TPM 2.0 – A protocol error was detected between the driver and the device

We unearthed an unusual bug during our latest Autopilot deployment that seemed to be introduced by KB4517211 (build 18362.387, the September 2019 "9D" update) on Windows 10 Enterprise x64 1903.

The symptom was that once that patch was applied to any of our devices with an Intel PTT TPM, the TPM itself would stop working and BitLocker would suspend.

Device manager showing TPM issue

After a lengthy support case we got to the bottom of the issue: it relates to a new Windows feature called System Guard Secure Launch. This feature is only supported on very new hardware, and turning it on causes the issue to manifest.

This is set via

Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Secure Launch Configuration.

The interesting part is that if this is combined with Credential Guard and UEFI lock, the settings get persisted into the firmware. This means that if you rebuild the device to try and fix the issue, the problem will still occur. Similarly, if you set the policy back to Not Configured, Secure Launch will not get turned off!

The Fix

Microsoft have confirmed the issue and have worked with Intel to line up a fix, which will be coming out in a future release and is being back-ported to 1903/1909. In the interim, to fix it:

  • Ensure the Group Policy is not set, and have your BitLocker recovery key handy (or suspend BitLocker if possible)
  • Reboot the machine into the BIOS\Firmware settings
  • Turn off Secure Boot
  • Boot back into Windows (important: the OS needs to come up fully!)
  • Reboot the machine into the BIOS\Firmware settings
  • Turn Secure Boot back on
  • Boot back into Windows
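Before and after running through those steps it helps to have one place that shows whether the Secure Launch policy is still set, whether the OS still reports Secure Launch as configured (the firmware-persisted case), and the TPM, Secure Boot and BitLocker state. The following is an added example, not a script from the original post; it assumes the policy is stored as the ConfigureSystemGuardLaunch value under the DeviceGuard policy key and that Win32_DeviceGuard reports Secure Launch as security service code 3.

```powershell
# Added example: pre-flight check for the Secure Launch / Intel PTT issue.
# Run from an elevated PowerShell session.
# Assumptions (not from the original post): the Group Policy writes
# ConfigureSystemGuardLaunch under the DeviceGuard policy key
# (1 = enabled, 2 = disabled, absent = not configured), and
# Win32_DeviceGuard uses service code 3 for System Guard Secure Launch.
param([switch]$SuspendBitLocker)

# 1. Is the Group Policy still set? It must be cleared before the fix.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$secureLaunchPolicy = $policy.ConfigureSystemGuardLaunch
$policyText = if ($null -eq $secureLaunchPolicy) { 'not configured' } else { $secureLaunchPolicy }
Write-Host "Secure Launch policy value      : $policyText"

# 2. What does the OS report? With UEFI lock, Secure Launch can stay
#    configured in firmware even after the policy is removed; that is the
#    case the Secure Boot off/on cycle above is meant to clear.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$configured = $dg.SecurityServicesConfigured -contains 3
$running    = $dg.SecurityServicesRunning    -contains 3
Write-Host "Secure Launch configured/running: $configured / $running"
if ($configured -and $null -eq $secureLaunchPolicy) {
    Write-Warning 'Secure Launch is still configured without a policy: firmware-persisted, Secure Boot cycle required.'
}

# 3. TPM and Security Devices state (the post's symptom is a TPM device error).
$tpm = Get-Tpm
Write-Host "TPM present/ready               : $($tpm.TpmPresent) / $($tpm.TpmReady)"
Get-PnpDevice -Class SecurityDevices | Select-Object FriendlyName, Status | Format-Table -AutoSize

# 4. Secure Boot and BitLocker state; suspend BitLocker so the Secure Boot
#    toggle does not push the OS volume into recovery.
Write-Host "Secure Boot enabled             : $(Confirm-SecureBootUEFI)"
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Host "BitLocker on $($os.MountPoint)                 : $($os.VolumeStatus), protection $($os.ProtectionStatus)"
if ($SuspendBitLocker -and $os.ProtectionStatus -eq 'On') {
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is run,
    # which covers both firmware round-trips in the steps above.
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 0 | Out-Null
    Write-Host "BitLocker suspended; run Resume-BitLocker -MountPoint $env:SystemDrive once Secure Boot is back on."
}
```

Run it once before the firmware steps (with -SuspendBitLocker if protection is still on) and again after the final boot; Secure Launch should report as not configured and the TPM as present and ready.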
