NTE_BAD_KEYSET (0x80090016) – Key set does not exist fix

Quick answer

Open an elevated Command Prompt and run: certutil -user -delstore my then reboot. If that doesn't work, run certutil -repairstore my "*".

What's happening here

The 0x80090016 error means Windows can't locate a private key that belongs to a certificate in your user store. I see this most often after a Windows feature update (like 22H2 to 23H2) or when someone migrates a user profile to a new machine. Another common trigger: enabling or disabling BitLocker, or messing with TPM settings. The system holds onto certificate references that point to key containers that got wiped or never migrated.

This error pops up in all sorts of places. Outlook might refuse to open encrypted mail. Windows Hello might fail to set up. Microsoft Office activation can throw it. Even random apps that use DPAPI (Data Protection API) will crash. The root cause is always the same: something corrupted or deleted the key set in the Microsoft Software Key Storage Provider.

Fix steps – try these in order

1. Open an elevated Command Prompt. Click Start, type cmd, right-click Command Prompt, choose Run as administrator. Yes, you need admin rights for this.
2. Delete your personal certificate store. Type this and press Enter: certutil -user -delstore my. You'll see a warning that this removes all user certificates. Type Y to confirm.
3. Reboot the machine. Not a logoff, a full restart. After the reboot, Windows recreates the store with fresh key containers. Test your app again.
4. If the error returns, run this from the same admin prompt: certutil -repairstore my "*". This repairs every certificate in your personal store. It won't delete anything, it just fixes the key mappings.
5. Check the certificate store after repair. Open certmgr.msc (press Win+R, type it in). Expand Personal > Certificates. If you see any certificates with a red X or a message about missing private key, right-click them and choose Delete. Reboot again.

Alternative fixes when the main method flops

If the steps above don't clear the error, here's the next tier of fixes. I'd skip anything involving sfc /scannow or DISM – those rarely touch certificate stores.

• Recreate the DPAPI master key. Run certutil -csp MS_KEY_PROTECTOR -key -export from an admin prompt. That forces Windows to rebuild the master key encryption. Reboot after.
• Clear the TPM if the error ties to Windows Hello or BitLocker. Go to Settings > Update & Security > Windows Security > Device security > Security processor details > Security processor troubleshooting > Clear TPM. Warning: This wipes all TPM-stored keys, including BitLocker recovery keys. Have your recovery key handy. Reboot and re-enroll your PIN.
• Reissue your user certificate if you're in a corporate domain. Contact your IT admin to revoke and reissue your user certificate from your CA. Sometimes the original key pair got lost during profile migration, and a fresh cert with a new key pair fixes it.
• Create a new Windows user profile as a last resort. The old profile's certificate store may be too damaged to repair. Create a new local user, migrate your data, and delete the old profile. This almost always works but it's a pain.

Prevention tip

Before you do a Windows feature update or migrate to a new PC, back up your certificates. Open certmgr.msc, right-click Personal > All Tasks > Export. Choose Yes, export the private key and set a strong password. Store that .pfx file on a USB drive or in a password manager. If you ever hit this error, you can import that file back with certutil -importpfx and skip the whole repair dance.

Also, never manually delete folders inside C:\Users\[username]\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates – I've seen users do that to free space. That's a direct line to this error.