Navigate to C:\Users\%username%\AppData\Local\Packages and rename the Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy folder to add _old suffix. Restart your computer and launch Microsoft 365 apps to test authentication.
Fix Guide80090016Trusted Platform Module
Fix Trusted Platform Module Error 80090016 – Windows 11 2026
TPM error 80090016 prevents Microsoft 365 apps from authenticating properly. Fix by renaming the AAD BrokerPlugin folder, reinstalling WAM plugin, or clearing TPM data.
Emanuel DE ALMEIDA 80090016Trusted Platform Module 5 methods 12 min
Instant Solution
Understanding TPM Error 80090016
Trusted Platform Module (TPM) error 80090016 is a critical authentication failure that prevents Microsoft 365 applications from properly validating user credentials through Windows' hardware security chip. This error typically manifests when launching Teams, Outlook, Word, Excel, PowerPoint, or OneDrive for Business, displaying the message "Your computer's Trusted Platform Module has malfunctioned."
The TPM 2.0 chip serves as a hardware-based security foundation for Windows 11, storing cryptographic keys and certificates essential for secure authentication. When this component fails or becomes corrupted, it disrupts the entire authentication chain between Windows and Microsoft cloud services, effectively blocking access to productivity applications that millions of users depend on daily.
This issue has become increasingly prevalent in enterprise environments running Windows 11, particularly after major system updates or hardware changes. The error often correlates with corrupted Azure Active Directory broker plugin data, which handles the secure handshake between local applications and Microsoft's cloud authentication services. Understanding the root cause is crucial for implementing the most effective solution and preventing recurrence in your environment.
Diagnostic
Symptoms
- Microsoft 365 apps (Teams, Outlook, Word, Excel, PowerPoint) fail to launch with TPM malfunction message
- Error message: "Your computer's Trusted Platform Module has malfunctioned" with code 80090016
- Repeated authentication prompts in Microsoft 365 applications
- OneDrive for Business sync failures with authentication errors
- Azure AD single sign-on (SSO) not working properly
- Applications redirect to sign-in page repeatedly without successful authentication
Analysis
Root Causes
- Corrupted Microsoft AAD BrokerPlugin data preventing proper authentication handshake
- Outdated or damaged Microsoft Entra WAM (Web Account Manager) plugin components
- TPM firmware corruption or hardware malfunction affecting cryptographic key storage
- Windows 11 system updates that modified TPM security policies or registry settings
- Conflicting security software interfering with TPM communication protocols
- Hardware changes (motherboard replacement) invalidating stored TPM certificates
- Group Policy settings blocking TPM access for Microsoft 365 authentication
Resolution Methods
Solutions
01
Rename Microsoft AAD BrokerPlugin Folder
This method resolves authentication issues by forcing Windows to recreate the corrupted AAD BrokerPlugin data.
- Press Windows + R and type
%localappdata%\Packages, then press Enter - Locate the folder named Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
- Right-click the folder and select Rename
- Add
_oldto the end of the folder name:Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy_old - If you get an error that the folder is in use, open Task Manager (Ctrl+Shift+Esc)
- Go to the Details tab and end any processes related to Microsoft 365 apps
- Try renaming the folder again
- Restart your computer completely
- Launch any Microsoft 365 application (Teams, Outlook, Word)
- Sign in with your credentials when prompted
Pro tip: If the folder recreates successfully and authentication works, you can safely delete the _old folder after a few days.
Verification: Open Outlook or Teams and confirm you can sign in without seeing error 80090016. Check that the new BrokerPlugin folder was created in the Packages directory.
02
Reinstall Microsoft Entra WAM Plugin
The Web Account Manager plugin handles authentication between Windows and Microsoft services. Reinstalling it can resolve TPM authentication issues.
