Your computer’s Trusted Platform Module has malfunctioned – error code 800900B
Something went wrong… don’t we all love to see that message!

Your computer’s Trusted Platform Module has malfunctioned. If this error persists, contact your system administrator with the error code 800900B

Something went wrong [7q6ch]
If you see this error when trying to sign in to Microsoft 365 applications such as Teams, OneDrive for Business, Word, etc., you can try either of these solutions. Please note that these suggested solutions may not work for the specific cause of the issue in your case. They are provided for your reference and are used at your own risk.
Using solution 2 may require additional steps, like running dsregcmd /leave and deleting the enrollments registry keys (see end of blog), to remove the device from Entra and Intune and require it to be re-joined and/or re-enrolled, which could of course cause a different set of issues.
Solution 1
Step 1
First, sign out of Edge profiles, Microsoft Word and Microsoft Teams. Unlink OneDrive for Business and quit. You may have to click through some error screens, but ultimately you should be able to do this.
Step 2
AAD.BrokerPlugin – You need to delete the Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy folder and all its subfolders and files, e.g.
“C:\Users\[username]\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy”
Chances are that this will be in use, so you can either log in as a different user that is a local admin and do it, or kill the Microsoft.AAD.BrokerPlugin.exe task in the current session and try again.
Stop the TokenBroker service and set it to disabled from an admin PowerShell session:
Set-Service TokenBroker -StartupType Disabled
Stop-Service TokenBroker -Force -PassThru

or use: taskkill /F /IM Microsoft.AAD.BrokerPlugin.exe
Delete all the files and folders. You will almost certainly need to work your way up from lowest in the directory upwards until they are all gone.
Start with:
C:\Users\[username]\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\*.*
C:\Users\[username]\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\*.*
Step 3
Registry Keys
Delete the WorkplaceJoin registry key (and all subkeys). As this is under HKEY_CURRENT_USER, you need to be logged on as the user, or again, log in as a local admin, load that user's hive and do it.
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin

Delete the Identity key from the registry
Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity (and all subs)

Rename (or delete) the IdentityCRL registry key:
Computer\HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\TokenBroker\DefaultAccount
Step 4
Files and Folders – Delete these folders and files:
“C:\Users\[username]\AppData\Local\Microsoft\Identity” and “C:\Users\[username]\AppData\Local\Microsoft\OneAuth”
Step 5 – REBOOT
Restart the TokenBroker service (from an admin PowerShell session):
Set-Service TokenBroker -StartupType Manual
Start-Service TokenBroker -PassThru
Sign in to Word, and sign in to update license. You may need to quit Teams and OneDrive before attempting to connect.

If you successfully sign in and activate, then the issue is resolved.
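Steps 2 to 4 above as a single script that exports each registry key and moves each folder aside before removing it, so the change can be rolled back. This is an added example, not the author's script; it assumes an elevated PowerShell session running as the affected user, and `$BackupRoot` is a hypothetical location.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's script. Assumes an elevated session running AS THE
# AFFECTED USER, so HKCU: and $env:LOCALAPPDATA point at that user's profile.
$ErrorActionPreference = 'Stop'
# Hypothetical backup location (assumption, not from the original post)
$BackupRoot = Join-Path $env:USERPROFILE ('IdentityReset-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupRoot | Out-Null

# Step 2: release locks on the broker plugin folder
Set-Service TokenBroker -StartupType Disabled
Stop-Service TokenBroker -Force
Get-Process -Name 'Microsoft.AAD.BrokerPlugin' -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: export each key to a .reg file, and delete it only if the export succeeded
$keys = [ordered]@{
    WorkplaceJoin  = 'Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin'
    OfficeIdentity = 'Software\Microsoft\Office\16.0\Common\Identity'
    DefaultAccount = 'Software\Microsoft\IdentityCRL\TokenBroker\DefaultAccount'
}
foreach ($k in $keys.GetEnumerator()) {
    $psPath = "HKCU:\$($k.Value)"
    if (-not (Test-Path -LiteralPath $psPath)) { continue }
    $regFile = Join-Path $BackupRoot "$($k.Key).reg"
    reg.exe export "HKCU\$($k.Value)" $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $($k.Key) failed; key left in place." }
    Remove-Item -LiteralPath $psPath -Recurse -Force
}

# Steps 2 and 4: move the folders aside rather than deleting them
$folders = @(
    "$env:LOCALAPPDATA\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy"
    "$env:LOCALAPPDATA\Microsoft\Identity"
    "$env:LOCALAPPDATA\Microsoft\OneAuth"
)
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        Move-Item -LiteralPath $f -Destination (Join-Path $BackupRoot (Split-Path $f -Leaf))
    }
}
"Backups written to $BackupRoot. Reboot, then re-enable TokenBroker as in Step 5."
```

The backup folder holds cached sign-in material, so delete it once sign-in works again. To roll back instead, import the .reg files with reg.exe import and move the folders back to their original locations.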
Solution 2 – Clear the TPM from Defender
Important Notes
- Ensure BitLocker recovery keys are securely backed up.
- Clearing the TPM is typically done to resolve TPM errors or secure boot issues.
- If your environment uses Defender for Endpoint policies involving TPM, consider reviewing device health status in the Defender portal after clearing the TPM.
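A read-only pre-flight check for the notes above, added here as an example and not part of the original post: it reports TPM state, flags any BitLocker volume that is sealed to the TPM without a recovery password protector, and shows whether the Entra device key is TPM-bound. It assumes an elevated PowerShell session on a Windows edition that ships the BitLocker and TrustedPlatformModule modules.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): read-only checks before Clear TPM.

# 1. TPM state as Windows sees it
$tpm = Get-Tpm
"TPM present: {0}  ready: {1}  owned: {2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmOwned

# 2. Every volume sealed to the TPM needs a recovery password you can actually retrieve
$unsafe = @()
foreach ($vol in Get-BitLockerVolume) {
    $types    = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    $recovery = @($vol.KeyProtector |
        Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($tpmBound -and $recovery.Count -eq 0) {
        $unsafe += $vol.MountPoint
        Write-Warning "$($vol.MountPoint) is TPM-protected with no recovery password protector."
    }
    foreach ($p in $recovery) {
        # Compare this ID with the key ID shown wherever the recovery key is escrowed
        "{0} recovery protector ID: {1}" -f $vol.MountPoint, $p.KeyProtectorId
    }
}

# 3. Is the Entra device key held in the TPM? Clearing the TPM resets that key.
$dsreg = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
}
"AzureAdJoined: {0}  TpmProtected: {1}" -f $dsreg['AzureAdJoined'], $dsreg['TpmProtected']
if ($dsreg['TpmProtected'] -eq 'YES') {
    Write-Warning 'Device key is TPM-bound; dsregcmd /leave and a re-join may be needed after the clear.'
}

if ($unsafe.Count -gt 0) {
    throw "Do not clear the TPM yet: no recovery password exists for $($unsafe -join ', ')."
}
'Pre-flight checks passed.'
```

The script only confirms that a recovery password protector exists locally; that the matching key is stored somewhere you can reach still has to be checked by comparing the protector ID by hand.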
Step 1: Open Windows Security
Go to Start > Settings > Privacy & Security > Windows Security.

Click Device Security.

Step 2: Manage Security Processor (TPM)
Under “Security Processor”, click “Security Processor details”.

In the Security Processor window, click “Security Processor troubleshooting”.

Step 3: Clear the TPM
Click the Clear TPM button.
⚠️ Warning: Clearing the TPM will reset its cryptographic keys, which may affect features like BitLocker. Ensure you have recovery keys for BitLocker or other dependent services before proceeding.



Confirm the action when prompted.
Step 4: Reboot the System
The system will prompt for a reboot. After rebooting, the TPM will reinitialize.
Step 5: Reboot Again if Necessary
Some issues require an additional reboot for the system to stabilize.
Script to clear enrollments on a workstation
# Run from an elevated PowerShell session.
Write-Host -ForegroundColor Green "Unregistering the device from Entra..."
dsregcmd /leave
Write-Host -ForegroundColor Green "Clearing Enrollments keys..."
# Each subkey under Tracked is named after an enrollment GUID
$TrackedERMs = Get-ChildItem HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked -ErrorAction SilentlyContinue
foreach ($TrackedERM in $TrackedERMs) {
    $GUID = $TrackedERM.PSChildName
    # Remove every per-enrollment key that belongs to this GUID
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\$GUID" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$GUID" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$GUID" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\$GUID" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\$GUID" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$GUID" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Enrollments\$GUID" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
}
# Remove any remaining enrollment keys that were not tracked
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Enrollments" | Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
# Remove the MDM scheduled-task folders
Remove-Item -Path "$env:WINDIR\System32\Tasks\Microsoft\Windows\EnterpriseMgmt" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:WINDIR\System32\Tasks\Microsoft\Windows\EnterpriseMgmtNonCritical" -Recurse -Force -ErrorAction SilentlyContinue
# Remove the Intune MDM device certificate from the machine store
Get-ChildItem 'Cert:\LocalMachine\My\' | Where-Object { $_.Issuer -eq "CN=Microsoft Intune MDM Device CA" } | ForEach-Object { Remove-Item $_.PSPath -ErrorAction SilentlyContinue }