TPM_E_BADINDEX (0X80280002) - PCR index error fix

You just updated your BIOS, and now this

You boot up, and instead of the usual Windows login screen, you get hit with TPM_E_BADINDEX (0X80280002) — "The index to a Platform Configuration Register (PCR), DIR, or other register is incorrect." Maybe BitLocker throws it, or your system refuses to start. Had a client last month who upgraded his Dell Precision's firmware from version 1.8 to 2.1. Next boot? Black screen with that error. The real trigger is almost always a BIOS update, a TPM firmware flash, or a motherboard swap. The TPM has memory slots called PCRs that store hashes of your boot components. When the BIOS changes, those stored hashes don't match what Windows expects. The index is wrong.

Why the TPM loses track of PCRs

Think of PCRs as numbered buckets. Bucket 0 holds the BIOS hash, bucket 2 holds the bootloader hash, and so on. After a firmware update, the BIOS might reorganize those buckets — bucket 0 becomes bucket 3, or the system expects a PCR that no longer exists. The TPM chip itself is fine, but the mapping between your boot chain and the stored hashes is corrupted. That's 0X80280002. It's not a hardware failure, it's a logical mismatch. Don't waste time scanning for malware or reinstalling drivers. The fix is clear: reset the TPM and let Windows rebuild the PCRs.

The quick fix: clear the TPM

Before you start, backup anything encrypted with BitLocker. You'll lose the keys. Yes, it's a pain, but it's the only reliable way.

1. Boot into UEFI/BIOS settings. Usually spam F2, F10, Del during startup. Look for "Security" or "TPM" section. My client's Dell had it under "Security > TPM 2.0 Security".
2. Disable the TPM. Set it to "Disabled" or "Hidden". Save and exit. Let the system boot fully into Windows (or whatever OS is left).
3. Shut down completely. Not restart — full shutdown. A restart doesn't clear the TPM cache.
4. Boot back into BIOS and re-enable TPM. Set it back to "Enabled" or "Available". Save and exit.
5. Enter the OS. Windows 10/11 should detect the hardware change and prompt you to initialize the TPM. Accept it. It'll clear the old PCRs and create fresh ones.
6. Re-enable BitLocker on your drives if you use it. Use manage-bde -on C: in an admin Command Prompt, or the GUI.

If your system won't even let you into BIOS, you're stuck. You'll need to remove the CMOS battery (or short the clear CMOS jumper) to force the motherboard back to defaults. That resets the TPM too. I've done that on a Lenovo ThinkPad — popped the battery, waited 10 minutes, and it booted clean.

Alternative: use PowerShell to clear TPM

If you can get into Windows but the error pops up during boot or in Event Viewer, try this from an elevated PowerShell:

Clear-Tpm

You'll get a prompt asking for confirmation. This does the same as the BIOS method — wipes all owner authorization and PCR values. You'll need to reboot and let Windows reinitialize. I've seen this work on a Surface Pro 7 that refused to load BitLocker after a firmware update. Saved a reinstall.

Still failing? Check these things

If the error persists after clearing the TPM, you've got a deeper issue:

• Check the TPM firmware version. Use Get-Tpm -Supported in PowerShell. If it's an old 1.2 version on a system that needs 2.0, you might need a manufacturer update. HP had a batch of EliteBooks with TPM 1.2 that threw this error with Windows 11 — had to flash to 2.0.
• Look for corrupted boot files. Boot from a Windows install USB and run sfc /scannow and bootrec /fixboot. Rare, but a buddy's custom PC had a bad boot sector that mimicked a TPM error.
• Replace the motherboard or TPM module. If the chip is fried (clicking sounds, physical damage), no software fix will work. That's a hardware swap.

I've fixed this error a dozen times. Nine times out of ten, it's the BIOS update issue. The clear TPM dance is your best bet. Don't panic. Your data is safe as long as you have recovery keys. And always make a backup before poking the TPM.