Trusted Platform Module has Malfunctioned in Outlook or Teams with an error about the keyset – Error code 80090016 #TPM

 

I rarely post items unrelated to CRM (either product or technology). However, I recently had a challenge that took some effort to resolve with Windows 11 and the TPM. I even contacted Microsoft and Dell technical support, and neither could resolve it. So I want to put it out there for anyone else searching the web for a solution.

What is the TPM (Trusted Platform Module)?

The TPM is a secure crypto-processor. It’s a chip within your computer that adds hardware support for cryptographic functions like encryption and authentication. Using hardware for these makes the system more secure as it’s considerably more difficult for someone to hack the system than to interfere with the software. In addition, it is designed to be tamper-resistant, and malicious software should not be able to tamper with it.

It generates and stores cryptographic keys as well as having its own unique RSA key burnt in. Some areas that can use TPM include drive and network encryption routines (like BitLocker) or the authentication of accounts. Microsoft Work/School accounts use this now on Windows 11, where it is a requirement.

The Error.

If there is a problem with the keyset, you might get this error:

TPM keyset error with Office 365 Authentication

Your computer’s Trusted Platform Module has malfunctioned. If this error persists, contact your system administrator with the error code 80090016.
More information: https://www.microsoft.com/wamerrors

Unfortunately, like so many of Microsoft’s built-in links on errors, that link provides no helpful information or assistance.

The Cause.

As far as I can tell, the issue happens if you need to clear the TPM keys, which you might need for a firmware update, or if something damages its keyset.

The Solutions.

There were several recommended solutions I found online, though none of them worked for me. However, to be complete, I will include them here. I suggest you try them in the order listed, then reboot and test to see if it worked before trying the next.

Backup your data before trying any of these options!

Solution 1:

Note: You need to do this step with the affected user account logged off. This might mean using a different administrator account or sharing the parent folder temporarily and connecting via the network.

Rename the following folder:
C:\Users\[user]\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

To:
C:\users\[user]\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy.old

Reboot and try opening Outlook and/Teams.

Solution 2:

1. Open File Explorer.
2. Browse to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC
3. Delete everything in this folder.
   Note: you need to grant yourself access to the folders.
4. Reboot and try Outlook and/or Teams with that account.

Solution 3:

Note: backup your registry before this step.

1. Sign out from Microsoft Office and MS Teams, and close all 365 apps.
2. In RegEdit, navigate to this key:
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity
3. Modify the key called EnableAdal and set it to 1.
   If it doesn’t exist, create it as a DWORD.
4. Delete the ADAL Authentication Profile for the afflicted user account.
1. Navigate to this key:
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity\Identities
2. Export that folder for a backup.
3. Look in each of the folders for the one with the email address of the account.
   When you click on the folder, you can see the key EmailAddress on the right.
4. Record the name of the folder. If you need Solution 4, you’ll need the GUID (the part of the folder name before “_ADAL”).
5. Delete the folder.
   
   

   

   ADAL Identity Profile Registry Key

   
   
5. Reboot and try logging in to Outlook and teams. It will ask you to activate the account again.

Solution 4:

The above steps worked on two machines, but with a third, I had to go further.

1. Navigate to this key:
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity
2. Use Ctrl-F to search for the email address and delete the appropriate folders.
3. Use Ctrl-F to search for the GUID (from Solution 3, 4d) and delete the appropriate folders.
4. Open the TPM console (Windows Key – R > TPM.msc).
5. Clear TPM.
6. This will automatically reboot, and you can then try Outlook, Teams, or any other 365 apps.

Please add a comment if you have any other questions or suggestions.

More Information on TPM at these links:

• https://en.wikipedia.org/wiki/Trusted_Platform_Module
• https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-top-node
• https://answers.microsoft.com/en-us/outlook_com/forum/all/error-code-80090016-trusted-platform-module-has/c0588197-a33a-423f-bcb0-4ab5cda58928
• https://www.dell.com/support/kbdoc/en-au/000190999/trusted-platform-module-frequently-asked-questions-for-windows-11
  

Emailing from #ActCRM via Gmail and SMTP on other ports.

