
Fix TPM_E_DELEGATE_LOCK (0X8028004B) – Delegate Admin Locked

Windows Errors | Intermediate | May 28, 2026

Your TPM's delegate admin is locked — usually from failed PIN attempts or bad BIOS settings. Start with a quick clear, then check the TPM driver.

What’s Going On?

You hit TPM_E_DELEGATE_LOCK (0X8028004B), and Windows is telling you the TPM’s delegate administration is locked. This usually happens after a few wrong TPM PIN entries (like with BitLocker), or sometimes after a BIOS update or motherboard swap. The TPM locks itself to prevent brute-force attacks. Annoying, but fixable.

I’ve seen this on Dell Optiplex 7080s, Lenovo ThinkPads, and a bunch of custom builds. The culprit here is almost always a locked TPM state that needs a clear. Don’t bother with random registry tweaks — they rarely help.

30-Second Fix: Clear the TPM via Windows

This is the first thing you try. It works in maybe 70% of cases.

  1. Open Settings > Update & Security > Windows Security > Device Security.
  2. Click Security Processor Details (under Security Processor).
  3. Click Security Processor Troubleshooting.
  4. Click Clear TPM.

You’ll get a warning about losing BitLocker keys or other TPM-protected data. If you’re using BitLocker, suspend BitLocker first or have your recovery key handy. After the clear, reboot. The lock should be gone.

If you can’t get into Windows (maybe the error blocks login), skip to the next fix.

5-Minute Fix: Clear TPM from BIOS or PowerShell

Still locked? Hit the BIOS or use a command line.

Option A: BIOS Clear

  1. Restart and mash the key to enter BIOS (usually F2, Del, or F10 depending on the system).
  2. Find the TPM or Security section. On a Dell, it’s under Security > TPM 2.0 Security. On Lenovo, it’s Security > Security Chip.
  3. Look for an option like Clear TPM, Reset TPM, or Factory Reset TPM. Enable it, save, and exit.
  4. The system will reboot and clear the TPM. This might require pressing F12 or another key at the next boot to confirm.

I’ve done this on HP EliteBooks where you have to Reset TPM from OS in the BIOS — same idea. If the option’s grayed out, you might need to disable TPM, save, re-enable it, and then clear. Bit of a dance, but it works.

Option B: PowerShell (if you can get to an admin prompt)

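# Suspend BitLocker first if needed (the volume stays encrypted; only the protectors are disabled)
Manage-bde -protectors -disable C:

# Clear the TPM with the built-in TrustedPlatformModule cmdlet
Clear-Tpm

# Reboot so the clear takes effect
Restart-Computer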

Run this from an elevated PowerShell. The TPM clears on reboot. Re-enable BitLocker after with Manage-bde -protectors -enable C:.
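Before clearing, it is worth confirming that every TPM-bound BitLocker volume also has a recovery password, since the clear destroys the TPM-held keys. The script below is an added example, not part of the original article; it uses the built-in Get-Tpm, Get-BitLockerVolume, Suspend-BitLocker and Clear-Tpm cmdlets, and the -Clear switch and the C: default are assumptions made for the example.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check before clearing the TPM.
param(
    [string]$MountPoint = 'C:',   # assumption: the OS volume, as in the commands above
    [switch]$Clear                # hypothetical switch: without it the script only reports
)

# 1. Record the TPM state so there is a before/after record of the lockout.
$tpm = Get-Tpm
$tpm | Format-List TpmPresent, TpmReady, TpmOwned, LockedOut,
                   LockoutCount, LockoutMax, LockoutHealTime, RestartPending

if (-not $tpm.TpmPresent) {
    throw 'No TPM is visible to Windows; check the BIOS TPM settings first.'
}

# 2. Find every BitLocker volume whose key protectors depend on the TPM
#    (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey).
$atRisk = Get-BitLockerVolume | Where-Object {
    $_.KeyProtector.KeyProtectorType -match '^Tpm'
}

foreach ($vol in $atRisk) {
    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        throw "$($vol.MountPoint) has a TPM protector but no recovery password; add one before clearing."
    }
    # Print only the protector ID so it can be matched against the escrowed
    # key; the recovery password itself is never written to the console.
    '{0}: recovery protector {1}' -f $vol.MountPoint, ($recovery.KeyProtectorId -join ', ')
}

if (-not $Clear) {
    'Report only. Re-run with -Clear to suspend BitLocker and clear the TPM.'
    return
}

# 3. Suspend protection on the OS volume until it is resumed by hand
#    (-RebootCount 0), then request the TPM clear.
$os = Get-BitLockerVolume -MountPoint $MountPoint
if ($os.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
}
Clear-Tpm | Out-Null
'TPM clear requested. Reboot, confirm any firmware prompt, then run Resume-BitLocker.'
```

While protection is suspended the volume key sits unprotected on disk, so resume BitLocker as soon as the reboot completes and Get-Tpm reports TpmReady.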

15+ Minute Fix: Update TPM Driver or Check BIOS Settings

If the clear doesn’t stick, or the error comes back, you’ve got a deeper issue. Here’s the drill.

Update the TPM Driver

Windows might be using a generic driver that doesn’t handle delegate states right. Go to Device Manager > Security Devices > right-click Trusted Platform Module 2.0 > Update driver > Browse my computer > Let me pick > choose Trusted Platform Module 2.0 (Microsoft-provided) if it isn’t already selected. If you see a vendor-specific driver (like from Infineon or STMicro), try switching to the Microsoft one, or vice versa. I’ve seen Dell’s driver cause lockouts on XPS 13s — swapping to Microsoft’s fixed it.

Check BIOS TPM Settings

Some BIOS settings can trigger this lock. Go into BIOS and look for:

  • TPM Device: Should be TPM 2.0. Not firmware TPM unless you know what you’re doing.
  • TPM State: Should be Enabled. Disabled means the TPM isn’t accessible.
  • Delegation or Admin Delegation: Some BIOSes have a setting for this. Set it to Enabled or Auto.
  • Physical Presence Interface: Should be Enabled. Without it, the OS can’t clear the TPM.

On some Lenovo systems, there’s a Security Chip setting with Active, Inactive, and Disabled. Set it to Active. If you’ve been tinkering with TPM provisioning in Group Policy, check Computer Configuration > Administrative Templates > System > Trusted Platform Module Services — make sure Turn on TPM backup to Active Directory Domain Services isn’t interfering.

Last Resort: Reset the TPM from the OS with Recovery

If the BIOS clear and driver update didn’t work, boot into Windows Recovery Environment (WinRE). From the sign-in screen, hold Shift and click Restart. Go to Troubleshoot > Advanced options > Command Prompt. Run:

tpmtool clear -force

Then reboot. This bypasses any lock state the OS might be holding onto. I’ve used this on systems that wouldn’t clear from within Windows — it’s a solid workaround.

When to Replace the TPM (or the Board)

If none of these work, the TPM module itself might be physically failing. On desktops with a separate TPM module (like a TPM 2.0 module on a motherboard header), you can reseat it or swap it. On laptops where the TPM is on the CPU (Intel PTT or AMD fTPM), it’s a motherboard issue. I’ve replaced two TPM modules on Dell Precision towers because of permanent lockout — the module’s firmware had a bug that wouldn’t clear. Uncommon, but it happens.

Quick note: If you’re running Windows 10 version 1809 or older, there’s a known bug that can cause delegate lock on reboot. Update to at least 1903. I’ve seen it on a client’s Surface Pro 4 — one update and the problem never came back.

You should be good now. Try the 30-second fix first — you’ll be surprised how often it works.
