0X8028000B

TPM_E_INSTALL_DISABLED (0X8028000B) fix for Windows 10/11

Windows Errors · Intermediate · Jun 7, 2026

This error pops up when trying to take ownership of a TPM that's set to disabled or blocked by a local policy. Real pain when enabling BitLocker.

You're sitting there, trying to set up BitLocker or maybe configure TPM for Windows Hello, and you get slapped with error 0X8028000B. The exact message reads: TPM_E_INSTALL_DISABLED - The ability to install an owner is disabled. This happens most often on Windows 10 and 11 machines that either came with TPM 2.0 pre-disabled or had their TPM settings reset by a BIOS update. I've also seen it on systems where a domain policy or local security policy blocked TPM ownership without telling anyone.

The root cause is simple: Windows can't take ownership of the TPM chip because someone—either the BIOS, a group policy, or a previous failed attempt—has locked down the TPM's owner authorization. Think of it like being told you can't have the keys to a car because the dealer hasn't set them up yet. The TPM itself is physically there, but its owner install function has been turned off at the hardware or software level.

What you need to check first

Before diving into fixes, open the TPM Management console. Press Win + R, type tpm.msc, hit Enter. If you see Compatible TPM cannot be found, you've got a hardware issue—skip to the BIOS section. If you see the TPM listed but with status Not owned or Disabled, you're in the right place.

Fix 1: Check the Local Group Policy (most common)

  1. Press Win + R, type gpedit.msc, press Enter. (If you're on Windows 10 Home or 11 Home, you might need to install it manually.)
  2. Go to Computer Configuration > Administrative Templates > System > Trusted Platform Module Services.
  3. Double-click Turn on TPM backup to Active Directory Domain Services. Make sure it's set to Not Configured or Disabled. If it's Enabled, you'll need to configure it, but that's rare.
  4. Check Configure the level of TPM owner authorization information available to the operating system. Set that to Not Configured as well.
  5. Close Group Policy Editor. Now open Command Prompt as administrator and run gpupdate /force. Wait for it to complete—you'll see a success message.

After this, try taking TPM ownership again. Go back to tpm.msc, click Prepare the TPM on the right panel. If it works, you're golden. If not, move on.

Fix 2: Clear the TPM from the BIOS or UEFI

Sometimes the TPM gets into a bad state after a previous failed ownership attempt. Clearing it from the firmware is the nuclear option. Note: this will wipe any TPM-sealed data (like saved encryption keys). If you're on a company-managed device, check with IT first.

  1. Restart your computer. As soon as the screen lights up, smash the key for entering BIOS setup—usually F2, F10, Del, or Esc. On some Lenovos it's F1. Look briefly at the screen for a message like "Press F2 to enter Setup".
  2. Once in BIOS, find the Security tab or Advanced tab. Look for TPM, Trusted Platform Module, Intel Platform Trust Technology (IPTT), or AMD Platform Security Processor.
  3. There should be an option to Clear, Reset, or Set to defaults. Select that. If you see TPM State set to Disabled, change it to Enabled first, then save and restart, then go back and clear it.
  4. After clearing, save the changes and exit. The system will likely restart twice. Wait for it to fully boot into Windows.
  5. Open tpm.msc again. The status should now show Not owned and the TPM version. Click Prepare the TPM.

I've seen this fix work on Dell OptiPlex 7080s and Lenovo ThinkPad T14s after a failed BitLocker setup. Takes about 3 minutes.

Fix 3: Use PowerShell to force provisioning

If the GUI methods fail, let's go command line. This is my go-to for stubborn systems.

  1. Right-click the Start button and select Windows PowerShell (Admin) or Terminal (Admin).
  2. Run Get-Tpm. Look at the output. If TpmReady is False and TpmEnabled is False, the TPM is disabled in firmware. Go back to Fix 2.
  3. If OwnerInstallationAllowed is False, run:
    Enable-TpmAutoProvisioning
    This tells Windows to set up TPM ownership automatically.
  4. Then run:
    Initialize-Tpm
    You'll get a prompt. Type Y to confirm. Watch the output—it should say Success after a few seconds.
  5. Close PowerShell and open tpm.msc to verify. You should see Status: The TPM is ready for use.
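
Before changing anything, it helps to see in one pass which of the three fixes applies. The script below is an added example, not part of the original article; it only reads state. It assumes an elevated PowerShell session with the built-in TrustedPlatformModule and BitLocker modules, and the order in which it maps results to Fix 1, 2 and 3 is this example's own choice.

```powershell
#Requires -RunAsAdministrator
# Read-only triage for 0x8028000B: reports state, changes nothing.
$tpm = Get-Tpm

# Registry values behind the two Fix 1 policies (value names as defined in TPM.admx).
# A missing value means the policy is Not Configured.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue

# Volumes with a TPM-based BitLocker protector (Tpm, TpmPin, ...). Clearing the
# TPM (Fix 2) invalidates these, so a recovery password must exist beforehand.
$tpmVolumes = @(Get-BitLockerVolume -ErrorAction SilentlyContinue | Where-Object {
    $_.KeyProtector.KeyProtectorType -match '^Tpm' })

[pscustomobject]@{
    TpmPresent            = $tpm.TpmPresent
    TpmEnabled            = $tpm.TpmEnabled
    TpmReady              = $tpm.TpmReady
    TpmOwned              = $tpm.TpmOwned
    AutoProvisioning      = "$($tpm.AutoProvisioning)"
    LockedOut             = $tpm.LockedOut
    OSManagedAuthLevel    = $policy.OSManagedAuthLevel      # empty = Not Configured
    ActiveDirectoryBackup = $policy.ActiveDirectoryBackup   # empty = Not Configured
    TpmProtectedVolumes   = ($tpmVolumes.MountPoint -join ', ')
} | Format-List

# Map the observed state to the fix sections of this page.
$next = if (-not $tpm.TpmPresent -or -not $tpm.TpmEnabled) {
    'TPM absent or disabled in firmware: check the BIOS/UEFI settings (Fix 2).'
} elseif ($null -ne $policy.OSManagedAuthLevel -or $policy.ActiveDirectoryBackup -eq 1) {
    'A TPM policy is configured: review it in gpedit.msc or rsop.msc (Fix 1).'
} elseif ("$($tpm.AutoProvisioning)" -ne 'Enabled') {
    'Auto-provisioning is off: Enable-TpmAutoProvisioning, then Initialize-Tpm (Fix 3).'
} elseif (-not $tpm.TpmReady) {
    'TPM is enabled but not ready: run Initialize-Tpm (Fix 3).'
} else {
    'TPM is ready for use.'
}
$next

if ($tpmVolumes.Count -gt 0) {
    Write-Warning ("BitLocker volumes with TPM protectors: {0}. Confirm a recovery password is backed up before clearing the TPM." -f
        ($tpmVolumes.MountPoint -join ', '))
}
```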

If it still fails

Check your BIOS for a setting called TPM Device Select or TPM Presence. On some HP ProBooks, you have to change it from Discrete TPM to Firmware TPM or vice versa. On Asus boards, look for fTPM under Advanced > CPU Configuration. A wrong setting can cause the exact 0X8028000B error.

Also, if you're on a corporate network, group policy might be pushed from a domain controller. Run rsop.msc to see what policies are actually applied. If the TPM policy says Disabled, you'll need to talk to your admin.

One more thing: if you recently upgraded from Windows 10 to 11, and the TPM was set up under the old OS, sometimes the ownership gets corrupted. In that case, clearing the TPM from BIOS (Fix 2) and starting fresh almost always fixes it.
