GlobalProtect Client Startup Windows 10

cancel
Showing results for 
Search instead for 
Did you mean: 

GlobalProtect Client Startup Windows 10

L1 Bithead

GlobalProtect Version 4.1.0-98

PAN OS 8.0.10

Login mode: on-demand

 

Hi there, 

we've roll-out the GP-Software on everyone's PCs.

Everytime a Windows (10) Client is rebooting the "GlobalProtect" pop-up Gui is showing up. Is there a way to stop loading the "GlobalProtect" pop-up Gui after rebooting Windows? 

 

Thank you.

2 ACCEPTED SOLUTIONS

Accepted Solutions

Cyber Elite
Cyber Elite

@Hodor,

GlobalProtect by default installs itself to run at startup, as most VPN clients do. This ARTICLE goes in-depth with how you would disable this if it isn't a required action in your enviroment. There are ways to script this with Group Policy that I would suggest looking into unless this is a really small installation. 

View solution in original post

Community Team Member

OK, 

I will try to help out here a little.. 

The article was archived.. for many reasons..  which is why no one is able to access the link. 

Not only that, it was shared many years ago.. 

 

I am very sorry for the inconvenience that this may cause.. but my hands are tied, and cannot re-publish it right now.. 

But, what I can do, is take some of the content, and share it here.. 

 

In order to stop the GlobalProtect client from loading along with other start up applications when the system boots up:

 

Windows 10:

On Windows 10, this functionality has moved from System Configuration to Task Manager. Because of that there are 2 ways to get to this. 

  1. From Start > Run > msconfig,  then click on "Startup". Notice the link to start Task Manager.

    jdelio_0-1617742629662.png

     

    System Config showing you have to open Task Manager .

  2. OR You can start Task Manager with "Control + Shift + Esc", or Right Click on an empty area of the Windows Task Bar, and click "Task Manager".  Once there Click on the "Startup" tab. 
  3. Once in the Startup tab, look for "GlobalProtect client.  Right click and then click "Disable". or click once, and select "Disable" at the bottom of the window.
    jdelio_1-1617742629681.png

     

    Task Manager screen showing the options to disable GlobalProtect.

That was essentially what was in the article..

I hope this helps a little..

 

-joe

 

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items!

View solution in original post

14 REPLIES 14

Cyber Elite
Cyber Elite

@Hodor,

GlobalProtect by default installs itself to run at startup, as most VPN clients do. This ARTICLE goes in-depth with how you would disable this if it isn't a required action in your enviroment. There are ways to script this with Group Policy that I would suggest looking into unless this is a really small installation. 

View solution in original post

This is an incredible annoyance for our users, the App is set to On-demand yet the portal pops up continuosly for logon credentials even though the app is clearly displaying "OnDemand mode" as it does so! I thought the whole point of "OnDemand" was that the user could initiate it when required, not a continuous spamming of the user for credentials to initiate a VPN connection they are not interested in.

 

The article detailing how to fix this appears to have been pulled by PA. Both the link above and this (from Google's cache) are inacessible:

 

https://live.paloaltonetworks.com/t5/SME-GlobalProtect-Articles/How-to-Stop-GlobalProtect-from-Loadi...

 

Any suggestions?

@mshattock,

You can always simply turn the GlobalProtect client so that it doesn't launch on startup. 

Thanks, but I'm trying to configure the behaviour globally for hundreds of users, not just swat away the symptoms on one machine manually. Additionally, if it's not running, there's no systray icon to click on, and that's how users have been trained.

Perhaps my Google-fu is weak, but I'm aware that there's a bug with Globalprotect that, even if it's configured in On-demand mode, behaves as if its in SSO mode.

Ideally, it autostarts in on-demand mode, and actually respects that on-demand setting, sitting there in the system tray until user-interaction.

 

If the 'on-demand still running in SSO mode' bug doesn't have an easy fix, disabling autostart globally is a worse, but acceptable option.

 

Hope that makes sense.....

@mshattock,

This isn't a bug, it's a design decision with how SSO functions within GlobalProtect. Once you restart the GP client gets set to default mode, which means that on-demand isn't setup and it defaults to SSO. The client them does a discovery on the portal to determine if it's setup with on-demand or SSO. Since you are in on-demand mode, the notification that pops up should simply be the "connect" option. 

I won't argue that PAN should include some savable registry key or something of the sort to stop this functionality and default to true on-demand, but it isn't setup like that as is. In the current implimentation this functionality would break SSO; there was hope that during the redesign of the agent they were going to make some backend code changes to allow for this feature request to finally be fullfilled, but that simply wasn't the case.

 

As it sits now if you wish to supress to message right off the bat you would need to NOT start GP on startup and train the user to actually launch it like they would a normal application. 

Understood, that's a very disappointing design choice by PA. It's certainly working as intended, it's just infuriating and causing a lot of hatred within our company (and also hurting the reputation of GlobalProtect across the wider web community).

 

With 'true' On-demand being an unusable and broken mess, our only option is to prevent Globalprotect from autostarting and retraining users to launch it manually before they want to connect.

 

Since the article detailing this has been pulled (at least, neither Google's cache nor my login are permitted to view it) would you be kind enough to detail how I could configure Globalprotect not to autostart globally? This is something that needs to be configured at the portal end, since our group policy doesn't have any influence on machines outside our domain (and used by BYOD staff and those working from home).

 

Thanks.

@mshattock,

You're going to hate my answer to this .... you can't stop the 'start on logon' for the GlobalProtect app from the firewall, it needs to be done on the end users machine. Since you don't control the end-device you also can't do this any other way since you wouldn't have the rights to modify registry keys or anything like that. The article in question essentially simply walked users through removing the start on logon functionality on their machines, nothing more. 

The application install by default adds itself to startup items. 

 

It's possibly something you could/can manually modify through something like InstEd and simply remove the functionality and rebuild the msi file. However that's questionably legal when it comes to redistributing the file or telling someone they could/can modify the MSI to get the behavior to function as they wish. You probably could/can do something like that, maybe, and get it functional. If someone were to do this they might want to look at the Registry and Component table, they might be able to modify those locations to stop GP from automatically being included in the statup directory. But who knows, I'm certenatly not telling you it's possible ;-) 

Ah okay, sounds like the best course of action is for me to submit a feature request, or a bug report.

 

 

Having GP reset itself to default mode means that the "on-demand" setting is being ignored. That's a bug, in my opinion but if PA have a reason for this weird behaviour they should at least add an option to workaround this behaviour for those that actually want an on-demand VPN client, or simply remove the on-demand option altogether because it's not usuable as one.

 

Thanks for the assistance.

I get an "Access Denied" message when i click the link. Anyone know why? Im new to the Live Community

Eric Rivera
Network Administrator
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!