This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 30%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
PC got a message at login saying the pin needed to be reset, but when attempting to do so there's a dialog saying try again later with the given error code 0x8028009f. Removed and readded machine to domain, reset users password, deleted device from intune, no change in behavior.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 36%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETL%3C/text%3E%3C/svg%3E)
Hi Ben,
Just doing a quick follow-up to see if you managed to get the Windows Hello PIN working again for your user.
Did nuking the Hello Container via the certutil command do the trick, or did you have to go all the way and clear the TPM to shake off that 0x8028009f error?
If the user is still locked out of setting their PIN or if you hit any roadblocks, just drop a comment. I'm always happy to help!
Tracy.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
Hi Ben,
Stop wasting time with domain rejoins and Intune syncs. Error 0x8028009f is strictly a local hardware/crypto issue. It means the local Windows Hello key container is corrupted or the TPM chip is locked up.
Here is the exact way to fix this locally without rebuilding the machine:
1. Nuke the corrupted Hello Container: Open Command Prompt as Administrator on the affected machine and run this exact command: certutil.exe -DeleteHelloContainer Reboot the machine and ask the user to set up the PIN again. This fixes the issue 90% of the time by clearing out the corrupted local cache.
2. Clear the TPM (If Step 1 fails): If the TPM itself is stuck or locked out, you must wipe it.
Suspend BitLocker first (this is critical so you don't lock them out of the drive).
Press Win + R, type tpm.msc and hit Enter.
Click Clear TPM... on the right-hand Actions pane.
Reboot the machine (the user may be prompted to press F1/F12 on the BIOS boot screen to confirm the TPM clear).
Once the TPM is fresh, Windows Hello will finally accept and save the new PIN. If this resolves your issue, please click "Accept Answer".
Tracy.
