How to fix Windows error 0x80290202: Invalid context handle
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25
Windows error 0x80290202 (TBSIMP_E_INVALID_CONTEXT_HANDLE) is a HRESULT returned by the TPM Base Services (tbs.dll). The official meaning is: The specified context handle is invalid. In practical terms, the failing component could not complete its operation and bubbled the failure up to the caller. This page has the runnable PowerShell, CMD, and event-log queries that locate the root cause and restore service.
| Error code | 0x80290202 |
|---|---|
| Symbolic name | TBSIMP_E_INVALID_CONTEXT_HANDLE |
| Code class | HRESULT |
| Platform | Windows |
| Subsystem | TPM Base Services (tbs.dll) |
| Official message | The specified context handle is invalid. |
| Source | Microsoft MS-ERREF (HRESULT) |
What is 0x80290202?
0x80290202 is a HRESULT value defined in Microsoft's MS-ERREF specification. It is owned by the tpm base services implementation layer of Windows. The verbatim message Microsoft assigns to this code is: "The specified context handle is invalid." In day-to-day terms that means a call into the TPM Base Services (tbs.dll) returned without completing its work, and either the caller or an event-log entry surfaces this code so an administrator can act on it.
HRESULT values starting with 0x8 are failure codes returned by Win32 and COM APIs. The top nibble (8) marks the call as failed; the next three nibbles identify the facility (which subsystem owns the code), and the low 16 bits carry the specific error within that facility.
When does 0x80290202 appear?
These are the patterns that trigger 0x80290202 most often in production:
- Enabling or re-keying BitLocker when the TPM has not been cleared after a motherboard swap
- Windows Hello for Business provisioning on a device whose TPM owner authorization is missing
- Attestation flows against Microsoft Pluton or a discrete TPM that returned an inconsistent state
- Group Policy that forces a TPM-backed credential when the chip is in failed or pending state
- Firmware updates that left the TPM in a half-initialised mode and required a clear
If the failure is intermittent, check the Reliability Monitor (perfmon /rel) to confirm whether the error correlates with a recent Windows Update, driver install, or app crash.
How to fix 0x80290202
Start with the detection block so you know which process and which call site produced 0x80290202. Then apply the subsystem-specific repair. Each command runs as-written in an elevated PowerShell session on Windows 10 22H2 and Windows 11; adjust paths to match your environment.
Detect where 0x80290202 is firing (PowerShell, run as administrator)
# 1. Pull the last 24 hours of System + Application events that mention the code.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName='System'; StartTime=$since } -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match '0x80290202' -or $_.Message -match 'TBSIMP_E_INVALID_CONTEXT_HANDLE' } |
Select-Object TimeCreated, ProviderName, Id, Message | Format-List
Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$since } -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match '0x80290202' -or $_.Message -match 'TBSIMP_E_INVALID_CONTEXT_HANDLE' } |
Select-Object TimeCreated, ProviderName, Id, Message | Format-List
# 2. Snapshot which process is generating the failure, if it shows up live.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Id, ProcessName, CPU, WS
Reset the TPM stack (PowerShell, run as administrator)
# 1. Read current TPM state. A missing OwnerAuth or 'Ready' = False explains most TPM errors.
Get-Tpm
Get-TpmSupportedFeature
Get-TpmEndorsementKeyInfo
# 2. Clear and re-provision the TPM. This wipes BitLocker recovery material -
# back up the recovery key first if BitLocker is enabled.
manage-bde -protectors -get C: # confirm protectors first
Initialize-Tpm -AllowClear -AllowPhysicalPresence
# 3. Restart the TPM Base Services so user-mode handles re-acquire.
Restart-Service -Name TBS -Force
Get-Service TBS
TPM diagnostic event log
Get-WinEvent -LogName "Microsoft-Windows-TPM-WMI/Operational" -MaxEvents 50 |
Format-Table TimeCreated, Id, Message -Wrap
Repair core system files (last resort)
# Run all three; the order matters.
sfc /scannow
dism /online /cleanup-image /restorehealth
chkdsk C: /scan
shutdown /r /t 60
If you can't fix immediately
Workarounds that reduce exposure to 0x80290202 while a full repair is scheduled:
- Run the failing application as administrator (right-click, Run as administrator) if the call site needs a privilege Group Policy normally withholds.
- Restart the host. Many tpm base services implementation failures clear after a clean reboot because in-memory handle tables get rebuilt from scratch.
- Disable the offending feature in the relevant Group Policy or registry key, document the change, and re-enable it after the fix lands.
- Re-create the user profile if the error reproduces only for one account. User-specific corruption is a common cause when the kernel-side state is healthy.
How to verify the fix worked
After applying the repair, confirm 0x80290202 stops appearing in event logs and that the failing operation completes.
