Trusted Platform Module has Malfunctioned in Outlook or Teams with an error about the keyset – Error code 80090016 #TPM


I rarely post items unrelated to CRM (either product or technology). However, I recently had a challenge that took some effort to resolve with Windows 11 and the TPM. I even contacted Microsoft and Dell technical support, and neither could resolve it. So I want to put it out there for anyone else searching the web for a solution.

What is the TPM (Trusted Platform Module)?

The TPM is a secure crypto-processor: a chip inside your computer that adds hardware support for cryptographic functions such as encryption and authentication. Keeping these functions in dedicated hardware makes the system more secure, because interfering with a chip is considerably harder than interfering with software. In addition, the chip is designed to be tamper-resistant, so malicious software should not be able to tamper with it.

It generates and stores cryptographic keys and also has its own unique RSA key burnt in. Some areas that can use the TPM include drive and network encryption routines (like BitLocker) and the authentication of accounts. Microsoft Work/School accounts now use it on Windows 11, where a TPM is a requirement.

The Error.

If there is a problem with the keyset, you might get this error:

TPM keyset error with Office 365 Authentication

Your computer’s Trusted Platform Module has malfunctioned. If this error persists, contact your system administrator with the error code 80090016.
More information: https://www.microsoft.com/wamerrors

Unfortunately, like so many of Microsoft’s built-in links on errors, that link provides no helpful information or assistance.

The Cause.

As far as I can tell, the issue happens after the TPM keys have been cleared (which you might need to do for a firmware update) or when something damages the keyset.

The Solutions.

There were several recommended solutions I found online, though none of them worked for me. However, to be complete, I will include them here. I suggest you try them in the order listed, then reboot and test to see if it worked before trying the next.

Backup your data before trying any of these options!

Solution 1:

Note: You need to do this step with the affected user account logged off. This might mean using a different administrator account or sharing the parent folder temporarily and connecting via the network.

Rename the following folder:
C:\Users\[user]\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

To:
C:\Users\[user]\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy.old

Reboot and try opening Outlook and/or Teams.

Solution 2:

  1. Open File Explorer.
  2. Browse to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC
  3. Delete everything in this folder.
    Note: you need to grant yourself access to the folders.
  4. Reboot and try Outlook and/or Teams with that account.

Solution 3:

Note: backup your registry before this step.

  1. Sign out from Microsoft Office and MS Teams, and close all 365 apps.
  2. In RegEdit, navigate to this key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity
  3. Modify the value called EnableAdal and set it to 1.
    If it doesn’t exist, create it as a DWORD value.
  4. Delete the ADAL authentication profile for the affected user account.
    1. Navigate to this key:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity\Identities
    2. Export that folder for a backup.
    3. Look in each of the folders for the one with the email address of the account.
      When you click on the folder, you can see the key EmailAddress on the right.
    4. Record the name of the folder. If you need Solution 4, you’ll need the GUID (the part of the folder name before “_ADAL”).
    5. Delete the folder.

      ADAL Identity Profile Registry Key

  5. Reboot and try logging in to Outlook and Teams. It will ask you to activate the account again.

Solution 4:

The above steps worked on two machines, but with a third, I had to go further.

  1. Navigate to this key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity
  2. Use Ctrl-F to search for the email address and delete the appropriate folders.
  3. Use Ctrl-F to search for the GUID (recorded in Solution 3, step 4, sub-step 4) and delete the appropriate folders.
  4. Open the TPM management console (press Windows key + R and run tpm.msc).
  5. Clear TPM.
  6. This will automatically reboot, and you can then try Outlook, Teams, or any other 365 apps.
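As an added example (not part of the original post), the PowerShell script below automates the registry parts of Solution 3 and the registry search of Solution 4: it sets EnableAdal, exports the Identity tree with reg.exe as a backup, finds the identity subkey whose EmailAddress matches the account, records its GUID, and then searches the rest of the Identity tree for keys still referencing the email address or GUID. The -Delete switch, the email-matching logic and the backup location are my assumptions; without -Delete it only reports what it would remove, and the TPM clearing (tpm.msc) is still done by hand.

```powershell
# Added example, not from the original post. Assumes the Office 16.0 Identity key
# used in the post. Run as the affected user with all Office and Teams apps closed.
param(
    [Parameter(Mandatory)][string]$EmailAddress,   # account that shows error 80090016
    [switch]$Delete                                 # without it the script only reports
)
$identityKey   = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
$identitiesKey = Join-Path $identityKey 'Identities'
$backup = Join-Path $env:TEMP ("Identity-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Solution 3, step 3: EnableAdal = 1, created as a DWORD if it does not exist
if (-not (Test-Path $identityKey)) { throw "Key not found: $identityKey" }
$existing = Get-ItemProperty -Path $identityKey -Name EnableAdal -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $identityKey -Name EnableAdal -PropertyType DWord -Value 1 | Out-Null
} else {
    Set-ItemProperty -Path $identityKey -Name EnableAdal -Value 1
}

# Step 4, sub-step 2: export the whole Identity tree before touching anything
reg.exe export 'HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity' $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

# Step 4, sub-steps 3-5: find the profile whose EmailAddress matches, record the GUID
$guids = @()
foreach ($sub in Get-ChildItem -Path $identitiesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $sub.PSPath
    if ($props.EmailAddress -eq $EmailAddress) {
        $guid = $sub.PSChildName -replace '_ADAL.*$', ''   # part of the name before "_ADAL"
        $guids += $guid
        Write-Host "Match: $($sub.PSChildName) (GUID $guid)"
        if ($Delete) { Remove-Item -Path $sub.PSPath -Recurse -Force }
    }
}

# Solution 4, steps 2-3: the Ctrl-F search, looking for subkeys whose name or
# any value still references the email address or one of the recorded GUIDs
$needles = @($EmailAddress) + $guids
foreach ($sub in Get-ChildItem -Path $identityKey -Recurse -ErrorAction SilentlyContinue) {
    if (-not (Test-Path $sub.PSPath)) { continue }   # parent may already be gone
    $values = Get-ItemProperty -Path $sub.PSPath | Out-String
    $hit = $needles | Where-Object { $sub.PSChildName -like "*$_*" -or $values -like "*$_*" }
    if ($hit) {
        Write-Host "Reference found under: $($sub.PSPath -replace '^.*::', '')"
        if ($Delete) { Remove-Item -Path $sub.PSPath -Recurse -Force }
    }
}
if (-not $Delete) { Write-Host 'Report only: re-run with -Delete to remove the listed keys.' }
```

Run it once without -Delete to review the list against what you expect to see in RegEdit, then with -Delete, before clearing the TPM in step 4.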

Please add a comment if you have any other questions or suggestions.
