How to Fix Copilot AADSTS500133 Assertion Not Valid Yet
🔍 WiseChecker

How to Fix Copilot AADSTS500133 Assertion Not Valid Yet

by

When you try to sign in to Copilot in Microsoft 365, you might see the error AADSTS500133: Assertion not valid yet. This error means the security token your device sent to Microsoft Entra ID was created with a time stamp that is before the current server time. The cause is almost always a clock mismatch between your Windows device and the Microsoft authentication servers. This article explains why the clock mismatch triggers this error and provides exact steps to synchronize your system clock so Copilot authentication succeeds.

Key Takeaways: Fixing the AADSTS500133 Assertion Error in Copilot

  • Windows Settings > Time & Language > Date & Time > Sync now: Forces an immediate clock synchronization with time.windows.com to correct the token time stamp.
  • Registry key HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type: Setting this to NTP ensures the Windows Time service uses the correct time source for automatic sync.
  • Microsoft 365 admin center > Health > Service health: Check for ongoing Microsoft Entra ID or Copilot service incidents that could cause token validation failures.

ADVERTISEMENT

Why the AADSTS500133 Assertion Not Valid Yet Error Occurs

The error AADSTS500133 is a token validation failure from Microsoft Entra ID formerly Azure Active Directory. When Copilot requests authentication, your device creates a security assertion that includes a time stamp. Microsoft Entra ID compares that time stamp to its own server clock. If your device clock is behind by more than five minutes, the server treats the assertion as not yet valid. The token appears to come from the future relative to the server time.

The most common root causes are:

  • Windows Time service is disabled or not running
  • System clock is set manually instead of automatically
  • Time zone is incorrect, causing the UTC offset to shift the token time stamp
  • Network firewall blocks NTP port 123, preventing time synchronization
  • Device is in a virtual machine or container where the host clock is unsynchronized

In rare cases, the error appears even when the local clock appears correct. This happens when the Microsoft Entra ID server itself has a temporary clock drift due to a load-balancing issue or a pending service update. In those situations, the fix is the same: force a resync and retry authentication after a few minutes.

Steps to Fix the AADSTS500133 Assertion Error in Copilot

Follow these steps in order. After each step, close all browser tabs and apps that use Copilot, then sign in again to test.

Method 1: Sync the Windows Clock Immediately

  1. Open Date & Time settings
    Press Windows key + I to open Settings. Select Time & Language then Date & Time.
  2. Turn on automatic time and time zone
    Toggle Set time automatically to On. Toggle Set time zone automatically to On.
  3. Sync the clock now
    Under Additional settings, click Sync now. Wait for the confirmation message that shows the last successful sync time.
  4. Verify the time is correct
    Check that the displayed time matches your local time. If the time is still wrong, proceed to Method 2.
  5. Restart Copilot and sign in again
    Close all Microsoft 365 apps and browser sessions. Open Copilot in Microsoft Teams, Word, or the browser. Sign in with your work or school account.

Method 2: Reset the Windows Time Service

If the sync button does not fix the error, the Windows Time service may be corrupted or misconfigured.

  1. Open Command Prompt as administrator
    Press Windows key, type cmd, right-click Command Prompt, and select Run as administrator.
  2. Stop the Windows Time service
    Type net stop w32time and press Enter.
  3. Unregister and re-register the service
    Type w32tm /unregister and press Enter. Then type w32tm /register and press Enter.
  4. Start the service and resync
    Type net start w32time and press Enter. Then type w32tm /resync and press Enter. You should see a message that the command completed successfully.
  5. Verify synchronization
    Type w32tm /query /status and press Enter. Look for Source: time.windows.com and Last Successful Sync Time showing a recent time.
  6. Test Copilot authentication
    Restart all Microsoft 365 apps and sign in to Copilot again.

Method 3: Adjust the Time Zone Manually

An incorrect time zone can cause the token time stamp to shift relative to UTC. Even if the clock shows the correct local time, the UTC offset may be wrong.

  1. Open Date & Time settings
    Press Windows key + I, then select Time & Language then Date & Time.
  2. Turn off automatic time zone
    Toggle Set time zone automatically to Off.
  3. Select the correct time zone
    From the Time zone dropdown, choose your actual time zone. For example, if you are in New York, select (UTC-05:00) Eastern Time (US & Canada).
  4. Turn automatic time zone back on
    Toggle Set time zone automatically to On again. This forces Windows to re-detect your location.
  5. Sync the clock
    Click Sync now under Additional settings.
  6. Test Copilot again
    Sign out of all Microsoft 365 sessions, then sign in to Copilot.

ADVERTISEMENT

If Copilot Still Shows AADSTS500133 After Clock Sync

Copilot error persists after all clock fixes

If you have completed Methods 1 through 3 and the error still appears, the issue may be on the Microsoft server side. Check the Microsoft 365 admin center for service incidents. Go to Health > Service health and look for any advisory under Microsoft Entra ID or Copilot. If a service degradation is listed, wait until Microsoft resolves it and then retry.

Copilot works on one device but fails on another

This indicates a device-specific clock problem. On the failing device, run the command w32tm /query /status to check the time source. If the source is not time.windows.com or another reliable NTP server, configure the time source manually. Open Command Prompt as administrator and run:

w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /update

Then run net stop w32time && net start w32time && w32tm /resync to apply the change.

Copilot error appears in browser but not in desktop apps

Browser-based Copilot may rely on a different token cache. Clear the browser cache and cookies for the Microsoft 365 domain. In Microsoft Edge, go to Settings > Privacy, search, and services > Clear browsing data. Select Cookies and other site data and Cached images and files, then click Clear now. Restart the browser and sign in again.

Item Automatic time sync Manual time adjustment
Effectiveness for AADSTS500133 Resolves the error in 95% of cases Resolves the error only if automatic sync is broken
Ease of use One click in Settings Requires admin Command Prompt
Persistence after reboot Time stays correct automatically Clock drifts again after reboot if sync is not enabled
Best for All users with standard Windows setup Devices in isolated networks without NTP access

Now you can resolve the AADSTS500133 assertion error by synchronizing your Windows clock using one of the three methods described. Start with the automatic sync in Settings because it fixes the problem quickly without command-line tools. If the error returns after a reboot, run the Windows Time service reset to ensure the sync configuration is permanent. As an advanced tip, set a scheduled task to run w32tm /resync daily at a specific time to prevent clock drift from recurring.

ADVERTISEMENT

← Back to WiseChecker HomeMore in Windows & PC

🔍 Recommended for You