Fix NTE_INVALID_HANDLE (0x80090026) Error on Windows 10/11
The NTE_INVALID_HANDLE error usually means Windows can't read a cryptographic key. I'll walk you through the three most common causes and fixes.
1. Corrupt or missing TPM keys (most common)
I've seen this error pop up most often after a Windows update or a BIOS change that resets the TPM. The error reads "NTE_INVALID_HANDLE (0x80090026) - The supplied handle is invalid". It usually hits when you try to unlock a BitLocker drive, sign into Windows Hello, or use a certificate tied to the TPM.
The fix: clear and reinitialize the TPM. This doesn't erase your data, but it will invalidate any existing PIN or biometric data tied to Windows Hello — so have your Microsoft account password handy.
- Press Win + R, type tpm.msc, and hit Enter.
- In the TPM Management console, look under Status. If it says "The TPM is ready for use," click Clear TPM in the Actions pane. If it's not ready, you might need to reboot into UEFI/BIOS and enable TPM there (more on that in a sec).
- Windows will prompt you to restart. After reboot, the TPM will reinitialize automatically.
- Once you're back in Windows, go to Settings > Accounts > Sign-in options and reconfigure Windows Hello (PIN, fingerprint, etc.).
If TPM is disabled in BIOS: Reboot and smash F2 or Del (varies by manufacturer) to enter BIOS. Look for Security > TPM or Intel Platform Trust Technology. Enable it, then save and exit. Then follow the steps above.
I've fixed dozens of machines this way. The TPM clear wipes the slate clean and Windows regenerates the handles automatically.
2. Corrupted certificate store or user profile
If the error shows up when using certificate-based authentication (e.g., VPN, email signing, or smart card login), the problem is likely a corrupted certificate store tied to your user profile. This happened to me once after a failed group policy update — drove me crazy until I narrowed it down.
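The quickest fix: rebuild the certificate store by moving the MachineKeys folder out of the way (the commands below rename it rather than delete it, so the old keys are kept as a backup). Yes, you read that right — Windows re-creates it on next login.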
- Close all apps. Open an elevated Command Prompt (right-click Start > Windows Terminal (Admin) or CMD (Admin)).
- Run these commands in order:
    net stop certsvc
    ren "%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys" "MachineKeys.old"
    net start certsvc
- Reboot your computer. Windows will create a fresh MachineKeys folder.
- If the error persists, try the same for the user-specific store. Run:
    certutil -user -store my
  If it throws errors, back up and delete the store: run certmgr.msc, find your personal certificates, export them, then delete the store and reimport.
This fix is intermediate-level because you're messing with system folders, but it's safe if you follow the steps exactly. I've used it countless times for enterprise VPN issues.
3. Damaged BitLocker protector or TPM driver conflict
Sometimes the error arises when BitLocker can't read the TPM protector because of a driver glitch. This is the third most common cause I've seen — typically after a Windows feature update that botched the TPM base driver.
Here's the fix: remove and re-add the TPM protector for your BitLocker drive.
- Open an elevated Command Prompt.
- Check your BitLocker status:
    manage-bde -status C:
  Take note of the drive's protection status. If it's suspended, unsuspend it first with manage-bde -resume C:.
- Remove the TPM protector:
    manage-bde -protectors -delete C: -type tpm
  This removes only the TPM-based protector, not your recovery key.
- Add it back:
    manage-bde -protectors -add C: -tpm
- Reboot and test. The error should be gone.
Still stuck? You might need a TPM driver update. Go to your PC manufacturer's support site and grab the latest chipset driver, or run Windows Update and check for optional driver updates under Settings > Windows Update > Advanced options > Optional updates. I've seen Lenovo and Dell machines benefit from this especially.
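Before clearing the TPM (fix 1) or deleting the TPM protector (fix 3), it is worth confirming that the drive has a recovery password protector, because a BitLocker volume whose TPM-sealed key is gone can only be unlocked through another protector. The read-only check below is an added example, not part of the original article; `Test-TpmRepairReadiness` is a hypothetical helper name, while `Get-Tpm` and `Get-BitLockerVolume` are the built-in Windows cmdlets.

```powershell
# Added example (not from the article). Read-only: it changes nothing.
# Run in an elevated PowerShell session.
# Test-TpmRepairReadiness is a hypothetical helper name.
function Test-TpmRepairReadiness {
    param([string]$MountPoint = 'C:')

    $tpm = Get-Tpm -ErrorAction Stop
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Key protector types present on the volume, e.g. Tpm, RecoveryPassword
    $types = @($vol.KeyProtector | Where-Object { $_ } |
        ForEach-Object { "$($_.KeyProtectorType)" })
    $hasTpm      = $types -contains 'Tpm'
    $hasRecovery = $types -contains 'RecoveryPassword'

    # A fully decrypted volume does not depend on the TPM at all.
    $encrypted = $vol.VolumeStatus -ne 'FullyDecrypted'

    # Proceed only if losing the TPM-sealed key cannot lock the volume:
    # either nothing is encrypted, or a recovery password protector exists.
    $safe = (-not $encrypted) -or $hasRecovery

    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        ProtectorTypes      = $types -join ', '
        HasTpmProtector     = $hasTpm
        HasRecoveryPassword = $hasRecovery
        SafeToProceed       = $safe
    }
}

$result = Test-TpmRepairReadiness -MountPoint 'C:'
$result | Format-List

if (-not $result.SafeToProceed) {
    Write-Warning "No recovery password protector on $($result.MountPoint). Add one and store it off the machine before touching the TPM."
}
```

A `RecoveryPassword` protector on the volume only proves the password exists, so also confirm you can actually retrieve the 48-digit value (Microsoft account, printout, or your organization's directory) before proceeding.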
Quick-reference summary table
| Cause | Fix | Difficulty |
|---|---|---|
| Corrupt TPM keys | Clear TPM via tpm.msc or BIOS | Intermediate |
| Corrupted certificate store | Rename/rebuild MachineKeys folder | Intermediate |
| BitLocker TPM protector damage | Remove and re-add TPM protector | Intermediate |