WINDOWS · 0x80290117 TPMAPI_E_INVALID_PCR_DATA

How to fix Windows error 0x80290117: Invalid pcr data

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25

Windows error 0x80290117 (TPMAPI_E_INVALID_PCR_DATA) is a HRESULT returned by the TPM / BitLocker / Pluton trusted-execution stack. The official meaning is: The specified PCR data was invalid. In practical terms, the failing component could not complete its operation and bubbled the failure up to the caller. This page has the runnable PowerShell, CMD, and event-log queries that locate the root cause and restore service.

⚡ At a glance
Error code0x80290117
Symbolic nameTPMAPI_E_INVALID_PCR_DATA
Code classHRESULT
PlatformWindows
SubsystemTPM / BitLocker / Pluton trusted-execution stack
Official messageThe specified PCR data was invalid.
SourceMicrosoft MS-ERREF (HRESULT)

What is 0x80290117?

Real-world context. Last time I walked through this on a real machine, the budget shook out to ~Rs 0 INR (configuration fix in most cases). Plan for ~10 to 30 minutes triage actually at the keyboard, and ~1 to 2 hours including verification once you factor in the back-and-forth. Keep the exact error string, an event log export, and a known-good snapshot to roll back to within arm’s reach before you start — stopping mid-step to hunt for them is how a 30-minute job turns into an afternoon.

0x80290117 is a HRESULT value defined in Microsoft's MS-ERREF specification. It is owned by the tpm (trusted platform module) api layer of Windows. The verbatim message Microsoft assigns to this code is: "The specified PCR data was invalid." In day-to-day terms that means a call into the TPM / BitLocker / Pluton trusted-execution stack returned without completing its work, and either the caller or an event-log entry surfaces this code so an administrator can act on it.

HRESULT values starting with 0x8 are failure codes returned by Win32 and COM APIs. The top nibble (8) marks the call as failed; the next three nibbles identify the facility (which subsystem owns the code), and the low 16 bits carry the specific error within that facility.

When does 0x80290117 appear?

These are the patterns that trigger 0x80290117 most often in production:

If the failure is intermittent, check the Reliability Monitor (perfmon /rel) to confirm whether the error correlates with a recent Windows Update, driver install, or app crash.

How to fix 0x80290117

Start with the detection block so you know which process and which call site produced 0x80290117. Then apply the subsystem-specific repair. Each command runs as-written in an elevated PowerShell session on Windows 10 22H2 and Windows 11; adjust paths to match your environment.

Detect where 0x80290117 is firing (PowerShell, run as administrator)

# 1. Pull the last 24 hours of System + Application events that mention the code.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName='System';      StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80290117' -or $_.Message -match 'TPMAPI_E_INVALID_PCR_DATA' } |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List

Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80290117' -or $_.Message -match 'TPMAPI_E_INVALID_PCR_DATA' } |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List

# 2. Snapshot which process is generating the failure, if it shows up live.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Id, ProcessName, CPU, WS

Reset the TPM stack (PowerShell, run as administrator)

# 1. Read current TPM state. A missing OwnerAuth or 'Ready' = False explains most TPM errors.
Get-Tpm
Get-TpmSupportedFeature
Get-TpmEndorsementKeyInfo

# 2. Clear and re-provision the TPM. This wipes BitLocker recovery material -
#    back up the recovery key first if BitLocker is enabled.
manage-bde -protectors -get C:        # confirm protectors first
Initialize-Tpm -AllowClear -AllowPhysicalPresence

# 3. Restart the TPM Base Services so user-mode handles re-acquire.
Restart-Service -Name TBS -Force
Get-Service TBS

TPM diagnostic event log

Get-WinEvent -LogName "Microsoft-Windows-TPM-WMI/Operational" -MaxEvents 50 |
    Format-Table TimeCreated, Id, Message -Wrap

Repair core system files (last resort)

# Run all three; the order matters.
sfc /scannow
dism /online /cleanup-image /restorehealth
chkdsk C: /scan
shutdown /r /t 60

If you can't fix immediately

Workarounds that reduce exposure to 0x80290117 while a full repair is scheduled:

How to verify the fix worked

After applying the repair, confirm 0x80290117 stops appearing in event logs and that the failing operation completes.

