diff --git a/man/man8/swtpm.pod b/man/man8/swtpm.pod
index 955f64b40..44d8127ed 100644
--- a/man/man8/swtpm.pod
+++ b/man/man8/swtpm.pod
@@ -473,8 +473,8 @@ enables.
 
 The profile can only be set the very first time that a TPM 2 instance is
 started and for as long as no state file exists. The profile cannot be changed
-anymore afterwards and, if passed again using this option, will be silently
-ignored.
+anymore afterwards and, if passed again using this option, an error will
+occur.
 
 Note that profiles may disable algorithms that are considered mandatory for
 a TPM 2, such as RSA-PSS. However, FIPS-enforcement on the host disables
diff --git a/src/swtpm/ctrlchannel.c b/src/swtpm/ctrlchannel.c
index 8000c2841..eac5acfcf 100644
--- a/src/swtpm/ctrlchannel.c
+++ b/src/swtpm/ctrlchannel.c
@@ -580,6 +580,7 @@ int ctrlchannel_process_fd(int fd,
                       "Error: Could not initialize the TPM\n");
         } else {
             *tpm_running = true;
+            SWTPM_G_FREE(mlp->json_profile);
         }
 
         *res_p = htobe32(res);
diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
index fb36c3516..37860e2ab 100644
--- a/src/swtpm/cuse_tpm.c
+++ b/src/swtpm/cuse_tpm.c
@@ -1186,6 +1186,7 @@ static void ptm_ioctl(fuse_req_t req, int cmd, void *arg,
                           "Error: Could not initialize the TPM.\n");
             } else {
                 tpm_running = true;
+                SWTPM_G_FREE(g_json_profile);
             }
             init_p->u.resp.tpm_result = res;
             fuse_reply_ioctl(req, 0, init_p, sizeof(*init_p));
@@ -1900,6 +1901,7 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
             goto err_unlock;
         }
         tpm_running = true;
+        SWTPM_G_FREE(g_json_profile);
     }
 
     if (param.startupType != _TPM_ST_NONE) {
diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c
index d87b5e41f..f7ff18a91 100644
--- a/src/swtpm/swtpm.c
+++ b/src/swtpm/swtpm.c
@@ -58,6 +58,7 @@
 #include "swtpm_debug.h"
 #include "swtpm_io.h"
 #include "swtpm_nvstore.h"
+#include "swtpm_utils.h"
 #include "server.h"
 #include "common.h"
 #include "logging.h"
@@ -567,6 +568,7 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface)
                                mlp.json_profile)))
             goto error_no_tpm;
         tpm_running = true;
+        SWTPM_G_FREE(mlp.json_profile);
     }
 
     if (install_sighandlers(notify_fd, sigterm_handler) < 0)
diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c
index fe857b149..2cc4752f8 100644
--- a/src/swtpm/swtpm_chardev.c
+++ b/src/swtpm/swtpm_chardev.c
@@ -58,6 +58,7 @@
 #include "swtpm_debug.h"
 #include "swtpm_io.h"
 #include "swtpm_nvstore.h"
+#include "swtpm_utils.h"
 #include "common.h"
 #include "locality.h"
 #include "logging.h"
@@ -615,6 +616,7 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i
                                mlp.json_profile)))
             goto error_no_tpm;
         tpm_running = true;
+        SWTPM_G_FREE(mlp.json_profile);
     }
 
     if (install_sighandlers(notify_fd, sigterm_handler) < 0)
diff --git a/src/swtpm/tpmlib.c b/src/swtpm/tpmlib.c
index 245c47250..9f52ef5fc 100644
--- a/src/swtpm/tpmlib.c
+++ b/src/swtpm/tpmlib.c
@@ -255,6 +255,13 @@ TPM_RESULT tpmlib_start(uint32_t flags, TPMLIB_TPMVersion tpmversion,
         return res;
     }
 
+    if (json_profile != NULL && tpmversion == TPMLIB_TPM_VERSION_2 &&
+        !TPMLIB_WasManufactured()) {
+        logprintf(STDERR_FILENO,
+                  "Error: Profile could not be applied to an existing TPM 2 instance.\n");
+        return TPM_FAIL;
+    }
+
     if (lock_nvram && (res = SWTPM_NVRAM_Lock_Storage(0)) != TPM_SUCCESS)
         goto error_terminate;