Hello, I'm working on implementing a TPM2_Sign operation protected by a PCR policy. I have discovered that the policy digest appears to be zeroed out as part of the sign operation. The initial symptom of this was a 0x99d return code on a second sign operation (in a test suite), TPM_RC_POLICY_FAIL. In order to debug, I placed TPM2_PolicyGetDigest commands immediately before and after the first sign. The preceding policy digest is as expected a random-looking hash; the policy digest immediately following the sign command is all zeroes. I realized at that point that I had forgotten to set the continueSession bit in the session attribute flags of the auth structure I passed to TPM2_Sign. I fixed this, but it had no impact on the outcome or my observations. The first sign operation returns RC_SUCCESS as expected, and after making I see the continueSession bit set both in the command and response auth structures; however the subsequent policy digest is still zeroed out. I had considered that a PCR was possibly being changed somehow, invalidating the PCR policy; however, I would expect TPM_RC_PCR_CHANGED to be returned in this case, not TPM_RC_POLICY_FAIL. Is there another reason that this *successful* sign operation would be invalidating the session? Thanks for your insight. *Nick Meyer* Verizon Media