Several scenarios can trigger this specific failure:

When an IT administrator renews a device certificate via an internal CA (like Microsoft AD CS), the old certificate may still be referenced by the GlobalProtect client. If the new certificate was installed without properly re-associating it with the TPM's key storage provider (KSP), the public key mismatch occurs.

Check:

show system state | match tpm
show system certificate tpm-status
debug tpm verify-certificate

Even after a new certificate is issued, GlobalProtect may cache the old thumbprint.
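The renewal scenario above can be verified on the Windows endpoint itself: list every certificate matching the device certificate's subject, report which key storage provider holds each private key, and confirm that the key the KSP returns actually matches the public key in the certificate. The script below is an added example, not code from the original page or from Palo Alto Networks; the subject filter (`CN=DEVICE-NAME`) is a placeholder, and the provider name `Microsoft Platform Crypto Provider` is the standard name of the Windows TPM KSP.

```powershell
# Added example (not from the original page): on a Windows endpoint, check whether a
# device certificate's private key lives in the TPM KSP and matches the certificate's
# public key. The subject filter is a placeholder; set it to the device certificate template.
param(
    [string]$SubjectMatch = 'CN=DEVICE-NAME'   # placeholder value, not a real subject
)

$TpmKsp = 'Microsoft Platform Crypto Provider'   # the Windows TPM key storage provider

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Sort-Object -Property NotAfter -Descending        # newest (renewed) certificate first

if (-not $certs) {
    Write-Warning "No certificate in LocalMachine\My matched '$SubjectMatch'"
    return
}

$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

foreach ($cert in $certs) {
    $row = [ordered]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        HasKey     = $cert.HasPrivateKey
        Provider   = $null
        KeyMatches = $false
        Flag       = ''
    }

    if ($cert.HasPrivateKey) {
        # GetRSAPrivateKey returns an RSACng object for CNG/KSP-backed keys and $null when the
        # certificate-to-key link is broken (the "installed without re-association" case).
        $rsa = $ext::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $row.Provider = $rsa.Key.Provider.Provider

            # Compare the modulus the KSP reports for the stored key with the modulus in the
            # certificate. Exporting only the public half ($false) works for TPM-resident keys.
            $keyMod  = [Convert]::ToBase64String($rsa.ExportParameters($false).Modulus)
            $certMod = [Convert]::ToBase64String($ext::GetRSAPublicKey($cert).ExportParameters($false).Modulus)
            $row.KeyMatches = ($keyMod -eq $certMod)
        }
    }

    # Flag the conditions that produce the public key mismatch described above.
    if (-not $row.HasKey)                  { $row.Flag = 'no private key linked' }
    elseif (-not $row.KeyMatches)          { $row.Flag = 'public key does not match KSP key' }
    elseif ($row.Provider -ne $TpmKsp)     { $row.Flag = 'key is not in the TPM KSP' }

    [pscustomobject]$row
}
```

Run it elevated so the LocalMachine store and its keys are readable. The first row is the renewed certificate; its thumbprint is the one the GlobalProtect client should be presenting, so a different thumbprint in the client's own output points at the cached-thumbprint case. A row flagged `no private key linked` or `public key does not match KSP key` is the re-association problem; on Windows the usual next step is `certutil -repairstore my <thumbprint>` to relink the certificate to its KSP key before checking again.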