A TPM can only have one owner. If another application (BitLocker, Windows Hello for Business, or a third-party security tool) took ownership of the TPM and changed its storage root key (SRK), previously issued certificates become orphaned: the client attempts to use a certificate whose private key is no longer accessible under the new TPM hierarchy.
Upgrading to a PAN-OS version that includes fixes for the known bugs in TPM certificate handling is the most definitive solution.
If the firewall is holding onto stale or corrupted certificate data, clearing the cache forces it to generate a clean request.
(needs reboot, backup first):
If you're encountering the error "Palo Alto failed to fetch device certificate: TPM public key match failed" while trying to set up or manage a Palo Alto Networks device, you're not alone. This error can occur when the TPM (Trusted Platform Module) public key stored on the device does not match the one associated with the device certificate.