Update: It is resolved. We compared between Palo Alto generated cert and MS generated cert with a default template. We found out one difference between the two. MS generated Cert didn't have Subject (I mean subject value was blank). As soon as we added the subject (CN=FQDN) in the MS cert, Palo alto accepted the MS cert. I think Palo Alto should update the KB saying "subject is requirement" for machine cert Pre-logon.
... View more