Low severity · authentication
Power BI Error:
AADSTS130006, NGC transport key missing on device
What does this error mean?
Windows Hello / WHfB sign-in fails because the device's NGC transport key isn't registered in Entra ID (Azure AD).
Common causes
1. Windows Hello for Business provisioning didn't complete (TPM unavailable, locked, or cleared after enrollment)
2. Device's Entra ID / Hybrid join state is broken: the device record exists but the NGC key was never written back to Entra ID
3. User profile or NGC container on the device is corrupted or was wiped (e.g. after a TPM reset, in-place upgrade, or roaming profile mismatch)
4. WHfB Group Policy / Intune policy was disabled or scoped away after the user was provisioned, leaving stale credentials
5. Tenant key rolled or device fell out of sync after a long offline period and the transport key wasn't re-uploaded
How to fix it
1. On the affected device, run `dsregcmd /status` and verify AzureAdJoined / DomainJoined and NgcSet=YES; if NgcSet=NO the transport key is genuinely missing.
2. Re-provision Windows Hello: Settings → Accounts → Sign-in options → remove the existing PIN/Face/Fingerprint, sign out, sign back in, and let WHfB enrollment run again (this generates and uploads a fresh NGC transport key).
3. If re-provisioning fails, delete the NGC container: from an elevated prompt run `certutil -DeleteHelloContainer`, reboot, then sign in again to force a clean WHfB enrollment.
4. Check TPM health (`tpm.msc` → ensure TPM is ready, not in reduced functionality mode); clear and re-own the TPM only if hardware diagnostics confirm it's stuck.
5. In the Entra admin center, locate the device under Devices → All devices and confirm it's not Stale/Disabled; if it is, remove it and re-join (Azure AD join or Hybrid join) so a new device key + transport key pair is registered.
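
The step 1 check can be scripted so the same triage runs on every affected device. The following is an added example, not part of the original page: the function names `ConvertFrom-DsregStatus` and `Get-NgcTriage` are hypothetical, and the sample text is constructed and trimmed to the three fields the page names.

```powershell
# Added example: parse `dsregcmd /status` text and triage the step 1 fields.
function ConvertFrom-DsregStatus {
    # No Mandatory attribute: real output contains blank lines, which a
    # mandatory [string[]] parameter would reject.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Field lines look like "   NgcSet : YES"; banner lines have no " : ".
        if ($line -match '^\s*([A-Za-z]\w*)\s+:\s+(.*\S)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-NgcTriage {
    param([hashtable]$State)
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    $domain = $State['DomainJoined']  -eq 'YES'
    if ($aad -and $domain) { $join = 'Hybrid joined' }
    elseif ($aad)          { $join = 'Entra joined' }
    elseif ($domain)       { $join = 'Domain joined only' }
    else                   { $join = 'Not joined' }

    # NgcSet describes the user running dsregcmd, so collect it in the
    # affected user's session rather than under a separate admin account.
    if (-not $aad) {
        $finding = 'No Entra join reported: repair the join first (step 5).'
    } elseif (-not $State.ContainsKey('NgcSet')) {
        $finding = 'NgcSet not in output: re-run in the affected user session.'
    } elseif ($State['NgcSet'] -eq 'YES') {
        $finding = 'NgcSet=YES: Hello key is set for this user; check the device record (step 5).'
    } else {
        $finding = 'NgcSet=NO: key missing; re-provision Windows Hello (steps 2-3).'
    }
    [pscustomobject]@{ JoinState = $join; NgcSet = $State['NgcSet']; Finding = $finding }
}

# Constructed sample (trimmed); on a real device pass (dsregcmd /status) instead.
$sample = @'
| Device State                                                         |
             AzureAdJoined : YES
              DomainJoined : NO
| User State                                                           |
                    NgcSet : NO
'@ -split '\r?\n'

Get-NgcTriage -State (ConvertFrom-DsregStatus -Lines $sample)
```

For the constructed sample this reports an Entra joined device with NgcSet=NO, which points at the re-provisioning steps rather than a re-join.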