TPM 2.0 – A protocol error was detected between the driver and the device

We unearthed an unusual bug during our latest Autopilot deployment that appeared to be introduced by KB4517211 (build 18362.387, the September 2019 "9D" release) on Windows 10 Enterprise x64 1903.

The symptom was that once the patch was applied to any of our devices with an Intel PTT TPM, the TPM itself would stop working and BitLocker would suspend.

[Figure: Device Manager showing the TPM device error]

After a lengthy support case we got to the bottom of the issue: it relates to a new Windows feature called System Guard Secure Launch. This feature is only supported on very new hardware, and turning it on causes the issue to manifest.

This is set via

Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Secure Launch Configuration.

The interesting part is that if this is combined with Credential Guard and UEFI lock, the settings get persisted into the firmware. This means that if you rebuild the machine to try to fix the issue, the problem will still occur. Similarly, if you set the policy to Not Configured, the feature will not get turned off!

The Fix

Microsoft has confirmed the issue and has worked with Intel on a fix that will ship in a future release and be back-ported to 1903/1909. In the interim, the workaround is:

  • Ensure the Group Policy is not set, and you have your BitLocker key handy (or suspend if possible)
  • Reboot the machine into the BIOS\Firmware settings
  • Turn off Secure Boot
  • Boot back into Windows (important: the OS needs to come up fully!)
  • Reboot the machine into the BIOS\Firmware settings
  • Turn Secure Boot back on
  • Boot back into Windows
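Before walking through the firmware steps above it helps to confirm that Secure Launch is actually what is configured on the box and that a BitLocker recovery protector exists. The following pre-flight script is an added example and is not from the original post or from Microsoft; it reads the Win32_DeviceGuard WMI class, the TPM and BitLocker state and Secure Boot, and only prints guidance. The policy registry path and value name (ConfigureSystemGuardLaunch under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard) are an assumption about where the "Secure Launch Configuration" GPO lands; verify it in your own environment. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): pre-flight check before applying
# the Secure Boot off/on workaround. Read-only; the BitLocker suspend is left
# commented out so nothing changes unless you opt in.

function Get-SecureLaunchState {
    # Win32_DeviceGuard reports which VBS services are configured and running.
    # SecurityServicesConfigured / SecurityServicesRunning values:
    #   1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch,
    #   4 = SMM Firmware Measurement
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # ASSUMPTION: the "Secure Launch Configuration" GPO writes this value
    # (1 = enabled, 2 = disabled). Absent = Not Configured.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $policy = Get-ItemProperty -Path $policyKey -Name ConfigureSystemGuardLaunch `
                               -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureLaunchConfigured = ($dg.SecurityServicesConfigured -contains 3)
        SecureLaunchRunning    = ($dg.SecurityServicesRunning    -contains 3)
        CredentialGuardRunning = ($dg.SecurityServicesRunning    -contains 1)
        PolicyValue            = if ($policy) { $policy.ConfigureSystemGuardLaunch }
                                 else        { 'not configured' }
    }
}

function Get-TpmAndBitLockerState {
    # Get-Tpm can throw when the TPM driver is in the error state the post
    # describes, so treat a failure as "TPM not ready" rather than aborting.
    try   { $tpm = Get-Tpm; $tpmPresent = $tpm.TpmPresent; $tpmReady = $tpm.TpmReady }
    catch { $tpmPresent = $false; $tpmReady = $false }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasRecoveryPassword = [bool]($os.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]@{
        TpmPresent             = $tpmPresent
        TpmReady               = $tpmReady
        SecureBootOn           = $secureBoot
        BitLockerProtection    = $os.ProtectionStatus   # On, or Off when suspended / not encrypted
        RecoveryPasswordExists = $hasRecoveryPassword   # value deliberately not printed
    }
}

$sl = Get-SecureLaunchState
$st = Get-TpmAndBitLockerState
$sl | Format-List
$st | Format-List

if ($sl.PolicyValue -eq 1 -or $sl.SecureLaunchConfigured) {
    Write-Warning ('Secure Launch is configured. Step 1 of the workaround requires the ' +
                   'Group Policy to be unset before toggling Secure Boot.')
}
if (-not $st.RecoveryPasswordExists) {
    Write-Warning ('No BitLocker recovery password protector found on ' + $env:SystemDrive +
                   '. Back one up (manage-bde -protectors -add) before touching firmware settings.')
}
if ($st.TpmPresent -and -not $st.TpmReady) {
    Write-Host 'TPM present but not ready: this matches the symptom. Proceed with the Secure Boot off -> boot Windows -> Secure Boot on sequence.'
    # Optional: suspend BitLocker first so the firmware change does not force recovery.
    # Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 0
}
```

Two points behind the design: the script never prints the recovery password itself (only whether one exists), and it treats a throwing Get-Tpm as the failure signature rather than a script error, because on an affected machine the TPM driver is exactly what is broken. Secure Boot state is read before and can be re-checked after the firmware round-trip to confirm the machine came back with Secure Boot enabled.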

3 thoughts on “TPM 2.0 – A protocol error was detected between the driver and the device”

    1. Hi, the fix is the one listed in the article (disabling the setting in Group Policy and turning SecureBoot off and on). I'm still speaking to Microsoft and there are some minor fixes to prevent the issue occurring baked in to versions later than 1909, but a complete fix is still being developed.

      1. Thank you for the update.

        If it's of any help, we managed to script it in our particular case (you may need to test it for use in your own environment) by downloading the DG_Readiness_Tool PowerShell script from: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool

        Then the steps to fix it:

        Powershell -ep Bypass -File DG_Readiness_Tool_v3.7.1.ps1 -Disable
        Reboot
        Press F3 to confirm twice
        Powershell -ep Bypass -File DG_Readiness_Tool_v3.7.1.ps1 -Enable
        manage-bde -protectors -enable c: (this is optional you can just reboot instead)

        That then "reactivated" the TPM and BitLocker.
