You open a document in Microsoft 365 and Copilot starts, then a dialog box appears asking for a PFX certificate password. You enter the password, click OK, and the prompt returns immediately. This cycle continues until you cancel the dialog, which also stops Copilot from working. The root cause is a corrupted or misconfigured digital certificate in the Windows certificate store that Copilot or the Microsoft 365 app tries to use for signing or encryption. This article explains why the prompt loop happens and provides step-by-step methods to clear the faulty certificate and stop the loop without disabling Copilot.
Key Takeaways: Stopping the PFX Certificate Password Loop
- Windows Certificate Manager (certmgr.msc) > Personal > Certificates: Delete the faulty certificate that triggers the password prompt.
- Microsoft Management Console (mmc.exe) > Certificates snap-in: Remove certificates from the local machine store if the user store does not resolve the issue.
- Group Policy Editor (gpedit.msc) > Computer Configuration > Windows Settings > Security Settings > Public Key Policies: Disable automatic certificate enrollment to prevent re-import of the problematic certificate.
Why the Copilot PFX Certificate Password Prompt Loops
The prompt loop occurs because a PFX certificate stored in Windows has a password set, but Windows or the Microsoft 365 application cannot cache that password correctly. When Copilot initializes, it attempts to load the certificate for digital signing or decryption. The operating system requests the password, the user supplies it, but the certificate validation fails or the application does not persist the credential. This causes the system to prompt again each time Copilot tries to access the certificate.
Common scenarios that introduce the faulty certificate include:
Misconfigured Email or Document Signing Certificates
Microsoft 365 apps sometimes import certificates from a connected email account or from a document that contains a digital signature. If that certificate requires a password and the certificate is corrupted or expired, the prompt loop begins.
Third-Party Security Software Interference
Some antivirus or endpoint protection tools inject certificates into the Windows store for traffic inspection. If those certificates have password protection and the software does not manage them correctly, Copilot may repeatedly prompt for the password.
Corrupted User Profile Certificate Store
The Windows user profile certificate store can become corrupted after a failed certificate enrollment or after importing a PFX file with an incorrect password. Once corrupted, any application that queries the store may trigger the password prompt loop.
Steps to Remove the Faulty PFX Certificate and Stop the Loop
Follow these steps in order. Stop after each method and test if the prompt loop is resolved before moving to the next method.
Method 1: Delete the Certificate from the Current User Store
- Open Certificate Manager
Press Win + R, type certmgr.msc, and press Enter. - Navigate to Personal Certificates
In the left pane, expand Personal and select Certificates. - Identify the Problematic Certificate
Look for a certificate with Intended Purposes such as Secure Email, Code Signing, or Document Signing. The certificate may have a warning icon or show an expiration date in the past. Write down the certificate name and issuer before deleting. - Delete the Certificate
Right-click the certificate and select Delete. Confirm the deletion when prompted. - Restart the Microsoft 365 App
Close and reopen the app where Copilot was prompting. Test if the password dialog appears again.
Method 2: Delete the Certificate from the Local Machine Store
If the prompt persists after deleting the user store certificate, the certificate may reside in the local machine store. This store is visible only through the Microsoft Management Console.
- Open Microsoft Management Console
Press Win + R, type mmc.exe, and press Enter. - Add the Certificates Snap-in
Go to File > Add/Remove Snap-in. Select Certificates and click Add. Choose Computer account, then Local computer, and click Finish. Click OK. - Navigate to Personal Certificates
In the left pane, expand Certificates (Local Computer) > Personal > Certificates. - Delete the Matching Certificate
Find the certificate with the same name and issuer you noted in Method 1. Right-click it and select Delete. Confirm the deletion. - Close MMC and Restart the App
Exit the Microsoft Management Console. Restart the Microsoft 365 application and test for the prompt loop.
Method 3: Disable Automatic Certificate Enrollment via Group Policy
If the certificate reappears after deletion, automatic enrollment may be re-importing it. Disable this policy to prevent recurrence.
- Open Local Group Policy Editor
Press Win + R, type gpedit.msc, and press Enter. This tool is available on Windows 11 Pro, Enterprise, and Education editions. - Navigate to Certificate Services Policy
Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies. - Open Certificate Services Client – Auto-Enrollment
Double-click Certificate Services Client – Auto-Enrollment in the right pane. - Set the Policy to Disabled
Select Disabled and click OK. This stops Windows from automatically enrolling certificates from a domain or from the local machine. - Run gpupdate to Apply Changes
Open a Command Prompt as administrator and run gpupdate /force. Restart the Microsoft 365 app and verify the prompt loop is gone.
If Copilot Still Has Issues After Removing the Certificate
Copilot Prompts for Password After Each App Restart
If the prompt returns after you restart the app but not immediately after deletion, another certificate with the same purpose may be present. Repeat Method 1 and Method 2 and check the Intermediate Certification Authorities and Trusted Root Certification Authorities stores for any certificate with a matching name. Delete those as well.
Copilot Fails to Start After Certificate Removal
If Copilot stops working entirely after you delete the certificate, the certificate was required for a specific function such as email signing or document decryption. To restore functionality without the password loop, re-import the PFX file without a password. Open Certificate Manager, right-click Personal > All Tasks > Import, browse to the PFX file, and when prompted for the password, check Mark this key as exportable and leave the password field blank. Complete the import and restart the app.
Prompt Loop Occurs Only in One Microsoft 365 App
If the prompt appears only in Outlook but not in Word or Excel, the certificate is likely linked to a digital signature or encryption setting in that specific app. In Outlook, go to File > Options > Trust Center > Trust Center Settings > Email Security. Under Digital IDs (Certificates), click Choose and select the correct certificate. If no certificate is listed, click Import/Export and remove any faulty entries.
| Item | certmgr.msc (User Store) | mmc.exe (Local Machine Store) |
|---|---|---|
| Scope | Current Windows user only | All users on the computer |
| Access method | Win + R > certmgr.msc | Win + R > mmc.exe, add Certificates snap-in for Computer account |
| Typical cause of loop | User-imported PFX for email signing | Third-party security software or domain-enrolled certificate |
| Deletion effect | Affects only the signed-in user | Affects all users and services on the machine |
Now you can identify and remove the faulty PFX certificate that causes the Copilot password prompt loop. Start with Certificate Manager for the current user, then check the local machine store if the prompt returns. If the certificate reappears, disable automatic certificate enrollment through Group Policy. For persistent issues in a single app like Outlook, check the app-specific certificate settings under Trust Center.