I imported the root CA cert from our Windows PKI into our Palo, created a subordinate CA cert on the Palo under that, and an SSL cert under that, which is working to authenticate SAML with Azure AD, which was configured with a cert from the same root CA. This is for the user tunnel of GlobalProtect. Our Windows CA is issuing machine/personal store certs to our PCs, but GlobalProtect prelogon isn't successful in using these certs to authenticate a machine tunnel. Manually exporting the subordinate CA cert from the Palo and importing it into a PC works, but this isn't a scalable solution. The machine certs that are being issued to PCs have the machine name in the Subject of the certs and client authentication in its attributes. The only red flag I see is that the issuer of the machine certs has the distinguished name for the CA, whereas the root and subordinate certs on the Palo only have the common name of the CA. I have a ticket submitted to Palo support and a technician has helped me get to this point, but progress slowed and I am hoping others in the community might have some suggestions based on their own experience.