How to Fix Windows Hello Error Code ‘0x80090011’?

If you see the 0x80090011 error while attempting to set up Windows Hello on Windows 10 or Windows 11, you are not the only one. This issue is way more common than Microsoft would care to admit and seems to be more widespread on Windows 11. 

Windows Hello Error 0x80090011

As it turns out, there are several different causes that will force your operating system to trigger this error when attempting to configure Windows Hello. After investigating various user reports, we’ve come up with a shortlist of potential culprits. Check it out below:

  • Transient Microsoft Account-related issue – According to a lot of affected users, this problem can be a simple glitch that can be resolved by logging out of the current Microsoft account and logging back in. After doing this and restarting their PC, a lot of affected users have confirmed that they were suddenly able to complete the process of creating a Hello Pin.
  • Azure AD inconsistency – Keep in mind that the Hello pin is highly dependent on the Azure Active Directory infrastructure. If you’re experiencing this issue due to an Azure AD inconsistency, the only thing you need to do to fix it (in the vast majority of cases) is to simply leave the Active Directory machine and then join it again.
  • Inconsistency inside the NGC folder – The vast majority of PIN setting information related to Windows Hello is stored inside the NGC folder. If you’re experiencing this issue due to some type of corruption affecting files in this folder, the only thing you need to do is clear the NGC folder. This will force your OS to generate new healthy files that won’t have the same kind of issue.
  • PIN creation is stuck in a limbo state – If your PC was interrupted and needed to restart (or shut down) during the process of creating a new PIN, there’s also a possibility that you’re experiencing this problem because the PIN was not actually created. In this case, simply start the process over and create a new PIN from scratch.
  • TPM is not prepared – Another underlying issue that might cause this error code is an undeployed TPM. You won’t be able to deploy Windows Hello (for security reasons) unless the hardware-layer encryption that comes with TPM is enabled. You can do this by adjusting the TPM settings via the TPM Management tool. 
  • Disabled IPsec Policy Agent – One important dependency of Windows Hello that is often overlooked is the IPsec Policy Agent. It’s critical to access the Settings menu, modify the startup type of IPsec Policy Agent and make sure the service is started. 
  • Incorrectly configured login policy – As it turns out, there is one group policy that might prohibit users from establishing Windows Hello pins. Unless this policy is enabled, you will not be able to complete this process (even from an admin account). You’ll need to make sure that the Group Policy setting is enabled inside the Local Group Policy Editor. 
  • Bad Windows Update – Microsoft has a history of releasing updates that end up interfering with security components that are already in place. If you only started to experience this problem recently, you should attempt to roll back the latest installed update and see if this allows you to fix the issue. 

1. Re-sign into your Microsoft account

The first thing you should do is try to remove the error message to log out of your Microsoft Account. Many users claimed that the problem was resolved simply by signing out and back in again. 

According to many afflicted customers, the problem is a minor bug that can be remedied by checking out and back into the current Microsoft account. Many impacted users have indicated that after doing so and restarting their PC, they were able to complete the process of creating a Hello Pin.

To log out of your Microsoft Account and then back in, follow these instructions:

  1. To access the start menu, use the Windows key.
  2. From the Start menu that just appeared, right-click on the profile picture in the Start Menu’s bottom left corner.
    Right-clicking on the profile picture
  3. From the context menu that just appeared, select Sign Out from the context menu.
  4. After you do this and you confirm the sign-out process, you will now be directed to the Windows lock screen.
  5. Once you get there, select your Microsoft account once again, type in your password, and then select Sign In.
  6. Insert your credentials once again and complete the process of signing back into your Microsoft account.
  7. Attempt to complete the process of setting up your PIN once again and see if the problem is now resolved.

In case the same problem is still occurring, move down to the next method below. 

2. Reconnect to Azure AD

Remember that the Hello pin relies heavily on the Azure Active Directory infrastructure. If you’re having this problem because of an Azure AD discrepancy, the only way to repair it (in the great majority of cases) is to disconnect from the Active Directory host and reconnect.

If you had joined Azure AD on your device, the Hello PIN Error 0x80090011 may also appear. If this is the case, you (as the administrator) must unjoin Azure AD and then rejoin it once everything appears to be working properly.

Here’s what you need to do:

  1. Press the Windows key + I key to open up the Settings menu. 
  2. Once you’re inside the Settings menu, click on System from the menu on the left, then move to the menu on the right to click on About from the menu that just appeared. 
    Accessing the About menu
  3. Next, scroll down through the About tab and locate your Azure AD connection, then click on the Disconnect from the organization hyperlink and confirm the choice at the next screen.
  4. Once you are successfully disconnected from the Azure AD connection, restart your PC as instructed, then reverse-engineer the steps above and rejoin the Azure AD connection once again.
  5. Attempt to set up a Windows Hello PIN once again and see if the problem is now fixed.

