80090016 Error | Fix Outlook And Teams TPM Issue

Guide / By

The 80090016 error points to a Trusted Platform Module or keyset problem that blocks Microsoft 365 sign-in until local credentials are repaired.

What Does The 80090016 Error Mean In Microsoft 365?

This error appears when Microsoft 365 apps such as Outlook or Teams cannot read cryptographic keys that live on your device. Those keys are stored and protected by the Trusted Platform Module, or TPM. When that chip, its driver, or the related certificates stop working as expected, the sign-in flow fails and the app shows 80090016 instead of opening your mailbox or chat list.

Most users see a message that mentions the Trusted Platform Module and a keyset that does not exist. The app expects a secure identity token on the device, but that token is missing, damaged, or tied to hardware that changed.

This problem sits on the local machine. Your mailbox in Exchange Online or your Teams data in the cloud still works. That is why Outlook on the web and Teams on the web often sign in without trouble while the desktop apps throw the same code on the same account.

Where You Usually See 80090016 Code In Outlook And Teams

This code tends to appear in a handful of patterns. Matching your case to one of them points you to the best fix.

  • New Device Or Motherboard Swap — Outlook or Teams starts to complain right after a system board replacement or a move of your system disk into another computer.
  • PIN Or Windows Hello Sign-In — You sign in to Windows with a PIN, fingerprint, or face recognition and the app suddenly starts to show a Trusted Platform Module message.
  • Work Or School Account On A Personal PC — You added a work or school account to a home computer through Access work or school, and only that account fails with 80090016.
  • Domain Or Azure AD Joined Device — Company laptops that are joined to a domain or Entra ID may show the code when device registration or token caching breaks.

In every case the link between your Windows profile, the hardware TPM, and the encrypted keys that prove your identity breaks. The fixes here rebuild that link without touching mailbox or Teams data.

Quick Checks Before You Change Any Settings

Before you touch the registry or TPM, run a short set of safe checks that often bring Outlook or Teams back to life.

  • Confirm Time And Date — Open Date & time settings and make sure the clock, time zone, and calendar are correct, then try Outlook or Teams again.
  • Test The Account On The Web — Sign in to Outlook on the web or Teams on the web with the same account to confirm the account works in the cloud.
  • Restart Apps And Then Windows — Fully exit Outlook and Teams from the system tray, restart Windows, and launch the apps once more.
  • Switch To Password Sign-In Once — If you use a PIN or Windows Hello, switch to a normal password just for the next sign-in, then open the app.

If the code still appears after these checks, move on to the fixes that reset credentials or repair TPM settings on the device.

Step-By-Step Fixes On A Single Computer

These steps suit cases where the 80090016 error appears on one device while the same mailbox opens normally elsewhere.

Disconnect And Reconnect Your Work Or School Account

Microsoft 365 links device tokens to the Access work or school entry in Windows, so refreshing that link often clears broken keys.

  1. Open Accounts Settings — Press Windows + I, go to Accounts, then choose Access work or school.
  2. Disconnect The Affected Account — Select the work or school account that fails and choose Disconnect, then confirm.
  3. Restart Windows — Reboot the device so cached tokens tied to that account are cleared from memory.
  4. Add The Account Again — Return to Access work or school and choose Connect, then sign in with the same email.
  5. Launch Outlook Or Teams — Open the app and sign in when prompted, then check whether the message still appears.

Clear Cached App Credentials

Outdated tokens in Outlook or Teams can trigger the error even when the device entry looks fine.

  1. Sign Out From Microsoft 365 Apps — In Outlook, open File > Office Account and choose Sign out for every listed account.
  2. Remove Work Or School Accounts From Settings — In Settings > Accounts > Email & accounts, remove any duplicate work entries.
  3. Clear Windows Credentials — Open Credential Manager, choose Windows Credentials, and remove entries related to Outlook, Teams, or Office.
  4. Restart And Sign In Again — Reboot, then launch Outlook or Teams and sign in using your work or school email.

Reset The Microsoft AAD Broker Plugin Data

The Microsoft.AAD.BrokerPlugin folder stores tokens that join Windows sign-in and cloud accounts; a damaged file inside can block new keys.

  1. Close Microsoft 365 Apps — Exit Outlook, Teams, and other Office apps from the taskbar and system tray.
  2. Open The Packages Folder — In File Explorer, paste %localappdata%\Packages into the path field and press Enter.
  3. Find The Broker Plugin Folder — Look for a folder named Microsoft.AAD.BrokerPlugin… in the list.
  4. Rename The Folder — Right click it, choose Rename, and add .old to the end of the folder name.
  5. Restart Outlook Or Teams — Open the app again, sign in, and allow Windows to create a fresh BrokerPlugin folder and tokens.

