Microsoft Is Collecting Your Encryption Keys: Here’s How to Delete Them

It is possible to prevent encryption keys from reaching Microsoft’s Servers – Learn how:

It is a known fact that for all new Windows devices, Microsoft secretly creates backups of encryption keys on its servers.

However, if you are one of those who like to maintain their privacy, we can show you how to remove your encryption keys from Microsoft's servers.

Firstly, understand the difference between device encryption and BitLocker.

With Win8, Microsoft started offering standard, free encryption on those devices that were equipped with a tamper-resistant chip (TPM – Trusted Platform Module).

So, when Win8, Win8.1 or Win10 (Home Edition) is running, encryption is included by default.

For other versions of MS Windows like Pro and Enterprise, both device encryption and BitLocker are there.

Technically, there is no big difference between the standard disk encryption provided to Home version users and the BitLocker that features on Enterprise and Pro versions, except that BitLocker has a Settings page in the Control Panel, which lets users decide what to do with the encryption key.

Disk encryption is already enabled by default on all new Windows devices, and the first time a user logs into his Microsoft account, the servers automatically save a copy of the encryption key.

It is true that not all Windows users log into their Microsoft accounts, and obviously not many people have recently bought a new Windows device, but it is definitely useful to know how to remove this backup encryption key from the software manufacturer’s servers.

Now that you know Microsoft saves a copy of your encryption keys, it is possible to check it out at and delete all the existing keys.

You must write down the most recent key on a piece of paper or copy/paste it in a file.

Users can delete the encryption key from Microsoft’s servers from this page, but there is no guarantee that the system won’t re-upload the encryption key the next time the same user logs into his account on Windows Home.

Unfortunately, Home users have no other way to use disk encryption without a copy of the key being saved on the servers.

If you think that Microsoft knows a lot about you already and disk encryption is just unnecessary, then you may disable it through your Control Panel’s “PC and devices -> PC info -> Device Encryption”.

Alternatively, you may search for “Device Encryption.”

If you are okay with disk encryption but don’t want any involvement from Microsoft’s sneaky backup system, then you can use an open-source disk encryption system such as VeraCrypt or a paid option like BestCrypt.

Windows Enterprise and Pro users can, however, delete this key and make it obsolete as well, unlike Home version users. For this, a few steps have to be taken.

Type BitLocker in your Control Panel’s search tab. If disk encryption is supported on your device, you will find BitLocker on by default. You can turn it off, but this process takes time.

Once it is off, turn it on again to generate a new encryption key. This time, however, BitLocker will ask you whether you want to save this key instead of automatically sending it to Microsoft’s servers.

It will offer you three to four options, and you need to choose the one that is most suitable for you, such as saving it to a file or printing it on paper. Just remember not to choose the option that saves it on the servers.

Now, the BitLocker encryption will prompt you to restart your PC.

Check the same link again, that is, to confirm if your current key was again uploaded on Microsoft’s servers or not and to delete older encryption keys.
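The off-and-on procedure above can also be checked on the machine itself by comparing recovery key IDs before and after it. The script below is an added example, not part of the original article or any Microsoft tooling; it assumes Windows Pro or Enterprise with the built-in BitLocker PowerShell module, and the baseline file name is hypothetical.

```powershell
# Added example: run from an elevated PowerShell prompt on Windows Pro/Enterprise.
# $Baseline is a hypothetical file name chosen for this example.
$Baseline = Join-Path $env:USERPROFILE 'bitlocker-old-key-ids.txt'

function Get-RecoveryKeyId {
    # One row per recovery-password protector on every BitLocker volume.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
                [pscustomobject]@{
                    MountPoint = $vol.MountPoint
                    Status     = $vol.VolumeStatus
                    Protection = $vol.ProtectionStatus
                    KeyId      = $kp.KeyProtectorId
                }
            }
        }
    }
}

$current = @(Get-RecoveryKeyId)
if ($current.Count -eq 0) {
    # Expected while the drive is decrypted: turning BitLocker off removes its protectors.
    Write-Output 'No recovery-password protectors found on any volume.'
}
elseif (-not (Test-Path $Baseline)) {
    # First run, before turning BitLocker off: record the IDs of the old keys.
    $current.KeyId | Set-Content -Path $Baseline
    Write-Output "Recorded $($current.Count) key ID(s) in $Baseline."
}
else {
    # Later run, after turning BitLocker back on: a key is new only if its ID
    # is absent from the recorded list.
    $old = @(Get-Content -Path $Baseline)
    $current |
        Select-Object MountPoint, Status, Protection, KeyId,
            @{ Name = 'IsNewKey'; Expression = { $old -notcontains $_.KeyId } } |
        Format-Table -AutoSize
}
```

Run it once before turning BitLocker off and once after turning it back on. The baseline file stores only protector IDs, never the recovery passwords themselves.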

Thanks to The Intercept for bringing this to our notice.
