TPM_E_ENCRYPT_ERROR (0x80280020) Fix Guide
TPM_E_ENCRYPT_ERROR is the Windows TPM base-services HRESULT 0x80280020, defined in winerror.h as "The encryption process had a problem." It usually pops up when BitLocker, Windows Hello or another TPM-backed feature tries to seal a key. I've seen it on Dell and Lenovo machines mostly. The fix is almost always clearing the TPM or updating firmware.
Quick Fix (30 seconds) — Clear the TPM
The culprit here is almost always a corrupted TPM state, not a driver, so don't bother reinstalling drivers. Clearing the TPM discards the storage root key and everything sealed under it: the BitLocker TPM protector, Windows Hello keys, and any TPM-backed certificates or virtual smart cards. BitLocker's 48-digit recovery password is not stored in the TPM and still works afterwards, which is why you back it up first if encryption is active.
- Open the TPM Management Console: press Win + R, type tpm.msc and press Enter.
- In the right pane under "Actions", click "Clear TPM...". You'll need admin rights.
- Your machine will reboot. During the reboot the firmware shows a prompt asking you to confirm the clear (F12 on most machines, F2 on some Dells; the prompt names the key). That prompt is the physical-presence check that stops software from clearing a TPM without someone at the keyboard, so it cannot be skipped or scripted.
- Once back in Windows, check whether the error is gone. If BitLocker asks for recovery, enter the recovery password you backed up, then either resume protection (re-adding the TPM protector) or decrypt and re-encrypt the volume.
This fix works about 60% of the time. If you still see 0x80280020, move to the next step.
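The pre-flight that should run before the clear (and before any firmware or BIOS change later in this guide), as an added example that is not part of the original guide: it escrows every BitLocker recovery password, suspends BitLocker so the changed measurements don't trip recovery, and snapshots the TPM state for comparison. The backup path is an assumed removable drive; the BitLocker and TrustedPlatformModule modules ship with Windows 10/11 Pro, Enterprise and Education.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide. Pre-flight before clearing the TPM or
# flashing TPM/BIOS firmware: escrow every BitLocker recovery password, suspend
# BitLocker so new PCR values do not trigger recovery, and snapshot the TPM state.
# Assumption: $BackupDir is a drive you control that is NOT the encrypted OS volume
# (a USB stick here; the drive letter is an example value).

$BackupDir = 'E:\tpm-preflight'                       # assumed removable drive
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$KeyFile = Join-Path $BackupDir 'recovery-passwords.txt'

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing sealed here

    # Every protected volume needs a 48-digit recovery password. The TPM protector
    # dies with the clear; the recovery password is what gets you back in.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        "$($vol.MountPoint)`t$($p.KeyProtectorId)`t$($p.RecoveryPassword)" | Add-Content -Path $KeyFile
        # Domain-joined box: also escrow to AD (needs the BitLocker AD-backup GPO).
        # Workgroup box: this fails and the file copy above is what you have.
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
        } catch {
            Write-Warning "AD escrow skipped for $($vol.MountPoint): $($_.Exception.Message)"
        }
    }

    # RebootCount 0 keeps protection suspended until Resume-BitLocker is run explicitly.
    Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 0 | Out-Null
    Write-Host "$($vol.MountPoint): recovery password saved, protection suspended"
}

# Record the TPM identity and state so a post-clear comparison shows what changed.
Get-Tpm |
    Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned,
                  ManufacturerIdTxt, ManufacturerVersion, ManufacturerVersionFull20 |
    Format-List | Out-File -FilePath (Join-Path $BackupDir 'tpm-before.txt')

# When the machine is back and the error is gone:
#   Resume-BitLocker -MountPoint C:
# and, if the clear dropped the TPM protector, re-add it with
#   Add-BitLockerKeyProtector -MountPoint C: -TpmProtector
```

The recovery-passwords file is the same secret as the BitLocker protector it replaces, so it belongs on media you keep with you, not on the machine being cleared; delete it once the keys are confirmed in AD, Entra ID or your Microsoft account. Clear-Tpm does from PowerShell what the "Clear TPM..." action in tpm.msc does, and it still lands on the same firmware confirmation prompt at the next boot.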
Moderate Fix (5 minutes) — Update TPM Firmware
I've seen this error on older TPM 2.0 firmware versions — specifically on Dell Optiplex 3070 and Lenovo ThinkCentre M720 systems. The TPM gets stuck in a state that clearing alone won't fix; a firmware update usually resolves it.
- Check your motherboard or laptop manufacturer's support site. For Dell, go to Dell Support and search by service tag. For Lenovo, use their Think support portal.
- Look for "TPM Firmware Update" or "Intel Management Engine Firmware". On machines that use Intel PTT (the firmware TPM that runs inside the Management Engine) the TPM update ships as part of the ME firmware package; discrete TPM chips have their own updater from the chip vendor.
- Before flashing, back up your BitLocker recovery key and suspend BitLocker. Firmware updates can change the measurements the TPM protector is bound to, and an unsuspended volume will ask for recovery on the next boot.
- Download and run the installer on AC power. It walks you through a reboot cycle. Don't interrupt power during this; an interrupted flash can brick the TPM.
- After the update, open tpm.msc again and confirm it shows "The TPM is ready for use".
The TPM driver that Windows Update installs is Microsoft's generic class driver and doesn't touch the chip's firmware, so skip it. This update alone knocks out 80% of remaining cases.
Advanced Fix (15+ minutes) — Secure Boot and BIOS Reset
If you're still stuck, the remaining suspects are Secure Boot (BitLocker's default binding to PCR 7 depends on it being on) and a stale or corrupted UEFI variable. I've seen this on machines where someone accidentally disabled secure boot or flashed a custom BIOS.
- Back up the BitLocker recovery key and suspend BitLocker first: changing the Secure Boot state changes PCR 7, and the volume will demand recovery otherwise.
- Reboot and enter BIOS/UEFI (usually F2 or Del on boot).
- Find the Secure Boot option, often under "Security" or "Boot". Enable it if it's off and use the "Standard" key set; custom key loading is for enrolling your own keys and isn't needed here.
- Look for "TPM State", "TPM Security" or "TPM Availability" and make sure the TPM is enabled. If the firmware offers a choice between a discrete TPM and a firmware TPM (Intel PTT or AMD fTPM), keep whichever the machine was provisioned with: switching changes the TPM's identity and invalidates every key sealed to the old one.
- Save and exit. Boot into Windows, then run this in an admin PowerShell to verify:
Confirm-SecureBootUEFI
Get-Tpm
The first command should return True (it throws an error rather than returning False on a legacy BIOS boot). The second should show TpmPresent : True and TpmReady : True with no errors. If the TPM is present but not ready, provision it with:
Initialize-Tpm -AllowClear -AllowPhysicalPresence
-AllowClear lets Windows clear the TPM if provisioning needs it, and -AllowPhysicalPresence lets it queue the firmware confirmation. If a clear was needed you'll get the physical-presence prompt again on reboot; press the key it names (F12 on most machines) to confirm.
Still failing? Check Event Viewer
Open Event Viewer and go to Applications and Services Logs > Microsoft > Windows > TPM-Provisioning > Operational. Look for events with ID 5 or 6; they carry the exact reason code. Often it's a driver conflict with the Intel Management Engine interface (MEI). If that's the case, download the latest Intel MEI driver from your OEM rather than Intel's generic one. Uninstall the old one in Device Manager (under System Devices), reboot, and install the new one. Then try clearing the TPM again.
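The verification and log check from the last two sections, collected into one elevated PowerShell script as an added example that is not part of the original guide. It reads Secure Boot and TPM state, refuses to re-provision a TPM that is locked out or waiting on a reboot (both cases where another clear only makes things worse), and pulls the last week of TPM-WMI events from the System log, which is where Windows records provisioning and clear outcomes. The result fields checked on Initialize-Tpm (RestartRequired, PhysicalPresenceRequired) are assumed from that cmdlet's documented output.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide. Post-fix verification: Secure Boot and
# TPM state, a guarded re-provision, and the TPM-WMI events from the System log.
# Assumption: Initialize-Tpm returns an object with RestartRequired and
# PhysicalPresenceRequired fields, as documented for that cmdlet.

# Secure Boot: the cmdlet throws rather than returning $false on a legacy-BIOS boot.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = $null; Write-Warning "Secure Boot not queryable: $($_.Exception.Message)" }

$tpm = Get-Tpm
[pscustomobject]@{
    SecureBoot     = $secureBoot
    TpmPresent     = $tpm.TpmPresent
    TpmReady       = $tpm.TpmReady
    TpmEnabled     = $tpm.TpmEnabled
    TpmActivated   = $tpm.TpmActivated
    TpmOwned       = $tpm.TpmOwned
    LockedOut      = $tpm.LockedOut
    RestartPending = $tpm.RestartPending
} | Format-List

if (-not $tpm.TpmPresent) {
    Write-Warning 'No TPM visible to Windows: fix the BIOS TPM setting before anything else.'
}
elseif ($tpm.RestartPending) {
    Write-Warning 'A TPM state change is waiting on a reboot. Reboot first; do not clear again.'
}
elseif ($tpm.LockedOut) {
    # Anti-hammering lockout: more auth attempts extend it. Wait it out, or clear
    # with physical presence at the firmware prompt.
    Write-Warning "TPM in dictionary-attack lockout ($($tpm.LockoutCount)/$($tpm.LockoutMax)), heal time $($tpm.LockoutHealTime)."
}
elseif (-not $tpm.TpmReady) {
    # Present but not provisioned. AllowClear permits a clear only if provisioning
    # needs one, and that clear still has to be confirmed at the physical-presence
    # prompt on the next boot; there is no way to bypass it from the OS.
    $r = Initialize-Tpm -AllowClear -AllowPhysicalPresence
    $r | Format-List
    if ($r.PhysicalPresenceRequired -or $r.RestartRequired) {
        Write-Host 'Reboot and accept the physical-presence prompt to finish provisioning.'
    }
}
else {
    Write-Host 'TPM is ready for use.'
}

# TPM-WMI events in the System log carry the provisioning/clear results and error codes.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Read the lockout branch before reaching for another clear: a TPM 2.0 in dictionary-attack lockout rejects authorized commands until the heal time passes, and the symptom looks like a generic failure rather than a lockout unless you check LockedOut explicitly.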
When to give up and replace hardware
If none of this works after a clean install of Windows, the TPM chip might be physically failing. This is rare, maybe 1 in 100 cases, but it happens. On desktops you can swap the TPM module if it's socketed (common on business Dells and HPs); on laptops the chip is soldered, so it's time to RMA the board or the whole machine. A replacement module is a new TPM with a new identity: BitLocker protectors, Windows Hello, and any attestation or device-health enrolment tied to the old chip have to be set up again.
Quick note for BitLocker users: back up your recovery key before any TPM clear, firmware flash or Secure Boot change, or you'll be locked out. Personal devices: https://account.microsoft.com/devices/recoverykey. Work devices: the Entra ID (Azure AD) device record or the computer object in on-prem AD, depending on where your organisation escrows keys.