I was wondering when a reporter would uncover this.

So BitLocker is super secure, right? Well... BitLocker recovery keys are backed up to Microsoft's Cloud - and they give them out to law enforcement on request. Using the BitLocker recovery key, you can just unlock the device without a PIN etc.
https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

Microsoft Gave FBI BitLocker Encryption Keys, Exposing Privacy Flaw

The tech giant said providing encryption keys was a standard response to a court order. But companies like Apple and Meta set up their systems so such a privacy violation isn’t possible.

Forbes

@GossiTheDog You can save the key as a file.

@niknukem Which doesn't help if the key is additionally and automatically synced to MS. You have an MS account to log in, don't you? So it's easy to connect...

And afaik the sync can only be deactivated using GPOs - but perhaps even this is no longer a possibility...

@jesterchen So is there proof they sync the key even if you select save as file? Yeah, no MS account in Windows. But guess most do use Intune, then key is cloud based. Welcome back VeraCrypt. Xd

@niknukem @jesterchen You cannot use BitLocker with a local Windows account, you have to have a linked account. BitLocker automatically uploads your encryption keys to your MS account, whether or not you choose to save it as a file. It is possible to log in and remove your keys from your MS account, but it's not very simple and I don't know if that will prompt Windows to take it upon itself to decrypt your drives.

Edit: apparently this only applies to Windows Home edition, not professional.

@DirtyAnCom @niknukem @jesterchen

You can use Pi-Hole to block the MS servers so the key isn't uploaded.

Source: When I have tried to upload the key to MS I have had to disable Pi-Hole to do so. I'm not sure what address you need to block but it shouldn't be too hard to work out.

@PaulKingtiger

And what about the time when you leave your home network that does not block M$ networks?

@DirtyAnCom @niknukem @jesterchen

@selea @PaulKingtiger @niknukem @jesterchen that is a prudent question. I wonder if one could make an outbound rule to block it in Windows firewall, itself, lol.

@selea @DirtyAnCom @niknukem @jesterchen

That's a good point. We'd need to check if MS tries to upload the key when you select a different option and if it keeps trying until it is successful.

@DirtyAnCom @niknukem @jesterchen That's not true, I have Windows installs with local accounts and BitLocker. I think you may have to have Windows Professional to do this.

@chopsstephens

That's a good point. I hadn't considered that. Gonna have to upgrade my Windows install.

@niknukem @jesterchen