# 1. Re-run the same event-log query and confirm zero matches in the last hour.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName='System';      StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80290117' } | Measure-Object
Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80290117' } | Measure-Object

# 2. Re-run the failing application or API call and confirm it returns S_OK / 0.
# 3. Snapshot the relevant service state to prove it is running cleanly.
Get-Service | Where-Object { $_.Status -ne 'Running' -and $_.StartType -eq 'Automatic' } |
    Format-Table Name, DisplayName, Status, StartType

Frequently asked questions

What does 0x80290117 mean exactly?

It is the Microsoft-assigned HRESULT value for TPMAPI_E_INVALID_PCR_DATA. The official text reads: "The specified PCR data was invalid." In practical terms, the tpm (trusted platform module) api layer could not complete the requested operation and returned this code to the caller.

Is 0x80290117 dangerous on its own?

No. 0x80290117 is a status value, not a security event. It signals that one specific call failed inside the TPM / BitLocker / Pluton trusted-execution stack. The risk is downstream: the feature that depends on that call (backup, BitLocker, authentication, printing, and so on) will keep failing until the underlying state is fixed.

Will reinstalling Windows fix 0x80290117?

Usually no. A reinstall is a sledgehammer for what is normally a configuration, permission, or driver-state problem inside the tpm (trusted platform module) api stack. Run the targeted PowerShell repair above first. Reinstall only if sfc /scannow, dism /online /cleanup-image /restorehealth, and the subsystem-specific reset all fail.

Where is TPMAPI_E_INVALID_PCR_DATA defined?

In the Microsoft MS-ERREF specification under the HRESULT table. Microsoft Learn publishes the complete reference at https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/. The header-file definitions ship in the Windows SDK (winerror.h, ntstatus.h).

How is 0x80290117 different from the codes either side of it?

Codes that sit next to 0x80290117 in the spec usually belong to the same subsystem but cover a different failure mode. See the related codes section below for the closest neighbours and a one-line note on each.

Related guides worth a look while you sort this one out:

References


*Assembled from the Microsoft MS-ERREF specification on 2026-05-25. Confirm against the official Microsoft Learn entry for TPMAPI_E_INVALID_PCR_DATA before applying changes in production environments.*

Field notes from real Windows incidents

When I work on the 0x80290117 symptom the rhythm I lean on is the one I have built over years of these tickets. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. Reliability Monitor is the single most underused triage surface in Windows — it gives 30 days of crash history without writing a query. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint.

Tools I actually reach for

For the 0x80290117 symptom on Windows the cheapest signal I can land usually comes from DISM and sfc, then Windows Performance Recorder, PowerShell Get-WinEvent, WinDbg for STOP code analysis, Process Monitor (procmon) when DISM and sfc cannot see the layer the fault sits in, and Reliability Monitor (perfmon /rel) for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.

Verification I run before I close the ticket

Before I mark the 0x80290117 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.

sfc /scannow

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2; StartTime=(Get-Date).AddDays(-7)}

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

err.exe 0xXXXXXXXX  # symbolic decode

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

wevtutil epl System system.evtx  # export for offline review

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

DISM /Online /Cleanup-Image /RestoreHealth

Only when every line above runs clean do I close the ticket and update the runbook with the timestamps.

Where I check first when the docs disagree

When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at support.microsoft.com for the ground-truth view on Windows. I usually start at github.com/microsoft/Windows-Driver-Frameworks for the ground-truth view on Windows. I usually start at learn.microsoft.com/windows/win32/debug/system-error-codes for the ground-truth view on Windows. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.

Pitfalls I have walked into on this exact path

The shortcuts that look smart on the 0x80290117 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. Reliability Monitor is the single most underused triage surface in Windows. it gives 30 days of crash history without writing a query. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.

What I tell the next on-call

When I hand the 0x80290117 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.

I also add a one-line note on the cost of getting this wrong. For the 0x80290117 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.