If you’re still experiencing the same 0x80090011 while attempting to set up the Windows Hello PIN, move down to the next method below. 

3. Refresh the NGC folder

The NGC folder contains a vast amount of PIN setup information for Windows Hello. The only thing you need to do if you’re having this problem because files in this folder are corrupted is to empty the NGC folder. This will compel your operating system to create new, healthy files that will not have the same problem.

Note: The NGC folder is responsible for keeping information connected to the current sign-in options on your PC, such as PIN, password, and retina, as well as any other type of sign-in technique.

But keep in mind that in order to be able to enforce this method, you will need to boot in Safe Mode (without networking) and delete the contents of the NGC folder.

Follow the instructions below for specific instructions on how to do this:

  1. Start by clicking the power icon on the signup screen that causes the issue, then press and hold the Shift key while clicking Restart.

    Install the Recovery menu

    Note: If you do this, your Windows 11 computer will restart from the Recovery menu.

  2. To access the Advanced Options menu, click Troubleshoot on the first screen when your PC boots into the Recovery menu.
    Accessing the Troubleshoot menu
  3. Select Startup Settings from the list of available choices in the Advanced Options menu.
    Open up the Startup Settings menu
  4. Your PC will restart right into the Startup Settings screen if you select this option and confirm your selection.
  5. To force your PC to boot in Safe mode, hit the F4 or the Num 4 keys when in the Startup Settings window.
    Boot Windows 11 in Safe Mode with Networking
  6. Wait until your Windows 11 PC launches into Safe Mode after answering Yes to the confirmation window.
  7. Open File Explorer and navigate to the following place once the boot sequence is complete:
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft
  8. Simply right-click the NGC folder in the desired location and select Delete from the context menu.
    Deleting the NGC folder
  9. After you’ve deleted the NGC folder, restart your computer normally, and you should be able to sign in without having to enter a PIN.
    Note: The NGC folder will be regenerated after this, so you can establish a new PIN.
  10. Attempt to establish a new Windows Hello PIN and see if you can complete the operation without encountering the same 0x80090011 error.

If the problem is still not fixed, move down to the next method below. 

4. Adjust the TPM

An undeployed TPM is another underlying issue that could generate this error code. You won’t be able to use Windows Hello until the hardware-layer encryption provided by TPM is enabled (for security reasons). You can do this by using the TPM Management tool to change the TPM settings.

Note: A lot of affected users have confirmed that once they go through the steps below and prompted the enforcement of the TPM component, they we’re finally able to complete the process of creating a Windows Hello PIN.

Here’s what you need to do:

  1. Using the Windows + R shortcut key, open the Run dialogue box.
  2. Press the Enter key after typing ‘tpm.msc’ inside the dialog box. 
  3. If you are prompted by the User Account Control (UAC), click Yes to grant admin access.  
  4. In the top left corner of the screen, select the Action option from the ribbon bar at the top.
  5. From the context menu that just appeared, select Prepare the TPM from the context menu.
    Preparing the TPM

    Note: If TPM is already configured, the Prepare the TPM option will be greyed out.

  6. To make changes, close the window and restart the computer.
  7. Attempt to complete the process of creating the Hello PIN once again and see if the problem is now fixed.

If you’re still experiencing the same 0x80090011 error, move down to the next method below. 

5. Adjust the IPsec Policy Agent

The IPsec Policy Agent is a crucial Windows Hello requirement that is sometimes forgotten. It’s necessary to go to the Settings menu, change the IPsec Policy Agent startup type, and make sure the service is running.

Several affected users have confirmed that once they used the Services utility to alter the current behavior of the IPsec Policy Agent so that the Startup type is set to Automatic. 

If you suspect that this scenario is applicable, follow the instructions below for specific instructions on changing the Startup type of the IPsec Policy agent.

Here’s what you need to do:

  1. Press Windows key + R to open up a Run dialog box. 
  2. Next, type ‘services.msc’ and press Ctrl + Shift + Enter to open up the Services screen with administrative privileges.
    Accessing the Services screen
  3. At the User Account Control (UAC), click Yes to grant admin access. 
  4. Once you’re inside the Service screen, move over to the right-hand side and locate the IPsec Policy Agent service entry. 
  5. When you see the IPsec Policy Agent service, right-click on it and choose Properties from the context menu. 
    Accessing the Properties screen of IPsec Policy Agent
  6. Once you’re inside the Properties screen of the IPsec Policy Agent service, access the General tab at the top, then change the drop-down menu associated with Startup type to Automatic. 
    Changing the startup type to Automatic
  7. Click Apply to save the changes. 
  8. Restart your PC and wait until the next startup is complete.
  9. Attempt to set up a Windows Hello PIN once again and see if the problem is now fixed.

In case the same kind of issue is still occurring, move down to the next method below. 