- Open PowerShell as Administrator (right-click Start button → Windows PowerShell (Admin))
- List installed WAM packages:
Get-AppxPackage *Microsoft.AAD.BrokerPlugin*- Remove the existing WAM plugin package:
Get-AppxPackage Microsoft.AAD.BrokerPlugin | Remove-AppxPackage- Download and reinstall the latest WAM plugin from Microsoft Store:
Add-AppxPackage -RegisterByFamilyName -MainPackage Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy- If the above command fails, try this alternative method:
wsreset.exe- Wait for the Microsoft Store to open, then search for "Microsoft Entra" and install any available updates
- Restart your computer
- Test Microsoft 365 app authentication
Warning: This method will require users to re-authenticate to all Microsoft 365 applications.
Verification: Run Get-AppxPackage Microsoft.AAD.BrokerPlugin in PowerShell to confirm the package is installed. Launch Microsoft 365 apps to test authentication.
03
Clear TPM and Reset Authentication Cache
This method clears the TPM security chip data and resets Windows authentication cache to resolve hardware-level authentication issues.
- Open Settings → Privacy & security → Windows Security
- Click Device security → Security processor details
- Click Security processor troubleshooting
- Select Clear TPM and follow the prompts
- Restart your computer when prompted
- Open Command Prompt as Administrator
- Clear the Windows authentication cache:
rundll32.exe keymgr.dll,KRShowKeyMgr- In the Stored User Names and Passwords dialog, remove any Microsoft-related entries
- Clear the credential manager cache:
cmdkey /list
cmdkey /delete:target=MicrosoftOffice16_Data:SSPI:*
cmdkey /delete:target=MicrosoftOffice16_Data:*- Reset the Windows Security Center:
Get-Service wscsvc | Restart-Service -Force- Restart your computer
- Launch Microsoft 365 apps and re-authenticate
Warning: Clearing TPM will remove all stored certificates and encryption keys. BitLocker recovery may be required.
Verification: Open Settings → Privacy & security → Windows Security → Device security and confirm TPM status shows as "Ready for use". Test Microsoft 365 app sign-in.
04
Run Microsoft 365 Activation Troubleshooter
Microsoft provides a dedicated troubleshooter that can resolve authentication and activation issues with Office applications.
- Download the Microsoft 365 Support and Recovery Assistant from the official Microsoft website
- Run the downloaded SaRASetup.exe file as Administrator
- Select Office from the application list
- Choose I'm having trouble signing in to Office
- Follow the on-screen prompts to detect and fix authentication issues
- When prompted, select Advanced diagnostics
- Allow the tool to scan for TPM-related authentication problems
- Apply any recommended fixes automatically
- If manual intervention is required, the tool will provide specific steps
- Restart your computer after the troubleshooter completes
- Test Microsoft 365 applications
Alternative manual registry fix if the troubleshooter doesn't resolve the issue:
- Open Registry Editor (regedit) as Administrator
- Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity- Delete the Identity key entirely
- Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet- Delete any entries related to authentication tokens
- Restart your computer
Pro tip: The Support and Recovery Assistant can also fix other Office-related issues and should be your first stop for Microsoft 365 problems.
Verification: Launch Word or Excel and check if the sign-in process completes without error 80090016. Verify your subscription status appears correctly in File → Account.
05
Update TPM Firmware and Windows Security Components
Outdated TPM firmware or Windows security components can cause authentication failures. This method ensures all security-related components are current.
- Check your current TPM version in Device Manager:
- Press Windows + X → Device Manager
- Expand Security devices → right-click Trusted Platform Module 2.0 → Properties
- Note the firmware version in the Details tab
- Visit your computer manufacturer's website to check for TPM firmware updates
- Download and install any available TPM firmware updates
- Update Windows Security components via PowerShell:
Update-MpSignature -UpdateSource MicrosoftUpdateServer
Update-Module -Name WindowsDefender -Force- Force Windows Update to check for security updates:
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -AcceptAll -Install -AutoReboot- Update Microsoft 365 apps to the latest version:
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user- Restart your computer after all updates complete
- Verify TPM functionality:
Get-Tpm- Test Microsoft 365 authentication
Warning: TPM firmware updates can be risky. Ensure your computer has stable power and don't interrupt the update process.
