Microsoft 365 Apps activation error: “Trusted Platform Module malfunctioned”

When you try to activate Microsoft 365 apps, you encounter the error:

Trusted Platform Module malfunctioned

Try the following troubleshooting methods to solve the problem.

Note: Some of these troubleshooting methods can only be performed by a Microsoft 365 admin. If you aren’t an admin, see How do I find my Microsoft 365 admin?


Reset Microsoft 365 activation state

Run the Microsoft Support and Recovery Assistant (SaRA) to reset the Microsoft 365 activation state.

For manual steps or more information, see Reset Microsoft 365 Apps for enterprise activation state.

Remove Office credentials
  1. From Start, type credential manager, and then select Credential Manager from the search results.
  2. Select Windows credentials.
  3. If there are any credentials for MicrosoftOffice16, select the arrow next to them and then select Remove.
  4. Close Credential Manager.
  5. From Start, select Settings (the gear icon) > Accounts > Access work or school.
  6. If the account you use to sign in to office.com is listed there, but it isn’t the account you use to sign in to Windows, select it, and then select Disconnect.
  7. Restart the device and try to activate Microsoft 365 again.
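The same Credential Manager cleanup from a PowerShell session, as an added example that is not part of the original article. It relies on the built-in cmdkey.exe and assumes its English-language "Target:" output format; by default it only lists matching entries, and removes them only when run with -Remove.

```powershell
# Added example (not the article's own script): list Credential Manager entries
# whose target name contains "MicrosoftOffice16" and optionally remove them.
# Parsing of cmdkey /list output assumes the English "    Target: ..." lines.
param(
    [switch]$Remove   # report only by default; pass -Remove to delete
)

$pattern = 'MicrosoftOffice16'

# cmdkey /list prints one "Target:" line per stored credential
$allTargets = foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
}
$targets = $allTargets | Where-Object { $_ -like "*$pattern*" }

if (-not $targets) {
    Write-Host "No Credential Manager entries matching '$pattern' were found."
    return
}

foreach ($t in $targets) {
    # Targets print as "LegacyGeneric:target=..." or "Domain:target=...";
    # cmdkey /delete expects only the part after "target="
    $name = ($t -split 'target=', 2)[-1]
    if ($Remove) {
        Write-Host "Removing credential: $name"
        cmdkey /delete:$name | Out-Null
    } else {
        Write-Host "Found credential (run with -Remove to delete): $name"
    }
}
```

Run it once without -Remove to confirm only the Office entries match before deleting anything; the work-or-school account disconnect in steps 5 and 6 still has to be done in Settings.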

Check BrokerPlugin process

Some antivirus, proxy, or firewall software might block the following plug-in process:

Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

Temporarily disable your antivirus software. Contact your system administrator to find out if you are behind a proxy or firewall that is blocking this process. If so, you will also need to temporarily disable your proxy or firewall connection. If you connect through a Virtual Private Network (VPN), you might need to temporarily disable your VPN also.

If the process isn’t blocked, but you still can’t activate Microsoft 365, delete your BrokerPlugin data and then reinstall it using the following steps:

  1. Open File Explorer, and put the following location in the address bar: %LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts
  2. Press CTRL + A to select all.
  3. Right-click the selected files and choose Delete.
  4. Put the following location in the File Explorer address bar: %LOCALAPPDATA%\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\TokenBroker\Accounts
  5. Select all files and delete them.
  6. Restart the device.
  7. Download and run the SaRA package for sign in issues.
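Steps 1 to 5 above as a single PowerShell script, added here as an example and not taken from the article. It also reports whether the BrokerPlugin app package is registered for the current user, which is the quickest way to tell a blocked process apart from a missing one. Close all Office apps before running it; the Accounts folders are recreated on the next sign-in.

```powershell
# Added example (not the article's own script): check that the BrokerPlugin
# package is registered, then empty the two TokenBroker account caches named
# in the steps above (contents only, the Accounts folders themselves stay).
$pkg = Get-AppxPackage -Name 'Microsoft.AAD.BrokerPlugin' -ErrorAction SilentlyContinue
if ($pkg) {
    Write-Host "BrokerPlugin package: $($pkg.PackageFullName) (status: $($pkg.Status))"
} else {
    Write-Warning "Microsoft.AAD.BrokerPlugin package is not registered for this user."
}

$cacheDirs = @(
    (Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts'),
    (Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\TokenBroker\Accounts')
)

foreach ($dir in $cacheDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Host "Not present (nothing to clear): $dir"
        continue
    }
    $items = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)
    $items | Remove-Item -Recurse -Force -ErrorAction Continue
    Write-Host ("Cleared {0} item(s) from {1}" -f $items.Count, $dir)
}

Write-Host "Restart the device, then run the SaRA sign-in package (step 7)."
```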

For manual troubleshooting steps that replace step 7, or for more information, see Fix authentication issues in Office applications when you try to connect to a Microsoft 365 service.

Clear the Trusted Platform Module (TPM)
  1. From Start, select Settings (the gear icon) > Update & Security > Windows Security > Device Security.
  2. Under Security processor, select Security processor details > Security processor troubleshooting.
  3. Select Clear TPM.
  4. Restart the device and try to activate Microsoft 365 again.

Troubleshoot Microsoft Entra hybrid join
  1. Open a Command Prompt window as an administrator. From Start, type cmd.exe in the search box, right-click Command Prompt in the list, and then select Run as administrator.

  2. Type the following command, and then press Enter:

    dsregcmd /status

If EventID 220 is present in User Device Registration event logs, see Troubleshoot Microsoft Entra hybrid joined devices.

If error code 0x801c001d is present, configure a service connection point.
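A script that runs dsregcmd /status, pulls out the join and TPM-related fields, flags the 0x801c001d code, and checks the User Device Registration log for EventID 220, added here as an example rather than taken from the article. It assumes the "Name : Value" layout that dsregcmd /status prints and the log name Microsoft-Windows-User Device Registration/Admin; run it from an elevated session.

```powershell
# Added example (not part of the original article): summarise dsregcmd /status
# and look for the two indicators named above (EventID 220 and 0x801c001d).
$status = dsregcmd /status

# dsregcmd prints "Name : Value" lines; collect them into a hashtable
$fields = @{}
foreach ($line in $status) {
    if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
        $fields[$Matches[1].Trim()] = $Matches[2].Trim()
    }
}

# Field names as printed by dsregcmd /status; TpmProtected and KeyProvider
# show whether the device key lives in the TPM
foreach ($name in 'AzureAdJoined', 'DomainJoined', 'DeviceId', 'TpmProtected', 'KeyProvider', 'AzureAdPrt') {
    if ($fields.ContainsKey($name)) { '{0,-14}: {1}' -f $name, $fields[$name] }
}

# The SCP error code appears verbatim in the raw output when present
if ($status -match '0x801c001d') {
    Write-Warning '0x801c001d reported: configure a service connection point for hybrid join.'
}

# EventID 220 in the User Device Registration admin log
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-User Device Registration/Admin'
    Id      = 220
} -MaxEvents 5 -ErrorAction SilentlyContinue

if ($events) {
    Write-Warning "EventID 220 found ($(@($events).Count) recent entries); see Troubleshoot Microsoft Entra hybrid joined devices."
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    'No EventID 220 entries in the User Device Registration log.'
}
```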

Enable Office Protection Policy
  1. Open an Office app, such as Word.
  2. Select your name and profile picture at the top, then select Sign out.
  3. Close the Office app.
  4. From Start, select Settings (the gear icon) > Accounts > Access work or school.
  5. If the account you use to sign in to office.com is listed there, select it, and then select Disconnect.
  6. From Start, type regedit, and then select Registry Editor from the search results.
  7. Use the arrows to expand selections and navigate to: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
  8. Right-click the key (or an empty area in the right pane), select New, and then select DWORD (32-bit) Value.
  9. Name the DWORD ProtectionPolicy and set the value to 1.
  10. Restart the device and try to activate Microsoft 365 again.
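Steps 6 to 9 done from an elevated PowerShell session instead of Registry Editor, as an added example that is not the article's own script. It prints the current value before changing it so the setting can be reverted, and leaves the key alone if it does not exist.

```powershell
# Added example (not the article's own script): create or set the
# ProtectionPolicy DWORD under the DPAPI provider key named above.
$key  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$name = 'ProtectionPolicy'

if (-not (Test-Path -LiteralPath $key)) {
    throw "Registry key not found: $key"
}

$current = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    "$name is not set (default behaviour)."
} else {
    "$name is currently $current."
}

if ($current -ne 1) {
    # -Force overwrites an existing value of a different type or data
    New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    "$name set to 1. Restart the device, then try to activate Microsoft 365 again."
}
```

To undo the change later, remove the value with Remove-ItemProperty on the same key and name.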

Disconnect from and then connect to Microsoft Entra ID
  1. From Start, select Settings (the gear icon) > Accounts > Access work or school.
  2. Select the Microsoft Entra ID connection.
  3. Select Disconnect.
  4. Restart the device.
  5. Return to the Access work or school page as described in step 1.
  6. Select Join this device to Microsoft Entra ID.
  7. Enter your credentials.
  8. Select Let my organization manage my device.
  9. Restart the device and try to activate Microsoft 365 again.

Enable Memory integrity
  1. From Start, select Settings (the gear icon) > Update & Security > Windows Security > Device Security.
  2. Under Core isolation, select Core isolation details.
  3. Turn Memory integrity on.
  4. Restart the device and try to activate Microsoft 365 again.
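A check that Memory integrity (hypervisor-enforced code integrity, HVCI) is actually running after the toggle and restart, added as an example and not taken from the article. It reads the Win32_DeviceGuard class, where a value of 2 in SecurityServicesRunning means HVCI is active; the toggle can silently stay off when an incompatible driver is present, so this confirms the state rather than the setting.

```powershell
# Added example (not part of the original article): report whether HVCI
# (Memory integrity) is configured and running on this device.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# In SecurityServicesConfigured/SecurityServicesRunning, 1 = Credential Guard, 2 = HVCI
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2

"Virtualization-based security status : $($dg.VirtualizationBasedSecurityStatus)  (2 = running)"
"Memory integrity configured          : $hvciConfigured"
"Memory integrity running             : $hvciRunning"

if ($hvciConfigured -and -not $hvciRunning) {
    Write-Warning 'Memory integrity is configured but not running; check for incompatible drivers in Core isolation details and restart.'
} elseif (-not $hvciConfigured) {
    Write-Warning 'Memory integrity is not enabled; turn it on under Core isolation details and restart.'
}
```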

Enable or add the device in Microsoft Entra ID

If the device was disabled in Microsoft Entra ID, an administrator who has sufficient privileges can re-enable it from the Microsoft Entra admin center, as follows:

  1. Sign in to the Azure portal.
  2. Select Microsoft Entra ID > Devices.
  3. In Devices, search by user name or device name to find the disabled device.
  4. Select the device, and then select Enable.

For more information, see Manage device identities using the Azure portal.

If the device was deleted in Microsoft Entra ID, you have to re-register it manually. For detailed steps to do this, see Re-enable or re-register the device.
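The same re-enable operation with the Microsoft Graph PowerShell SDK instead of the portal, added here as an example that is not part of the article. It assumes the Microsoft.Graph module is installed and that the signed-in administrator can consent to Device.ReadWrite.All; the device name is a placeholder. A device that was deleted rather than disabled will not be found, which is the case the last paragraph covers.

```powershell
# Added example (not the article's own script): find a device by display name
# in Microsoft Entra ID and re-enable it if its account is disabled.
$deviceName = 'PLACEHOLDER-DEVICE-NAME'   # replace with the real device name

Connect-MgGraph -Scopes 'Device.ReadWrite.All' -NoWelcome

$devices = Get-MgDevice -Filter "displayName eq '$deviceName'"

if (-not $devices) {
    # A deleted device no longer appears here; it has to be re-registered
    Write-Warning "No device named '$deviceName' in Entra ID; if it was deleted, re-register it on the device."
    return
}

foreach ($d in $devices) {
    if ($d.AccountEnabled) {
        "$($d.DisplayName) ($($d.DeviceId)) is already enabled."
        continue
    }
    # -DeviceId takes the directory object id ($d.Id), not the device identity id
    Update-MgDevice -DeviceId $d.Id -AccountEnabled:$true
    "$($d.DisplayName) ($($d.DeviceId)) re-enabled; retry activation on the device."
}
```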

Update your device’s BIOS

Update the BIOS for your device. If you need more information about doing so, contact the manufacturer of your device. If you are using a Microsoft Surface device, see Download drivers and firmware for Surface.

Make sure the TPM is set to Active
  1. Restart your device. Before Windows loads, press F1.
  2. Under the Security tab, check if TPM 1.2 is selected.
  3. If TPM 1.2 is selected, make sure that Security Chip is set to Active.
  4. Save and exit. When Windows starts, try to activate Microsoft 365 again.

Note: Microsoft recommends using TPM 2.0 whenever possible.

Create a new Windows user account
  1. Perform a clean boot of Windows. For instructions, see How to perform a clean boot in Windows.
  2. Create a new user account, and then make that account an administrator. For instructions, see Create a local user or administrator account in Windows.
  3. Sign in to Windows with the new account.
  4. Download and install Office.
  5. Try to activate Microsoft 365 again.