TPM_E_INVALID_KEYHANDLE (0X8028000C) Fix on Windows 11/10
This TPM error usually strikes after a BIOS update or TPM firmware change. The fix is to clear the TPM and reinitialize it from Windows or firmware.
Quick Answer
Clear the TPM from Windows Security (tpm.msc) or your BIOS/UEFI firmware, then reinitialize it via the TPM MMC snap-in or Group Policy.
Why This Error Happens
This error tripped me up the first time too. It usually appears after you've updated your motherboard's UEFI firmware, swapped the CPU, or applied a TPM firmware patch. Windows holds a key handle in the TPM's protected storage, but when the TPM's internal state changes (e.g., PCRs reset, or the endorsement key gets invalidated), that handle becomes garbage. The TPM literally says “I can't interpret this handle” because it no longer matches anything in its volatile memory. I've seen it most often on Dell OptiPlex 7080s and Lenovo ThinkPads after a BIOS update that resets the TPM to factory defaults. If you're running BitLocker, you'll also need your recovery key handy — without it, you're locked out.
The Fix: Clear and Reinitialize the TPM
This is the only reliable fix I've found across hundreds of tickets. Don't bother with driver reinstalls or registry hacks — they won't touch the TPM's internal state.
Step 1: Boot into Windows (if you can)
If you can still log in, open the TPM Management console: press Win + R, type tpm.msc, hit Enter. If you see “Compatible TPM cannot be found” or the status says “The TPM is ready for use” but the error persists, skip straight to Step 2.
Step 2: Clear the TPM from Windows Security
- Press Win + I to open Settings, go to Privacy & Security > Windows Security > Device Security > Security Processor Details.
- Click Security Processor Troubleshooting, then Clear TPM. Windows will warn you about losing BitLocker keys and credentials. Confirm.
- Your PC will restart. You'll see a UEFI prompt telling you to press a key to clear the TPM. Do it. This wipes all existing keys and handles.
Step 3: Reinitialize the TPM
After the reboot, Windows may automatically reinitialize the TPM. If not:
- Open tpm.msc again. You should see a message like “The TPM is ready for use.” If not, click Actions > Prepare the TPM.
- Restart once more. The error 0X8028000C should be gone.
Step 4: If BitLocker Is Active
You'll need your 48-digit recovery key to unlock the drive after clearing the TPM. Find it in your Microsoft account, a printed copy, or Active Directory. Enter it at the BitLocker recovery screen. Once Windows loads, suspend BitLocker temporarily (manage-bde -protectors -disable C: from an admin command prompt), then re-enable it after the TPM reinit.
Alternative: Clear TPM from BIOS/UEFI
If you can't boot into Windows (common after a failed BIOS update), clear the TPM from firmware:
- Enter your BIOS/UEFI at startup (usually F2, Del, or F10).
- Look for a setting named TPM State, Security Chip, or AMD PSP fTPM. Set it to Disabled or Clear.
- Save and exit. The TPM is now wiped. Boot into Windows, then go back to Step 3 above.
Prevention Tip
Before any BIOS or TPM firmware update, suspend BitLocker (manage-bde -protectors -disable C:) and note down your TPM owner password if you set one. After the update, re-enable protection and let Windows reinitialize the TPM automatically. This avoids the “invalid keyhandle” mess entirely. I also recommend keeping a printout of your BitLocker recovery key in a safe place — not just in your Microsoft account. When this error hits, you'll thank yourself.
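The pre-update check from the prevention tip can be scripted. The following is an added example, not part of the original article: it reports the TPM state, refuses to continue if the volume has no recovery password protector, and only then suspends BitLocker with Suspend-BitLocker, the PowerShell counterpart of the manage-bde command above. It assumes the OS volume is C: and that the firmware update needs a single reboot; the -Suspend switch is a name chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check before a BIOS/UEFI or TPM firmware update.
# Assumptions: OS volume is C:, the update completes within one reboot.
param(
    [string]$MountPoint = 'C:',
    [switch]$Suspend      # hypothetical switch: without it the script only reports
)

# 1. Record the TPM state so it can be compared after the update.
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
    TpmOwned   = $tpm.TpmOwned
} | Format-List

# 2. Nothing to do if BitLocker is not protecting the volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker protection is not on for $MountPoint; nothing to suspend."
    return
}

# 3. A recovery password protector must exist before the TPM state changes,
#    otherwise a cleared or reset TPM leaves no way to unlock the drive.
$recovery = @($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    throw "No RecoveryPassword protector on $MountPoint. Add and store one before updating."
}

# Print only the protector IDs so you can match them against your stored copy;
# the 48-digit password itself is deliberately not written to the console.
$recovery | ForEach-Object { "Recovery protector ID: $($_.KeyProtectorId)" }

# 4. Suspend protection for exactly one reboot; it resumes automatically afterwards.
if ($Suspend) {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Output "BitLocker suspended on $MountPoint for one reboot."
} else {
    Write-Output "Checks passed. Re-run with -Suspend to suspend BitLocker."
}
```

If the update takes more than one reboot, run Resume-BitLocker -MountPoint C: once it has finished and confirm with Get-BitLockerVolume that ProtectionStatus is On again.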