0X80090316 SEC_E_BAD_PKGID – Fix Security Package Missing

What's Actually Happening Here

The 0x80090316 error, also known as SEC_E_BAD_PKGID, means Windows tried to load a security support provider (SSP) — like Schannel or Kerberos — but the package identifier it passed didn't match anything in the system's registered list. This error shows up in application logs, event ID 36888 or 36874, and you'll see it when apps try to make HTTPS connections, remote desktop connections fail, or PowerShell remoting dies with "The requested security package does not exist."

The most common trigger is a Windows Update that partially failed, or an aggressive antivirus removal that deleted registry entries for the default security packages. I've also seen it after someone manually disabled Schannel via Group Policy trying to "harden" TLS.

Fix 1: 30-Second Check – Verify Security Package Registration

This is the first thing you try. It takes 30 seconds and fixes it about 60% of the time.

1. Press Win + R, type regedit, hit Enter.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
3. Look at the SecurityProviders value (a REG_SZ or REG_MULTI_SZ string).
4. It should contain credssp.dll and schannel.dll at minimum. On Windows 10/11, the default is: credssp.dll,schannel.dll
5. If it's empty, or missing one of those — that's your problem. Right-click the value, select Modify, and paste this in: credssp.dll,schannel.dll

Why this works: The SecurityProviders registry key is a comma-separated list of DLL names that Windows loads at boot. If it's blank, Windows has no security packages to offer to any application. Adding credssp.dll (Credential Security Support Provider) and schannel.dll (Secure Channel) covers RDP and TLS.

After editing, restart the service using the failing app, or reboot the machine if you're not sure what service it is.

Fix 2: 5-Minute Fix – Reinstall Schannel via DISM

If the registry key looks fine but the error persists, the security package DLL itself might be corrupted or the system catalog is missing its registration. This happens after a failed cumulative update that partially installed the Schannel feature.

1. Open Command Prompt as Administrator (search cmd, right-click, Run as administrator).
2. Run these two commands in order:

DISM /Online /Cleanup-Image /RestoreHealth

sfc /scannow

3. Wait for DISM to finish — it downloads fresh system files from Windows Update.
4. Then run SFC — it replaces any corrupted system files with the clean versions.
5. Reboot.
6. Check if the error is gone. If not, the problem is deeper.

The real fix here is DISM. Most people run SFC first, but SFC only checks files it knows about. DISM actually rebuilds the component store, including the security package registry entries that SFC doesn't touch. Run DISM first, then SFC. It's the correct order.

Fix 3: 15+ Minute Fix – Manually Restore Security Package Registration

Sometimes DISM fails because the update source itself is broken. Or you're on an offline machine that can't download from Windows Update. This fix rebuilds the registration manually.

Step 1: Export and Compare with a Healthy Machine

On a working Windows machine (same version, same build), export this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\

Copy the exported .reg file to the broken machine, double-click it, and merge it. Reboot.

Why step 1 works: The SecurityProviders key is small — just a few values. Replacing it wholesale from a healthy machine is faster and more reliable than guessing which subkey is wrong.

Step 2: Rebuild Schannel DLL Registration

Open an elevated Command Prompt and run:

regsvr32 schannel.dll

Then restart the Cryptographic Services service:

net stop CryptSvc && net start CryptSvc

If regsvr32 fails with "The module "schannel.dll" failed to load", the DLL itself is missing or damaged. Copy schannel.dll from a healthy machine's C:\Windows\System32 folder to the broken one. Overwrite the existing file (you'll need to take ownership first). Then run regsvr32 again.

Step 3: Check for Group Policy Blocking Packages

Open gpedit.msc and go to: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings

Look for "Turn off automatic root certificates update" — if it's enabled, that can interfere with Schannel. Set it to Not Configured.

Also check Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options for any policy named something like "Network security: Configure encryption types allowed for Kerberos" — if it's set to only allow specific types, it might block Schannel's default offering.

When You Should Skip All This

If you get this error on a brand new Windows install, your ISO was bad. Don't waste time — download a fresh ISO from Microsoft's official tool and reinstall. The error 0x80090316 on a clean install means the install media was corrupted during download or writing.

If the error only shows in one specific application (like an old VPN client or a legacy browser), the app is passing a security package name that doesn't exist on modern Windows. Update the app or contact the vendor — don't hack your system registry for a single app.

Final Thought

The 0x80090316 error always comes down to one thing: Windows doesn't know about the security package you're asking for. Fix the registration and the error vanishes. The registry key is the root cause 90% of the time — start there and you'll save yourself an hour of frustration.