Clear And Rebuild TPM Keys Through Windows Security

When cached credentials look fine but the Trusted Platform Module still reports trouble, resetting its stored keys often restores sign-in on a personal device.

  1. Open Device Security — Go to Settings > Update & Security > Windows Security, then pick Device security.
  2. Open Security Processor Details — Under Security processor, choose Security processor details.
  3. Run Security Processor Troubleshooting — Select Security processor troubleshooting and follow any offered actions.
  4. Use The Clear TPM Option If Offered — If you see a Clear TPM button, read the warning and accept only when you can sign in again with your Microsoft 365 account if needed.
  5. Restart And Test Sign-In — Reboot when prompted, then open Outlook or Teams to see whether sign-in now works.
Fix When To Try It Risk Level
Reconnect work or school account Single device affected, account works on web Low
Clear app and Windows credentials Token prompts repeat or accounts changed Low
Reset BrokerPlugin data Error began after profile or device changes Medium
Clear TPM through Windows Security TPM messages appear across apps Medium

Advanced Repairs For Persistent 80090016 Code

If earlier steps do not remove this error, the issue may sit in the Windows profile, registry entries, or the TPM driver. These methods suit experienced users or administrators.

Adjust Protection Policy Registry Settings

A missing ProtectionPolicy value in the Cryptography branch can keep apps from reading device keys; adding it restores a safer default setting.

  1. Create A Restore Point First — Use System Protection to create a restore point so you can roll back if something goes wrong.
  2. Open Registry Editor — Press Windows + R, type regedit, and press Enter.
  3. Browse To The Cryptography Path — Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb.
  4. Create Or Edit ProtectionPolicy — If a value named ProtectionPolicy does not exist, create a new DWORD (32-bit) Value with that name.
  5. Set ProtectionPolicy To 1 — Double click the value and set Value data to 1, then restart Windows and test Outlook or Teams.

Set Identity Values For Office In The Registry

Two identity values for Office can redirect Outlook and other apps away from failing sign-in paths that rely on Web Account Manager.

  1. Open Registry Editor Again — With regedit still open, move to the key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity.
  2. Create DisableADALatopWAMOverride — Add a new DWORD (32-bit) Value named DisableADALatopWAMOverride and set it to 1.
  3. Create DisableAADWAM — Add another DWORD (32-bit) Value named DisableAADWAM and set it to 1.
  4. Restart And Test Outlook — Reboot the device, open Outlook, and sign in again when asked.

Reset Windows Hello PIN And The Ngc Folder

A damaged Ngc folder that stores Windows Hello data often sits behind stubborn TPM messages; resetting it and creating a new PIN brings identity files back in sync with hardware.

  1. Switch To Password Sign-In In Windows — Sign out, then sign in using your normal account password instead of a PIN or biometrics.
  2. Open The Ngc Folder — In File Explorer, browse to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC.
  3. Take Ownership If Needed — If you cannot open it, change folder owner to your account through Properties > Security.
  4. Delete Folder Contents — Remove all files and subfolders inside NGC while leaving the folder itself in place.
  5. Set Up A New PIN — Go to Settings > Accounts > Sign-in options and create a new PIN, then try Outlook or Teams again.

Update Or Reinstall The TPM Driver

On some devices the Trusted Platform Module driver in Device Manager causes sign-in failures until it is refreshed.

  1. Open Device Manager — Right click the Start button and choose Device Manager.
  2. Expand Security Devices — Find Security devices in the list and expand it.
  3. Update The TPM 2.0 Entry — Right click Trusted Platform Module 2.0, choose Update driver, and let Windows search automatically.
  4. Uninstall And Reboot If Needed — If no update appears and errors continue, right click the same entry, choose Uninstall device, confirm, and restart Windows so it reinstalls the driver.

How To Lower The Odds Of TPM Errors Returning

Once Outlook and Teams open again, a few habits make this type of problem less likely to come back on the same device.

  • Keep Windows And Firmware Updated — Install monthly Windows updates and vendor firmware updates so TPM fixes from Microsoft and the device maker reach your system.
  • Avoid Forced Power Cuts — When possible shut the device down through Start > Power instead of holding the power button until the screen goes dark.
  • Plan Ahead For Hardware Swaps — After a motherboard change, expect to sign in again and re-register the device with work or school services.
  • Use One Primary Sign-In Method — Stick with either password plus multi factor prompts or Windows Hello, instead of switching methods every few days.
  • Back Up User Data Regularly — Use OneDrive, SharePoint, or another trusted storage location so a profile or driver issue never risks your only copy of work files.

With these steps in place you cut down on more TPM surprises, and when a message does appear you now have a clear path to bring Outlook, Teams, and other Microsoft 365 apps back to normal again quickly.