your PC, Windows doesn’t offer that without some extra configuration.
But it is true that Apple and Google choose to store keys in a way that governments can’t access them with a warrant. Microsoft made a different philosophical decision here. That’s the real story — not that you should be personally concerned about your data.
But why can’t Microsoft PR just be honest?
I can’t stop thinking about a statement put out by Microsoft spokesperson Charles Chamberlayne. He’s also the founder of a “crisis communication agency” named Chamberlayne, Inc.
Their website pitches corporations on the threat of “news media reporters” during a crisis:
“We recognize that many news media reporters, government officials, political organizations and other individuals may attempt to use these unfortunate situations to create an opportunity for themselves.”
The Verge’s reporting has an interesting quote from Chamberlayne:
“Customers can choose to store their encryption keys locally… We recognize that some customers prefer Microsoft’s cloud storage”
I suppose I’m supposed to let statements like this pass by unchallenged. But this is textbook gaslighting.
People are not choosing to store their recovery keys on Microsoft’s servers because they “prefer it”!
This is how the vast majority of Windows PCs work out of the box. Most people don’t even know it. They’re not “preferring” Microsoft’s cloud storage.
Here’s something else Chamberlayne told Forbes:
“Microsoft believes customers are in the best position to decide... how to manage their keys.”
That’s a strange argument to put forward when PC users have to pay extra to make a different decision. Most people are not making a “decision” to store their key with Microsoft. It’s the unquestioned default.
Here’s what Microsoft’s crisis communication team should have said:
“PCs running Windows 11 Home edition store recovery keys on Microsoft’s servers to allow PC users to easily recover their files. PC users can upgrade to Windows 11 Professional and choose to store their own recovery keys. We only release recovery keys when presented with a warrant, as we’re legally obligated to.”
That would have been honest! It’s a fine, defensible statement. It’s how Windows actually works.
Why didn’t Microsoft PR say that? Why did Microsoft pretend there’s no financial cost to keeping your own BitLocker recovery key? Why is this story such a mess?
I really don’t know. But I wish we could all be honest.
Anyway, Microsoft has my recovery keys
The world these days seems to run on outrage and strong statements without nuance.
“Microsoft is handing over your encryption keys to the government!” (*with a warrant)
“We respect PC users who might prefer to keep their keys on our servers!” (*even though most PC users have no clue how this works)
Nuance doesn’t sell. No one’s going to click a story that says “Microsoft will hand over your encryption keys to the government with a warrant, but it’s probably fine, and you can pay extra if you’re concerned. And you may be the kind of PC user that isn’t even encrypting your storage in the first place.”
I’m publishing that story anyway. Someone has to. But this piece will never go viral on Google Discover!
What’s new at Thurrott.com
Microsoft announced its revenues were up, but that didn’t stop the company’s stock from plunging 10% on Thursday. Paul has a detailed writeup about Microsoft’s earnings for Thurrott Premium members. Investors seem concerned Microsoft’s AI spending is out of control.
But the big story is Windows 11 reaching over one billion users — faster than Windows 10 did? That’s surprising, considering more PCs could upgrade to Windows 10 than Windows 11 did! Despite the negative energy around Windows 11 and its “enshittification” online, people are still buying and using the operating system.
Very educational for me
From my experience, it's not totally necessary to upgrade to a paid version to store your encryption keys elsewhere. I use a local account for my PC (Windows 11 Home btw), which means most of my data doesn't sync to Microsoft servers. This also means they can't store my BitLocker encryption keys, so I made sure to set up the local account and store the keys securely. So it is possible, but requires some configuration.