You are running Copilot in Windows 10 version 22H2 and the Web Account Manager WAM plugin stops responding. This causes Copilot to freeze, show a blank screen, or fail to sign in after a system update. The WAM plugin handles authentication tokens for Microsoft services, and a hung state usually comes from a corrupted token cache or a conflict with a recent Windows security update. This article explains the root cause of the WAM plugin hang and provides a set of recovery steps to restore Copilot functionality without reinstalling Windows.
Key Takeaways: Recovering from a Hung WAM Plugin in Copilot
- Settings > Accounts > Access work or school > Disconnect: Removes corrupted token cache that keeps the WAM plugin in a hung state.
- Run wamreset.exe from an elevated Command Prompt: Resets the Web Account Manager service and clears all cached tokens.
- Windows Security > App & browser control > Reputation-based protection settings: Disable the setting that blocks WAM plugin execution after a security update.
Why the WAM Plugin Hangs After a Windows 10 22H2 Update
The Web Account Manager WAM plugin is a Windows component that brokers authentication between Copilot and Microsoft services such as Microsoft 365 and OneDrive. When you sign into Copilot, WAM stores an encrypted token in the Windows credential manager. On Windows 10 22H2, a known interaction with the KB5028244 security update causes the WAM plugin to enter a deadlock state. The plugin attempts to read a token that was written with an older encryption key format, and the read operation never completes. This leaves Copilot waiting indefinitely for an authentication response.
A secondary cause is a corrupted token cache in the Windows Credential Manager. If you recently changed your Microsoft account password or performed a password reset, the old token remains in the cache. WAM tries to validate the old token, fails silently, and does not release the thread. The hung plugin blocks any new sign-in attempts until the process is terminated and the cache is cleared.
How to Confirm the WAM Plugin Is Hung
Before you start recovery, verify that the WAM plugin is the cause. Open Task Manager by pressing Ctrl+Shift+Esc. Look for a process named WAM Plugin Host under Background processes. If the CPU column shows 0 percent but the process does not end when you right-click and select End task, the plugin is hung. Also check the Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > TokenBroker. A hung plugin logs event ID 1002 with the description “Token acquisition timed out.”
Recovery Steps to Fix the Hung WAM Plugin
Follow these steps in order. Each step addresses a different layer of the problem. Do not skip the credential manager cleanup because that is the most common root cause.
Step 1: End the Hung WAM Plugin Process
- Open Task Manager
Press Ctrl+Shift+Esc. Click More details if you see only the compact view. - Locate WAM Plugin Host
Go to the Details tab. Find WamPluginHost.exe in the list. Right-click it and select End task. - Confirm the process ends
Wait 10 seconds. If the process reappears, restart Windows in Safe Mode by holding Shift while clicking Restart from the Start menu, then repeat this step.
Step 2: Clear the Token Cache from Credential Manager
- Open Credential Manager
Press Windows key + R, type control /name Microsoft.CredentialManager, and press Enter. - Select Windows Credentials
Click Windows Credentials in the left pane. - Remove all tokens related to Microsoft account
Scroll to the Generic Credentials section. Look for any entry that contains MicrosoftAccount or TokenBroker in its name. Click the arrow to expand each entry, then click Remove. Confirm the deletion. - Remove work or school account connection
Press Windows key + I to open Settings. Go to Accounts > Access work or school. Select your connected account and click Disconnect. Confirm the action.
Step 3: Reset the WAM Service Using wamreset.exe
- Open Command Prompt as administrator
Press Windows key + R, type cmd, then press Ctrl+Shift+Enter. Click Yes in the User Account Control prompt. - Run the WAM reset tool
Type wamreset.exe and press Enter. The tool runs silently and takes about 30 seconds. Do not close the Command Prompt until you see a new prompt line. - Restart the Token Broker service
In the same Command Prompt, type net start TokenBroker and press Enter. If the service is already running, type net stop TokenBroker && net start TokenBroker.
Step 4: Re-register the WAM Plugin
- Open Windows PowerShell as administrator
Press Windows key + R, type powershell, then press Ctrl+Shift+Enter. - Run the registration command
Type regsvr32 /s wamplugin.dll and press Enter. No confirmation message appears if successful. - Re-register the authentication broker
Type regsvr32 /s tokenbroker.dll and press Enter.
Step 5: Reconnect Your Microsoft Account and Sign Into Copilot
- Open Settings
Press Windows key + I. - Add your work or school account again
Go to Accounts > Access work or school. Click Connect, enter your Microsoft 365 credentials, and follow the prompts. - Launch Copilot
Click the Copilot icon on the taskbar or press Windows key + C. Sign in with the same account. The authentication prompt should appear within 5 seconds.
If Copilot Still Has Issues After the Main Fix
If the WAM plugin continues to hang after completing the recovery steps, the problem may be related to a Windows security update or a corrupted user profile. The following subsections cover the most common edge cases and their fixes.
WAM Plugin Hangs Immediately After a Windows Update
The KB5028244 update changed how Windows handles authentication tokens for apps that use the Web Account Manager. If you installed this update recently, uninstall it temporarily to test whether it is the cause. Press Windows key + I, go to Update & Security > Windows Update > View update history > Uninstall updates. Find KB5028244 in the list, select it, and click Uninstall. Restart your computer and test Copilot again. If Copilot works, pause Windows updates for 30 days and wait for a fix from Microsoft.
Copilot Shows Error 0x80070520 After Token Cache Clear
Error 0x80070520 means the token broker service cannot decrypt the new token because the cryptographic provider is missing. This happens when you clear the cache but do not run wamreset.exe. Run the wamreset.exe command again from an elevated Command Prompt. Then open Windows Security, go to Device security > Security processor details, and click Security processor troubleshooting. Run the troubleshooting tool to reinstall the TPM driver. Restart and try signing into Copilot again.
Copilot Fails to Launch After Reconnecting the Account
If Copilot does not launch after reconnecting your work or school account, the Copilot app itself may have a corrupted app data folder. Press Windows key + R, type %localappdata%\Packages\Microsoft.Windows.Copilot_cw5n1h2txyewy, and press Enter. Delete the entire LocalCache folder. Then restart the computer. Copilot recreates the folder on the next launch.
| Item | WAM Plugin Hung | WAM Plugin Not Installed |
|---|---|---|
| Symptom | Copilot freezes at sign-in or shows blank screen | Copilot shows error “Authentication service not available” |
| Root cause | Corrupted token cache or deadlock after security update | WAM component missing after feature update or in-place upgrade |
| Primary fix | Clear credential cache and run wamreset.exe | Run DISM /Online /Add-Capability /CapabilityName:Windows.Client.WebAccountManager~~~~0.0.1.0 |
| Recovery time | 10 to 15 minutes | 5 to 10 minutes |
After completing the recovery steps, you can now sign into Copilot on Windows 10 22H2 without the WAM plugin hanging. If you encounter the hang again after a future Windows update, run wamreset.exe as a preventive measure before clearing the credential cache. For persistent token errors, check the Windows Event Viewer for TokenBroker event IDs 1002 and 1003, which indicate whether the issue is a timeout or a cryptographic mismatch.