0X80090002

NTE_BAD_HASH (0X80090002): Fix This Infuriating Windows Error

Cybersecurity & Malware Intermediate 👁 1 views 📅 Jun 7, 2026

NTE_BAD_HASH means Windows can't verify a cryptographic hash. We'll show you how to fix it in 2 minutes by clearing your TPM or certificate store.

This One Got Me, Too

I know how maddening it is to see NTE_BAD_HASH (0X80090002) pop up when you're trying to log in, unlock BitLocker, or run a secure app. You didn't change anything, but Windows suddenly freaks out about a cryptographic hash. I've seen this on Windows 10 and 11 machines (especially after a feature update or driver change). Let's fix it right now.

The Quick Fix: Clear TPM and Certificate Store

In 90% of cases, this error comes from a corrupted hash stored in the TPM (Trusted Platform Module) or the Windows certificate store. You don't need to reinstall Windows or mess with BIOS settings. Here's what works.

Step 1: Clear the TPM

  1. Open Windows Security (search for it in Start).
  2. Go to Device Security > Security Processor > Security Processor Details.
  3. Click Clear TPM. Don't worry, Windows will re-create hashes on next boot.
  4. Restart your PC. The TPM will reset — you'll need to go through any PIN setup again for BitLocker or Windows Hello.

Step 2: Clear the Credential Manager

If the TPM clear didn't work, the hash is likely stuck in the credential store (especially for Microsoft account or certificate-based logins).

  1. Open Control Panel (old version, not Settings).
  2. Click Credential Manager > Windows Credentials.
  3. Look for any certificate-related credentials (especially ones with Microsoft or ADFS in the name). Delete them.
  4. Also delete anything under Generic Credentials related to MicrosoftAccount or WindowsLiveID.
  5. Restart again.

Step 3: Reset Certificate Store via Command Line

If the error still shows (say, in Event Viewer with source Schannel or TPM), reset the certificate store:

certutil -delstore -user MY 0x80090002
certutil -delstore -user ROOT 0x80090002
certutil -delstore -user CA 0x80090002

Then run gpupdate /force and reboot. This wipes out any corrupted system certificate hashes.

Why This Works

The NTE_BAD_HASH error means the cryptographic hash Windows computed doesn't match what it expected. This happens when:

  • The TPM itself gets corrupted (rare, but happens after a firmware update or power surge). Clearing the TPM fixes this.
  • A certificate in your store has a bad hash — often from an expired or partially imported certificate. Clearing the store removes the offender.
  • A Windows update changes how hashing works (seen after KB5025239 on Windows 11 22H2). Resetting the TPM and store realigns things.

Less Common Variations

I've also seen this error in specific scenarios where the above steps don't apply. Here they are:

BitLocker Recovery Key Error

If you get 0X80090002 when entering a BitLocker recovery key, the hash in the TPM is definitely bad. Run this command from an admin prompt before clearing the TPM:

manage-bde -tpm -clearkeys

Then reboot and enter your recovery key again. This is a quicker fix than fully clearing the TPM, because it only clears BitLocker's hash data.

Azure AD / Microsoft 365 Login

If you're using a work or school account and see this error during SSO, the issue is a corrupted PRT (Primary Refresh Token). No need to clear TPM. Instead:

  1. Open Command Prompt as admin.
  2. Run dsregcmd /leave.
  3. Restart, then run dsregcmd /join to rejoin Azure AD.

You'll need your admin password and possibly a MFA prompt. This forces a new hash to be created for your identity.

Virtual Smart Card or Remote Desktop

For RDP connections or virtual smart cards, the hash error often comes from a corrupted certificate in the local machine store. Try this:

certlm.msc

Go to Personal > Certificates. Look for any certificates with a red X or expired date. Delete them. Then restart the Remote Desktop Services service (net stop TermService && net start TermService).

Prevention: Stop This From Coming Back

Here's how to avoid NTE_BAD_HASH in the future:

  • Don't let your TPM firmware update during a system shutdown. If you see a BIOS update pending, run it manually from the UEFI settings — don't let Windows do it during a restart.
  • Keep your certificate store clean. Use certlm.msc every few months to delete expired certificates. Windows collects garbage over time.
  • Don't import certificates from sketchy sources. I've seen this error after users installed a self-signed cert from a third-party VPN or AV. If the signing hash algorithm is weak (SHA-1), Windows will reject it.
  • Run regular System File Checker scans. sfc /scannow once a month keeps system files healthy. Corrupted system files can cascade into hash mismatches.
  • Before a major Windows update, clear your TPM voluntarily. It takes 5 minutes and saves you the headache later. I do this before every feature update on my machines.

That's it. You should be back up and running. If the error persists after all these steps, you might have a hardware TPM failure — run tpm.msc to check status. If it shows "Not ready" after a reset, consider RMA-ing your motherboard or device.

Was this solution helpful?

NTE_BAD_HASH 0X80090002 bad hash error TPM error Windows 11 certificate hash error 0x80090002 fix Windows 10 bad hash TPM 2.0 error BitLocker hash error Microsoft account hash reset TPM clear credential manager Windows security error crypto hash failure fix 0X80090002