06-15-2020 05:21 AM
I have tried for over a month to install Global Protect and have it work, and can't begin to count how many installs/uninstalls of Global Protect I have done. Many people have tried to offer suggestions and it seems like the root cause is the PAN GP VNIC driver cannot be installed. When I try to install it manually via the inf, I get an Access Denied error in the UI. I am using an administrator account and have also tried installing with elevated privileges.
The latest PanGPS.log says:
Pan GlobalProtect Driver installation failed with error = 2
I have searched the web and also in this forum, and have tried every suggestion I could find. Nothing works.
The last thing I thought was since I am connected to a dock, perhaps there was something there conflicting. I undocked and went through all the installations again, but no luck.
Is there a way to get this driver installed?
06-15-2020 09:35 AM
Hello,
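You can try:
# Pattern to look for and the registry root to search
$RE = 'GlobalProtect'
$Key = 'HKLM:\SOFTWARE\'
# Walk every key under the root; keys that cannot be read are skipped silently
Get-ChildItem $Key -Rec -EA SilentlyContinue | ForEach-Object {
    # Read the key's values; the match below runs against their string form
    $CurrentKey = (Get-ItemProperty -Path $_.PsPath)
    If ($CurrentKey -match $RE) {
        # Delete the matching key
        $CurrentKey | Remove-Item -Force
    }
}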
06-15-2020 12:16 PM
Thanks for the reply. I followed all your steps and unfortunately the same thing happens. The PAN GP driver does not get installed so GlobalProtect won't work. When I start GlobalProtect, I never get prompted for my email address in order for it to populate anything in the settings so the Connect button doesn't work.
06-15-2020 01:28 PM
Hello,
I noticed I forgot to mention, every change in regedit requires a reboot.
Second option you can try:
Uninstall the current installation.
Remove all Program Files and AppData folders related to Palo Alto Networks.
Remove all regedit entries in HKLM and HKCU related to Palo Alto Networks.
Reboot.
Stop the WMI service in the Windows Services pane (you can open it by starting a command prompt with admin rights, then typing services.msc).
Try the installation.
Reboot.
Use the recommended version, I think 5.1.3.
Good Luck.
06-17-2020 05:21 AM
Thanks for the additional suggestion. Unfortunately that didn't work either. Looks like GlobalProtect just doesn't want to install on my system.
08-04-2020 12:30 AM
I have encountered the same error and found it to be because the pangpd.inf has had its software signing certificate revoked. If you look through the Windows Error Reporting log files you will find an entry similar to this:
\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd.inf'.
sto: {DRIVERSTORE IMPORT VALIDATE} 14:53:01.668
sig: {_VERIFY_FILE_SIGNATURE} 14:53:01.717
sig: Key = pangpd.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd64.cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b010c: A certificate was explicitly revoked by its issuer.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b010c)} 14:53:01.717
Windows sees the driver as unsigned/untrusted and so will not install the driver for the PAN-GP adapter.
You can prove this by disabling Windows driver signing enforcement although this is not recommended for production systems for obvious reasons. To test the installation with driver signing checks disabled:
1. Disable Secure Boot in the UEFI/BIOS. This may require you to disable BitLocker on your device first
2. From an admin elevated command prompt run "bcdedit /set testsigning on" and then restart your device to disable the Windows driver signing checks and restart your device in Test Mode
3. Install the GP client and verify the PAN GP adapter is installed correctly and the client connects to your infrastructure correctly.
Unfortunately this is not a viable production fix so I suggest you raise a support case with Palo Alto TAC including all available logs and request a fix for the pangpd.inf certificate signing revocation.
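As an added example (not part of the original post and not Palo Alto code), this PowerShell function pulls the failed signature-verification blocks out of log lines in the format quoted above, so a revoked or untrusted catalog can be spotted without reading the log by hand. The function name is hypothetical, the second sample block is constructed, and the line format is assumed to be that of the SetupAPI device install log (C:\Windows\INF\setupapi.dev.log).

```powershell
# Added example: report failed _VERIFY_FILE_SIGNATURE blocks from SetupAPI-style log lines.
function Get-DriverSignatureFailure {
    param([Parameter(Mandatory)][string[]]$Line)

    $block = $null
    foreach ($l in $Line) {
        if ($l -match '\{_VERIFY_FILE_SIGNATURE exit\((0x[0-9a-fA-F]+)\)\}') {
            # Block end: emit it only when the exit code is non-zero.
            $code = $Matches[1]
            if ($null -ne $block -and $code -notmatch '^0x0+$') {
                $block.ExitCode = $code
                [pscustomobject]$block
            }
            $block = $null
        }
        elseif ($l -match '\{_VERIFY_FILE_SIGNATURE\}') {
            # Block start: collect fields until the matching exit line.
            $block = [ordered]@{ Key = $null; FilePath = $null; Catalog = $null; ExitCode = $null; Errors = @() }
        }
        elseif ($null -ne $block) {
            if ($l -match '^\s*!+\s*sig:\s*(.+)$') {
                $block.Errors += $Matches[1].Trim()      # lines flagged with "!" are failures
            }
            elseif ($l -match '^\s*sig:\s*(Key|FilePath|Catalog)\s*=\s*(.+)$') {
                $block[$Matches[1]] = $Matches[2].Trim()
            }
        }
    }
}

# First block: excerpt quoted in the post. Second block: constructed passing entry
# (hypothetical file names) to show that successful verifications are skipped.
$sample = @'
sig: {_VERIFY_FILE_SIGNATURE} 14:53:01.717
sig: Key = pangpd.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{5b2e4739-521d-354e-a103-129ee6d06832}\pangpd64.cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b010c: A certificate was explicitly revoked by its issuer.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b010c)} 14:53:01.717
sig: {_VERIFY_FILE_SIGNATURE} 14:53:02.100
sig: Key = example.inf
sig: FilePath = C:\Temp\example.inf
sig: Catalog = C:\Temp\example.cat
sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 14:53:02.150
'@ -split '\r?\n'

Get-DriverSignatureFailure -Line $sample | Format-List
```

To run it against a live system, pass the output of Get-Content on the log file as -Line instead of $sample.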