| | Explanation | |----------------|-----------------| | Stale TPM Key Handle | The TPM has multiple key slots. The OS referenced the wrong handle (e.g., an old, deleted key). | | TPM Ownership Change | TPM was cleared (via BIOS or tpm.msc ). The new owner's storage root key (SRK) differs, invalidating all previous certificates. | | Certificate/Key Pair Mismatch | The X.509 certificate in the Windows Certificate Store or Linux filesystem contains a public key that does not correspond to the private key inside the TPM. This happens after manual cert imports. | | Cloned VM or Disk Image | VMs with virtual TPMs (vTPM) cloned without re-keying cause duplicate public keys. Palo Alto sees two devices claiming the same key. | | Firmware Update changed TPM Persistent State | Some TPM firmware updates reset key persistence (rare but seen on Infineon TPMs). | 4. Step-by-Step Troubleshooting & Fixes Below are ordered diagnostics from least to most intrusive. Always back up your TPM owner password and certificate chains before proceeding. Step 1: Verify the TPM is Operational On the endpoint (Windows):
The fix invariably involves either re-synchronizing the certificate with the existing TPM key or—if corruption is confirmed—clearing the TPM and rebuilding the identity. Always test in a lab environment first, especially if BitLocker or other TPM-bound services are in use. The new owner's storage root key (SRK) differs,
Palo Alto’s official “Device Certificate Management with TPM 2.0” whitepaper (available on the live portal) provides additional API-level controls for automation. This article was accurate as of PAN-OS 11.0 and Windows 11 23H2. Always test TPM changes in a non-production group before scaling. | | Cloned VM or Disk Image |
A Deep Dive into TPM, Device Certificates, and Authentication Failures checking for duplicate certificates
Windows 11 22H2 changed the default TPM key storage algorithm from RSA-2048 to ECC (elliptic curve) for new requests. The existing certificates were RSA. The TPM attempted to present the new ECC public key, but the old certificate still contained the RSA public key.
By following the structured approach above—verifying TPM health, checking for duplicate certificates, adjusting GlobalProtect settings, and knowing when to reset—you can resolve this error in under 30 minutes and restore secure, hardware-backed authentication to your Palo Alto environment.