Verification: Run Get-Tpm in PowerShell and confirm TpmReady and TpmEnabled both show as True. Launch Microsoft 365 apps to verify authentication works without error 80090016.
Validation
Verification
After applying any of the above solutions, verify the fix by performing these steps:
- Launch Microsoft Teams or Outlook and attempt to sign in
- Confirm you don't see the TPM malfunction error 80090016
- Check TPM status by running this PowerShell command:
Get-Tpm | Select-Object TpmReady, TpmEnabled, TpmActivatedAll three values should return True. If any show False, the TPM may need additional configuration.
- Verify Microsoft 365 authentication by opening Word → File → Account
- Confirm your user account and subscription status display correctly
- Test OneDrive sync functionality to ensure cloud authentication works
If it still fails
Advanced Troubleshooting
If the above methods didn't resolve error 80090016, try these advanced troubleshooting steps:
Hardware-Level TPM Issues
If the TPM chip itself is malfunctioning, you may need to:
- Contact your computer manufacturer for TPM replacement or repair
- Check if your organization's Group Policy allows TPM bypass for Microsoft 365 authentication
- Consider using alternative authentication methods like FIDO2 security keys
Enterprise Environment Solutions
For domain-joined computers, administrators should:
- Check Azure AD Connect synchronization status
- Verify Conditional Access policies aren't blocking TPM authentication
- Review Windows Hello for Business configuration
- Deploy the fix via Group Policy or Microsoft Intune
Advanced Registry Cleanup
If authentication issues persist, manually clean these registry locations:
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPCDelete these keys, restart, and test authentication again.
Frequently Asked Questions
What does TPM error 80090016 specifically mean in Windows 11?+
TPM error 80090016 indicates that the Trusted Platform Module hardware security chip cannot properly authenticate Microsoft 365 applications. This occurs when the TPM fails to provide or validate the cryptographic keys required for secure communication between your local apps and Microsoft's cloud services. The error specifically points to a malfunction in the hardware security subsystem that Windows 11 relies on for authentication.
Why does this error only affect Microsoft 365 apps and not other applications?+
Microsoft 365 applications use Azure Active Directory (Azure AD) for authentication, which relies heavily on TPM-stored certificates and keys for security. Other applications may use different authentication methods that don't require TPM validation. The Microsoft AAD BrokerPlugin specifically handles this TPM-based authentication for Office apps, Teams, and OneDrive, which is why the error is isolated to Microsoft's ecosystem.
Can I permanently disable TPM to avoid this error in the future?+
Disabling TPM is not recommended as it significantly reduces your system's security posture and may violate your organization's security policies. TPM provides essential security features like BitLocker encryption, Windows Hello, and secure boot. Instead of disabling TPM, focus on keeping your system updated and maintaining clean authentication data. If you must disable TPM temporarily, do so through BIOS/UEFI settings, but re-enable it after resolving the authentication issue.
How often should I clear the AAD BrokerPlugin folder to prevent this error?+
You should only clear the AAD BrokerPlugin folder when experiencing authentication issues, not as preventive maintenance. Regular clearing can cause unnecessary re-authentication prompts and may indicate an underlying system problem. If you find yourself clearing this folder frequently (more than once every few months), investigate potential causes like outdated drivers, conflicting security software, or Group Policy issues that might be corrupting the authentication data.
Will fixing TPM error 80090016 affect my BitLocker encryption or other security features?+
Most solutions for error 80090016 (like renaming the BrokerPlugin folder or reinstalling WAM) won't affect BitLocker or other TPM-dependent security features. However, clearing the TPM entirely (Method 3) will require BitLocker recovery and may reset Windows Hello settings. Before clearing TPM, ensure you have your BitLocker recovery keys and are prepared to reconfigure biometric authentication. Always backup important data and recovery keys before performing TPM operations.
Written by
Emanuel DE ALMEIDA
Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
Further Intelligence
Deepen your knowledge with related resources
Discussion
Share your thoughts and insights
You must be logged in to comment.
Loading comments...