Resolve Invalid Key ID when requesting BitLocker Recovery Key


MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options. As well as monitor compliance with these policies. Kindly refer to the following similar guides on BitLocker. how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, how to view BitLocker disk encryption status in Windows, how to backup existing and new BitLocker recovery keys to Active Directory, and BitLocker Drive Encryption architecture and implementation types on Windows. In this guide, I will show you how to Regain Access to a PC via the Self-Service Portal: Resolve Invalid Key ID when requesting BitLocker Recovery Key.

Why Would the BitLocker Recovery Key Window be prompted?

There are multiple reasons for this. You will have to troubleshoot specifically to pinpoint what could have happened in your case. We have outlined them in this guide “Reasons for BitLocker Recovery Mode Prompt“. BitLocker Recovery Key restores access to a BitLocker-protected device when locked. Since I administer BitLocker via MBAM, I can save the recovery keys to the MBAM Database and Active Directory.

EnterRecoveryKeyID scaled
EnterRecoveryKeyID scaled

Note: You will only be able to perform the self-service recovery or recovery via the MBAM helpdesk. If the keys have been successfully escrowed in the MBAM database. If this does not happen, and you do not have the recovery keys saved to Active Directory. In this case, you have to re-install your device.

Why was this “error “Invalid Key ID, Unable to get BitLocker Recovery Key” Prompted?

The Invalid Key ID was prompted because the user requesting the key isn’t an end-user on the device! Below are the prerequisites for recovery BitLocker Recovery Key via the SelfService Portal.

  • You must be the end user of the system to recover the key through the Self-Service Portal *
  • You must use your usual login credentials for that PC when logging into the Self-Service Portal. Else you will not be able to perform the recovery.

Note:  If the IT administrator configured an IIS Session State time-out. A message is displayed in the Self-Service Portal 5 Minutes prior to the time-out etc.

Resolve Invalid Key ID by Requesting BitLocker Recovery Key in AD

Lastly, if you have BitLocker Recovery Keys saved to Active Directory. You can log in Active Directory and get the recovery key. You may need to fix the missing BitLocker Recovery Tab in Active Directory Users and Computers before being able to view the recovery key in AD. Here is how Backup existing and new BitLocker recovery keys to Windows Active Directory if you are not using GPO.

I really do not recommend AD, if you are using MBAM. As there will not be any form of auditing in place when keys are accessed by the Active Directory. See Enterprise Compliance, Computer Compliance, and Recovery Audit Report: Understanding the Microsoft BitLocker Administration and Monitoring (MBAM) reports fields, and how to query MBAM to display the BitLocker Recovery report.

BitLocker RecoveryinAD
BitLocker RecoveryinAD

Resolve Invalid Key ID when requesting BitLocker Recovery Key

This section covers how to unlock your PC that is encrypted using the MBAM (Microsoft BitLocker Administration and Monitoring) client.  It is assumed that the MBAM client is installed on your device. And that the drive has already been encrypted by the MBAM client. Else, you should look at this guide how and where to find your BitLocker recovery key in Windows

Important   An end user must have physically logged on to the computer (not remotely) at least one time successfully to be able to recover their key using the Self-Service Portal. Otherwise, they must use the Helpdesk Portal for key recovery.

Regain Access to a PC via the Self-Service Portal

The Self-Service Portal is a website that IT administrators configure as part of Microsoft BitLocker Administration and Monitoring (MBAM) deployment. The portal allows end users to individually regain access to their PCs without bothering the helpdesk or System (AD) Administrators if they get locked out of Windows. Learn about how to deploy MBAM for Bitlocker Administration.

To use the Self-Service Portal to regain access to a computer, kindly access the Self Srvice Portal URL of your Company.


In the Recovery KeyId field, enter a minimum of eight of the 32-digit BitLocker Key ID that is displayed on the BitLocker recovery screen of your computer. If the first eight digits match multiple keys, a message displays that requires you to enter all 32 digits of the recovery key ID.

In the Reason field, select a reason for your request for the recovery key. Next, click on Get Key. Your BitLocker recovery key is displayed in the Your BitLocker Recovery Key field.

Enter the 48-digit code into the BitLocker recovery screen on your computer to regain access to the computer

I hope you found this blog post helpful on how to Regain Access to a PC via the Self-Service Portal: Resolve Invalid Key ID when requesting BitLocker Recovery Key. If you have any questions, please let me know in the comment session.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x