What causes AADSTS130005?

Corrupted or rotated NGC key on the local device after a Windows Hello PIN/biometric reset. Device registration state in Microsoft Entra ID (Azure AD) is stale or out of sync with the local TPM-backed key. TPM was cleared, reset, or replaced without re-registering Windows Hello for Business. User profile corruption preventing access to the NGC container under %LOCALAPPDATA%\Microsoft\Ngc. Conditional Access or device compliance policy invalidated the device's primary refresh token (PRT)

How do I fix AADSTS130005?

Sign out and sign back in with username + password (skip Windows Hello) to confirm the account itself works — this isolates the problem to the NGC/Hello key.. Re-provision Windows Hello for Business: Settings → Accounts → Sign-in options → PIN (Windows Hello) → Remove, then add it back. This regenerates the NGC key pair and re-registers it with Entra ID.. Run `dsregcmd /status` in an elevated prompt and verify AzureAdJoined=YES, DeviceAuthStatus=SUCCESS, and NgcSet=YES. If NgcSet=NO or KeySignTest fails, the local key is broken.. If re-provisioning fails, leave and rejoin Microsoft Entra ID: `dsregcmd /leave` (as admin), reboot, then re-join via Settings → Accounts → Access work or school.. For persistent failures across multiple users on the same device, clear the TPM (tpm.msc → Clear TPM) and re-register — last resort, requires BitLocker recovery key.

Low severityauthentication

Power BI Error:
AADSTS130005

What does this error mean?

Windows Hello for Business / NGC key signature verification failed during Microsoft Entra ID (Azure AD) sign-in.

Common causes

1Corrupted or rotated NGC key on the local device after a Windows Hello PIN/biometric reset
2Device registration state in Microsoft Entra ID (Azure AD) is stale or out of sync with the local TPM-backed key
3TPM was cleared, reset, or replaced without re-registering Windows Hello for Business
4User profile corruption preventing access to the NGC container under %LOCALAPPDATA%\Microsoft\Ngc
5Conditional Access or device compliance policy invalidated the device's primary refresh token (PRT)

How to fix it

1Sign out and sign back in with username + password (skip Windows Hello) to confirm the account itself works — this isolates the problem to the NGC/Hello key.
2Re-provision Windows Hello for Business: Settings → Accounts → Sign-in options → PIN (Windows Hello) → Remove, then add it back. This regenerates the NGC key pair and re-registers it with Entra ID.
3Run `dsregcmd /status` in an elevated prompt and verify AzureAdJoined=YES, DeviceAuthStatus=SUCCESS, and NgcSet=YES. If NgcSet=NO or KeySignTest fails, the local key is broken.
4If re-provisioning fails, leave and rejoin Microsoft Entra ID: `dsregcmd /leave` (as admin), reboot, then re-join via Settings → Accounts → Access work or school.
5For persistent failures across multiple users on the same device, clear the TPM (tpm.msc → Clear TPM) and re-register — last resort, requires BitLocker recovery key.

Frequently asked questions

What does AADSTS130005 mean?

NGC ke

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes