Windows Autopilot with User-Driven Hybrid Azure AD Domain Join using Palo Alto GlobalProtect VPN: Part 2, using GlobalProtect PLAP with Basic Credentials

I recently had a call with another company attempting to set up Autopilot following my previous post (Windows Autopilot with User-Driven Hybrid Azure AD Domain Join using Palo Alto GlobalProtect VPN). While speaking to them I learned that they are currently using basic credentials (LDAP+RADIUS) with GlobalProtect and are only attempting to set up certificate authentication to get Autopilot working. They were still planning on having the user perform two-factor basic authentication after the Autopilot-based deployment. This configuration was the perfect use case for GlobalProtect’s new “Use Connect Before Logon” functionality. This functionality was introduced in version 5.2 and works by registering a Pre-Login Access Provider (PLAP). With PLAP you now have interactive access to the GlobalProtect client at the logon screen. A huge plus with this method is that it requires NO back-end changes to your existing GlobalProtect configuration. The functionality is completely client-side and only really requires an additional step during installation. This PLAP functionality works with basic credentials, certificates, and even SAML! I will be using basic two-factor credentials below.

The first step will be to create a new GlobalProtect package in Intune. I am using the newest version below, 5.2.7. You can use the same steps for creating the package that I laid out in my first post, but we will be using an alternate wrapper script, InstallGlobalProtect_PLAP.ps1. InstallGlobalProtect_PLAP.ps1 will install GlobalProtect, set our default GlobalProtect portal, and register the Pre-Login Access Provider (PLAP). Everything else non-certificate related in my original post will still apply (e.g. IntuneHybridJoinHelperInstaller.ps1).

Once the machine has been deployed you will notice an extra button in the lower right. This is the PLAP.

When clicked, GlobalProtect will attempt to connect to the portal configured in the wrapper script and you will be presented with a screen like the one below. The prompts here will vary based on your authentication method. Here I am being prompted for my LDAP credentials to authenticate to the portal.

Once I passed the correct credentials here (and the correct second set of credentials at a second screen for two-factor) I was connected.

At this point you can click the ‘Back’ button and continue to log in to the device. That’s all there is to it! This is a great option for those of you who are lacking the desire to use certificates in your existing GlobalProtect configuration, but want to start using Autopilot.
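As an added example (not the author's InstallGlobalProtect_PLAP.ps1 and not Palo Alto code), here is a PowerShell post-install check that verifies the two registry settings referenced in the comments below (the PanSetup Portal value and the PLAP provider registration) and can optionally re-apply them. The PanGPS.exe install path, the -PortalAddress parameter name and the exit-code convention are assumptions.

```powershell
# Post-install check for GlobalProtect PLAP deployments (added example, not the post's script).
# Usage: .\Test-GlobalProtectPlap.ps1 -PortalAddress vpn.example.com [-Remediate]
# Exit code 0 = both settings present, 1 = something missing (usable as an Intune detection script).
param(
    [Parameter(Mandatory = $true)] [string]$PortalAddress,   # assumed parameter name
    [switch]$Remediate
)

# Registry locations quoted on this page
$PanSetupKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
$PlapKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{20A29589-E76A-488B-A520-63582302A285}'
# Assumed default install path of the GlobalProtect service binary
$PanGPS      = Join-Path $env:ProgramFiles 'Palo Alto Networks\GlobalProtect\PanGPS.exe'

# 1. Portal address written by the wrapper script
$portal = (Get-ItemProperty -Path $PanSetupKey -Name 'Portal' -ErrorAction SilentlyContinue).Portal
$portalOk = ($portal -eq $PortalAddress)

# 2. PLAP provider registered: '(Default)' value of the provider CLSID key must be PanPlapProvider
$plap = (Get-ItemProperty -Path $PlapKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
$plapOk = ($plap -eq 'PanPlapProvider')

if ($Remediate) {
    if (-not $portalOk) {
        if (-not (Test-Path $PanSetupKey)) { New-Item -Path $PanSetupKey -Force | Out-Null }
        New-ItemProperty -Path $PanSetupKey -Name 'Portal' -Value $PortalAddress -PropertyType String -Force | Out-Null
        $portalOk = $true
    }
    if (-not $plapOk -and (Test-Path $PanGPS)) {
        # Same registration step the wrapper script runs after installation
        Start-Process -FilePath $PanGPS -ArgumentList '-registerplap' -Wait -NoNewWindow
        $plap = (Get-ItemProperty -Path $PlapKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        $plapOk = ($plap -eq 'PanPlapProvider')
    }
}

[pscustomobject]@{
    PortalConfigured = $portalOk
    PortalValue      = $portal
    PlapRegistered   = $plapOk
    PlapValue        = $plap
} | Format-List

if ($portalOk -and $plapOk) { exit 0 } else { exit 1 }
```

Run it elevated on a freshly deployed device; a missing Portal value or a blank PLAP provider value points at the two failure modes discussed in the comments.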

11 thoughts on “Windows Autopilot with User-Driven Hybrid Azure AD Domain Join using Palo Alto GlobalProtect VPN: Part 2, using GlobalProtect PLAP with Basic Credentials”

  1. Pingback: Windows Autopilot with User-Driven Hybrid Azure AD Domain Join using Palo Alto GlobalProtect VPN | Maniacal Methods

  2. RWarrick66

    Thanks so much for “Part 2”!! This put the work back in my hands and cut the security team loose from the additional certificate work.

    I only have one issue. The GP client attempts to connect upon login, after every reboot. It obviously fails since the client is now on the office network. Is this by design or did I miss something?

    1. Mark DePalma Post author

      I’m glad this could be helpful!

      So, one option for this is to configure internal host detection. This way GlobalProtect will detect you are internal to the network and won’t attempt to establish a connection (or will try to connect to the “internal” gateway if one is configured).

  3. lkg907

    Hey Mark, I ran into an issue with trying to get this set up. I’ve experienced a different behavior when AP runs it compared to when it runs when you log in. It’s not putting the icon in the bottom right corner, and it adds it to the sign-in options but does nothing. This is my first time trying to set it up and I am using version 5.2.6.

      1. Mark DePalma Post author

        This is what GlobalProtect looks like if it is not installed with PLAP. Did you install it using the script I provided? In that script is a process that runs AFTER installation to enable PLAP (PanGPS.exe -registerplap).

        If you have done this and are still having the issue then check the ‘(Default)’ registry value under: ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{20A29589-E76A-488B-A520-63582302A285}’. Verify that the value is set to ‘PanPlapProvider’. This registry should already be set if ‘PanGPS.exe -registerplap’ was already run.

        1. lkg907

          Yes, I used InstallGlobalProtect_PLAP.ps1. I did not setup a deployment for IntuneHybridJoinHelperInstaller.ps1 as I did not think it was necessary after my results of just installing using InstallGlobalProtect_PLAP.ps1 with a fresh autopilot device that was off the network. What I do see is that the portal address is not entered for the device. I have a cisco gateway so I just logged in with that to see what happened.

          1. lkg907

            It seems this is what failed for some reason. New-ItemProperty -Path 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup' -Name 'Portal' -Value $PortalAddress -PropertyType String -Force | Out-Null

            Don’t see the portal address in the reg.

  4. kuvinod7

    Hi Mark – Great and very useful post. The only issue we have is with group policies that are not getting applied during the first-time logon, as we have enabled loopback replace mode. After we make a connection to VPN from the startup page and the user logs in, we are seeing that specifically logon scripts and folder redirections from GPO are not getting applied. Any suggestions?

    Thanks,
    Vinod

    1. Mark DePalma Post author

      Yes! Please take a look at my original post (https://blog.markdepalma.com/?p=763). I wrote a helper script (IntuneHybridJoinHelperInstaller.ps1) that helps resolve many GPO-related issues. Scripts *may* actually kick off after the refresh using this. Folder redirection may only kick in the second logon because of how Explorer actually applies it (I’m not 100% there).

      I’d love to hear your results after using the helper script. I’d be happy to look into enhancing it if either of those two settings still don’t work for you at first logon.
