TPM lockout occurs unexpectedly in Windows 8.1 or Windows RT 8.1

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials

This article describes an issue in which Trusted Platform Module (TPM) lockout occurs unexpectedly in Windows 8.1, Windows RT 8.1, or Windows Server 2012 R2. An update is available to fix this issue. Before you install this update, see the Prerequisites section.

Note This update was re-released on October 13, 2015, with a smaller boot loader file bootmgfw.efi.


When this issue occurs, applications that depend on TPM won't function until you reset the TPM lockout.

Note You can enter a 48-digit BitLocker recovery key to continue using the computer after TPM is locked out.


When the TPM receives the start command without a prior shutdown command, the lockout count increments. This causes the TPM lockout to occur if you turn on the device accidentally and repeatedly.

How to get this update

Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Method 1: Windows Update

This update is provided as an Optional update on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Method 2: Microsoft Download Center

The following files are available for download from the Microsoft Download Center:

Operating system | Update
All supported x86-based versions of Windows 8.1 | Download the package now.
All supported x64-based versions of Windows 8.1 | Download the package now.
All supported x64-based versions of Windows Server 2012 R2 | Download the package now.

Note The update for Windows RT 8.1 can be obtained only from Windows Update.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to get Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Update detail information


Prerequisites

To install this update, you must first install the April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) in Windows 8.1 or Windows Server 2012 R2.

Registry information

To apply this update, you don't have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this update.

Update replacement information

This update doesn't replace a previously released update.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


See the terminology that Microsoft uses to describe software updates.

More Information

Known issues about this update

Some Windows 8.1-based computers that installed the first version of this update may experience Secure Boot failures. Microsoft is aware of the issue and has re-released this update to fix this problem.

Affected devices that are known to Microsoft:
  • The Dell Venue line (Dell Venue 8, Dell Venue 10, Dell Venue 11 are known to be affected).
  • Other AMI BIOS-based systems, including the Linx 7 inch tablet.  

The firmware in these devices can't handle a larger code signing signature that was applied to the boot loader file bootmgfw.efi.


Devices experience boot failures after you install this update. The firmware on these devices produces an error message that resembles the following:

Secure Boot Violation

Invalid signature detected. Check Secure Boot Policy in Setup. 


To work around this problem, use the following methods:
  • Turn off Secure Boot temporarily, and enter the BitLocker recovery key during startup.
  • Install the re-release of this update.
  • Re-enable Secure Boot.
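
The following read-only pre-flight check is an added example, not part of the original article or a Microsoft script. Before and after the workaround it reports whether the 2919355 prerequisite is installed, whether the TPM is locked out, whether Secure Boot is on, and whether the system volume has a BitLocker recovery password to enter at startup. The function name Test-WorkaroundReadiness is hypothetical; run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only checks, nothing on the system is changed.
# Test-WorkaroundReadiness is a hypothetical helper name, not a built-in cmdlet.
function Test-WorkaroundReadiness {
    $result = [ordered]@{}

    # Prerequisite named in this article: April 2014 update rollup (2919355).
    $result.Rollup2919355Installed = [bool](Get-HotFix -Id 'KB2919355' -ErrorAction SilentlyContinue)

    # TPM state: LockedOut is True while the lockout described in this article is active.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent   = $tpm.TpmPresent
        $result.TpmLockedOut = $tpm.LockedOut
    } catch {
        $result.TpmPresent   = $false
        $result.TpmLockedOut = $null
    }

    # Secure Boot: the cmdlet throws on non-UEFI firmware, so $null means "not applicable".
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $result.SecureBootEnabled = $null
    }

    # BitLocker: turning off Secure Boot leads to a recovery prompt at startup,
    # so confirm that a recovery password protector exists on the system volume.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $result.BitLockerProtection = "$($vol.ProtectionStatus)"
        $result.HasRecoveryPassword = [bool]($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    } catch {
        # BitLocker cmdlets are missing or the volume is not BitLocker-managed.
        $result.BitLockerProtection = 'Unavailable'
        $result.HasRecoveryPassword = $false
    }

    [pscustomobject]$result
}

Test-WorkaroundReadiness | Format-List
```

If BitLockerProtection is On and HasRecoveryPassword is False, obtain or create a recovery key before turning off Secure Boot.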