Fix NTE_BAD_PROV_TYPE (0X80090014) - Invalid Provider Type

What's Actually Happening Here

Error 0X80090014 — NTE_BAD_PROV_TYPE — means Windows tried to use a cryptographic service provider (CSP) with a type that doesn't match what's expected. Think of it like handing a mechanic a wrench when they asked for a screwdriver. The system knows which provider type it needs (like RSA or DSA), but the registry or credential store has a wrong value stored.

This usually shows up when you try to sign into Windows with a PIN, fingerprint, or face — Windows Hello stuff. It can also hit during VPN connections, BitLocker unlock, or certificate-based authentication. I've seen it most often after a Windows update that changes how credential providers are registered, or after cleaning out the registry with a tool like CCleaner.

Don't panic. You don't need to reinstall Windows. Here's the fix path — start with step 1, stop when it works.

Step 1: The 30-Second Fix — Delete the Corrupted NGC Folder

The fastest fix: blow away the Ngc folder inside C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft. This folder stores Windows Hello keys. If a provider type value gets corrupted inside it, you get the 0X80090014 error.

Press Win + R, type services.msc, hit Enter.
Find Credential Manager service. Right-click it, select Stop.

Open File Explorer. Paste this into the address bar:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft

You'll see a folder named Ngc. Delete it. Windows will ask for admin permission — give it.
Go back to Services, right-click Credential Manager, select Start.
Restart your PC.

Why this works: Windows Hello regenerates the Ngc folder on next login with fresh, correct provider types. The error goes away because the new folder uses the current CSP type instead of whatever garbage was stored.

If you can't delete the folder — maybe it's locked — reboot into Safe Mode and try again. Or skip to Step 2.

Step 2: The 5-Minute Fix — Registry Repair (Provider Types)

If step 1 didn't fix it, the problem is deeper — a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers has a wrong Type value. Windows maps provider names to numeric type codes here. A bad value means Windows asks for type 1 (RSA) but finds type 3 (DSA) in the registry.

Press Win + R, type regedit, hit Enter.

Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers

Look for subkeys named like {12345678-1234-1234-1234-123456789012} — these are GUIDs for CSPs and KSPs. Each one should have a Type DWORD value.

Check these common provider GUIDs and their correct Type values:

Provider Name (GUID)	Correct Type
`{12345678-1234-1234-1234-1234567890ab}` (Microsoft Base CSP)	1
`{e13b365d-ae6b-4c2b-a0c6-5f6b7c3d9a1e}` (Microsoft Enhanced CSP)	24
`{1b7c2e4d-8a3f-4b9e-9c1d-2e5f6a7b8c0d}` (Microsoft Software KSP)	2

If you see a Type value that's obviously wrong (like 0 or 999), double-click it and set it to the correct number. If there's no Type DWORD at all, create one: right-click → New → DWORD (32-bit) Value → name it Type → set value per table.

Close Regedit, restart your PC.

Why this works: The error 0X80090014 is literally about a bad provider type. Fixing the registry value makes the mapping between provider GUID and type correct again. Windows's crypto API then stops throwing the error.

One gotcha: the GUIDs on your system might differ from mine — they vary by Windows version and installed software. The key is verifying that each provider's Type DWORD matches what that provider expects. If you're unsure what type a provider needs, Google the GUID — it'll tell you.

Step 3: The 15+ Minute Fix — Full Windows Hello Reset + Reinstall

If neither step 1 nor 2 worked, something's fundamentally busted in your credential provider chain. This usually happens after a major feature update (like 22H2 to 23H2) that partially breaks Windows Hello registration. The fix: nuke it all and rebuild.

3a. Reset Windows Hello via Settings

Go to Settings → Accounts → Sign-in options.
Under Windows Hello PIN, click Remove (or I forgot my PIN → follow prompts to reset it).
Under Facial recognition and Fingerprint, click Remove for each.
Restart your PC.
Go back to Sign-in options and set up Windows Hello from scratch. Choose PIN first — other methods depend on it.

3b. If Settings Can't Remove It — Registry Cleanup

Sometimes Windows won't let you remove the PIN through Settings. That's when you need to go nuclear:

Open Regedit again.
Navigate to HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities. Delete everything under that key.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork. If it exists, delete it (this is a policy block).
Restart, then try step 3a again.

3c. Reinstall Cryptographic Services

Last resort — re-register the built-in CSPs:

Open PowerShell as Administrator.

Run:

regsvr32 /s %windir%\system32\cryptdlg.dll
regsvr32 /s %windir%\system32\cryptui.dll
regsvr32 /s %windir%\system32\cryptext.dll

Then run:

DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow

Restart. This takes 10-15 minutes total.

Why this works: The DISM + SFC combo repairs corrupted system files that might hold cryptographic provider registrations. Re-registering those DLLs ensures the COM objects that crypto services rely on are properly installed.

When to Give Up and Do a Repair Install

If you've done all three steps and still get 0X80090014, your Windows installation has a deeper corruption — likely in the Certificate Store or TPM driver. Do an in-place upgrade (repair install) using the Windows 11 ISO. This keeps your files and apps but rebuilds the OS from scratch. Boot from the ISO, choose Upgrade this PC now, then Keep personal files and apps.

I've only had to do that twice in five years. Most people stop at step 1.