Registry Setting when Deploying GlobalProtect Client with Microsoft Group Policy Object

Printer Friendly Page


In order to mass deploy the GlobalProtect Client with the Microsoft Group Policy Object (GPO), define the GPO to push the installation of the GlobalProtect Client using the GlobalProtect.msi. The GlobalProtect.msi installer can be downloaded from the Palo Alto Networks Customer Support Portal under Software Updates.


After completing installing of the GlobalProtect Client onto the endpoint devices, another GPO is required to push the registry entry for the GlobalProtect Portal FQDN or IP address. This information is required by the GlobalProtect Clients to retrieve GlobalProtect configurations.


Configure the GPO to assign the "Portal" String Value under HKEY_LOCAL_MACHINE\Software\Palo Alto Networks\GlobalProtect\PanSetup with the GlobalProtect Portal hostname (or IP address). The following example shows the Portal String Value set to




owner: gcapuno


It seems that once the client is installed it's not possible to push out an upgrade silently. When I try to send out a new msi after it is already installed the install will fail. If the client is not installed then everything works fine. Any switches or anything to allow an "upgrade"

will someone reply to this?

upgrades are performed in-app and can be set to prompt, silent or manual in the portal configuration