GlobalProtect Pre-Logon Windows 10 Issue


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L0 Member

GlobalProtect Pre-Logon Windows 10 Issue


I am facing a problem with pre-logon on windows 10. I have some windows 10 laptops that works fine but few of them have the problem below.

I have import the  local machine certificate and change registry entries. If I sign out from windows, I can see the pre logon option and connect to my vpn. But when i restart or shutdown the laptop, when it comes to the windows login screen, I dont have any option for pre logon. That means that i have first to login with a cached user , log off and here they are the start global protect option. 

Any advice?

Thanks a lot


L4 Transporter

Do a check on following :-


Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup

Prelogon Value should be 1.


Check your machine certificate status.


your machine certificates it should contain private key.


Check certificate chain for machine certificate.


Troubleshooting logs what error do you see ?



SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 | CCIE-SEC-Attempted
L2 Linker

Just wondering if there was a resolution with this?


From research apparently changing the Pre-Logon Tunnel Rename Timeout to 0 might help.



This setting controls how GlobalProtect handles the pre-logon tunnel that connects an endpoint to the gateway.
A value of -1 means the pre-logon tunnel does not time out after a user logs on to the endpoint; GlobalProtect renames the tunnel to reassign it to the user. However, the tunnel persists even if the renaming fails or if the user does not log in to the GlobalProtect gateway.
A value of 0 means when the user logs on to the endpoint, GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it. In this case, GlobalProtect initiates a new tunnel for the user instead of allowing the user to connect over the pre-logon tunnel. Typically, this setting is most useful when you set the 
Connect Method
Pre-logon then On-demand
, which forces the user to manually initiate the connection after the initial logon.
A value of 1 to 600 indicates the number of seconds in which the pre-logon tunnel can remain active after a user logs on to the endpoint. During this time, GlobalProtect enforces policies on the pre-logon tunnel. If the user authenticates with the GlobalProtect gateway within the timeout period, GlobalProtect reassigns the tunnel to the user. If the user does not authenticate with the GlobalProtect gateway before the timeout, GlobalProtect terminates the pre-logon tunnel.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!