MS Defends Windows 10 Policy to Copy Hard Drive Keys

John Lister's picture

Microsoft has confirmed it automatically uploads Windows 10 disk encryption keys to its servers. The company says it was a deliberate decision based on weighing up the worst case scenarios.

The encryption key in question is not related to logging into and running Windows itself. Instead its an encryption of the entire hard drive of the device running Windows 10. This means that if somebody physically steals your computer, they can't make any sense of the data, even if it's been copied to another device (using a disk image backup, for example).

Encryption Key Would Help Computer Thieves

The encryption system Microsoft uses includes a recovery key: literally a string of characters which allow access to the files in decrypted form. For users of the Pro and Enterprise editions of Windows 10, there's an option to store the key in a place of your choice, such as on an external hard drive or USB stick, or simply to print it out for future reference.

However, on the ordinary Home edition of Windows 10, the key is automatically uploaded to Microsoft's servers, where it can be accessed via the user's Microsoft log-in. It's possible to delete the key but not to stop it being uploaded to begin with. It's worth noting that the encryption system cannot be enabled unless Windows 10 Pro or higher is running on the system. So, Home users would need to upgrade to Pro to enable the encryption.

In theory at least, having the keys stored on Microsoft's servers could be a security risk if somebody was able to gain physical access to a computer and find the associated encryption key. This could happen if the wrongdoer was able to get hold of the user's Microsoft log-in and access their account. Alternatively, it's possible - though highly unlikely - that Microsoft's server could be compromised, exposing encryption keys in bulk.

Microsoft Defends Automatic Upload

The chances are this is more likely to be a problem for specific targeted attacks on individuals, such as those who deal with particularly sensitive information. Microsoft says it chose this set-up to avoid the problem of a user's computer getting stuck in recover mode and them neither remembering nor being able to get hold of their encryption key. In this case the content of the computer would effectively be lost for good unless backed up.

However, security experts aren't convinced. A professor of cryptography told The Intercept that having encryption keys automatically stored on Microsoft servers "fundamentally changes the security properties of a disk encryption system." (Source:

Meanwhile Business Insider notes that in some judicial systems, governments may be able to demand a third party such as Microsoft hand over the encryption key, thus allowing officials to access a seized drive without the user's permission. (Source:

What's Your Opinion?

Were you aware of the encryption settings in Windows 10? Should Microsoft upload the keys automatically or make it an opt-in system? Is it right to argue that the practical benefits to users outweigh any security concerns?

Rate this article: 
Average: 4.6 (7 votes)


mra_6110's picture

Time to buy an Apple.

Terrible breach of privacy.

Bye-Bye Microsoft.

ronbh's picture

This sounds very useful for government agency's that would like to get a users data.
I have no knowledge of this but is a user is backing up encrypted data to Microsoft servers having this key would allow Microsoft to monitor all the data that is uploaded.
Very useful for looking for copy write violations of software, music, video. Also could be used for data mining of email and subject matter for marketing purposes etc.
I read an article that mentioned that a young man was arrested for possession of child pornography, he was caught because he uploaded images to a cloud storage and the operators monitored the data being sent and then notified authorities. This guy wasn't encrypting his images but I could see a similar scenario in which a person stored encrypted data and it was monitored.
This is just the way things are going with nothing being secure and everything monitored. The future appears to be very dystopian.

Tradesman1's picture

More of MS playing God and telling people what they want rather than (God forbid) asking users and oft times paying customers what they would like - not to mention invading their privacy.

joe_6113's picture

MS has overstepped it's boundaries. I will NEVER USE WIN 10.

Lets boycott MS

doug_6114's picture

In regards to the " option to store the key in a place of your choice"...

Where, how do we do that?

Thanks Dennis.

Jack Cracker's picture

MS has always had something, some explanation or other to justify their actions, when it comes to the "good of the customer"..... Non-Configurable Windows Updates (You get it or you don't..) ..... the many calls home.... the many hits on your PC JUST making sure you STILL have a legit copy (or for any number of reasons)... selling buggy, unfinished software and more or less waiting for those calls,letters and emails describing how their latest and by all means Greatest product is hosed up. Then we wait for the issue of another "SP1"... Now, it is the Encryption Keys that they figure they should be able to help themselves to. None of this is really new, and despite the manifold complaints and such to the contrary, MS is going to do whatever it wants to, and just get away with it.

Tex Dad's picture

Lots of questions:
-- If the Home version of Windows 10 does not have hard drive encryption included, then why are encryption keys being created?
-- Are there not third party programs available to do your own hard drive encryption?
-- If you install Windows 10 Pro (or above), can you change the encryption key and prevent the new encryption key from being sent to Microsoft before encrypting the hard drive, thereby preventing Microsoft from having a copy of the new encryption key?
-- And how can you be sure Microsoft does not already include a way for the new encryption key to be sent to them automatically?

That last item is the #1 reason I am still not installing Windows 10.

See 'GWX Control Panel' at