
Palo Alto "Failed To Fetch Device Certificate: TPM Public Key Match Failed" (Updated)

Set the AD CS certificate template to "Renew with the same key" (Request Handling tab; leave "Publish certificate in Active Directory" off, and keep the renewal period shorter than the validity period). Avoid "Renew with new key": a renewal that generates a fresh key pair leaves the certificate's public key no longer matching the TPM-bound key that GlobalProtect checks against.

Outdated TPM firmware can also produce public key mismatches. Check for TPM firmware updates with the OEM (Dell, Lenovo, HP) before touching the certificate side.

Environment: Fortune 500 retail chain, 25,000 GlobalProtect endpoints (Dell Latitude 5430 with TPM 2.0, PAN-OS 11.0.2, GlobalProtect 6.1.4).

Symptom: after Windows Defender Credential Guard was enabled, 15% of users saw "failed to fetch device certificate tpm public key match failed" every 3 hours.

Root cause (as diagnosed): once Credential Guard was enabled, the TPM public key hash reported for the same device certificate differed between the virtualization-based-security context and the normal user context, so GlobalProtect's comparison of the certificate's public key against the TPM-held key failed.

Solution: the GlobalProtect processes (PanGPA.exe, PanGPS.exe) were taken out of the VBS-protected context by changing the policy under:

Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Virtualization Based Protection of Code Integrity: Disabled

Caveat: this policy is machine-wide. "Turn On Virtualization Based Security" has no per-application exclusion list, so setting HVCI to Disabled to unblock two processes removes code-integrity protection for the whole endpoint; Credential Guard itself is a separate option ("Credential Guard Configuration") in the same policy. Confirm with Microsoft and Palo Alto Networks support that this trade-off is acceptable before rolling it out at scale.

After a reboot, TPM attestation succeeded.

Obtain the TPM’s current public key hash:

> debug tpm show public-key | match sha256

Then extract the public key hash from the certificate in the failed request (from your CA or Panorama logs).
If the two hashes differ, proceed to Step 3.
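The comparison the steps above describe can be done directly on the Windows endpoint, which is where the device certificate and its TPM-bound key actually live. The script below is an added example, not code from the original page or from Palo Alto Networks: for every certificate in the machine store whose private key is held by the Microsoft Platform Crypto Provider (the TPM), it exports the RSA public key as the certificate carries it and as the key store returns it, and reports the SHA-256 of each modulus side by side. It assumes the GlobalProtect device certificate is in LocalMachine\My with an RSA key (ECC and CAPI keys are skipped), and it must run from an elevated session because machine private keys need administrator access.

```powershell
# Added example (not Palo Alto Networks' code). Compares the public key embedded in each
# TPM-backed machine certificate with the public key the TPM actually returns for that key.
# Assumptions: certificate in Cert:\LocalMachine\My, RSA key in the Microsoft Platform Crypto
# Provider, elevated PowerShell session. Run on the endpoint showing the GlobalProtect error.

function Get-ModulusHash {
    param([byte[]]$Modulus)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        ($sha.ComputeHash($Modulus) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $sha.Dispose()
    }
}

function Test-TpmCertKeyMatch {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $rsa = $null
        try {
            $rsa = $ext::GetRSAPrivateKey($cert)
        } catch {
            Write-Warning ("{0}: cannot open private key ({1})" -f $cert.Thumbprint, $_.Exception.Message)
            continue
        }

        # Only CNG keys expose the provider; CAPI (RSACryptoServiceProvider) keys are not TPM-backed here.
        if (-not ($rsa -is [System.Security.Cryptography.RSACng])) { continue }
        if ($rsa.Key.Provider.Provider -ne 'Microsoft Platform Crypto Provider') { continue }

        # Public key as the CA signed it into the certificate...
        $certPub = $ext::GetRSAPublicKey($cert).ExportParameters($false)
        # ...and as the TPM hands it back for the key the certificate is bound to.
        # Exporting only the public half is permitted even for non-exportable TPM keys.
        $tpmPub = $rsa.ExportParameters($false)

        $certHash = Get-ModulusHash -Modulus $certPub.Modulus
        $tpmHash  = Get-ModulusHash -Modulus $tpmPub.Modulus

        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            KeyName     = $rsa.Key.KeyName
            CertKeyHash = $certHash
            TpmKeyHash  = $tpmHash
            Match       = ($certHash -eq $tpmHash)
        }
    }
}

# A row with Match = False is the condition GlobalProtect reports as "tpm public key match failed":
# the certificate and the TPM key it names no longer agree, typically after a "Renew with new key"
# renewal or a TPM firmware/clear event. Re-enroll that certificate against the current TPM key.
Test-TpmCertKeyMatch | Format-List
```

Run it on one affected endpoint and one healthy endpoint from the same template: if the affected host shows Match = False for the device certificate, the fix is on the enrollment side (re-enroll, or correct the template's renewal setting) rather than in the GlobalProtect client.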