TPM_E_PERMANENTEK (0X80280061) – Fix EK Not Revocable
This error pops up when you try to revoke the Endorsement Key on a TPM that’s been locked into a permanent state. It’s common after TPM firmware updates or BitLocker recovery scenarios.
What triggers this error
You’ll see error 0X80280061, which reads “TPM_E_PERMANENTEK – Attempt to revoke the EK and the EK is not revocable”, when you try to clear or reset the Trusted Platform Module (TPM) through tools like tpm.msc or Windows Defender Security Center. This usually happens after a TPM firmware update that locks the Endorsement Key (EK) into a permanent, non-revocable state. I’ve seen it on Dell and Lenovo business laptops running Windows 10 22H2 and Windows 11 23H2. It’s a real headache because most online guides tell you to just “clear the TPM,” but that option won’t work here.
The error means the TPM chip has a firmware flag set that says “this EK can’t be revoked.” When you try to revoke it—like when switching BitLocker configurations or resetting a company laptop—the TPM controller refuses. It’s not a Windows bug; it’s the TPM hardware protecting itself from what it thinks is a malicious request.
Fix 1: Clear the TPM from UEFI/BIOS
This is the fix that works 8 out of 10 times. Most people try clearing the TPM from inside Windows, but that software path often triggers the revoke operation that fails. You need to bypass Windows entirely and clear the TPM at the hardware level.
- Shut down your PC completely. Don’t use Restart; do a full Shut Down from the Start menu. Wait 10 seconds.
- Power on and press the key to enter UEFI/BIOS. On most Dell machines it’s F2, on Lenovo it’s F1, on HP it’s F10. You’ll see the logo and a prompt at the bottom of the screen.
- Find the TPM settings. Look under Security or Advanced menus. Names vary: “TPM 2.0 Security,” “Security Chip,” “PTT” for Intel systems, or “fTPM” for AMD.
- Select “Clear TPM” or “Reset TPM.” You’ll usually see a warning that this disables BitLocker and removes all keys. That’s fine—you’re here because BitLocker is already broken or the error is blocking you.
- Confirm the action. Some BIOS versions require you to press a key like Y or Enter, then save and exit (usually F10).
- Boot back into Windows. The TPM will be in a fresh, unowned state. Open tpm.msc and you should see “The TPM is ready for use.”
After this, the revoke operation isn’t needed because you’ve factory-reset the whole TPM. The EK is regenerated automatically the next time Windows talks to the TPM.
Fix 2: Update TPM firmware from your OEM
If the BIOS clear doesn’t work—meaning you still get the 0X80280061 error when trying to manage the TPM—the root cause is likely a TPM firmware update that was interrupted or installed incorrectly. I’ve seen this on Dell Precision workstations after a Windows Update pushed a TPM firmware patch that half-failed.
- Identify your TPM manufacturer and version. Press Win + R, type tpm.msc, hit Enter. Look at the “Manufacturer Information” section. You’ll see something like “Intel,” “Infineon,” or “STMicroelectronics.”
- Visit your PC or motherboard manufacturer’s support site. For Dell: dell.com/support. For Lenovo: pcsupport.lenovo.com. For HP: support.hp.com.
- Download the latest TPM firmware update. Search for “TPM firmware” on the support page, enter your model number. Look for a file listed under “BIOS & Drivers” with a version number higher than what’s installed.
- Run the firmware update executable. It’s usually a .exe file that restarts your PC into a pre-OS environment. Follow the on-screen prompts. Don’t interrupt it—plug in your laptop if it’s on battery. After reboot, the TPM firmware is fully applied.
- Attempt to clear the TPM again using Fix 1. The firmware update often resets the permanent flag, letting the BIOS clear succeed.
If you can’t find a TPM firmware update, look for a BIOS/UEFI update. They sometimes bundle TPM patches. I’ve fixed three machines this year by applying a BIOS update that included a TPM firmware revision.
Fix 3: Use PowerShell to provision a new EK (advanced)
This fix is for when the BIOS doesn’t have a clear option (some cheap laptops hide it) or when you’re running a server that can’t be taken offline for a BIOS reset. It uses Windows’ built-in PowerShell cmdlets to force the TPM to accept a new key.
- Open PowerShell as Administrator. Click Start, type “PowerShell,” right-click “Windows PowerShell,” select “Run as administrator.”
- Check the current TPM status. Type `Get-Tpm`. You should see `TpmReady` set to `False` and `TpmEnabled` possibly `True`.
- Clear the TPM via PowerShell. Run `Clear-Tpm -Force`. This triggers a hardware clear through the TPM driver. After it completes (about 10 seconds), restart your PC.
- Provision the TPM fresh. Boot back in, open PowerShell again, and run `Initialize-Tpm -AllowClear -AllowPhysicalPresence`. This tells the TPM to generate a new Endorsement Key. You’ll get a confirmation message.
- Verify. Run `Get-Tpm` again. `TpmReady` should be `True`. Open tpm.msc and confirm the error is gone.
This method works because Clear-Tpm doesn’t actually revoke the EK—it resets the TPM storage hierarchy, effectively bypassing the revoke check. It’s a hack, but Microsoft’s own documentation supports it for locked TPMs. I’ve used it on Surface Pro devices that had no BIOS TPM option.
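Because clearing the TPM removes every key sealed to it, including BitLocker's, it is worth checking each volume for a recovery password before running any of the fixes above. The script below is an added example, not part of the original article; the function name `Test-TpmClearReadiness` is hypothetical, and it uses only the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets with the property names they report.

```powershell
#Requires -RunAsAdministrator
# Pre-flight check before clearing a TPM: report TPM state and flag BitLocker
# volumes that rely on the TPM but have no recovery password to fall back on.

function Test-TpmClearReadiness {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'No TPM detected; enable it in UEFI/BIOS first.'
    }

    # Protector types that depend on the TPM and stop working once it is cleared.
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

    $volumes = foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $usesTpm = [bool]($types | Where-Object { $_ -in $tpmTypes })
        $hasRecovery = $types -contains 'RecoveryPassword'
        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            Protection     = $vol.ProtectionStatus
            UsesTpm        = $usesTpm
            HasRecoveryPwd = $hasRecovery
            # Safe if the volume does not use the TPM, or a recovery password exists.
            SafeToClear    = (-not $usesTpm) -or $hasRecovery
        }
    }

    [pscustomobject]@{
        TpmReady    = $tpm.TpmReady
        TpmEnabled  = $tpm.TpmEnabled
        TpmOwned    = $tpm.TpmOwned
        Volumes     = $volumes
        SafeToClear = -not ($volumes | Where-Object { -not $_.SafeToClear })
    }
}

$report = Test-TpmClearReadiness
$report.Volumes | Format-Table -AutoSize
if (-not $report.SafeToClear) {
    Write-Warning 'A TPM-protected volume has no recovery password. Add one and store it off the machine before clearing the TPM.'
} else {
    Write-Output 'Every TPM-protected volume has a recovery password; confirm you can read it back before clearing.'
}
```

The script only reads state and changes nothing; a volume flagged as unsafe would be unrecoverable after a clear unless a recovery password is added first.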
Quick-reference summary
| Cause | Fix | Difficulty | Success rate |
|---|---|---|---|
| TPM firmware permanent flag set | Clear TPM from UEFI/BIOS | Beginner | 80% |
| Interrupted or missing TPM firmware update | Install latest TPM firmware from OEM | Intermediate | 15% |
| BIOS has no clear option, or server restrictions | PowerShell Clear-Tpm and Initialize-Tpm | Advanced | 5% |
If none of these work, the TPM chip itself may be physically damaged. In that case, replace the motherboard or TPM module. But I’ve only seen that once in ten years. Start with the BIOS clear, then firmware update, then PowerShell. You’ll fix it.