diff --git a/src/include/tcs_utils.h b/src/include/tcs_utils.h
index 0f0f4ce..ad8d633 100644
--- a/src/include/tcs_utils.h
+++ b/src/include/tcs_utils.h
@@ -159,6 +159,8 @@ struct tcs_context *get_context(TCS_CONTEXT_HANDLE);
 TSS_RESULT ctx_req_exclusive_transport(TCS_CONTEXT_HANDLE);
 TSS_RESULT ctx_set_transport_enabled(TCS_CONTEXT_HANDLE, TPM_TRANSHANDLE);
 TSS_RESULT ctx_set_transport_disabled(TCS_CONTEXT_HANDLE, TCS_HANDLE *);
+TSS_RESULT ctx_get_transport_flags(TCS_CONTEXT_HANDLE tcsContext, UINT32 *flags);
+
 
 #ifdef TSS_BUILD_KEY
 #define CTX_ref_count_keys(c)	ctx_ref_count_keys(c)
diff --git a/src/tcs/tcs_context.c b/src/tcs/tcs_context.c
index 905567b..b27856c 100644
--- a/src/tcs/tcs_context.c
+++ b/src/tcs/tcs_context.c
@@ -313,3 +313,31 @@ ctx_set_transport_disabled(TCS_CONTEXT_HANDLE tcsContext, TCS_HANDLE *transHandl
 
 	return result;
 }
+
+TSS_RESULT
+ctx_get_transport_flags(TCS_CONTEXT_HANDLE tcsContext, UINT32 *flags)
+{
+	TSS_RESULT result = TSS_SUCCESS;
+	struct tcs_context *tmp, *self = NULL;
+
+	MUTEX_LOCK(tcs_ctx_lock);
+
+	tmp = tcs_context_table;
+	while (tmp) {
+		if (tmp->handle == tcsContext) {
+			self = tmp;
+			break;
+		}
+
+		tmp = tmp->next;
+	}
+
+	if (self)
+		*flags = self->flags;
+	else
+		result = TCSERR(TCS_E_INVALID_CONTEXTHANDLE);
+
+	MUTEX_UNLOCK(tcs_ctx_lock);
+
+	return result;
+}
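Review bot: On the not-found path in ctx_get_transport_flags, `*flags` is never written, so a caller that reads it without checking the result gets an indeterminate value; `flags` is also dereferenced without a NULL check. Writing `*flags = 0;` before the table walk would make the failure case deterministic. The value returned is a snapshot, because tcs_ctx_lock is released before the caller tests it, so the context's transport state could in principle change between this read and the caller's branch. A header comment should say so, for example `/* Copies the context's flag word under tcs_ctx_lock; the value may be stale once the lock is dropped. Returns TCS_E_INVALID_CONTEXTHANDLE for an unknown handle. */`.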
diff --git a/src/tcs/tcsi_transport.c b/src/tcs/tcsi_transport.c
index ce47e09..e738075 100644
--- a/src/tcs/tcsi_transport.c
+++ b/src/tcs/tcsi_transport.c
@@ -436,21 +436,29 @@ TCSP_ReleaseTransportSigned_Internal(TCS_CONTEXT_HANDLE      hContext,
 				     BYTE**                  prgbSignature)
 {
 	TSS_RESULT result;
-	UINT32 paramSize;
+	UINT32 paramSize, flags;
 	UINT64 offset;
 	TPM_KEY_HANDLE keySlot;
 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
 
-	if ((result = ctx_verify_context(hContext)))
+	if ((result = ctx_get_transport_flags(hContext, &flags)))
 		return result;
 
-	if (pKeyAuth) {
-		if ((result = auth_mgr_check(hContext, &pKeyAuth->AuthHandle)))
+	/* if the transport session is exclusive, we cannot send any commands to the TPM except
+	 * those sent though the tunnel, such as a getcap for keys loaded. To prevent this, call
+	 * get_slot_lite() instead of ensureKeyIsLoaded() */
+	if (flags & TSS_CONTEXT_FLAG_TRANSPORT_EXCLUSIVE) {
+		if ((result = get_slot_lite(hContext, hSignatureKey, &keySlot)))
 			return result;
-	}
+	} else {
+		if (pKeyAuth) {
+			if ((result = auth_mgr_check(hContext, &pKeyAuth->AuthHandle)))
+				return result;
+		}
 
-	if ((result = ensureKeyIsLoaded(hContext, hSignatureKey, &keySlot)))
-		return result;
+		if ((result = ensureKeyIsLoaded(hContext, hSignatureKey, &keySlot)))
+			return result;
+	}
 
 	offset = TSS_TPM_TXBLOB_HDR_LEN;
 	LoadBlob_UINT32(&offset, keySlot, txBlob);
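Review bot: In the `TSS_CONTEXT_FLAG_TRANSPORT_EXCLUSIVE` branch the `auth_mgr_check(hContext, &pKeyAuth->AuthHandle)` call is no longer made, and the new comment only justifies swapping ensureKeyIsLoaded() for get_slot_lite(). If auth_mgr_check is what ties an auth handle to the calling context, the exclusive path now accepts a handle without that ownership check. If the check needs no TPM traffic, it could stay ahead of the branch as `if (pKeyAuth && (result = auth_mgr_check(hContext, &pKeyAuth->AuthHandle))) return result;`. If it can reach the TPM (I cannot tell from this hunk), the comment should say why skipping it is safe here. The function body continues past the end of the hunk.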