One of the long standing issues in Act! has been the inability for the email clients (Windows Internet Mail and Act! Premium for Web email merges) to use alternate ports. You can record History from email sent via Gmail and you can sync the contacts and activities between act! and Gmail, but you can’t use it directly as your email server as stated in this Act! knowledge base article: What email systems are compatible with Act!?

Recently an Act! Consultant came to me to help find a workaround for an Act! Premium for Web (APFW) User who needed to do emails with Templates. They are using Google’s G-Suit as their corporate mail server.

The user did have Outlook on their users’ machines, but the APFW email merge only works from the server, direct to an SMTP server.

Always up for a challenge, I looked into a few options (both free and paid) and came up with the idea of setting up a simple IIS SMTP server on their server and having it route the emails via the Google servers.

As I thought this might be useful to many of you, I thought I’d describe the process.

Please note: These instructions are of a technical nature and should only be done by those with the appropriate skills and understanding. Should you need assistance with this, please contact your Act! Consultant or send me a message via the GL Computing Contact Form

Google Setup

Note: This section is only necessary for those wanting to email via Google.

First, you need to determine which Google system you’re using and what authentication is necessary to allow the SMTP traffic. There are three supported options to do this:

• G-Suite SMTP relay (recommended) – Only for G-Suite customers
• Gmail SMTP server
• Restricted Gmail SMTP server – Only allows emails to other Gmail or G-Suite users, so probably not suitable for our use and won’t be covered.

G-Suite SMTP relay (recommended)	Gmail SMTP server
Sending Limits
A registered G Suite user can't relay messages to more than 10,000 recipients per day. For full SMTP relay limits, see Sending limits for the SMTP relay service.	2,000 Messages per day. See Gmail sending limits.
Anti-spam filters
Suspicious emails may be filtered or rejected
Fully qualified domain name of SMTP service
smtp-relay.gmail.com	smtp.gmail.com
Configuration options
Options: Port 25, 465, or 587 Secure Socket Layer (SSL)/Transport Layer Security (TLS) protocols. Dynamic IPs are allowed, but a static IP might be required due to authentication requirements.	Port 465 (SSL required) Port 587 (TLS required) Dynamic IPs allowed
Authentication requirements
Either a static IP address or a valid G Suite user login	Your full Gmail or G Suite email address is required for authentication.

Please Note: I recommend selecting TLS and port 587 for security

Please Note: If selecting Gmail SMTP server or not using a reasonably stable IP, you can only authenticate with a single user account at Gmail and emails will go from that account. However, it is possible to assign multiple IP addresses to your server and configure each account to use a separate one.

Once you’ve decided on your preferred option, you need to enable that function.

• For G-Suite SMTP relay, you need to add the IP address (or address range) for the machine(s) you’ll be setting up with SMTP server. To do that, follow the instructions at:
• Step 1: Route outbound mail using the SMTP relay service
• Use the external IP address of the SMTP server for #7/8
• Note: We’ll do step two when we’ve set-up the IIS SMTP server
  
• To use the Gmail SMTP server, you need to allow less secure apps access.
  The method you need to use will depend on if you are using a G-Suit account or a plain Gmail one. See the appropriate link::
• G-Suite - Allow or disallow less secure apps to access accounts
• Gmail - Allow less secure apps to access your account
  Note: If using two-step authentication, you’ll need to create an app password, as per
  Sign in using App Passwords

Setting up your SMTP server

To workaround the problem with sending to SMTP on different ports, we’re going to setup our own private SMTP server which will then relay the emails to your ISP or Corporate server.

While there are many free or inexpensive SMTP server options available, I’m going to just cover the IIS one as every Act! user would have access to it.

While this can be setup on a Windows Desktop system, I wouldn’t advise doing this because of a number of limitations and reliability factors.

So, I’m going to include instructions for Windows 2008 R2 and Windows 2012.

Install Internet Information Services (IIS)

If you already have IIS installed (eg on your APFW server), you might be able to skip this section and go to “Install SMTP”.

