0X80280056

TPM_E_DAA_ISSUER_VALIDITY (0X80280056) – Fix in 10 Minutes

Windows Errors · Intermediate · May 27, 2026

This error pops up during TPM attestation or BitLocker setup when the issuer's certificate chain is inconsistent. We'll clear the TPM and reinitialize it.

When This Error Hits

You're setting up BitLocker on a Dell Latitude 5430 running Windows 11 23H2. Everything's fine until the TPM attestation step—bam, you get 0x80280056 (TPM_E_DAA_ISSUER_VALIDITY). Or maybe you're running a remote attestation through Windows Defender System Guard and it fails with the same code. I've seen this on HP EliteBooks and Lenovo ThinkPads too, usually after a BIOS update or when the TPM firmware got corrupted by a failed power event.

What's Actually Going On

The TPM (Trusted Platform Module) stores a set of certificates called DAA (Direct Anonymous Attestation) credentials. These are used to prove your system is trustworthy without revealing which specific machine it is. The error means the issuer's certificate chain—the link between your TPM's credential and the manufacturer's root certificate—has an inconsistency. This happens when:

  • The TPM firmware is outdated or got corrupted.
  • A BIOS or TPM firmware update left stale data.
  • The TPM's endorsement key (EK) or attestation identity key (AIK) is mismatched with the stored DAA issuer.

The real fix isn't digging through certificate stores—it's clearing the TPM and letting it regenerate everything fresh.

How to Fix It

You need to clear the TPM, then reinitialize it. This wipes all TPM keys and data—BitLocker, Windows Hello, and any virtual smart cards will need to be set up again. So if you're using BitLocker, have your recovery key handy.
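A read-only pre-flight check for the warning above, as an added example that is not part of the original page: it uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets to flag any volume that relies on a TPM key protector but has no recovery password, and lists the recovery protector ID so you can match it against the key you have saved. The function name Test-TpmClearReadiness is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page). Read-only: it changes nothing.
# Test-TpmClearReadiness is a hypothetical name chosen for this sketch.
function Test-TpmClearReadiness {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'Get-Tpm reports no TPM on this machine.' }

    # Any volume that is not fully decrypted may depend on a TPM-sealed key.
    $volumes = @(Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })

    $report = foreach ($vol in $volumes) {
        $tpmBound = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' })
        $recovery = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            ProtectionStatus    = "$($vol.ProtectionStatus)"
            UsesTpmProtector    = $tpmBound.Count -gt 0
            HasRecoveryPassword = $recovery.Count -gt 0
            # The ID only, never the 48-digit password: compare it with the ID on your saved key.
            RecoveryProtectorId = $recovery.KeyProtectorId -join ', '
        }
    }

    # Clearing is unsafe if a TPM-bound volume has no recovery password to fall back on.
    $blockers = @($report | Where-Object { $_.UsesTpmProtector -and -not $_.HasRecoveryPassword })

    [pscustomobject]@{
        SafeToClear        = $blockers.Count -eq 0
        BlockingVolumes    = $blockers.MountPoint
        TpmReady           = $tpm.TpmReady
        TpmOwned           = $tpm.TpmOwned
        LockedOut          = $tpm.LockedOut
        OwnerClearDisabled = $tpm.OwnerClearDisabled
        FirmwareVersion    = $tpm.ManufacturerVersion
        Volumes            = $report
    }
}

$result = Test-TpmClearReadiness
$result.Volumes | Format-Table -AutoSize
$result | Select-Object SafeToClear, BlockingVolumes, TpmReady, LockedOut, FirmwareVersion | Format-List
if (-not $result.SafeToClear) {
    Write-Warning 'Back up or add a recovery password before running Clear-Tpm.'
}
```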

Step 1: Clear the TPM

  1. Press Win + R, type tpm.msc, hit Enter.
  2. In the TPM Management console, look at the right panel. Click Clear TPM.
  3. Your PC will restart. You'll see a prompt during boot—press F12 (or the key your OEM specifies) to confirm the clear.
  4. The system reboots into Windows. TPM is now empty.

If that button is greyed out (some Lenovo systems lock it), you can do it via PowerShell:

Clear-Tpm

Reboot afterward.

Step 2: Reinitialize the TPM

After clearing, you need to let Windows reinitialize the TPM. This happens automatically on the next boot, but sometimes it gets stuck. Force it with:

  1. Open PowerShell as Administrator.
  2. Run Initialize-Tpm. This provisions the TPM with fresh EK and AIK keys.

You can verify with Get-Tpm. You want all properties to show True.

Step 3: Re-enroll TPM Attestation

If this error appeared during BitLocker setup or Windows Defender System Guard, you'll need to re-enroll the attestation identity:

  1. Open PowerShell as Administrator.
  2. Run Add-TpmAttestationIdentity. This generates a new AIK and registers it with Microsoft's attestation service.
  3. Restart your PC.

Now try your original operation again. For BitLocker, it should pass the TPM attestation check. For System Guard, run msinfo32 and check that "System Guard" shows "Enabled."

What to Check If It Still Fails

If the error persists, you're dealing with a deeper firmware issue. Here's my checklist:

  • Update your BIOS—go to your OEM's support page (Dell, HP, Lenovo) and flash the latest BIOS. Some old firmware versions introduced this bug.
  • Check TPM firmware version—in tpm.msc, look at "Specification version." If it's 1.2, your system is ancient and may need a hardware TPM upgrade. For 2.0, note the firmware revision (e.g., 7.2.1.0). Compare against your OEM's release notes.
  • Disable and re-enable TPM in BIOS—reboot into BIOS/UEFI, find the TPM setting (often under "Security" or "Trusted Computing"), disable it, save, reboot, then re-enable it. This forces a full reset.
  • Run hardware diagnostics—some OEMs include a TPM test in their built-in diagnostics (Dell's ePSA, HP's PC Hardware Diagnostics). Run it to rule out a dead TPM chip.

I've only seen one case where none of this worked: an HP ProBook that had its TPM physically damaged by a power surge. Had to replace the motherboard. But that's rare—90% of the time, the clear-and-reinitialize fix does it.
