What causes AADSTS130008?

Device was removed or disabled in Entra ID (Devices > All devices) but the local NGC container still holds the key. Windows Hello for Business was provisioned against a tenant the device is no longer joined to (Azure AD Join / Hybrid Join broken). Stale NGC container on the client after a domain rejoin, OS reinstall image, or user profile migration. Conditional Access / device compliance policy invalidated the device registration. NGC key on the client points to a deleted user object or the user's UPN changed

How do I fix AADSTS130008?

On the affected client, run `dsregcmd /status` and confirm AzureAdJoined / DomainJoined and NgcSet are YES — if NgcSet is NO or the device record is missing, the NGC key is orphaned. Reset the NGC container: sign in with password, run `certutil -DeleteHelloContainer` (or delete %LOCALAPPDATA%\Microsoft\Ngc as SYSTEM), reboot, and re-enroll Windows Hello via Settings > Accounts > Sign-in options. In the Entra admin center, verify the device exists under Devices > All devices and is Enabled; if it was deleted, re-join the device (Azure AD Join or Hybrid Join via AD Connect). If the user's UPN or immutableId changed recently, force an AD Connect delta sync and have the user re-register Windows Hello against the new identity. For fleet-wide occurrences, check Conditional Access sign-in logs for the AADSTS130008 correlation IDs to confirm whether a CA policy or device compliance change triggered the invalidation

Low severityauthentication

Power BI Error:
AADSTS130008, Windows Hello / NGC device not registered

What does this error mean?

Azure AD/Entra ID can't find the NGC (Next Generation Credentials) device tied to the Windows Hello key used to sign in.

Common causes

1Device was removed or disabled in Entra ID (Devices > All devices) but the local NGC container still holds the key
2Windows Hello for Business was provisioned against a tenant the device is no longer joined to (Azure AD Join / Hybrid Join broken)
3Stale NGC container on the client after a domain rejoin, OS reinstall image, or user profile migration
4Conditional Access / device compliance policy invalidated the device registration
5NGC key on the client points to a deleted user object or the user's UPN changed

How to fix it

1On the affected client, run `dsregcmd /status` and confirm AzureAdJoined / DomainJoined and NgcSet are YES — if NgcSet is NO or the device record is missing, the NGC key is orphaned
2Reset the NGC container: sign in with password, run `certutil -DeleteHelloContainer` (or delete %LOCALAPPDATA%\Microsoft\Ngc as SYSTEM), reboot, and re-enroll Windows Hello via Settings > Accounts > Sign-in options
3In the Entra admin center, verify the device exists under Devices > All devices and is Enabled; if it was deleted, re-join the device (Azure AD Join or Hybrid Join via AD Connect)
4If the user's UPN or immutableId changed recently, force an AD Connect delta sync and have the user re-register Windows Hello against the new identity
5For fleet-wide occurrences, check Conditional Access sign-in logs for the AADSTS130008 correlation IDs to confirm whether a CA policy or device compliance change triggered the invalidation

Frequently asked questions

What does AADSTS130008 mean?

The d

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes