How to fix Windows error 0x80290111: Invalid key params
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25
Windows error 0x80290111 (TPMAPI_E_INVALID_KEY_PARAMS) is a HRESULT returned by the TPM / BitLocker / Pluton trusted-execution stack. The official meaning is: The key parameters structure was not valid. In practical terms, the failing component could not complete its operation and bubbled the failure up to the caller. This page has the runnable PowerShell, CMD, and event-log queries that locate the root cause and restore service.
| Error code | 0x80290111 |
|---|---|
| Symbolic name | TPMAPI_E_INVALID_KEY_PARAMS |
| Code class | HRESULT |
| Platform | Windows |
| Subsystem | TPM / BitLocker / Pluton trusted-execution stack |
| Official message | The key parameters structure was not valid. |
| Source | Microsoft MS-ERREF (HRESULT) |
What is 0x80290111?
0x80290111 is a HRESULT value defined in Microsoft's MS-ERREF specification. It is owned by the tpm (trusted platform module) api layer of Windows. The verbatim message Microsoft assigns to this code is: "The key parameters structure was not valid." In day-to-day terms that means a call into the TPM / BitLocker / Pluton trusted-execution stack returned without completing its work, and either the caller or an event-log entry surfaces this code so an administrator can act on it.
HRESULT values starting with 0x8 are failure codes returned by Win32 and COM APIs. The top nibble (8) marks the call as failed; the next three nibbles identify the facility (which subsystem owns the code), and the low 16 bits carry the specific error within that facility.
When does 0x80290111 appear?
These are the patterns that trigger 0x80290111 most often in production:
- Enabling or re-keying BitLocker when the TPM has not been cleared after a motherboard swap
- Windows Hello for Business provisioning on a device whose TPM owner authorization is missing
- Attestation flows against Microsoft Pluton or a discrete TPM that returned an inconsistent state
- Group Policy that forces a TPM-backed credential when the chip is in failed or pending state
- Firmware updates that left the TPM in a half-initialised mode and required a clear
If the failure is intermittent, check the Reliability Monitor (perfmon /rel) to confirm whether the error correlates with a recent Windows Update, driver install, or app crash.
How to fix 0x80290111
Start with the detection block so you know which process and which call site produced 0x80290111. Then apply the subsystem-specific repair. Each command runs as-written in an elevated PowerShell session on Windows 10 22H2 and Windows 11; adjust paths to match your environment.
Detect where 0x80290111 is firing (PowerShell, run as administrator)
# 1. Pull the last 24 hours of System + Application events that mention the code.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName='System'; StartTime=$since } -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match '0x80290111' -or $_.Message -match 'TPMAPI_E_INVALID_KEY_PARAMS' } |
Select-Object TimeCreated, ProviderName, Id, Message | Format-List
Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$since } -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match '0x80290111' -or $_.Message -match 'TPMAPI_E_INVALID_KEY_PARAMS' } |
Select-Object TimeCreated, ProviderName, Id, Message | Format-List
# 2. Snapshot which process is generating the failure, if it shows up live.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Id, ProcessName, CPU, WS
Reset the TPM stack (PowerShell, run as administrator)
# 1. Read current TPM state. A missing OwnerAuth or 'Ready' = False explains most TPM errors.
Get-Tpm
Get-TpmSupportedFeature
Get-TpmEndorsementKeyInfo
# 2. Clear and re-provision the TPM. This wipes BitLocker recovery material -
# back up the recovery key first if BitLocker is enabled.
manage-bde -protectors -get C: # confirm protectors first
Initialize-Tpm -AllowClear -AllowPhysicalPresence
# 3. Restart the TPM Base Services so user-mode handles re-acquire.
Restart-Service -Name TBS -Force
Get-Service TBS
TPM diagnostic event log
Get-WinEvent -LogName "Microsoft-Windows-TPM-WMI/Operational" -MaxEvents 50 |
Format-Table TimeCreated, Id, Message -Wrap
Repair core system files (last resort)
# Run all three; the order matters.
sfc /scannow
dism /online /cleanup-image /restorehealth
chkdsk C: /scan
shutdown /r /t 60
If you can't fix immediately
Workarounds that reduce exposure to 0x80290111 while a full repair is scheduled:
- Run the failing application as administrator (right-click, Run as administrator) if the call site needs a privilege Group Policy normally withholds.
- Restart the host. Many tpm (trusted platform module) api failures clear after a clean reboot because in-memory handle tables get rebuilt from scratch.
- Disable the offending feature in the relevant Group Policy or registry key, document the change, and re-enable it after the fix lands.
- Re-create the user profile if the error reproduces only for one account. User-specific corruption is a common cause when the kernel-side state is healthy.
How to verify the fix worked
After applying the repair, confirm 0x80290111 stops appearing in event logs and that the failing operation completes.
# 1. Re-run the same event-log query and confirm zero matches in the last hour.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName='System'; StartTime=$since } -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match '0x80290111' } | Measure-Object
Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$since } -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match '0x80290111' } | Measure-Object
# 2. Re-run the failing application or API call and confirm it returns S_OK / 0.
# 3. Snapshot the relevant service state to prove it is running cleanly.
Get-Service | Where-Object { $_.Status -ne 'Running' -and $_.StartType -eq 'Automatic' } |
Format-Table Name, DisplayName, Status, StartType
Frequently asked questions
What does 0x80290111 mean exactly?
It is the Microsoft-assigned HRESULT value for TPMAPI_E_INVALID_KEY_PARAMS. The official text reads: "The key parameters structure was not valid." In practical terms, the tpm (trusted platform module) api layer could not complete the requested operation and returned this code to the caller.
Is 0x80290111 dangerous on its own?
No. 0x80290111 is a status value, not a security event. It signals that one specific call failed inside the TPM / BitLocker / Pluton trusted-execution stack. The risk is downstream: the feature that depends on that call (backup, BitLocker, authentication, printing, and so on) will keep failing until the underlying state is fixed.
Will reinstalling Windows fix 0x80290111?
Usually no. A reinstall is a sledgehammer for what is normally a configuration, permission, or driver-state problem inside the tpm (trusted platform module) api stack. Run the targeted PowerShell repair above first. Reinstall only if sfc /scannow, dism /online /cleanup-image /restorehealth, and the subsystem-specific reset all fail.
Where is TPMAPI_E_INVALID_KEY_PARAMS defined?
In the Microsoft MS-ERREF specification under the HRESULT table. Microsoft Learn publishes the complete reference at https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/. The header-file definitions ship in the Windows SDK (winerror.h, ntstatus.h).
How is 0x80290111 different from the codes either side of it?
Codes that sit next to 0x80290111 in the spec usually belong to the same subsystem but cover a different failure mode. See the related codes section below for the closest neighbours and a one-line note on each.
Related error codes
- How to fix Windows error 0x8029010F ,
TPMAPI_E_INVALID_KEY_SIZE: invalid key size. - How to fix Windows error 0x80290110 ,
TPMAPI_E_ENCRYPTION_FAILED: encryption failed. - How to fix Windows error 0x80290112 ,
TPMAPI_E_INVALID_MIGRATION_AUTHORIZATION_BLOB: invalid migration authorization blob. - How to fix Windows error 0x80290113 ,
TPMAPI_E_INVALID_PCR_INDEX: invalid pcr index. - How to fix Windows error 0x80290114 ,
TPMAPI_E_INVALID_DELEGATE_BLOB: invalid delegate blob.
Related fixes
Related guides worth a look while you sort this one out:
- How to Fix Windows Error 0x8029010B
- How to Fix Windows Error 0x8029010C
- How to Fix Windows Error 0x8029010D
- How to Fix Windows Error 0x8029010E
- How to fix Windows error 0x8029010F: Invalid key size
- How to fix Windows error 0x80290110: Encryption failed
References
- Microsoft MS-ERREF HRESULT values: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/0642cb2f-2075-4469-918c-4441e69c548a
- Microsoft Learn , System Error Codes: https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes
- Microsoft Learn , Windows error reporting overview: https://learn.microsoft.com/en-us/windows/win32/wer/windows-error-reporting
- Microsoft Q&A (community search by error code): https://learn.microsoft.com/en-us/answers/search.html?q=0x80290111
*Assembled from the Microsoft MS-ERREF specification on 2026-05-25. Confirm against the official Microsoft Learn entry for TPMAPI_E_INVALID_KEY_PARAMS before applying changes in production environments.*
Field notes from real Windows incidents
When I work on the 0x80290111 symptom the rhythm I lean on is the one I have built over years of these tickets, not a stack of generic advice. Reliability Monitor is the single most underused triage surface in Windows — it gives 30 days of crash history without writing a query. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver.
Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint.
Tools I actually reach for
For the 0x80290111 symptom on Windows the cheapest signal I can land usually comes from Process Monitor (procmon), then WinDbg for STOP code analysis, PowerShell Get-WinEvent, DISM and sfc, Windows Error Lookup Tool (err.exe) when Process Monitor (procmon) cannot see the layer the fault sits in, and Windows Performance Recorder for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.
Verification I run before I close the ticket
Before I mark the 0x80290111 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.
err.exe 0xXXXXXXXX # symbolic decodeIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
DISM /Online /Cleanup-Image /RestoreHealthIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
wevtutil epl System system.evtx # export for offline reviewIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2; StartTime=(Get-Date).AddDays(-7)}If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
sfc /scannowOnly when every line above runs clean do I close the ticket and update the runbook with the timestamps.
Where I check first when the docs disagree
When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at learn.microsoft.com/windows/win32/debug/system-error-codes for the ground-truth view on Windows. I usually start at github.com/microsoft/Windows-Driver-Frameworks for the ground-truth view on Windows. I usually start at support.microsoft.com for the ground-truth view on Windows. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.
Pitfalls I have walked into on this exact path
The shortcuts that look smart on the 0x80290111 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.
What I tell the next on-call
When I hand the 0x80290111 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.
I also add a one-line note on the cost of getting this wrong. For the 0x80290111 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.