Office TPM error 80090016

Michael Sheppard
We recently migrated a lot of users from one domain to a new domain using profwiz. This tool was great, however, one thing that we're coming across is an issue with authenticating fully into Office. When the user authenticates after the first credential pass, it prompts again and then errors out to:

"Your computer's Trusted Platform Module has malfunctioned"
"Error code: 80090016"
"Keyset does not exist Keyset does not exist"

Then the app is fine whether it's Outlook, Excel, Word, etc...

Where the big issue arises is in OneDrive because that leverages cached credentials and syncing can get very wonky under these circumstances.

This also appears to be profile specific (specific to the profile that was migrated to the new domain) as any new user can log in to the machine and Auth and TPM works fine.

I've tried clearing TPM, resetting TPM and deleting TPM.
I've tried the EnableADAL regfix and that doesn't work (I also don't want to employ this as it is a hack workaround and not a fix).
I also came across renaming the following folders to no avail:

C:\Users\<user>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
C:\Users\<user>\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy

This problem is killing me and if someone knows of a bulletproof process to get this sorted out you'd be forever idolized here!
Matt Kendall, Tech / Business owner operator

Commented:
Yes, if you watch when Profwiz3 sets up the new profile, it looks like it doesn't actually move or copy the data.  The data stays in the same place and it changes a bunch of SAM and SID settings--probably in the registry.  This seems to cause O365 to throw a fit and tell you--wait, there's something not right here.  I think that your solution is to rename those two files in the old profile location and then see if that fixes your problem.

Author

Commented:
I did change them and it didn't seem to have an effect unfortunately. What's interesting is I am not seeing Microsoft.AccountsControl_cw5n1h2txyewy being recreated (I rename and move it just for good measure). I only see Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy being recreated. Any thoughts on that?
Matt Kendall, Tech / Business owner operator

Commented:
I had the exact same issue and I thought FOR SURE that I was in the right profile directory.  Then, I started going into other profile directories and changing the names in there.  Also, make sure that you're not logged into that profile while you're making the change.  I even restarted after I made the changes.  You'll get it--keep trying and you'll find the right one.

Author

Commented:
I am definitely in the correct profile, I mean literally, there can't be another profile this user would be mapped to. Unless any profile (even though they are not valid any longer in any way) that exists on the machine from the old domain would need to be changed as well. It is literally

Otheruser1 (old domain)
Otheruser2 (old domain)
Otheruser3 (current domain)
Default
Otheruser4 (old domain)
Otheruser5 (localaccount)
Otheruser6 (current domain)
Public
TARGETUSER (current domain)
Otheruser7 (current domain)

I don't see in this instance that it could be any other user than TARGETUSER, I know you don't see the names, but they are entirely different identities.

You don't think it's weird that Microsoft.AccountsControl_cw5n1h2txyewy doesn't get recreated? Did you see that in any of your cases?
Matt Kendall, Tech / Business owner operator

Commented:
Yes, when I saw that it wasn't being recreated I started to wonder if I was in the right profile.  I went into an old profile that wasn't even listing the domain.  I thought that for sure it couldn't be it but I figured what do I have to lose.  So, I changed the name on both files, restarted the computer and logged in as the user with the problem and it was like magic--it worked!  I was so glad to be done with that annoying problem.  What version of Windows are you on?  The system I was working on didn't have the 1903 update yet.  Maybe your problem is different if you're on 1903?

Author

Commented:
It is 1803

I can go through and rename the two folders in all the old domain profiles and see if that has any effect.

I've also seen deleting the contents of the following directory could help (though it seemingly is associated with this same error code, but just for PIN use)

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC
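
The rename-in-every-profile step discussed in this post and the replies around it, as an added example that is not part of the thread: a PowerShell script that lists the two package folders (and any suffixed copies) in every profile, and renames them only when -Rename is passed. The $ProfilesRoot default and the .old-<timestamp> suffix are assumptions.

```powershell
# Added example, not from the thread. Inventories the Office sign-in package
# folders named in the posts across every profile directory.
param(
    [string]$ProfilesRoot = 'C:\Users',  # assumption: default profile location
    [switch]$Rename                      # without this switch nothing is changed
)

# Folder names come from the thread; the trailing wildcard also catches suffixed
# copies such as Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy_<number>.
$patterns = 'Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy*',
            'Microsoft.AccountsControl_cw5n1h2txyewy*'

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

$found = foreach ($userDir in Get-ChildItem -LiteralPath $ProfilesRoot -Directory -Force) {
    $packages = Join-Path $userDir.FullName 'AppData\Local\Packages'
    if (-not (Test-Path -LiteralPath $packages)) { continue }   # Public, Default, etc.
    foreach ($pattern in $patterns) {
        Get-ChildItem -LiteralPath $packages -Directory -Filter $pattern -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Profile   = $userDir.Name
                    Folder    = $_.Name
                    LastWrite = $_.LastWriteTime   # shows which copies were recreated recently
                    Path      = $_.FullName
                }
            }
    }
}

$found | Sort-Object Profile, Folder | Format-Table Profile, Folder, LastWrite -AutoSize

if ($Rename) {
    foreach ($item in $found) {
        # Skip folders this script already renamed on an earlier run.
        if ($item.Folder -like '*.old-*') { continue }
        # Rename instead of delete so the change can be reverted.
        Rename-Item -LiteralPath $item.Path -NewName "$($item.Folder).old-$stamp" -ErrorAction Continue
    }
}
```

Run it from an elevated prompt while the affected user is signed out, as the replies advise. The LastWrite column makes it easy to see which folder is recreated at the next sign-in and which is not.
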
Matt Kendall, Tech / Business owner operator

Commented:
Yes, I initially tried that fix and it didn't help at all.  From now on, I won't be using Profwiz3 to migrate profiles.  It used to work so well but now with all of the stuff it affects, it's easier to use OneDrive to help migrate profiles.  If I'm working with non-O365 computers--I'll probably still use Profwiz.

Author

Commented:
Here is another interesting thing I see. I mentioned it earlier, but I am sure it got lost in all the details, there was an additional directory that caught my eye in this user's profile:

Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy_131944540950521545

It could have nothing to do with anything, but I also see this in the other user I am testing with. I do not see this in any of the other profiles on either machine. Have you seen this? Wondering if I should get rid of this as well.

Thoughts?
Matt Kendall, Tech / Business owner operator

Commented:
You can always try to change the name of the folder and then see what happens.  It might be the solution.

Author

Commented:
Jeez Matt I really want you to guarantee me lifelong happiness, can't you do that!?! ;)
Matt Kendall, Tech / Business owner operator

Commented:
Yes...well, happiness is being a tech but I'd say that being a dad and husband makes me happier than being a tech.  But I love both.  

I also love it when Microsoft releases a Windows update like 1903 that breaks everything and then I have a lot of business (job security).  Thanks Microsoft!  :)  I love Microsoft.

Author

Commented:
Hey Matt,

Unfortunately, this solution does not work for us at all. What's interesting is Microsoft.AccountsControl_cw5n1h2txyewy never gets recreated, though I am not sure it matters.

I tested with a local account and deleting both the folders (logged out from that account). Rebooting, signing back in to the local account. Then I signed into O365 (with the affected users creds for this machine) and it worked like a charm, though it would have worked fine either way, I just wanted to see if Microsoft.AccountsControl_cw5n1h2txyewy was not recreated and it wasn't.

Additionally, I removed every single profile outside of the one domain profile and the one local profile. So I don't think it's pointed to an incorrect profile.

The issue clearly lies within the profile but for us, sadly, this does not work.

Which is a huge bummer, I was very hopeful. If you have any other thoughts I am all ears.

Thanks,
Mike

Author

Commented:
Hey Matt,

Just wanted to follow up here. The TPM issue appears to be more of an indicator than anything else. Looks like the O365 account just needs to be re-connected to Windows.

This can be done in either:

Settings>Accounts>Access work or school

or

Settings>Accounts>Email & Accounts

Either should work, but if the O365 account is not attached at all I prefer to connect via Access work or school.

This solved our issue.
