Fix NTE_KEYSET_NOT_DEF (0X80090019) Key Set Error
Your encryption key set is missing or corrupted. Usually hits after a Windows update or certificate change. Quick fix: clear your credential cache.
The 30-Second Fix: Clear Your Credential Manager
Most of the time, this error pops up because a stale or corrupted credential sits in Windows Vault. I've seen this on Outlook 2016 after a forced password reset, and on Remote Desktop connections where the saved password got mangled.
Hit Windows Key + R, type control keymgr.dll, and press Enter. That opens Credential Manager. Look for any entries related to the app giving you the error — usually Microsoft Office, Remote Desktop, or a VPN client. Delete them all. Restart the app. That fixes it maybe 60% of the time.
Had a client last month whose entire Outlook couldn't send encrypted emails after a domain password change. Deleting the Office 365 credential in Vault and re-entering the password solved it in under a minute.
The 5-Minute Fix: Repair Your Certificate Store
If clearing credentials didn't work, you've got a certificate problem. The error 0X80090019 specifically means the crypto key set — the place Windows stores private keys — isn't where Windows expects it. This often happens after a Certificate Services update or if someone moved or deleted machine certificates.
Open an admin Command Prompt (right-click, Run as Administrator). Run these two commands:
certutil -store -user My
certutil -store MyLook for expired certificates or ones with broken private keys (should show Private Key = TRUE). If you see FALSE, that certificate is dead. Delete it with:
certutil -delstore -user My "serialnumber"Where "serialnumber" is the serial number from the problematic cert. Then re-run the app that failed. If it's Outlook or RDP, the app will usually regenerate a new cert on the fly.
One trick: if you're using a VPN like AnyConnect and get this error, the machine certificate is likely toast. Uninstall and reinstall the VPN client — it'll pull a fresh certificate from the server.
The 15-Minute Fix: Rebuild the Vault and DPAPI
When the above fails, the Windows Data Protection API (DPAPI) is broken. This is the system that encrypts your private keys and credentials. A corrupt master key file will throw 0X80090019 every time.
First, back up your current master keys:
mkdir C:\BackupMasterKeys
copy %APPDATA%\Microsoft\Protect C:\BackupMasterKeysThen delete the master key folder:
rd /s /q %APPDATA%\Microsoft\ProtectReboot. Windows will generate a fresh master key the next time you log in. You'll need to re-enter passwords for saved credentials, Outlook profiles, and anything that uses encryption. This is nuclear — your saved WiFi passwords, browser logins, and network shares will all need re-authentication. But it fixes the error.
I've had to do this twice in the last year: once on a Windows 10 machine where the user's profile was corrupt, and once on a Server 2016 where a security update borked the DPAPI stack. Both times it was the only thing that worked.
When to Skip All This and Just Nuke the Profile
If none of these work, your user profile itself is corrupt. Create a new local admin account, log into it, then copy your files over. This is the last resort, but I've seen it fix a stubborn case where even the vault rebuild didn't help.
Quick way to test: log in as a different user on the same machine. If the error doesn't happen, it's your profile. Backup your Desktop, Documents, and AppData folders, then delete the old profile via System Properties > Advanced > User Profiles. Not elegant, but it works.
Short version: start with Credential Manager, then check certificates, then blow away the master keys. You'll be back up in under an hour.
Was this solution helpful?