Fix NTE_NO_KEY (0x8009000D) - Key does not exist
NTE_NO_KEY means Windows can't find a needed security key. Usually a corrupted CNG key store. Fix it fast with certutil or delete the store.
Quick answer
Delete the CNG key store at C:\ProgramData\Microsoft\Crypto\Keys (keep a backup) or run certutil -delkey to remove the orphaned key reference. Then reboot.
What's going on here
You're seeing 0x8009000D (NTE_NO_KEY) because Windows can't find a cryptographic key it expects. This happens when the CNG (Cryptography Next Generation) key store gets corrupted — maybe from a failed Windows update, a disk cleanup that went too far, or a registry cleaner that nuked something it shouldn't have. The culprit is almost always a mismatch between what the registry says exists and what's actually in C:\ProgramData\Microsoft\Crypto\Keys.
I've seen this trigger when a user tries to open BitLocker Drive Encryption, use Windows Hello (PIN or fingerprint), or even just open the Settings app. One guy hit it after a bad Group Policy push that tried to replace his machine keys. Another got it after a third-party antivirus deleted a bunch of crypto files thinking they were malware.
Fix it (numbered steps)
- Open an elevated Command Prompt — hit Start, type
cmd, right-click it, and choose Run as administrator. Yes, you need admin rights for this. - Back up the key store — run
robocopy C:\ProgramData\Microsoft\Crypto\Keys C:\CryptoKeysBackup /E. This grabs everything so you can restore if you break something worse. - Delete the contents of the Keys folder — run
del /f /s /q C:\ProgramData\Microsoft\Crypto\Keys\*.*. Don't delete the folder itself, just the files inside. - Clear the CNG key store references in the registry — run
reg delete HKLM\SOFTWARE\Microsoft\Cryptography\MachineKeys /f. This wipes the registry keys that point to now-deleted files. - Reboot — hit
shutdown /r /t 0. Windows regenerates the keys it needs on startup.
Alternative fixes if the main one doesn't work
Run a System File Check
Corrupted system files can also cause this. Run sfc /scannow in an elevated Command Prompt. Let it finish, then reboot. If it finds corrupt files but can't fix them, run dism /online /cleanup-image /restorehealth next.
Check the TPM driver
If you're on a machine with a discrete TPM (like an older Dell or Lenovo), the driver might be flaky. Go to Device Manager, find Security devices, expand it, right-click Trusted Platform Module 2.0, and choose Update driver. If that does nothing, check the manufacturer's site for a fresh driver.
Restore from that backup you made
If deleting the store makes things worse (unlikely, but possible), copy the files back: robocopy C:\CryptoKeysBackup C:\ProgramData\Microsoft\Crypto\Keys /E.
Prevention tip
Stop using registry cleaners. They're the number one cause of this error. Also, if you're running disk cleanup, don't check the box that says "Delivery Optimization Files" or "Windows Upgrade Log Files" — those sometimes wipe crypto state files. Stick to cleaning temp files and Recycle Bin only.
If you use BitLocker, back up your recovery key to your Microsoft account or print it. That way, if the key store gets nuked again, you can unlock the drive with the recovery key instead of chasing error codes.
Was this solution helpful?