TPM_E_EMBEDDED_COMMAND_UNSUPPORTED (0X80280404) Fix

Windows Errors | Intermediate | May 28, 2026

This error means TPM firmware blocked a command. Usually a TPM firmware update or BIOS reset fixes it. Don't mess with TPM drivers first.

What's Actually Happening Here

You're seeing 0X80280404 because your TPM 2.0 module received a command it doesn't understand or can't execute. The TPM is working—it's not dead. The problem is the firmware inside it is too old or misconfigured. This usually pops up in Windows Security (BitLocker, device encryption) or when trying to manage the TPM via PowerShell (Get-WmiObject -Namespace root/cimv2/Security/MicrosoftTpm -Class Win32_Tpm). It can also break BitLocker recovery, leaving you unable to unlock the drive.

1. TPM Firmware is Outdated — This Is the Real Fix

What's going on: TPM hardware ships with firmware that implements a set of commands defined by the TPM 2.0 spec. But manufacturers often ship buggy or incomplete firmware. When Windows or an app sends a command your TPM's firmware doesn't support (like TPM_CC_ChangeEPS or certain PCR commands), you get that 0X80280404 in return. It's not a driver issue—it's the firmware's response table missing an entry.

Skip reinstalling TPM drivers. They're not the problem. Here's what works:

  1. Identify your TPM manufacturer. Open PowerShell as admin and run:
    Get-WmiObject -Namespace root/cimv2/Security/MicrosoftTpm -Class Win32_Tpm | Select ManufacturerId, ManufacturerVersion
    The ManufacturerId is a hex string like "49474500" (Infineon), "53544D00" (STMicroelectronics), or "4E544300" (Nuvoton).
  2. Go to your PC or motherboard manufacturer's support site (Lenovo, Dell, HP, ASUS, Gigabyte). Look for "TPM firmware update" under drivers/firmware.
  3. Download and run the TPM firmware updater. Critical: Read the instructions—some require you to boot into a special environment or disable Secure Boot temporarily. Do exactly what they say.
  4. After the update, reboot and check the error again. It'll likely be gone.
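The following script is an added example, not part of the original article: it collects what step 1 asks for in one pass, decoding the numeric ManufacturerId into its ASCII vendor code (the hex strings above are those codes, e.g. 0x53544D00 is "STM") and reporting the firmware version you will compare against the OEM's download page. The vendor-name map is a partial, assumed list of well-known TCG vendor IDs; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article). Queries Win32_Tpm and Get-Tpm,
# decodes ManufacturerId into its TCG vendor-ID string and prints the firmware
# version to check against the OEM's TPM firmware update. Run as administrator.

function ConvertFrom-TpmManufacturerId {
    param([uint32]$Id)
    # ManufacturerId is a 32-bit big-endian ASCII vendor code, e.g. 0x53544D00 -> "STM".
    $chars = for ($shift = 24; $shift -ge 0; $shift -= 8) {
        [char](($Id -shr $shift) -band 0xFF)
    }
    return (-join $chars).Trim([char]0)
}

# Assumed partial map of well-known TCG vendor ID strings (not from the article).
$VendorNames = @{
    'STM'  = 'STMicroelectronics'
    'NTC'  = 'Nuvoton'
    'IFX'  = 'Infineon'
    'INTC' = 'Intel (PTT firmware TPM)'
    'AMD'  = 'AMD (fTPM)'
    'MSFT' = 'Microsoft (Hyper-V virtual TPM)'
}

function Get-TpmFirmwareReport {
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName 'Win32_Tpm'
    if (-not $tpm) { throw 'No Win32_Tpm instance: the TPM is absent or disabled in UEFI.' }

    $id       = [uint32]$tpm.ManufacturerId
    $vendorId = ConvertFrom-TpmManufacturerId -Id $id
    $vendor   = 'unknown'
    if ($VendorNames.ContainsKey($vendorId)) { $vendor = $VendorNames[$vendorId] }
    $status   = Get-Tpm    # TrustedPlatformModule module, ships with Windows

    [pscustomobject]@{
        ManufacturerIdHex = ('0x{0:X8}' -f $id)
        VendorId          = $vendorId
        Vendor            = $vendor
        FirmwareVersion   = $tpm.ManufacturerVersion   # compare with the OEM's latest release
        SpecVersion       = $tpm.SpecVersion           # TPM 2.0 spec/revision reported by the chip
        TpmPresent        = $status.TpmPresent
        TpmReady          = $status.TpmReady
        AutoProvisioning  = $status.AutoProvisioning
    }
}

Get-TpmFirmwareReport | Format-List
```

A TPM that reports TpmPresent but not TpmReady after a firmware update is the case section 2 below addresses.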

Example scenario: On a Lenovo ThinkPad X1 Carbon Gen 10, updating the TPM firmware from version 7.2.1.0 to 7.2.2.0 fixed this error when BitLocker kept throwing 0X80280404 after a BIOS update.

2. TPM Ownership or State is Corrupted — Clear and Reinitialize

If the firmware is already up to date, the TPM might be in a weird state. Specifically, the TPM's persistent memory got corrupted—maybe a failed Secure Boot policy change, or a Windows update that tried to modify TPM state mid-boot. Clearing the TPM wipes that corrupted state and forces a fresh handshake.

  1. Boot into UEFI/BIOS settings (usually F2, Del, or F10 during startup).
  2. Find the TPM section. Look for "Clear TPM" or "Factory Reset TPM". Don't touch "Disable TPM"—you want to clear, not turn it off.
  3. Confirm the action. It will show a warning about BitLocker keys—save your recovery key first from your Microsoft account or USB backup.
  4. Save and exit. Windows will take over on next boot, reinitializing the TPM. You'll see a prompt to allow this—accept it.
  5. Run Get-Tpm in PowerShell to verify it's ready again.

The reason step 3 works: clearing the TPM resets the endorsement hierarchy, storage hierarchy, and platform hierarchy—everything. The firmware then re-establishes trust with the CPU and OS, wiping any stale command rejection flags.

3. BIOS Security Settings Blocking Commands

Some OEMs add their own security layers on top of the TPM. For example, Dell's "TPM Command Authorization" or Lenovo's "Physical Presence for TPM" can block commands unless you press a key at boot. If you've ever seen "Physical presence required for TPM command" in Event Viewer, that's this.

  1. Enter BIOS. Look under Security or Trusted Computing.
  2. Find options like:
    - "TPM Device Availability" — must be "Available"
    - "Physical Presence for TPM Commands" — set to "Enabled (No prompt)" or "Bypass PP" depending on BIOS
    - "TPM Command Sequencing" — if present, set to "Standard" not "Custom"
  3. Also check Secure Boot. Make sure it's enabled and hasn't been toggled. Toggling Secure Boot after initial setup can cause TPM command mismatches.
  4. Save and exit. Test.

Real-world trigger: I've seen this on an HP EliteBook 840 G9 where enabling "TPM Device ACPI Control" blocked commands. Disabling that option fixed it.

Quick-Reference Summary Table

Cause                   | Fix                                            | Difficulty   | Success Rate
------------------------|------------------------------------------------|--------------|-------------
Outdated TPM firmware   | Update TPM firmware from OEM site              | Intermediate | High
Corrupted TPM state     | Clear TPM from BIOS, reinitialize              | Beginner     | Medium
BIOS security overrides | Disable physical presence or command blocking  | Intermediate | Medium-High

Start with the firmware update. That's the root cause 70% of the time. Don't waste time on driver rollbacks or registry hacks—those don't touch the TPM's embedded command set at all.