1. In Server Manager, select Add Roles
2. On the Before you begin page in the Add Roles Wizard, select Next.
3. For Windows Server 2008 R2:
1. On the Select Server Roles page, select Web Server (IIS) and select Install.
2. Select Next until you get to the Select Role Services page.
3. In addition to what is already selected, make sure that ODBC Logging, IIS Metabase Compatibility, and IIS 6 Management Console are selected and then select Next.
4. When you’re prompted to install IIS, select Install. You may need to restart the server after the installation is finished.
4. For Windows Server 2012
1. On the Select Installation Type page, select Role-based or Feature-based installation.
2. On the Select destination server page, choose Select a server from the server pool, and select the server that will be running SMTP services. Select Next.
3. On the Select Server Roles page, select Web Server (IIS), and then select Next. If a page that requests additional features is displayed, select Add Features and then select Next.
4. On the Select Role Services page, make sure that Basic Authentication under Security is selected, and then select Next.
5. On the Confirm Installation Steps page, select Install.

Install SMTP

1. Open Server Manager and select Add Roles and Features. On Windows Server 2012, you might also need to select the correct server.
2. On the Select Features screen, choose SMTP Server. You may be prompted to install additional components. If that’s the case, select Add Required Features and select Next.
3. Select Install. After the installation is finished, you may have to start the SMTP service by using the Services snap-in for the Microsoft Management Console (MMC) – Windows Key + R > Services.msc

Setup SMTP

SMTP is an IIS6 feature, so the above steps will have installed that version and we’ll use it for setting up

1. Start IIS 6 Manager – Start > Run > inetmgr6
2. Expand the current server, right-click the SMTP Virtual Server, and then select Properties.
3. We only need to worry about the Access and Delivery Tabs
4. On the Access Tab:
1. Select Authentication and make sure only “Anonymous” is checked. Click OK
   
2. Select Relay. Select “Only the list below” then use the “Add” button to add the IP addresses (or ranges) of all your machines that are allowed to send emails. Click OK.
   
5. Go to the Delivery Tab:
1. Select Outbound Security.
• If using G-Suite SMTP Relay with IP authentication, select Anonymous access and check TLS encryption. Click OK.
• If using G-Suit SMTP with SMTP Authentication, or if using the Gmail SMTP, then select Basic authentication and check TLS encryption. Click OK.
  
2. Select “Outbound connections” and set the port to 587. Click OK.
   
3. Select “Advanced” and enter:
• Fully-qualified domain name – The correct DNS entry to identify the public IP you’re server is on
• Smart host
• If using G-Suite SMTP Relay - smtp-relay.gmail.com
• If using Gmail SMTP Server – smtp.gmail.com
6. Close the dialog box and the Properties.
7. Right Click on the SMTP Server in IIS6 and select “Start”

Test your setup

You can do a simple test from the command prompt. Windows Key + R > cmd.

1. telnet
2. set localecho
3. o <your smtp server IP or FQDN> 25
4. EHLO <your email domain>
5. MAIL FROM:<sender@gmail.com>
6. RCPT TO:<recipient@gmail.com>
7. DATA
8. <Type some text>
9. Enter, type a period (.) and then Enter again
10. If the server is working properly, you should get a response like this indicating that the message is queued for delivery:
    250 2.6.0 <INET-IMC-01UWr81nn9000fbad8@mail1.glcomputing.com.au.

Finally

Please Note: Make sure you correctly adjust your SPF records if using custom domains. This is essential if you don’t want your messages treated as spam.

Now you’re ready to set up your applications like Act! Internet Mail, Act! Premium for Web Email Merge, and Premium Mobile.

As always, you can let me know if you have any trouble with this or would like to book me to help you.

To Cloud your #CRM or Not to Cloud. For that is the question

How to make users feel that using cloud can like trekking through a Brazilian jungle.

I’m guessing that many you might be aware of the issue with Amazon’s S3 cloud storage service which led to massive outages across the internet.

So far, Amazon has not given an indication as to the cause.

 

The only news on their site at this time is that the problems have been resolved: https://status.aws.amazon.com/

But why did it take down so much of the internet?

Yes, many applications were down for some hours. Buffer, Slack, Trello, and a great many more were unusable (or barely usable) during the time that Amazon had their outage.

