Group Policy Objects (GPOs) that enforce TPM-based key attestation or Windows Credential Guard can sometimes intercept and modify the certificate selection logic, causing the Palo Alto client to see a public key mismatch.
Run a test authentication certificate-profile command:
show system state | match tpm
show system certificate tpm-status
debug tpm verify-certificate
For specific research papers or documentation on this topic, you might want to explore:
Some administrators have resolved this by performing a "Force Commit" in the firewall GUI.
For three days, the firewall had been a ghost. The logs were a repetitive, mocking loop of failure: