```
tpm2_getcap handles-persistent
```
If the issue persists, verify these standard environment requirements:
| Cause | Explanation |
|----------------|-----------------|
| Stale TPM Key Handle | The TPM has multiple key slots. The OS referenced the wrong handle (e.g., an old, deleted key). |
| TPM Ownership Change | TPM was cleared (via BIOS or `tpm.msc`). The new owner's storage root key (SRK) differs, invalidating all previous certificates. |
| Certificate/Key Pair Mismatch | The X.509 certificate in the Windows Certificate Store or Linux filesystem contains a public key that does not correspond to the private key inside the TPM. This happens after manual cert imports. |
| Cloned VM or Disk Image | VMs with virtual TPMs (vTPM) cloned without re-keying cause duplicate public keys. Palo Alto sees two devices claiming the same key. |
| Firmware Update changed TPM Persistent State | Some TPM firmware updates reset key persistence (rare but seen on Infineon TPMs). |
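The "Certificate/Key Pair Mismatch" row is the one you can settle offline: the public key inside the certificate either equals the public key the TPM exports for the handle, or it does not. The script below is an added example, not code from the original article or from Palo Alto Networks. It assumes (as an assumption, not something the page states) that the TPM side was exported with `tpm2_readpublic -c <handle> -f pem`, which yields a bare SubjectPublicKeyInfo (SPKI) in "PUBLIC KEY" PEM, and that the certificate is in PEM. It pulls the SPKI out of the certificate with a minimal DER walker (standard library only) and compares the two SPKI blobs byte for byte; the demo data at the bottom is constructed DER, so it runs without a TPM.

```python
# Added example (not from the original article or from Palo Alto Networks):
# offline check for the "Certificate/Key Pair Mismatch" cause, standard library only.
#
# Assumed inputs (assumption, not from the page):
#   tpm2_readpublic -c 0x81010001 -f pem -o tpm_pub.pem   # "PUBLIC KEY" PEM = bare SPKI
#   device.crt                                            # the certificate being matched
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der: bytes, label: str) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, element_start, element_end) for each TLV between start and end."""
    pos = start
    while pos < end:
        tag, _, value_end = _read_tlv(buf, pos)
        yield tag, pos, value_end
        pos = value_end


def cert_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_vs, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_vs, tbs_ve = _read_tlv(cert_der, cert_vs)  # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_start, spki_end = fields[5]
    return cert_der[spki_start:spki_end]


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 of the DER SPKI, handy for logging side by side."""
    return hashlib.sha256(spki_der).hexdigest()


def keys_match(cert_pem: str, tpm_pub_pem: str) -> bool:
    """True when the certificate's public key is the one the TPM holds."""
    return cert_spki(pem_to_der(cert_pem)) == pem_to_der(tpm_pub_pem)


# ---- constructed demo data: structurally valid DER, not a real signed certificate ----
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


_SHA256_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))


def _demo_spki(key_byte: int) -> bytes:
    # AlgorithmIdentifier plus a BIT STRING placeholder standing in for key material
    return _tlv(0x30, _SHA256_RSA + _tlv(0x03, b"\x00" + bytes([key_byte]) * 32))


def _demo_cert(spki: bytes) -> bytes:
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial = _tlv(0x02, b"\x01")
    empty_name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, version + serial + _SHA256_RSA + empty_name + validity + empty_name + spki)
    signature = _tlv(0x03, b"\x00" + b"\xaa" * 4)
    return _tlv(0x30, tbs + _SHA256_RSA + signature)


DEMO_SPKI = _demo_spki(0x01)
DEMO_CERT_PEM = der_to_pem(_demo_cert(DEMO_SPKI), "CERTIFICATE")
DEMO_TPM_PEM = der_to_pem(DEMO_SPKI, "PUBLIC KEY")               # what the TPM should export
DEMO_STALE_TPM_PEM = der_to_pem(_demo_spki(0x02), "PUBLIC KEY")  # a different (stale) key

if __name__ == "__main__":
    print("cert  :", spki_fingerprint(cert_spki(pem_to_der(DEMO_CERT_PEM))))
    print("tpm   :", spki_fingerprint(pem_to_der(DEMO_TPM_PEM)))
    print("match :", keys_match(DEMO_CERT_PEM, DEMO_TPM_PEM))        # True
    print("stale :", keys_match(DEMO_CERT_PEM, DEMO_STALE_TPM_PEM))  # False
```

In practice, replace the demo constants with the contents of `device.crt` and `tpm_pub.pem`; a `False` from `keys_match` with a wrong-handle export points at the "Stale TPM Key Handle" row, while a `False` against every persistent handle listed by `tpm2_getcap handles-persistent` points at the ownership-change, clone or manual-import causes above.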
If your management traffic passes through another firewall that does SSL inspection, it can "warp" the certificate during transit. The TPM chip detects this change and immediately rejects the "tampered" key.
Once the TPM and the Cloud finally agree on the key, the status flips to , and the vault is secure once more.