SEATTLE, January 16, 2026 — Microsoft has updated its BitLocker encryption policies in Windows 11, prompting renewed scrutiny over user privacy and potential law enforcement access to encrypted drives.
The change, rolled out quietly in a recent cumulative update for Windows 11 version 24H2, requires users to store a recovery key in their Microsoft account when enabling BitLocker on devices with modern hardware. Previously, users could opt to save the key locally or on a USB drive without linking it to a cloud account.
Microsoft stated the update improves recovery options and security: “Storing the recovery key in your Microsoft account ensures you can regain access if you forget your PIN or password, while maintaining strong encryption.”
The company emphasized that keys are encrypted and only accessible with user authentication, and that Microsoft does not hold decryption capabilities.
Privacy advocates and security researchers criticized the shift, arguing it reduces user control and creates a single point of failure. The Electronic Frontier Foundation noted that mandating cloud storage of recovery keys could enable government access through legal orders without user notification.
“When the recovery key is tied to a Microsoft account, it becomes subject to U.S. jurisdiction and potential compelled disclosure,” EFF senior staff attorney Kurt Opsahl said.
The FBI has previously sought access to encrypted devices in criminal investigations, often through court orders compelling suspects to provide passwords or recovery keys. Microsoft has complied with lawful requests in the past but maintains it cannot decrypt BitLocker-protected drives without the key.
The policy applies to new BitLocker setups on devices meeting Microsoft’s modern standby requirements. Existing configurations remain unaffected unless users re-enable the feature. Microsoft added that enterprise and education editions retain local key storage options through group policy settings.
The controversy echoes broader debates over encryption backdoors and lawful access. Microsoft has resisted direct government pressure to weaken encryption, but the account-linked recovery requirement has raised concerns about indirect vulnerabilities.
Users can still bypass cloud storage by using a local USB key or printing the recovery key during setup. Security experts recommend backing up keys offline and using strong PINs or passwords.
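As an added example that is not part of the article, the following PowerShell (assuming an elevated session on Windows 11, the built-in BitLocker cmdlets, and a placeholder USB drive letter) lists the key protectors on the OS volume and writes the 48-digit recovery password to a removable drive rather than to a Microsoft account, which is the offline backup the experts above recommend.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): enumerate BitLocker key protectors on
# the OS volume and copy the recovery password to an offline, removable drive
# chosen by the operator, instead of relying on the Microsoft-account copy.
# Assumptions: Windows 11 with the BitLocker PowerShell module, an elevated
# session, and a USB drive mounted at $BackupDrive (constructed placeholder).
param(
    [string]$MountPoint  = 'C:',
    [string]$BackupDrive = 'E:'   # placeholder; replace with your USB drive letter
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Show which protectors exist. A TPM-only volume with no RecoveryPassword
# protector has nothing that can be backed up offline yet.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Host "No recovery password protector on $MountPoint; adding one."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Refuse to write the key anywhere but a removable drive: the goal is an
# offline copy, not another file sitting on the encrypted system disk.
$drive = Get-Volume -DriveLetter $BackupDrive.TrimEnd(':')
if ($drive.DriveType -ne 'Removable') {
    throw "$BackupDrive is not a removable drive; refusing to write the recovery key there."
}

$outFile = Join-Path $BackupDrive ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
foreach ($p in $recovery) {
    # Record the protector ID alongside the recovery password; the BitLocker
    # recovery screen shows the ID so the matching password can be found.
    "Identifier: $($p.KeyProtectorId)`nRecovery Password: $($p.RecoveryPassword)`n" |
        Add-Content -Path $outFile -Encoding UTF8
}
Write-Host "Recovery password(s) written to $outFile. Remove the drive and store it offline."
```

The file contains the full recovery password, so the drive should be stored like any other credential; `manage-bde -protectors -get C:` shows the same protector list if the cmdlets are unavailable.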
Microsoft has not commented on specific law enforcement implications or whether the change was influenced by government requests.