Device Certificate TPM Public Key Match Failed Updated | Palo Alto Failed To Fetch

Run these commands on the affected Palo Alto device (CLI):

> show system info | match hostname
> show device-certificate status
> debug tpm show status
> debug tpm show public-key

From Panorama/Cortex Data Lake:
Check the enrollment logs for the specific device serial number.


Environment: Fortune 500 retail chain, 25,000 GlobalProtect endpoints (Dell Latitude 5430 with TPM 2.0, PAN-OS 11.0.2, GP 6.1.4).

Symptom: After Windows Defender Credential Guard was enabled, 15% of users saw "failed to fetch device certificate tpm public key match failed updated" every 3 hours.

Root cause: Credential Guard virtualized the TPM’s platform crypto provider, creating a namespace conflict: the TPM public key hash for the same certificate differed between the hypervisor-protected context and the normal user context.

Solution: Excluded GlobalProtect processes (PanGPA.exe, PanGPS.exe) from Credential Guard’s protected process list via Group Policy:

Computer Config > Admin Templates > Device Guard > Turn on Virtualization Based Security > Configure virtualization-based protection of code integrity: Disabled for listed applications

After reboot, TPM attestation succeeded.

Before troubleshooting, you must decode the terminology:

In plain English: Your device (laptop, IoT sensor, or even a PA-400 series firewall acting as a client) has a TPM chip that securely stores a private key. Something caused that key to fall out of sync with the certificate the Palo Alto firewall expects; the firewall sees the mismatch and blocks access.


> configure
# set deviceconfig system tpm reset
# commit
> request restart system

After reboot:

> debug tpm init
> request certificate fetch device-certificate

Your firewall is configured with Machine Certificate under Network > GlobalProtect > Portals > Authentication > Client Certificate. If you updated the portal’s trusted CA list but did not update the Certificate Profile, the firewall still expects a public key from the old issuer.

On the endpoint (Windows):

Get-Tpm

Expected: TpmReady: True. If False, clear or initialize the TPM via BIOS.
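As an added diagnostic (not from this article and not a Palo Alto tool), the PowerShell script below gathers on one Windows endpoint the facts the Credential Guard case above turns on: TPM readiness, whether Credential Guard is running, which CNG provider holds the GlobalProtect machine certificate's private key, and a SHA-256 of that certificate's public key so the value can be compared between the SYSTEM and user contexts. The issuer name placeholder, the Cert:\LocalMachine\My store location and the function name are assumptions; run it elevated.

```powershell
# Added example, not from the page. Run elevated. Assumption: the GlobalProtect
# machine certificate is in Cert:\LocalMachine\My; $IssuerMatch is a placeholder.
param([string]$IssuerMatch = 'CN=PLACEHOLDER-Issuing-CA')

function Get-TpmPublicKeyDiagnostics {
    param([string]$IssuerMatch)
    # 1. TPM readiness (the page's Get-Tpm check, captured for the report).
    $tpm = Get-Tpm
    # 2. Credential Guard state: Win32_DeviceGuard.SecurityServicesRunning
    #    contains 1 when Credential Guard is active (2 is HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $credGuardOn = @($dg.SecurityServicesRunning) -contains 1
    # 3. Find the machine certificate and ask which CNG provider holds its key;
    #    a TPM-bound key reports "Microsoft Platform Crypto Provider".
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $provider = 'certificate not found'; $pubKeyHash = $null; $thumb = $null
    if ($cert) {
        $thumb = $cert.Thumbprint
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { 'non-RSA or no CNG key' }
        } catch { $provider = "private key inaccessible: $($_.Exception.Message)" }
        # 4. SHA-256 of the certificate's encoded public key. Run the script once as
        #    SYSTEM and once as the logged-on user: the two hashes must match, and a
        #    difference reproduces the root cause described in the case above.
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $pubKeyHash = ($sha.ComputeHash($cert.GetPublicKey()) | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    [pscustomobject]@{
        Hostname             = $env:COMPUTERNAME
        RunningAs            = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        TpmPresent           = $tpm.TpmPresent
        TpmReady             = $tpm.TpmReady
        CredentialGuardOn    = $credGuardOn
        CertThumbprint       = $thumb
        KeyProvider          = $provider
        KeyIsTpmBacked       = ($provider -eq 'Microsoft Platform Crypto Provider')
        PublicKeySha256      = $pubKeyHash
        GlobalProtectRunning = [bool](Get-Process -Name PanGPA, PanGPS -ErrorAction SilentlyContinue)
    }
}

Get-TpmPublicKeyDiagnostics -IssuerMatch $IssuerMatch | Format-List
```

A KeyProvider other than "Microsoft Platform Crypto Provider", or a TpmReady of False, points at the endpoint rather than at the portal's Certificate Profile.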

On Linux (with tpm2-tools):

tpm2_getcap handles-persistent