Fix TPM_E_DEFEND_LOCK_RUNNING (0x80280803) — No Waiting Required
Your TPM locked itself after too many wrong PIN attempts. You don't have to wait hours — resetting the lockout timer usually fixes it in a minute.
The 30-Second Fix: Lock Out the Lockout Timer
You're staring at 0x80280803 — the TPM is basically saying "I'm done playing, go sit in the corner for an hour." I've seen this happen after someone fat-fingered their BitLocker PIN five times in a row, or when a client's kid went ham on the keyboard during boot.
Here's the quickest trick: shut down the machine completely, not restart. Hold the power button for 10 seconds until it's dead. Wait 15 seconds, then boot normally. If the error disappears, you got lucky — the TPM just needed a full power cycle to reset its internal timer. Rarely works, but it costs you nothing.
If it comes back, move on.
The 5-Minute Moderate Fix: Reset the TPM Lockout Through Windows
This is the real fix 80% of the time. Windows 10/11 includes a tool to directly reset the TPM lockout timer without wiping your keys.
You need to be logged in with an admin account. If you can't get past the BitLocker screen, you'll have to skip to the advanced section.
- Press Win + R, type tpm.msc, hit Enter.
- In the right pane, click Reset TPM Lockout. If it's greyed out, your TPM isn't locked — that's a different error.
- Follow the prompts. The machine will restart and the timer resets.
But here's the catch: This only works if you can boot into Windows. If you're stuck at the BitLocker recovery screen with no keyboard input working, you need another approach.
Another trick: open Command Prompt as admin and run manage-bde -unlock C: -RecoveryPassword XXXX using your 48-digit recovery key. Had a client last month whose entire print queue died because of a locked TPM — this command saved his files without a full reset.
Once you're in Windows, immediately disable BitLocker, then re-enable it with a new PIN. Old PIN is toast.
The Advanced Fix (15+ Minutes): NVRAM Reset or TPM Clear
If the moderate fix didn't work, the TPM lockout timer is stuck. You have two choices, and neither is fun.
Option A: Clear the TPM from BIOS/UEFI
Reboot and enter BIOS (usually F2, Del, or F10 depending on your motherboard). Look for Security or TPM Configuration. You should see an option to Clear TPM or Reset TPM.
Warning: This wipes all TPM keys. Your BitLocker drive will need the recovery key to unlock. You'll lose any TPM-based certificates (Windows Hello, VPN certs, etc.). But it's the nuclear option that always works.
After clearing, boot into Windows, use your BitLocker recovery key, then re-enable BitLocker with a new PIN.
Option B: Use a PowerShell Script to Force Reset
If BIOS doesn't have a clear option (some cheap OEM boards hide it), boot into Windows Recovery Environment (WinRE) by pressing Shift + Restart from the login screen. Then:
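# Open Command Prompt in WinRE
# Force the BitLocker volume into recovery mode on the next restart (recovery key required)
manage-bde -forcerecovery C:
# Clear the TPM; this wipes all TPM keys (Clear-Tpm takes no -Force parameter)
powershell -Command "Clear-Tpm"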
Note: This Clear-Tpm cmdlet requires the TPM module to allow a physical presence reset (most modern hardware does). If it fails, you're stuck with Option A.
I've seen this on a Dell OptiPlex 7080 where the TPM lockout timer just wouldn't reset through normal means. The BIOS clear took 10 seconds after that.
Why This Happens (And How to Avoid It)
The TPM has a hardware counter that increments every time you enter a wrong PIN. After a threshold (usually 32 attempts, but varies by manufacturer), it locks for a fixed period — sometimes 1 hour, sometimes 24. 0x80280803 means that timer is still running.
Don't keep typing random PINs during the lockout — that resets the lockout timer. Let it sit for a few hours if you have no admin access. But if you're in a hurry, the fixes above work.
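A read-only pre-flight check for the lockout counter described above and for the recovery key that any TPM clear depends on. This is an added example, not part of the original article; the function name Get-TpmPreflight and the C: mount point are assumptions, and it has to run in an elevated PowerShell session inside Windows.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only. Nothing here changes TPM or BitLocker state.
function Get-TpmPreflight {
    param([string]$MountPoint = 'C:')   # assumed system volume

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Key protector types on the volume, e.g. TpmPin, RecoveryPassword
    $types = @($vol.KeyProtector |
        Where-Object { $_ } |
        ForEach-Object { [string]$_.KeyProtectorType })
    $hasRecovery = $types -contains 'RecoveryPassword'

    # Map the observed state to the fix tiers in this article
    $next = if (-not $tpm.TpmPresent) {
        'No TPM detected; this error path does not apply.'
    } elseif (-not $tpm.LockedOut) {
        'TPM is not locked out; Reset TPM Lockout will be greyed out.'
    } elseif (-not $hasRecovery) {
        'Locked out and no recovery password protector: do not clear the TPM yet.'
    } else {
        'Locked out, recovery password present: try Reset TPM Lockout before a clear.'
    }

    [pscustomobject]@{
        LockedOut           = $tpm.LockedOut
        LockoutCount        = $tpm.LockoutCount       # failed authorizations counted
        LockoutMax          = $tpm.LockoutMax         # threshold that triggers lockout
        LockoutHealTime     = $tpm.LockoutHealTime    # heal interval as reported by Get-Tpm
        OwnerClearDisabled  = $tpm.OwnerClearDisabled
        ProtectionStatus    = $vol.ProtectionStatus
        ProtectorTypes      = $types -join ', '
        HasRecoveryPassword = $hasRecovery
        NextStep            = $next
    }
}

Get-TpmPreflight | Format-List
```

If HasRecoveryPassword is False, back up or add a recovery password before using either clear option, since clearing removes the TPM-held key.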
From now on, write down your BitLocker PIN somewhere safe. I keep mine on a sticky note under my keyboard — but that's between us.