Trusted Platform Module has Malfunctioned in Outlook or Teams with an error about the keyset – Error code 80090016 #TPM

 

I rarely post items unrelated to CRM (either product or technology). However, I recently had a challenge that took some effort to resolve with Windows 11 and the TPM. I even contacted Microsoft and Dell technical support, and neither could resolve it. So I want to put it out there for anyone else searching the web for a solution.

What is the TPM (Trusted Platform Module)?

The TPM is a secure crypto-processor. It’s a chip within your computer that adds hardware support for cryptographic functions like encryption and authentication. Using hardware for these makes the system more secure, as it’s considerably more difficult for someone to attack the hardware than to interfere with software. In addition, it is designed to be tamper-resistant, and malicious software should not be able to tamper with it.

It generates and stores cryptographic keys as well as having its own unique RSA key burnt in. Some areas that can use TPM include drive and network encryption routines (like BitLocker) or the authentication of accounts. Microsoft Work/School accounts use this now on Windows 11, where it is a requirement.

The Error.

If there is a problem with the keyset, you might get this error:

Your computer’s Trusted Platform Module has malfunctioned. If this error persists, contact your system administrator with the error code 80090016.
More information: https://www.microsoft.com/wamerrors

Unfortunately, like so many of Microsoft’s built-in links on errors, that link provides no helpful information or assistance.

The Cause.

As far as I can tell, the issue happens if you need to clear the TPM keys, which you might need for a firmware update, or if something damages its keyset.

The Solutions.

There were several recommended solutions I found online, though none of them worked for me. However, to be complete, I will include them here. I suggest you try them in the order listed, then reboot and test to see if it worked before trying the next.

Backup your data before trying any of these options!

Solution 1:

Note: You need to do this step with the affected user account logged off. This might mean using a different administrator account or sharing the parent folder temporarily and connecting via the network.

Rename the following folder:
C:\Users\[user]\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

To:
C:\users\[user]\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy.old

Reboot and try opening Outlook and/or Teams.

Solution 2:

  1. Open File Explorer.
  2. Browse to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC
  3. Delete everything in this folder.
    Note: you need to grant yourself access to the folders.
  4. Reboot and try Outlook and/or Teams with that account.

Solution 3:

Note: backup your registry before this step.

  1. Sign out from Microsoft Office and MS Teams, and close all 365 apps.
  2. In RegEdit, navigate to this key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity
  3. Modify the key called EnableAdal and set it to 1.
    If it doesn’t exist, create it as a DWORD.
  4. Delete the ADAL Authentication Profile for the afflicted user account.
    1. Navigate to this key:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity\Identities
    2. Export that folder for a backup.
    3. Look in each of the folders for the one with the email address of the account.
      When you click on the folder, you can see the key EmailAddress on the right.
    4. Record the name of the folder. If you need Solution 4, you’ll need the GUID (the part of the folder name before “_ADAL”).
    5. Delete the folder.


  5. Reboot and try logging in to Outlook and Teams. It will ask you to activate the account again.
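
The registry part of Solution 3 (steps 3 and 4) can be scripted so that the backup is always taken and the GUID needed for Solution 4 is recorded. This is an added example, not part of the original post; the `$Email` and `$BackupDir` parameters and the backup file name are assumptions.

```powershell
# Added example: Solution 3, steps 3-4. Run as the affected user with all
# Office apps closed. Add -WhatIf to preview without changing the registry.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$Email,              # address of the affected account
    [string]$BackupDir = "$env:USERPROFILE\Documents"  # assumed backup location
)

$identity   = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
$identities = "$identity\Identities"
if (-not (Test-Path $identities)) { throw "Key not found: $identities" }

# Step 4.2: export the Identities key before changing anything.
$backup = Join-Path $BackupDir ('Identities-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export ($identities -replace '^HKCU:', 'HKCU') $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Step 3: create EnableAdal as a DWORD, or overwrite it, with the value 1.
New-ItemProperty -Path $identity -Name EnableAdal -PropertyType DWord -Value 1 -Force | Out-Null

# Step 4.3: find the subkey(s) whose EmailAddress value matches the account.
$hits = Get-ChildItem -Path $identities |
    Where-Object { $_.GetValue('EmailAddress') -eq $Email }
if (-not $hits) { Write-Warning "No identity profile found for $Email"; return }

foreach ($key in $hits) {
    # Step 4.4: the GUID is the part of the subkey name before "_ADAL".
    $guid = ($key.PSChildName -split '_ADAL')[0]

    # Step 4.5: delete the profile (skipped under -WhatIf).
    if ($PSCmdlet.ShouldProcess($key.Name, 'Delete identity profile')) {
        Remove-Item -Path $key.PSPath -Recurse
    }
    [pscustomobject]@{ Subkey = $key.PSChildName; Guid = $guid; Backup = $backup }
}
```

To roll back, double-click the exported .reg file or run `reg import` on it while signed in as the same user.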

Solution 4:

The above steps worked on two machines, but with a third, I had to go further.

  1. Navigate to this key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity
  2. Use Ctrl-F to search for the email address and delete the appropriate folders.
  3. Use Ctrl-F to search for the GUID (from Solution 3, 4d) and delete the appropriate folders.
  4. Open the TPM console (Windows Key – R > TPM.msc).
  5. Clear TPM.
  6. This will automatically reboot, and you can then try Outlook, Teams, or any other 365 apps.

Please add a comment if you have any other questions or suggestions.

More Information on TPM at these links:


Fix: Issues when installing .Net Framework 3.5

One error that sometimes occurs when installing/upgrading Act!, and many other products, is during the install/upgrade of MS SQL Server.

For Act! installs/upgrades, the typical error you might receive is as per this knowledgebase article: "Act! pre-requisite has encountered a problem and needs to close." When Installing Act!

This error is not an Act! issue, but an issue installing MS-SQL on Windows operating systems from Windows 8 onwards, when the .Net Framework v3.5 isn’t enabled or has a problem with its setup.

You can also get similar issues updating SQL Server 2014 or adding Roles when the .Net 3.5 install lacks the right service pack.

The first step is to try enabling the Framework manually via the Control Panel.

Installing .Net 3.5 via Control Panel

As per this Microsoft article, you can enable the .NET Framework 3.5 through the Windows Control Panel. This option requires an Internet connection.

  1. Press the Windows key on your keyboard, type "Windows Features", and press Enter. The Turn Windows features on or off dialogue box appears.

  2. Select the .NET Framework 3.5 (includes .NET 2.0 and 3.0) check box, select OK, and reboot your computer if prompted.

You don't need to select the child items for Windows Communication Foundation (WCF) HTTP Activation and Windows Communication Foundation (WCF) Non-HTTP Activation unless you're a developer or server administrator who requires this functionality.




Troubleshooting .Net 3.5 Installation Failure

During installation, you may encounter one of these errors: 0x800f0906, 0x800f0907, 0x800f081f, or 0x800F0922.

Or you might get the error “The following feature couldn’t be installed, The source files could not be found”.

Or, on Server 2012, you might get “Do you want to specify an alternate source path? One or more installation selections are missing source files on the destination server”

Microsoft covers some of the basics in this article. However, as it misses fixes for some of the errors and is, in my opinion, incomplete, I thought I would document my preferred solutions.

Check the System and Security Action Centre

  1. Hold the Windows Key and press R
  2. In the Run dialogue, type: wscui.cpl
  3. If you see any warnings, you should resolve them.

Using DISM and an SFC/DISM Scan

Try installing via DISM to enable the .Net 3.5 Framework:

  1. Open a Command or PowerShell Prompt as an Administrator – Press Windows Key + X to open Win + X menu and choose Command Prompt (Admin) or PowerShell (Admin) from the menu.
  2. When the Command Prompt starts, run the following command, changing “X” to the drive letter of your Windows ISO:
    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:X:\sources\sxs
  3. The operation will now start. Keep in mind that it can take a while to finish, so don’t interrupt it.

If that fails, perform an SFC scan, by doing the following:

  1. Open an Administrator Command Prompt.
  2. Type sfc /scannow and press Enter.
  3. SFC scan will now start. Keep in mind that SFC scan can take about 15 minutes to finish, so don’t interrupt it.

Once the SFC scan is finished, try to install .NET Framework 3.5 again.

If it doesn’t work, you might have to perform DISM scan as well.

To do that, just follow these steps:

  1. Open Command Prompt as administrator.
  2. Now run each of the following commands:
    1. DISM /Online /Cleanup-Image /CheckHealth
    2. DISM /Online /Cleanup-Image /ScanHealth
    3. DISM /Online /Cleanup-Image /RestoreHealth

The scans can take more than 15 minutes to complete, so be sure not to interrupt them.

Once you complete the DISM scan, reboot and try to install .NET Framework 3.5 again.

Installing from a Clean ISO

Sometimes, the Windows files you have can be damaged. In that case, you need to follow these steps:

Download the Windows Media Creation Tool

  1. For Windows 10 users, download the Windows Media Creation Tool, which is a tool that helps you create a Windows 10 ISO. If running Windows 8.1, download the Windows 8.1 Installer.
  2. Use the Windows Media Creation Tool to create a Windows ISO image locally.
  3. When the download is complete, mount the ISO by double-clicking on it.

For Windows Server 2012 R2, you can download the appropriate Evaluation ISO

Copy the SXS folder

  1. Open the mounted ISO, and go into the Sources folder.
  2. There should be a folder named sxs.
  3. Copy the folder to another location on your computer.
  4. Right click on the copied folder, and choose Properties from the drop-down menu.
  5. When the Properties window opens, click on the Security tab.
  6. Select your username from the Group or user names box; check if there is a checkmark next to Read and Write in the Permissions for [Your Username] box. You could also add “Everyone” or “Domain Users” if wanting to store and run from a network share.
  7. If you do not find the check marks, you should click on the Edit button, select your username, and check both the Read and the Write box.

Edit the Group Policy

Press Windows Key + R and enter gpedit.msc. Now press Enter or click OK. Keep in mind that this tool is available only on Pro versions of Windows 10, but there’s a way to run Group Policy Editor on the Home version of Windows.

  1. When Group Policy Editor starts, in the left pane go to:
    Computer Configuration > Administrative Templates > System.
  2. In the right pane, double-click on
    Specify settings for optional component installation and component repair.
  3. A new window opens.
  4. Select Enabled.
  5. In the Alternate source file path, enter the address of the sxs.
  6. Then click on Apply and OK.
    Optional: Check Download repair content and optional features directly from Windows Update instead of Windows Server Update Services.
  7. After making these changes, you just need to start Command Prompt as administrator and run gpupdate /force command to apply the changes.

Finally

Now it should install from an Admin Command Prompt with the command:
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:X:\sources\sxs
Remember to change “X:\sources\sxs” to the correct location of the sxs folder.
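
The final install can be wrapped in a few pre-flight checks so that a wrong source path or an already-enabled feature is caught before DISM runs. This is an added example, not part of the original post; the package file-name pattern is an assumption based on what Windows 8.1/10 media normally carries, and `X:\sources\sxs` is the article's placeholder path.

```powershell
# Added example: pre-flight checks around the DISM command above.
# Run from an elevated PowerShell prompt.
param([string]$Source = 'X:\sources\sxs')   # placeholder path from the article

# Nothing to do if the feature is already on.
$feature = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
if ($feature.State -eq 'Enabled') { Write-Output 'NetFx3 is already enabled.'; return }

# The offline source must exist and contain the .NET 3.5 on-demand package.
if (-not (Test-Path -LiteralPath $Source -PathType Container)) {
    throw "Source folder not found: $Source"
}
$cab = Get-ChildItem -LiteralPath $Source -Filter '*netfx3-ondemand-package*.cab'
if (-not $cab) { throw "No NetFx3 on-demand package (.cab) found in $Source" }

# Report the alternate source path set by the Group Policy step, if any.
# This is the registry location that policy writes to.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy.LocalSourcePath) {
    Write-Output "Policy source path: $($policy.LocalSourcePath)"
}

# Same command as in the article, with the validated source path.
& DISM.exe /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess "/Source:$Source"
switch ($LASTEXITCODE) {
    0       { Write-Output 'DISM completed.' }
    3010    { Write-Output 'DISM completed; a reboot is required.' }
    default {
        Write-Warning ('DISM failed with exit code 0x{0:X8}; see C:\Windows\Logs\DISM\dism.log' -f $LASTEXITCODE)
    }
}

# Confirm the resulting state rather than trusting the exit code alone.
(Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
```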

It’s also advisable to backup your system and, if you’ve had issues like this, you might also consider:
Repairing your Windows Image

Please post to the comments if these worked for you, or if you’ve encountered this problem and these solutions didn’t help.

Backup Act! CRM Data to the Cloud with @Dropbox as a Service

A couple of years ago, in an article called Taking your ACT! on Holiday, I discussed the use of Dropbox to help with off-site backups. One of the issues with this is that Dropbox only uploads the files when you’re logged into the system and that means it’s not a great option for backing up the database on your server.

A little research and some testing later, and I have the solution for you –

Run Dropbox as a Windows service


What this means is that, when Windows is running, Dropbox will also be running without you needing to be logged in to the server. The benefit of this is that Dropbox will be able to keep uploading backups created by the Act! Scheduler to the cloud.

So, how do we go about this? Well, we need to install Dropbox and set it up as a service.

Setting up

  1. Log into your Windows Server as a local administrator
  2. Download the Windows Server 2003 Resource Kit, which you can download from:
    https://www.microsoft.com/en-au/download/details.aspx?id=17657 
    Note: There isn’t a later version of the Resource Kit. Don’t worry about that if on 2008.
    You just need the files INSTSRV.EXE and SRVANY.EXE from this kit
  3. Install the Server Resource Kit or just copy the two files (INSTSRV and SRVANY) to:
    C:\Program Files (x86)\Windows Resource Kits\Tools
    Note: You only need the two files mentioned.
    They can be in any folder – I’ve used the location from the default install. If you change the location, you’ll need to adjust those paths in a few spots.
  4. Download Dropbox from: https://db.tt/82ZOShy 

Install and setup Dropbox

  1. Install Dropbox as per normal
  2. Select a folder for Dropbox to use – I prefer not to use the user folder for this, so create C:\Dropbox or add a Dropbox folder to your Data folder on the local system.
    You’ll set the Act! Scheduler to save the backups into this folder (or a sub-folder)

  3. Open the Dropbox Preferences, by clicking on the icon in the SysTray, and turn off
    • Show desktop notifications
    • Start Dropbox on system startup

  4. Exit Dropbox from the SysTray


Setting up the Service

  1. There are two options here, depending on which Operating System you’re using:
    • If Windows 2003 or 2008,
      Open a command prompt, change directory to
      C:\Program Files (x86)\Windows Resource Kits\Tools
      and type:
      instsrv Dropbox "C:\Program Files (x86)\Windows Resource Kits\Tools\srvany.exe"
      If it worked, you should get: The service was successfully added!
    • If Windows 2008 R2, open an elevated command prompt (Run As Administrator) and type:
      sc create Dropbox binPath= "C:\Program Files (x86)\Windows Resource Kits\Tools\srvany.exe" DisplayName= "Dropbox Service"
      If all ok, you’ll get: [SC] CreateService SUCCESS.
  2. Next open the Services applet – Start > Run > services.msc
  3. Scroll to the Dropbox item in the list. Right-click and select Properties
  4. Switch to the “Log On” tab
  5. Click “This account”, and enter an Admin account with Full Access to the Dropbox folder. Set the appropriate password for that account.
  6. Click Apply
  7. Switch back to the “General” tab
  8. Change “Startup type” to Automatic
  9. Click Apply and OK
  10. If this is the first time you have done this procedure for the administrator user, you may get a notification saying that the “Administrator user has been granted log on as service rights”.
    DO NOT START THE SERVICE AT THIS TIME.
  11. Next is to set up some registry settings for the service. Open the registry editor
    Start > Run > regedit
  12. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dropbox
  13. Create a new key “Parameters”
  14. Add a new string value “Application”, (type REG_SZ). Set the value to the path to the dropbox.exe binary.
    Find the location by right clicking the Dropbox icon on the desktop. Select Properties and copy the Target.
  15. Close the Registry Editor
  16. Start the service either from Services.msc or by:
    Run > Net start Dropbox
  17. If you check your Task Manager, you will find both Dropbox and srvany running
    Files saved by you or the Act! Scheduler to this folder should be automatically uploaded.
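
Because srvany.exe starts whatever executable the Parameters\Application value names, and does so under the administrator account set on the Log On tab, it is worth checking who else can modify those files once the service is in place. This is an added example, not part of the original post; it assumes the service name `Dropbox` used above and reports an unquoted service path, a missing Application value, and write access held by accounts other than SYSTEM, Administrators, TrustedInstaller and the service account.

```powershell
# Added example: audit the srvany-based service set up above (elevated prompt).
param([string]$ServiceName = 'Dropbox')   # service name used in the article

# SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = @('S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
$sidType = [System.Security.Principal.SecurityIdentifier]
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
    $fsr::ChangePermissions -bor $fsr::TakeOwnership

function Get-UntrustedWriter {
    # Lists Allow ACEs that give a non-trusted SID any write-type right on $Path.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $writeMask) -ne 0 -and
            $trusted -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            '{0} has {1} on {2}' -f $_.IdentityReference.Value, $_.FileSystemRights, $Path
        }
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$findings = @()

# The service account itself is expected to have access to its own files.
if ($svc.StartName -ne 'LocalSystem') {
    try {
        $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        $trusted += ([System.Security.Principal.NTAccount]$acct).Translate($sidType).Value
    } catch { $findings += "Could not resolve service account '$($svc.StartName)'" }
}

# srvany takes no arguments, so whitespace in an unquoted path is part of the path.
if ($svc.PathName -match '\s' -and $svc.PathName -notmatch '^\s*"') {
    $findings += "ImagePath contains spaces and is not quoted: $($svc.PathName)"
}

# The executable srvany launches, from the Application value created in step 14.
$paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
$app = (Get-ItemProperty -Path $paramKey -Name Application -ErrorAction SilentlyContinue).Application
if (-not $app) { $findings += "No Application value under $paramKey" }
elseif ($app -match '^"([^"]+)"') { $exe = $Matches[1] }   # quoted target, maybe with arguments
else { $exe = $app }

# Check srvany.exe, the launched executable and that executable's folder.
$targets = @($svc.PathName.Trim('"'))
if ($exe) { $targets += $exe, (Split-Path -Parent $exe) }
foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) { $findings += @(Get-UntrustedWriter $t) }
    else { $findings += "Path does not exist: $t" }
}

if ($findings) { $findings } else { "No findings for service '$ServiceName'." }
```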

Important Notes and References

Please post in the comments if you have any questions.

 

Looking ahead with #SageACT! 2013

Welcome to the new year. I hope you all had a wonderful time over the festive season and are looking forward to making the most of your contacts in the new year.

I am feeling more positive for the direction of Sage ACT! at this time than I have been for a few years. Those of you who have seen some of my posts in the LinkedIn ACT! Fanatics Group will know that I have had some issues over the past 5 years with the way that Sage management has been developing the product and especially with their head-in-the-sand approach in avoiding any communication with the users.

ACT! is still one of the best and most loved products in its class. Its millions of users worldwide depend on its operation and ease-of-use to run and grow their businesses by maintaining and tracking the relationships we have with our contacts.

Well, last year, there was a change at the top and Dan Wilzoch took over as General Manager for the product. My conversations with him have so far been quite positive. The best sign that this is a positive change is that, while there has been a loss of a number of staff who really knew the product and the needs of its users … this time they have promoted one of the ACT! stars, Benjamin Lederer, to the position of Product Manager.

For those who don’t know Ben, he’s been with Sage since 2005 (and Symantec before that) in a variety of technical, development and product management roles. I have spoken to him many times and I can tell you he knows the product. He talks to those that deal with the users and he understands how to make the technology work. I have had situations where I had explained a bug to a number of Sage staff and nothing was done. A 10 minute call from Ben for me to explain the cause I had identified and he had it fixed quickly in a patch.

His first responsibility as Product Manager will be ACT! 2013 Service Pack 1 – due January 8th.

The best thing about the management change, so far, has been that Ben has already been communicating the intended road map publicly …

For Service Pack 1, Ben has stated the following:

  • Microsoft Windows 8 and IE10 certification.
    Note: IE10 works in 2 modes, Regular and Metro. In Metro (the full-screen app), Microsoft has not included ActiveX controls, so ACT! won’t have word processing or reports in that mode
  • Microsoft Windows Small Business Server 2011 and Windows Server 2012
    This includes improving the APFW installer to work in SBS environments. This will have a positive effect on any deployment that has existing 64 bit web services (SharePoint, Exchange) and reduce the setup problems after ACT! is installed
  • Microsoft Office version 15 (2013)
    Note: This will be unofficial support at first. They have removed the code that would prevent you from using this product. It will still require Office to be installed in 32bit as Microsoft still hasn’t added the ActiveX controls to the 64bit version. But, this really doesn’t make a difference unless needing spreadsheets larger than 3GB and Microsoft recommends the 32bit install as I posted in a comment to this blog article
    Microsoft has added a new feature in Outlook that will create some problems. Now you can reply to emails within the preview pane. Actions performed in the preview pane do not trigger any add-ons. The Microsoft third party developer groups are looking for ways around this, but as of now no workarounds are available. If you use Outlook the way you always have, we suspect there will be no problems. If you use the preview pane to reply to messages, history will not be recorded.
  • Other Enhancements
    • All record type checkboxes are now checked by default in the Copy/Move Data wizard
    • Database Startup view preference can now be any relevant view
  • Significant changes to the social media integration – see the Screencast demo Ben posted here
  • Over 25 customer reported bug fixes

This is a big improvement on the previous management who didn’t add Office 2010 support till the next paid upgrade rather than patching it in the current build.

There are still a number of issues with international data (phone numbers, dates and currency) both in the core product and in Premium Web. I have suggested to Ben that he calls me so I can properly explain these. Hopefully he’ll take me up on the offer as soon as he has time.

I will be posting some articles soon on mobility and social media for ACT! users as well as data security and a look at how hosted or SaaS. I think these are areas that are becoming more important to all of us.

Please add a comment to this article if there’s any topic you’d like me to address in a future article or if there are specific areas you think Sage needs to improve in the product. But remember that not all feature requests can be added as I explain in the article: How Are Product Management Decisions Made?

Well, that’s all for now … I hope you all have a successful 2013 and that Sage ACT! continues to help grow your business.

 

Upgrading ACT!, especially when you are using add-ons

It is important to note that many add-on products will require updated versions in order to work with different versions of ACT!. If you are using any specific add-on(s), you should check with the add-on vendors to see if they support the new version and the procedures to get an updated build, if required.

For ACT! 2010 some add-ons (like Handheld Contact) just require a new download while others may charge an upgrade fee for the new version.

When upgrading ACT!, it is usually a good idea to uninstall any add-ons first. Then perform the ACT! upgrade and then install the latest versions of the add-ons after checking they support the new version.

This also applies if you want to upgrade your MS-Office version or your operating system – you should confirm that your version of ACT! supports this or if you need an upgrade.

Checking these things first reduces potential disappointment if you later find out you need other upgrades that might not yet be available or that you hadn’t budgeted for.


Improve calendar performance in ACT! and other applications

Microsoft have a hotfix for Windows systems that will improve the performance of applications that use UTC dates and times - including Outlook, the Windows Event Viewer and many third-party applications.

Most date and time stamps that are created and displayed in Windows and in many applications are stored as UTC. Then, they are rendered in local time by using system APIs. Examples of these include Windows file time stamps, Outlook sent and received dates, and event logging time stamps.

Not all built-in, Windows-based applications use these newly updated APIs. However, they are available to all applications, including third-party applications. These functions are useful in many scenarios, such as a user auditing scenario in which the ability to use DST rules for previous years on a current Windows service pack is important.

Generally, if an application requires historically accurate time stamps, these functions should be used.
This update improves the performance of the functions, and enables historically accurate time-stamp lookup functionality where the application uses these APIs.

Tests that have been conducted with an ACT! by Sage database have found loading 16,000 activities reduced in time from 4 minutes to 9 seconds!

The update applies to the following Windows operating systems:

  • Windows XP Service Pack 3 (SP3)
  • Windows Server 2003 Service Pack 2 (SP2)
  • Windows Vista Service Pack 1 (SP1)
  • Windows Server 2008

You can read more about this update and obtain it from this Microsoft knowledge base article: Description of updates to APIs that enable Windows-based applications to retrieve historically accurate time stamps

If you download it, feel free to post here with any tests to verify improvements.

* With thanks to Sage’s Benjamin Lederer for directing me to this.