STATUS_FVE_TPM_SRK_AUTH_NOT_ZERO (0XC0210017) Fix

Windows Errors | Intermediate | Jun 11, 2026

This BitLocker error means your TPM's Storage Root Key has non-zero auth data. It happens after BIOS updates or TPM resets. The fix is to clear the TPM.

When This Error Hits You

You're booting your Windows 11 or Windows 10 machine — maybe a Dell Latitude 5430 or a Lenovo ThinkPad X1 Carbon — and instead of the login screen, you get a blue BitLocker recovery screen. The error code is 0XC0210017, and the message says something about the TPM's SRK authorization data not being zero. This usually happens right after a BIOS update, a TPM firmware update, or if someone ran tpm.msc and cleared the TPM without disabling BitLocker first. I've seen it on systems with TPM 2.0 that had Secure Boot enabled and BitLocker using TPM-only protection (no PIN or USB key).

What's Actually Going On

The TPM (Trusted Platform Module) has a key called the Storage Root Key, or SRK. BitLocker needs that SRK to have empty authorization data — a zero-length password. When something changes that auth data (like a TPM clear that sets a non-zero value, or a BIOS update that resets TPM state), BitLocker can't unlock the drive. The error code 0XC0210017 is Windows shouting, "Hey, the SRK auth isn't null anymore, I can't use this TPM."

The root cause is almost always: someone or something tweaked the TPM without suspending BitLocker first. A BIOS update that re-provisions the TPM is the #1 trigger. Another common one: IT pushed a TPM reset via Group Policy or a management tool like SCCM, and BitLocker wasn't suspended beforehand.

Don't panic. This fix is straightforward, and you won't lose data. But you will need to clear the TPM, which means you'll need your BitLocker recovery key.

The Fix: Clear the TPM and Re-enable BitLocker

Here's the step-by-step. I've done this on dozens of machines — it works every time if you follow the order.

Step 1: Get Your BitLocker Recovery Key

Before we touch the TPM, you need the 48-digit recovery key. Without it, you'll lock yourself out. Check:

If you can't find the key, you're stuck at the recovery screen. Reboot with Shift and select "Skip this drive" — but that won't get you past the error. You'll need to use the key to boot once, then fix the TPM from inside Windows.

Step 2: Boot Using the Recovery Key (If You're Locked Out)

On the blue recovery screen, type the 48-digit key. Press Enter. Windows will boot normally. Log in.

Step 3: Suspend BitLocker

Open an elevated Command Prompt (right-click Start, select "Terminal (Admin)" or "Command Prompt (Admin)"). Run:

manage-bde -protectors -disable C:

This suspends BitLocker protection on the C: drive. You'll get a confirmation. Without this step, clearing the TPM could make your drive permanently unreadable.

Step 4: Clear the TPM

Now we reset the TPM to factory state. In the same admin Command Prompt, run:

tpm.msc

This opens the TPM Management console. In the right pane, click "Clear TPM...". You'll need to restart. The system will reboot twice. Alternatively, you can use PowerShell:

Clear-Tpm

That does the same thing without the GUI. The TPM will reset, clearing the SRK and setting its auth data back to zero.

Step 5: Reboot and Let Windows Initialize the TPM

After the TPM clear, the system will restart. Windows will automatically initialize the new TPM state. This takes about 30 seconds. You'll see a prompt about TPM ownership — let it complete.

Step 6: Re-enable BitLocker

Once you're back on the desktop, open an admin Command Prompt again and run:

manage-bde -protectors -enable C:

This turns BitLocker back on. Windows will use the new TPM state (with zero SRK auth) and create fresh protectors. You might need to reboot once more for it to apply.
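A guarded form of steps 1, 3 and 4, as an added example that is not part of the original article: it refuses to clear the TPM unless a recovery password protector exists, the TPM is not locked out, and BitLocker really is suspended. It uses the BitLocker and TPM PowerShell cmdlets instead of manage-bde; the parameter names $MountPoint and -ClearTpm are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks before a TPM clear. Parameter names are
# assumptions for this sketch; run from an elevated PowerShell session.
param(
    [string]$MountPoint = 'C:',
    [switch]$ClearTpm      # nothing is cleared unless this switch is given
)
$ErrorActionPreference = 'Stop'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$tpm = Get-Tpm

# Step 1 check: a recovery password protector must exist before touching the TPM.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No RecoveryPassword protector on $MountPoint. Add and back one up first."
}
# Print only the protector IDs so they can be matched against the stored key;
# the 48-digit password itself is never written to the console.
$recovery | ForEach-Object { "Recovery protector ID: $($_.KeyProtectorId)" }

# A missing or locked-out TPM will not accept the clear from inside Windows.
if (-not $tpm.TpmPresent) { throw 'No TPM detected.' }
if ($tpm.LockedOut)       { throw 'TPM is in lockout; clear it from firmware setup instead.' }

# Step 3: suspend protection. -RebootCount 0 keeps it suspended until resumed.
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
}
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'Off') {
    throw "BitLocker is still active on $MountPoint; refusing to clear the TPM."
}

# Step 4: clear only when explicitly requested.
if ($ClearTpm) {
    Clear-Tpm
    "TPM clear requested. Reboot, then run: Resume-BitLocker -MountPoint $MountPoint"
} else {
    'Pre-checks passed. Re-run with -ClearTpm to clear the TPM.'
}
```

Run it once without -ClearTpm to see the check results, compare the printed protector ID with the one on your saved recovery key, then run it again with -ClearTpm.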

If It Still Fails

Three things can go wrong. First, if you didn't suspend BitLocker before clearing the TPM, the drive might be in a state where BitLocker thinks protection is off but the TPM is misconfigured. In that case, use the recovery key to boot, then run manage-bde -status to check drive state. You may need to do a full decryption first: manage-bde -off C: (this takes hours). Then clear the TPM again, then encrypt with manage-bde -on C:.

Second, if the TPM clear fails with an error, you might have a locked TPM due to too many failed attempts. Reboot and go into BIOS. Look for TPM settings (often under Security or Advanced). Set TPM to "Clear" or "Reset to Factory Defaults." Save and exit.

Third, if BitLocker still throws the same error after re-enabling, check if your BIOS version is known-buggy. I've seen this on Dell systems with BIOS 1.8.x on Latitude 5430s. Update to the latest BIOS from the manufacturer's site. After the update, you'll likely hit this error again — just repeat steps 1-6.

One more thing: if you're on a corporate laptop managed by Intune or SCCM, the TPM might be owned by the management agent. In that case, you'll need IT to either push a script to clear the TPM or provide you with the proper authority to do it yourself. Don't skip that step — you'll brick the device's management chain otherwise.

That's it. This error is annoying, but it's a one-time fix. Once the TPM is reset and BitLocker is re-enabled, it won't come back unless someone messes with the TPM again — and now you know how to handle it.
