Using one of these options, you can prevent remote users from being locked out when they forget their password or when their password expires.
A remote user may try to change or update their password at 2 different times:
Pre-logon is one of the Connect Methods supported by GlobalProtect. Pre-logon enables GlobalProtect to establish a VPN tunnel using a machine certificate on the user’s endpoint (computer, laptop, or notebook). This connection method establishes a pre-logon tunnel immediately after the system boots up and before the user logs in. If the enterprise AD is accessible over this pre-logon tunnel, remote users can log in to the domain with a temporary password or use the Change Password option that's natively available on the Windows login screen to update their passwords.
With this configuration, even if the password has expired, a remote user can still connect to this gateway using the cookie, as long as the cookie is still valid. After the tunnel is established, remote users can reach the enterprise Active Directory and change their passwords by pressing Ctrl + Alt + Delete and using the change password option.
For more information on cookie-based authentication, refer to Enhanced Two-Factor Authentication.
For more information on GlobalProtect, please see the following articles: