Looking for a bit of help here. I am trying to automate the deployment of GlobalProtect and the relevant VPN profile through Intune to Windows 10 laptops. However, whatever I have tried, I cannot get it working, although all Palo Alto / Microsoft documentation states it should work without issue.
I have ensured that on my test device I can access the server and I can connect through to the VPN when using the app from the portal.
When automating through Intune the issue seems to be that you have to use the Windows 10 Store version of GlobalProtect rather than the executable from the portal. The Windows 10 version uses the VPN profile from Intune, which sets up the VPN as SSTP, which does not seem to work. The GlobalProtect app from the portal installs the VPN as a PANGP Virtual Ethernet Adapter.
Does anyone have a clue what I am doing wrong or what I am missing? Any help at this point would be appreciated.
Have you tried creating a Win32 app in Intune for GlobalProtect?
You’ll need to prep the .msi using the Microsoft Win32 Content Prep Tool to create the app as Win32 rather than LOB. The below configuration has worked well for me so far and takes into account agent auto-upgrade. Hope this helps!
We deploy the MSI via Intune and use switches to configure the gateway\pre-logon settings etc. and it seems to work fine. Any reason why you aren’t using the MSI installer?
I can’t help with Intune. What I can say is deploying GP via Kace has proved to be a nightmare (according to the Kace people trying to do it). They get a 30% failure rate, in which the client fails to run in some way on the endpoint, with various issues. As they put it (and I’m not a Kace person, so I must take their word for it), they have to install it, uninstall it, and reinstall it, all as part of the process. I don’t know enough to call bullshit on it or not.
I will say for me, putting it on the Palo portal for download and running the autoupdate manually seems to work for me. But we don’t allow local admin, and we’ve run into issues with that in the past, and now the support team on the helpdesk doesn’t want to use that (although the last couple of times I’ve done it without local admin it seems to work), I think it was only the initial install that didn’t. I only manage the firewalls, I don’t support the clients.
Hi People, as a follow on to this, we are experiencing an issue where GP associates itself with “Unidentified Network” (Public) where the device is Azure AD Joined. Do I need to configure Azure AD Named Network Locations with the VPN IP Range (as part of Azure AD Conditional Access Policy) so that GP will associate itself with a Trusted/Known Location based on compliant device?
Can you help me with one question? I am using the following MSI installation command: msiexec /i "GlobalProtect64-5.2.2.msi" /q PORTAL=URL.com CONNECTMETHOD=on-demand PRELOGON=1
What I am hoping to get is the connection method to be on-demand (user initiates the connection when they are ready), but at the same time give a user the ability to establish the connection before logging into their laptop. Do I still need to issue the registry edits on the laptop or will using the PRELOGON=1 switch enable it for me during the installation process?
I know this is a few months old but have you ever had issues where the shortcut in the start menu tries reinstalling the app and gives errors like:
The feature you are trying to use is on a network resource that is unavailable.
click ok to try again, or enter an alternate path to a folder containing the installation package for GlobalProtect64.msi in the box below
The app is installed and I can see it in the taskbar but searching for it in the start menu does this.
Question: does this auto-update the previous version of GlobalProtect? Or do we need to uninstall the previous version in order to install the new version?
I’m having the same issue on my Intune devices. GlobalProtect launches automatically upon login and runs on the taskbar, but if you try to launch the program from the Start Menu the same error is thrown.
Are you assigning the install of GlobalProtect via a device group or a user group?
Sounds interesting. Do you guys have any example scripts that you are using for this? I have got it working with the MSI previously but could not figure out how to automatically put in the gateway etc.
On mobile so the formatting is a bit ugly, but basically I just change the installer to whatever version I’m pushing, wrap this script up with the .msi in a .intunewin file, then set the install command to run the script. I also use supersedence to remove previous versions of GlobalProtect. The key to having this working is to set the detection rule to the version number in the registry.
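Added example, not part of any post above and not Palo Alto's or Microsoft's own code: one way to do the registry version detection described in the last reply, written as an Intune Win32 custom detection script. It assumes the MSI registers an uninstall entry whose DisplayName starts with "GlobalProtect", and it uses 5.2.2 (the version named earlier in the thread) as a sample value to replace.

```powershell
# Intune Win32 app custom detection script (added example).
# Intune treats the app as detected when the script exits 0 AND writes to STDOUT.
# In the detection rule, set "Run script as 32-bit process on 64-bit clients"
# to No, otherwise registry redirection hides the 64-bit uninstall entry.

# Sample value taken from the thread; set it to the version you are pushing.
$RequiredVersion = [version]'5.2.2'

# Assumption: the installer writes a standard uninstall entry with a
# DisplayName beginning "GlobalProtect". Confirm on a reference machine.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'GlobalProtect*' -and $_.DisplayVersion }

# Parse DisplayVersion defensively; skip entries that are not dotted versions.
$installed = foreach ($entry in $entries) {
    $parsed = $null
    if ([version]::TryParse($entry.DisplayVersion, [ref]$parsed)) { $parsed }
}
$newest = $installed | Sort-Object -Descending | Select-Object -First 1

# -ge rather than -eq: if the agent later auto-upgrades from the portal,
# an exact-match rule would report "not installed" and Intune would try
# to push the older MSI over the newer agent.
if ($newest -and $newest -ge $RequiredVersion) {
    Write-Output "GlobalProtect $newest detected"
    exit 0
}

# No STDOUT and a non-zero exit code: Intune reports the app as not detected.
exit 1
```

Write `$RequiredVersion` with the same number of components as the DisplayVersion on the device, because `[version]` compares 5.2.2 as lower than 5.2.2.0.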