6. Modify the Logon policy

It turns out that there is one group policy that may prevent users from setting up Windows Hello pins. You won’t be able to finish this procedure until this policy is activated (even from an admin account). You must ensure that the Group Policy setting in the Local Group Policy Editor is enabled.

Note: You will find the Group Policy Editor pre-installed on every Windows 10 and Windows 11 version except for Home versions. You can use it to modify existing policies and establish new ones (depending on your need).

If you suspect that this method is applicable, follow the instructions below to modify the  Turn on convenience PIN sign-in policy so that your PC is allowed to use PIN sign in:

  1. Press Windows key + R to open up a Run dialog box. 
  2. Next, type ‘gpedit.msc’ inside the text box, then press Ctrl + Shift + Enter to open up the Local Group Policy Editor with admin access. 
    Open up the Gpedit utility
  3. At the User Account Control (UAC), click Yes to consent to admin access. 
  4. Once you’re finally inside the Local Group Policy Editor, use the menu on the left to go to System > Logon.
  5. With the Logon folder selected, move over to the right-hand side and double-click on Turn on convenience PIN sign-in. 

    Editing the Turn on convenience PIN sign-in
  6.  From the settings menu of the Turn on convenience PIN sign-in policy, simply change the status of the policy to Enable and click on Apply or Ok to save the changes. 
    Enable the Turn on convenience PIN sign-in policy
  7. Once the status of the policy has been edited, simply restart your PC and wait for the next startup to complete.
  8. After the next startup is complete, repeat the process of setting up a Windows PIN and see if the problem is now fixed.

If you’re still experiencing the same ‘0x80090011’ error, move down to the next method below. 

7. Uninstall the latest Windows Update

Microsoft has a history of delivering upgrades that end up interfering with already installed security components. If you’ve only recently begun to experience this issue, you should try rolling back the most recent installed update to see if it resolves the problem.

However, this is unlikely to be sufficient, as the Windows Update component would almost certainly re-install the faulty update. As a result, you’ll need to utilize the Microsoft Show or Hide troubleshooter to hide the update that’s giving you problems.

Keep in mind that if you installed the update weeks ago, you won’t be able to delete it at this time. The only thing we can do in this situation is waiting.

To attempt to resolve the Windows Hello 0x80090011 error, follow the steps below to remove and conceal the possibly harmful update:

  1. To launch the Run dialog box, press Windows key + R.
  2. To launch the Programs and Features screen, put ‘appwiz.cpl’ into the text box and hit Enter.

    Open up the Programs and Features menu
  3. From the Programs and Features menu, select View installed updates from the vertical menu on the left.
    View the Installed Updates
  4. From the Installed Updates screen, right-click the problematic update and select Uninstall from the context menu.
    Uninstall the problematic update
  5. Click Yes at the confirmation screen, then wait for the uninstallation to finish.
  6. Once the problematic update is uninstalled, don’t restart your computer. Instead, visit the official download page of the Microsoft Show or Hide troubleshooter.
    Note: The download should start automatically.
  7. After the download is complete, open the .diagcab file and click on the Advanced button at the first prompt. Next, check the box associated with Apply Repairs Automatically before clicking on Next. 
     
  8. Wait until the utility scans your system to figure out which pending updates are not installed. Once the next screen appears, click on Hide Updates from the list of available options.
    Hiding the Updates
  9. From the next screen, check the box associated with the problematic update, then click on Next to hide it – this will prevent the Windows Update from attempting to install the update once again.
  10. Reboot your computer one last time to test if you now establish a Windows Hello PIN without being halted by the 0x80090011 error.

If the problem persists or this procedure proved ineffective, go to the final possible solution listed below.

8. Establish a new PIN

If you went through every method featured above and you’re still experiencing the same 0x80090011 error, one final thing that you should try before getting specialized help is to attempt and create a new PIN.

Several users have confirmed that once they went this route and used the Accounts sub men to establish new Sign-in options by utilizing the I forgot my PIN hyperlink.

Here’s how you can do this:

  1. Start by pressing the Windows key + I to open up the Settings menu. This shortcut works on both Windows 10 and Windows 11. 
  2. Next, use the menu on the left and click on Accounts. 
  3. Move over to the right-hand section of the screen and click on Sign-in options (under Account settings). 
    Accessing the Sign-in Options
  4. Next, from the drop-down menu present next to your pin, click on I forgot my PIN from the context menu.
  5. Follow the remaining instructions to complete the creation of a new PIN.

If the problem is still not fixed, move down to the next method below. 

ABOUT THE AUTHOR

Kamil Anwar


Kamil is a certified MCITP, CCNA (W), CCNA (S) and a former British Computer Society Member with over 9 years of experience Configuring, Deploying and Managing Switches, Firewalls and Domain Controllers also an old-school still active on FreeNode.