TBS_E_PPI_NOT_SUPPORTED (0X8028400C) – PPI not supported on this hardware
Shows when TPM 2.0 provisioning fails because the system's firmware doesn't support the Physical Presence Interface. Common on older boards with TPM 2.0 modules.
When this error hits
You're setting up BitLocker on a Windows 11 machine, or you open tpm.msc and see "Compatible TPM cannot be found." Maybe you're running Initialize-Tpm in PowerShell and it spits back TBS_E_PPI_NOT_SUPPORTED (0X8028400C). This happens most often on older motherboards that got a TPM 2.0 module retrofitted — think Z170 or X99 boards with a discrete TPM header, or certain HP/Dell business desktops from 2016–2018 that shipped with a TPM 2.0 module but never got firmware updates to support the Physical Presence Interface (PPI).
What's actually happening
The TPM Base Services (TBS) layer in Windows talks to the TPM through the firmware's PPI. PPI is a standard that lets the OS tell the BIOS to clear or prepare the TPM without a physical button press. When the BIOS doesn't implement this interface — or implements it wrong — Windows can't take ownership of the TPM. The error code 0X8028400C is TBS saying "I tried to use PPI, but the hardware/firmware said no." The TPM itself is probably fine. The problem is the handshake.
The real fix is to bypass PPI and use the TPM's own provisioning methods directly. You can do this from the BIOS itself, or by telling Windows to skip PPI and just initialize the damn thing.
Fix it step by step
Step 1: Check if your BIOS has a TPM configuration menu
Reboot and mash Del (or F2, depending on your board). Look for a section called "Security," "Trusted Computing," or "TPM Configuration." If it's missing entirely, your firmware doesn't support TPM 2.0 at all — you'll need a newer board. But if it's there, look for a setting like "Physical Presence Interface" or "PPI Support." Set it to Enabled or Auto. Some BIOSes also have a "TPM State" — set that to Enabled and Active.
Step 2: Clear the TPM from the BIOS itself
Still in the BIOS, find the option to "Clear TPM" or "Factory Reset TPM." This bypasses PPI entirely because the BIOS does the clear directly. After clearing, save and exit. Boot into Windows, then open PowerShell as admin and run:
Get-TpmIf it shows TpmReady: True, you're done. If it still shows TBS_E_PPI_NOT_SUPPORTED, move on.
Step 3: Force provisioning via Group Policy (the real fix)
Open gpedit.msc (Pro/Enterprise only) or use the registry directly. Navigate to Computer Configuration → Administrative Templates → System → Trusted Platform Module Services. Double-click "Turn on TPM backup to Active Directory Domain Services" — that's a red herring. The key setting is "Configure the level of TPM owner authorization information available to the operating system". Set it to Enabled and choose "None" or "Defer" under owner auth. This tells Windows to stop asking PPI for permission and just use the TPM directly.
If you're on Windows Home, use the registry:
reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /fReboot.
Step 4: Run the TPM initialization again
After reboot, open PowerShell as admin and run:
Initialize-Tpm -AllowClear -AllowPhysicalPresenceThe -AllowPhysicalPresence flag tells Windows to attempt PPI but fall back to the direct method if PPI fails. Most of the time this works after Step 3. Check with Get-Tpm again.
Step 5: If it still fails — flash your BIOS
This is the nuclear option, but it's the only cure for boards where the firmware has a partial or broken PPI implementation. Check your motherboard vendor's support page for a BIOS update. For example, ASUS Z170 boards got PPI support in BIOS version 3805 or later. Flashing the latest BIOS often adds the missing ACPI methods Windows needs. After the flash, repeat Steps 1–4.
What to check if it still fails
- TPM driver version — Open Device Manager, look under "Security devices" for "Trusted Platform Module 2.0." Right-click, Update driver → Browse my computer → Let me pick → choose "Trusted Platform Module 2.0" if it's showing a generic driver. Sometimes the OEM driver handles PPI differently.
- Secure Boot state — TPM 2.0 provisioning gets weird if Secure Boot is off. Turn it on in BIOS under the Boot section.
- TPM module revision — Some early TPM 2.0 modules (Rev 1.0) don't fully implement PPI. You might need a Rev 1.2 or later module. Check the part number on the module itself — if it ends in
-1.0, consider swapping it. - Windows version — This error is more common on Windows 10 builds before 20H2. Update to the latest Windows 11 build via Windows Update.
If you've done all this and Get-Tpm still says TbsServiceEnabled: False, go to Services.msc, find "TPM Base Services," set startup type to Automatic, start it, then run Initialize-Tpm again. That service has to be running for any of this to work.
Was this solution helpful?