Trusted Platform Module has malfunctioned, error code 80090016


The server message is "Keyset does not exist Keyset does not exist".


I have a user that just received this error this AM. So far I’ve tried the steps here but nothing has worked. I think I’ll need to create him a new Windows profile but he’s a regional user and he’s at the airport which will make things more fun.


Disabled Bitlocker and cleared the TPM

Renamed the folder here “C:\users\$dir\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy”

Uninstalled the TPM driver

Disabled MFA for his 365 account


I’ve come across the two posts here but is there anything else I can do remotely once he is able to get his laptop connected other than creating him a new profile? I don’t mind doing that but he’s traveling all day/night and I won’t have access to his machine for long. He’s going to be using a hotspot.


Also, what would cause this out of the blue? It’s a new Dell Latitude that I set up for him two days ago???


14 Replies
best response confirmed by PS_83 (Brass Contributor)
He was waiting for a flight so I only had about 30 min. Cut my losses and created him a new user profile. Working fine but still curious to see what would cause this???

Open up Windows Explorer and navigate to the following directory: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\

If you are not able to see the AppData folder, you will have to enable hidden folders by clicking on File and then selecting 'Change folder and search options'. Switch to the View tab and make sure the 'Show hidden files, folders, and drives' option is checked. Hit Apply and then click OK.

You will not be able to access the Ngc folder without taking over the ownership. To take over ownership:

Right-click on the folder and click Properties.

Switch to the Security tab and click Advanced.

Click Change in front of Owner.

Type in the username of the account that you are currently using.

Afterward, click Check Names and then hit OK.

Make sure that the 'Replace owner on subcontainers and objects' box is checked.

Click Apply and then hit OK.

Open up the Ngc folder and delete all the contents of the folder.

Try adding a PIN again. @PS_83
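The same Ngc reset as a script, added here as an example (it is not code from the reply above or from Microsoft). It takes ownership the way the GUI steps do, but moves the contents to a backup folder instead of deleting them so the change can be undone; the backup path under ProgramData is an assumption.

```powershell
# Added example: scripted version of the Ngc reset steps. Run from an elevated PowerShell prompt.
$ngc    = 'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc'
$backup = "$env:ProgramData\NgcBackup-$(Get-Date -Format yyyyMMdd-HHmmss)"   # assumed backup location

if (-not (Test-Path -LiteralPath $ngc)) { throw "Ngc folder not found at $ngc" }

# Take ownership for the Administrators group, recursively, answering Y when a
# subfolder cannot be listed (GUI equivalent: Properties > Security > Advanced > Change owner).
takeown.exe /F $ngc /A /R /D Y | Out-Null

# Grant Administrators full control on the whole tree so the contents can be moved.
icacls.exe $ngc /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null

# Move (rather than delete) everything, including hidden/system items, into the backup folder.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Get-ChildItem -LiteralPath $ngc -Force | Move-Item -Destination $backup -Force

Write-Host "Ngc contents moved to $backup."
Write-Host "Sign out, sign back in, and add a PIN again under Settings > Accounts > Sign-in options."
```

If the PIN still cannot be created, the backup folder can be moved back to restore the previous state.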



Not sure if that has worked; I will find out when using the computer tomorrow, as it only does this randomly. I suddenly find that I have to log in to an app such as Office 365 and Outlook again and again, also Adobe DC, all this after the latest W10 update! I use my computer 12+ hours a day and am very busy at the moment, so I do not have time for messing around with my computer.


Thank you for your input I will see if all is resolved.



I've been using these steps to clear the TPM errors.

To clear the TPM

Open the Windows Defender Security Center app.

Click Device security.

Click Security processor details.

Click Security processor troubleshooting.

Click Clear TPM.

You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.

After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
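A PowerShell equivalent of the Clear TPM steps, added here as an example (not code from the reply above or from Microsoft). It adds the two checks a practitioner wants before clearing: that a TPM is actually present (several replies in this thread report machines without a security processor) and that BitLocker on the OS drive is suspended, since clearing the TPM invalidates the TPM key protector and would otherwise trigger the recovery prompt at reboot. It assumes the OS drive is C:.

```powershell
# Added example: pre-flight checks plus Clear-Tpm. Run from an elevated PowerShell prompt.
Import-Module TrustedPlatformModule
Import-Module BitLocker -ErrorAction SilentlyContinue

# Report the TPM state first; TpmPresent/TpmReady are what the Security processor page shows.
$tpm = Get-Tpm
$tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmOwned, LockedOut, ManagedAuthLevel | Format-List

if (-not $tpm.TpmPresent) {
    # No security processor: Clear TPM cannot help, so only the Ngc / AAD broker steps remain.
    throw 'No TPM present on this machine; Clear-Tpm does not apply.'
}

# Clearing the TPM destroys the BitLocker TPM protector. Suspend protection for one reboot so
# the OS drive does not demand the recovery key; the recovery key must still be escrowed first.
$osVol = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
if ($osVol -and $osVol.ProtectionStatus -eq 'On') {
    $ids = ($osVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    Write-Host "BitLocker is on. Confirm recovery password(s) $($ids -join ', ') are backed up before continuing."
    Suspend-BitLocker -MountPoint 'C:' -RebootCount 1 | Out-Null
}

# Clear the TPM; the firmware will usually ask for a physical-presence confirmation during the restart.
Clear-Tpm | Out-Null
Restart-Computer -Confirm
```

After the restart, Get-Tpm should report TpmReady as True and BitLocker protection resumes automatically.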


We had to replace a motherboard in a staff member's laptop and started to receive this error after the new one was installed. Fixed the issue using the site below. Basically just had to rename an AAD Broker folder.

@mcgoo2000 Yes that worked for me as well. 

Still got the same error, despite all above. Using a VM with Windows 10 and a virtual TPM. 

This didn't do it. The Ngc folder was empty.

This didn't work. I don't even have a Security processor (Sicherheitsprozessor, Standardhardwaresicherheit in German).



Yes, I found this with another computer that I bought that did not have a TPM. I specifically made sure that it did not have this due to the error occurring in my HP machine. The solution that I have found is to connect your computer (W10) to your Microsoft account (I had to create an account). I had previously deliberately avoided this as I definitely do not want 'Big Brother' taking all my data etc. However, if I do not comply I will not be able to use my Office 365 or Adobe etc. Yes, there are alternatives, but as all the businesses that I work with also use these programs I am stuck. ORWELL WAS RIGHT!!! The message is 'suck it up' and do as you are told! The Chinese republic of Great Britain.


PS: I doubt Big Brother (Microsoft) will allow this post to be published.


We started facing the TPM malfunctioning error when replacing motherboards on AutoPilot machines. None of the suggested solutions helped, but we found an easy and effective solution; at least it worked in our case: rejoining the PC to the domain. We have a hybrid AD. I did nothing with the AAD account or Intune. Just join the affected PC to a workgroup, reset its account in on-prem AD, and join the PC back to the domain. It resolved the issue.


I tried this same thing described in SysInfoTools and it wouldn't allow me to empty the contents of the NGC folder. That didn't fix my Office activation and, at some point, it let me enter my account username and password but failed to let me create a PIN (not sure why that disappeared). Unfortunately, after a reboot and hoping it worked, I am now locked out of my computer. It reads "you'll need the internet for this" to log in to my Microsoft account, but it is connected to the WiFi network.


Once I can re-access my computer, I can try mcgoo2000's solution since my motherboard was just replaced.


I had this weird problem and it turned out to be Zone Alarm Pro Firewall.

As soon as I (temporarily) disabled it and ran the Outlook 365 sign-in procedure again, everything worked. I did notice that when Outlook started, even with the user signed in there, it did not pick up his email account and I had to add it manually using 'Add Account'.


@Vadim_Antonov Was the solution for me too! Thanks so much!


I tried renaming and deleting the AAD.Broker and Account.Control folders. I renamed the NGC folder, reset TPM, ran the SARA utility, and no success. Then I unjoined from the AD domain, rejoined, and signed in under the user's AD account. When opening the first O365 app I was prompted to register the device in O365. After that all the apps opened fine.


I will note that about two weeks ago the same error/issue appeared on a laptop that had just had the motherboard replaced, and all it took was renaming the AAD Broker folder to fix it.


Wish I knew more about the underlying connections between a device and O365 to figure out what is causing this, but at least now I have a growing list of things to try.
