Palo Alto: Failed To Fetch Device Certificate, TPM Public Key Match Failed

This error occurs on a Palo Alto Networks firewall (or possibly Panorama) when the device attempts to retrieve its device certificate from the Trusted Platform Module (TPM). The "public key match failed" part indicates that the TPM-stored key does not match the expected public key for the certificate being requested: the certificate the device is holding (or has cached) was not issued for the key pair that actually lives in the TPM. That is what you get when a certificate is produced from a CSR or key pair generated somewhere other than the device itself, or when an older certificate survives a key change.

Two related conditions are worth ruling out before re-enrolling:

Even after a new certificate is issued, GlobalProtect may cache the old thumbprint, so an error on a client can persist until the cached entry is refreshed.

Sometimes, Windows' TPM key isolation service causes the public key mismatch. Apply this registry change (back up the key first):

HKLM\SYSTEM\CurrentControlSet\Services\TPM\Parameters
Create DWORD: "IgnoreKeyMismatch" = 1

Note: This is a diagnostic workaround, not a permanent fix, and the value is not a documented Windows setting. Use it only to confirm the root cause, then remove it; it does not make the certificate and the TPM key agree.

To recover, keep the key pair that is in the TPM and make the certificate match it, not the other way round:


  • Submit the on-device CSR (generated by the firewall, so it carries the TPM key's public half) to your CA and obtain a reissued certificate.
  • Install the reissued certificate onto the device, then verify that the certificate's fingerprint and public key match the TPM key and the CSR before relying on it.
  • If the TPM is corrupted or missing: follow vendor guidance to reinitialize the TPM or open a support case, then re-enroll the device afterward (a reinitialized TPM holds a new key, so every earlier certificate is now a mismatch).
  • Reboot the device if required and verify that the certificate fetch succeeds and the errors stop.
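As an added example (not code from the original page or from Palo Alto Networks), the following POSIX shell script shows the check behind the "verify the public key matches" step, using openssl. It hashes the DER-encoded SubjectPublicKeyInfo of a certificate, a CSR and a private key and compares them, then builds constructed sample material to show both outcomes: a certificate issued from the device CSR (matches) and one issued from a key generated elsewhere (the failure case). The file names tpm.key, device.csr, good.crt, other.key, bad.crt and the host name fw01.example.internal are hypothetical; a real TPM never exports its private key, so against a firewall you compare the returned certificate with the CSR's public key rather than with a key file.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that a reissued certificate
# carries the same public key as the CSR built on the device (i.e. the TPM key).
# Sample files are constructed here with openssl as stand-ins for the TPM key.
set -e

# Print the SHA-256 of the DER-encoded SubjectPublicKeyInfo held by a PEM object.
# $1 = cert | req | key, $2 = file. Hashing the DER SPKI makes the comparison
# independent of PEM line wrapping and of how the key was stored.
spki_sha256() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
    *)    echo "spki_sha256: unknown type '$1'" >&2; return 2 ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the certificate's public key is the key/CSR's public key, 1 otherwise.
cert_matches_key() { [ "$(spki_sha256 cert "$1")" = "$(spki_sha256 key "$2")" ]; }
cert_matches_csr() { [ "$(spki_sha256 cert "$1")" = "$(spki_sha256 req "$2")" ]; }

# Build constructed sample material in a temp dir and print its path:
#   tpm.key / device.csr / good.crt  CSR and cert from the same key (correct reissue)
#   other.key / other.csr / bad.crt  cert from a key generated elsewhere (mismatch)
make_samples() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/tpm.key" 2>/dev/null
  openssl req -new -key "$dir/tpm.key" -subj "/CN=fw01.example.internal" \
    -out "$dir/device.csr" 2>/dev/null
  openssl x509 -req -in "$dir/device.csr" -signkey "$dir/tpm.key" -days 1 \
    -out "$dir/good.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
  openssl req -new -key "$dir/other.key" -subj "/CN=fw01.example.internal" \
    -out "$dir/other.csr" 2>/dev/null
  openssl x509 -req -in "$dir/other.csr" -signkey "$dir/other.key" -days 1 \
    -out "$dir/bad.crt" 2>/dev/null
  echo "$dir"
}

# Stand-alone run: report both outcomes against the device CSR and the stand-in TPM key.
samples=$(make_samples)
for crt in good.crt bad.crt; do
  if cert_matches_csr "$samples/$crt" "$samples/device.csr" \
     && cert_matches_key "$samples/$crt" "$samples/tpm.key"; then
    echo "$crt: public key matches device.csr and tpm.key; safe to install"
  else
    echo "$crt: PUBLIC KEY MISMATCH; installing it reproduces 'TPM public key match failed'"
  fi
done
rm -rf "$samples"
```

Run it against real material as `cert_matches_csr reissued.crt device.csr` with the CSR exported from the firewall: if the two SPKI hashes differ, the CA or an operator re-keyed somewhere between the device and the issued certificate, and no amount of reinstalling that certificate will satisfy the TPM check.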