# 1. Re-run the same event-log query and confirm zero matches in the last hour.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName='System'; StartTime=$since } -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match '0x80290202' } | Measure-Object
Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$since } -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match '0x80290202' } | Measure-Object
# 2. Re-run the failing application or API call and confirm it returns S_OK / 0.
# 3. Snapshot the relevant service state to prove it is running cleanly.
Get-Service | Where-Object { $_.Status -ne 'Running' -and $_.StartType -eq 'Automatic' } |
Format-Table Name, DisplayName, Status, StartType
Frequently asked questions
What does 0x80290202 mean exactly?
It is the Microsoft-assigned HRESULT value for TBSIMP_E_INVALID_CONTEXT_HANDLE. The official text reads: "The specified context handle is invalid." In practical terms, the tpm base services implementation layer could not complete the requested operation and returned this code to the caller.
Is 0x80290202 dangerous on its own?
No. 0x80290202 is a status value, not a security event. It signals that one specific call failed inside the TPM Base Services (tbs.dll). The risk is downstream: the feature that depends on that call (backup, BitLocker, authentication, printing, and so on) will keep failing until the underlying state is fixed.
Will reinstalling Windows fix 0x80290202?
Usually no. A reinstall is a sledgehammer for what is normally a configuration, permission, or driver-state problem inside the tpm base services implementation stack. Run the targeted PowerShell repair above first. Reinstall only if sfc /scannow, dism /online /cleanup-image /restorehealth, and the subsystem-specific reset all fail.
Where is TBSIMP_E_INVALID_CONTEXT_HANDLE defined?
In the Microsoft MS-ERREF specification under the HRESULT table. Microsoft Learn publishes the complete reference at https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/. The header-file definitions ship in the Windows SDK (winerror.h, ntstatus.h).
How is 0x80290202 different from the codes either side of it?
Codes that sit next to 0x80290202 in the spec usually belong to the same subsystem but cover a different failure mode. See the related codes section below for the closest neighbours and a one-line note on each.
Related error codes
- How to fix Windows error 0x80290200 ,
TBSIMP_E_BUFFER_TOO_SMALL: buffer too small. - How to fix Windows error 0x80290201 ,
TBSIMP_E_CLEANUP_FAILED: cleanup failed. - How to fix Windows error 0x80290203 ,
TBSIMP_E_INVALID_CONTEXT_PARAM: invalid context param. - How to fix Windows error 0x80290204 ,
TBSIMP_E_TPM_ERROR: tpm error. - How to fix Windows error 0x80290205 ,
TBSIMP_E_HASH_BAD_KEY: hash bad key.
Related fixes
Related guides worth a look while you sort this one out:
- How to fix Windows error 0x80290115: Invalid context params
- How to fix Windows error 0x80290116: Invalid key blob
- How to fix Windows error 0x80290117: Invalid pcr data
- How to fix Windows error 0x80290118: Invalid owner auth
- How to fix Windows error 0x80290200: Buffer too small
- How to fix Windows error 0x80290201: Cleanup failed
References
- Microsoft MS-ERREF HRESULT values: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/0642cb2f-2075-4469-918c-4441e69c548a
- Microsoft Learn , System Error Codes: https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes
- Microsoft Learn , Windows error reporting overview: https://learn.microsoft.com/en-us/windows/win32/wer/windows-error-reporting
- Microsoft Q&A (community search by error code): https://learn.microsoft.com/en-us/answers/search.html?q=0x80290202
*Assembled from the Microsoft MS-ERREF specification on 2026-05-25. Confirm against the official Microsoft Learn entry for TBSIMP_E_INVALID_CONTEXT_HANDLE before applying changes in production environments.*
Field notes from real Windows incidents
When I work on the 0x80290202 symptom the rhythm I lean on is the one I have built over years of these tickets, not a stack of generic advice. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. Reliability Monitor is the single most underused triage surface in Windows — it gives 30 days of crash history without writing a query.
DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away.
Tools I actually reach for
For the 0x80290202 symptom on Windows the cheapest signal I can land usually comes from Windows Error Lookup Tool (err.exe), then Event Viewer (eventvwr.msc), PowerShell Get-WinEvent, Reliability Monitor (perfmon /rel), Windows Performance Recorder when Windows Error Lookup Tool (err.exe) cannot see the layer the fault sits in, and Process Monitor (procmon) for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.
Verification I run before I close the ticket
Before I mark the 0x80290202 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.
Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2; StartTime=(Get-Date).AddDays(-7)}If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
DISM /Online /Cleanup-Image /RestoreHealthIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
sfc /scannowOnly when every line above runs clean do I close the ticket and update the runbook with the timestamps.
Where I check first when the docs disagree
When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. I usually start at learn.microsoft.com/windows/win32/debug/system-error-codes for the ground-truth view on Windows. I usually start at support.microsoft.com for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.
Pitfalls I have walked into on this exact path
The shortcuts that look smart on the 0x80290202 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver. Reliability Monitor is the single most underused triage surface in Windows, it gives 30 days of crash history without writing a query. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.
What I tell the next on-call
When I hand the 0x80290202 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.
I also add a one-line note on the cost of getting this wrong. For the 0x80290202 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.