Global Protect does not connect after computer installation

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect does not connect after computer installation

L7 Applicator

Hi community


During the still ongoing pandemic, this issue is a little painful...

We use sccm to install windows and additional software to computers. One of this additional software is global protect. The intention was to install the computer in the office by the client team and then send the device to the employees. With Pre-Logon actually it should be possible to log in to the computer directly even if this active directory account was not logged in at that time.

The problem now is that global protect does not connect after this computer installation. As msiexec params we use the following:




Does anyone know a sollution which makes global protect opening the connection directly after the installation or at least after a reboot after the installation? As soon as a user loggs in global protect connects and this setting then also persists for the next reboots - global protect then connects already prior to the user login (as it should with the pre-logon setting).


Btw: The firewall where the client should connect to is running PAN-OS 9.1.9 and the used Global Protect version is 5.2.6.





Hi @Remo ,

Couple of months ago we have some transparent upgrade from 5.0 to 5.1 failing on random computers. From the logs I noticed that the transparent upgrade client is running batch file msiexec to uninstall and install the new msi with all of the required parameters.


I am saying this because since that I am using the exact same command to re-install GP remotely  and it seems the pre-logon to work after reboot. This is what is working for me:


TARGETDIR="C:\Program Files\Palo Alto Networks\GlobalProtect"  CONNECTMETHOD="pre-logon" USESSO="yes" CERTIFICATESTORELOOKUP="user-and-machine" CACUNPLUGBEHAVE="yes" USEPROXY="yes" PORTAL="" BENICE="yes" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log


Comparing with what you have probably you can try where to look for the client certificate. Although looking at the docs it seems user-and-machine should be default and not need to specify it.

Community Team Member

Hi @Remo ,


Please check the following document which explains your requirement.  Step 11 more specifically:


Please correct me if I misunderstood you.


Cheers !


LIVEcommunity team member, CISSP
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L6 Presenter

You can also test the feature "Connect Before Logon" that is even before the user logs into his computer.




Another thing is if you are using "enforce network access" you may need to exclude some ip addresses from this:

Hi @nikoolayy1 

As we intend to use Windows Hello, we cannot use this connect button on the loginscreen (it is only available with the global protect login option).

At the moment the vpn connection is not enforced for network access.

  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!