According to the Synergy Research Group’s 2017 report, Amazon Web Services owns more than a whopping 40 percent share of the global public cloud services market.Other providers, such as Google, Microsoft and IBM are small players by comparison.

So maybe you can understand that when Amazon coughs, we all get colds.

What does this have to do with CRM?

Remember: There is no cloud, it’s just someone else’s computer

More and more, the major (and not so major) CRM providers have been pushing users to move their data to the vendors’ cloud systems. Even Swiftpage has been doing this with Act!.

Of course, there is a big advantage to the vendor to push for these subscriptions – They don’t have to add any real value to the product in order to keep getting your money. A case in point for this is the lack of any new serious functionality in Act! v19. Something I blogged about, here: What’s coming in Act! v19 – Good, bad or very ugly?

Although, more recently, the vendors have even put their on-premises products on the subscription model (Microsoft’s Office 365 and Swiftpage’s Act! are examples of this strategy to get users paying every year. They’ve both overly inflated the pricing of the “outright purchase” or “perpetual” licenses. They’ve also come down hard on the users who would consider buying outright, by making some features only available on subscription and (as Swiftpage says they’ll be doing for Act!) refusing to provide bug-fix updates within the version you purchased.

What are the advantages and disadvantages to you?

 

Advantages of cloud implementations:

• No need for server hardware CAPEX
• The IT costs can be reduced
• Maintenance, upgrades and support are handled by the vendor
  • This can be an issue when they update their version and break things that you use
• Can be easier to access from anywhere – This requires extra work for on-premises
• You, or your IT, are responsible for security if you make it available externally.
• There used to be a reduced upfront cost for the cloud, when compared to on-premises. But, with more vendors moving their on-premises versions to subscription, this is nolonger an advantage

 

Advantages of on-premises implementations:

• Retain 100% ownership of your data
  • How well do you trust the vendor to stay in business?
  • What happens to your data if they close?
• Retain 100% of the integrity of your data
  • About 6 months ago, Salesforce lost 4-5 hours of client data in May 2016
    The outage was caused by a problem with the database. So the folks at Salesforce restored the database back to the time before the problem occurred, four hours earlier, which deleted the previous data, Salesforce explained in a report on its Salesforce Trust page.
• Retain 100% of the security of your data
  • In 2007, a salesforce.com employee fell victim to a targeted phishing scam and was tricked into providing admin credentials to the perpetrators.
  • Last year, LinkedIn, had 117Million accounts hacked with details up for sale
  • Also last year, Yahoo disclosed a hack of more than 1Billion accounts
  • Does your cloud vendor use two-step authentication?
    If not, run (don’t walk) away to use something else.
    Hacks will get more common. If your vendor hasn’t made this a priority, they simply do not care about your data and you shouldn’t be giving it to them
• Less susceptible to external connectivity
  • Not all areas have great internet access
  • Because Handheld Contact for Act! stores the data on the device, I regard it as the best solution for Act! users with iPhones, iPads, Androids or Blackberrys
• Less susceptible to an issue like the recent Amazon one
• Sometimes greater functionality is available in the desktop version
• Often a wider range of integration possibilities
• Ability to customise your CRM solution with add-ons or custom written code that might not be possible in a cloud version

 

How about a hybrid solution?

One of the areas that Act! does best at, is the hybrid solution of using both delivery systems.

This can be a useful compromise:

• You still need your own IT – In-house or out-sourced
• You might still be susceptible to the security issues above … at both sides.
• You can pull your data out in any way you choose
• You are not constrained by internet access and can use the data via an app on your phone or laptop even when out of range.
• Access to both sets of integration and customisation options.
• You’d barely notice an outage from Amazon or the software vendor

 

After all this, what’s best for you?

And that’s really the question to ask. Each person will have a quite different view on this.

• You need to properly document your needs. This article might help: What’s the best CRM?
• You should try to find a VAR or Consultant who’s unbiased in this area so they can look at YOUR needs, rather than selling you something when there were better options. For some assistance in this area, read: How to pick the right CRM consultant for you

Please add a comment to this post with any thoughts you might have on the subject.

 

Technorati Tags: Act,Act!,Act CRM,CRM,cloud,security,smartphone,mobile crm,Swiftpage,LinkedIn,Hacked