<h1>Windows Autopilot with User-Driven Hybrid Azure AD Domain Join using Palo Alto GlobalProtect VPN: Part 2, using GlobalProtect PLAP with Basic Credentials</h1>

<p>Published 2021-07-19 at <a href="https://blog.markdepalma.com/?p=763">https://blog.markdepalma.com/?p=763</a>. Categories: Active Directory, Azure, Intune, Networking, PowerShell, Scripting, Security. Tags: autopilot, certificate, palo-alto, plap, pre-logon, vpn, win32.</p>

<p>I recently had a call with another company attempting to set up Autopilot following my previous post (<a href="https://blog.markdepalma.com/?p=528">Windows Autopilot with User-Driven Hybrid Azure AD Domain Join using Palo Alto GlobalProtect VPN</a>). While speaking to them I learned that they are currently using basic credentials (LDAP+RADIUS) with GlobalProtect and were only setting up certificate authentication to get Autopilot working. They were still planning on having the user perform two-factor basic authentication after the Autopilot-based deployment. This configuration was the perfect use case for GlobalProtect's new "<a href="https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-user-guide/globalprotect-app-for-windows/use-connect-before-logon-followed-by-the-authentication-method">Use Connect Before Logon</a>" functionality. This functionality was introduced in version 5.2 and works by registering a <a href="https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication#BKMK_CrentialInputForUserLogon">Pre-Logon Access Provider (PLAP)</a>. With a PLAP registered you have interactive access to the GlobalProtect client at the logon screen, before any user has signed in. A huge plus with this method is that it requires NO back-end changes to your existing GlobalProtect configuration. The functionality is completely client-side and only really requires an additional step during installation; because the portal and gateway configuration are untouched, the authentication policy you already enforce for normal connections is the one that applies at the logon screen. This PLAP functionality works with basic credentials, certificates, and even SAML! I will be using basic two-factor credentials below.</p>

<p>The first step will be to create a new GlobalProtect package in Intune. I am using the newest version, 5.2.7, below. You can use the same steps for creating the package that I laid out in my <a href="https://blog.markdepalma.com/?p=528">first post</a>, but we will be using an alternate wrapper script, <a href="https://github.com/markdepalma/Windows-Autopilot-Hybrid-Join-Scripts/blob/master/InstallGlobalProtect_PLAP.ps1">InstallGlobalProtect_PLAP.ps1</a>. InstallGlobalProtect_PLAP.ps1 installs GlobalProtect, sets our default GlobalProtect portal, and registers the Pre-Login Access Provider (PLAP). Everything else in my original post that is not certificate-related still applies (e.g. <strong><a href="https://github.com/markdepalma/Windows-Autopilot-Hybrid-Join-Scripts">IntuneHybridJoinHelperInstaller.ps1</a></strong>).</p>

<p>Once the machine has been deployed you will notice an extra button in the lower right of the logon screen. This is the PLAP.</p>

<figure><a href="https://blog.markdepalma.com/wp-content/uploads/2021/07/image.png"><img src="https://blog.markdepalma.com/wp-content/uploads/2021/07/image-1024x576.png" width="1024" height="576" alt="Windows logon screen with the GlobalProtect PLAP button in the lower right"></a></figure>

<p>When clicked, GlobalProtect will attempt to connect to the portal configured in the wrapper script and you will be presented with a screen like the one below. The prompts here will vary based on your authentication method. Here I am being prompted for my LDAP credentials to authenticate to the portal.</p>

<figure><a href="https://blog.markdepalma.com/wp-content/uploads/2021/07/image-1.png"><img src="https://blog.markdepalma.com/wp-content/uploads/2021/07/image-1.png" width="615" height="706" alt="GlobalProtect portal credential prompt shown at the logon screen"></a></figure>

<p>Once I entered the correct credentials here (and the correct second set of credentials on a second screen, for the second factor) I was connected.</p>

<figure><a href="https://blog.markdepalma.com/wp-content/uploads/2021/07/image-2.png"><img src="https://blog.markdepalma.com/wp-content/uploads/2021/07/image-2-1024x672.png" width="1024" height="672" alt="GlobalProtect showing a connected status at the logon screen"></a></figure>

<p>At this point you can click the 'Back' button and continue to log in to the device. That's all there is to it! This is a great option for those of you who do not want to introduce certificates into your existing GlobalProtect configuration but want to start using Autopilot.</p>
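<p>As an added example (this is not the author's InstallGlobalProtect_PLAP.ps1 and not Palo Alto's code), the PowerShell below performs the three wrapper-script steps the post describes, install GlobalProtect, set the default portal, register the PLAP, and then verifies the PLAP registration through the registry so the same script can double as the Intune Win32 app detection rule. The MSI file name GlobalProtect64.msi, the placeholder portal vpn.example.com, the PLAP DLL name PanPlapProvider.dll, the PORTAL MSI property and the PanSetup\Portal registry value are assumptions taken from Palo Alto's GlobalProtect 5.2 documentation; confirm them against your package before use.</p>

```powershell
#Requires -RunAsAdministrator
<#
  Added example wrapper for GlobalProtect "Connect Before Logon" (PLAP) deployment.
  NOT the author's InstallGlobalProtect_PLAP.ps1. Assumptions (verify for your build):
    - MSI is GlobalProtect64.msi next to this script, and accepts the PORTAL property
    - The PLAP COM server is PanPlapProvider.dll in the GlobalProtect install folder
    - The default portal lands in HKLM\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup\Portal
  The "PLAP Providers" key is the standard Windows registration point for every PLAP.
#>
param(
    [string]$Portal     = 'vpn.example.com',                              # placeholder FQDN
    [string]$MsiPath    = (Join-Path $PSScriptRoot 'GlobalProtect64.msi'), # assumed file name
    [switch]$DetectOnly                                                    # skip install, just verify
)

$GpDir   = Join-Path $env:ProgramFiles 'Palo Alto Networks\GlobalProtect'
$PlapDll = Join-Path $GpDir 'PanPlapProvider.dll'                          # assumed DLL name

function Install-GlobalProtectWithPortal {
    # Silent MSI install. PORTAL pre-populates the default portal so the PLAP button
    # knows where to connect before any user profile exists on the device.
    $msiArgs = @('/i', "`"$MsiPath`"", "PORTAL=$Portal", '/qn', '/norestart')
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if (@(0, 3010) -notcontains $p.ExitCode) { throw "msiexec failed with exit code $($p.ExitCode)" }
}

function Register-GlobalProtectPlap {
    # Connect Before Logon is purely client-side: registering the PLAP COM server is the
    # only extra step beyond a normal install. regsvr32 /s is silent and exits non-zero on failure.
    if (-not (Test-Path $PlapDll)) { throw "PLAP DLL not found at $PlapDll" }
    $p = Start-Process -FilePath regsvr32.exe -ArgumentList @('/s', "`"$PlapDll`"") -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }
}

function Test-GlobalProtectPlapRegistered {
    # Windows lists each PLAP as a CLSID subkey here; resolve every CLSID's InprocServer32
    # and report $true only if one of them points at the GlobalProtect PLAP DLL.
    $plapKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers'
    if (-not (Test-Path $plapKey)) { return $false }
    foreach ($clsid in (Get-ChildItem -Path $plapKey).PSChildName) {
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path $server)) { continue }
        $dll = (Get-ItemProperty -Path $server).'(default)'
        if ($dll -and ([IO.Path]::GetFileName($dll.Trim('"')) -ieq 'PanPlapProvider.dll')) { return $true }
    }
    return $false
}

function Get-GlobalProtectDefaultPortal {
    # The MSI PORTAL property is persisted under PanSetup (assumed value name: Portal).
    $setup = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
    if (Test-Path $setup) { return (Get-ItemProperty -Path $setup).Portal }
}

if (-not $DetectOnly) {
    Install-GlobalProtectWithPortal
    Register-GlobalProtectPlap
}

# Intune detection contract: write something to stdout and exit 0 only when the PLAP is
# registered AND the portal is the one we deployed; anything else is "not installed".
if ((Test-GlobalProtectPlapRegistered) -and ((Get-GlobalProtectDefaultPortal) -eq $Portal)) {
    Write-Output "GlobalProtect PLAP registered; portal=$Portal"
    exit 0
}
exit 1
```

<p>Run it without switches as the Win32 app install command (for example <code>powershell.exe -ExecutionPolicy Bypass -File .\Install-GpPlap.ps1 -Portal vpn.example.com</code>, a hypothetical file name) and point the app's custom detection script at the same file with <code>-DetectOnly</code>. Checking the registry rather than only the regsvr32 exit code matters because an Intune retry or a later GlobalProtect upgrade can leave the DLL in place but the PLAP unregistered, and the logon-screen button silently disappears.</p>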