Microsoft Intune Out of Box Experience and Autopilot Hybrid AD Join

L1 Bithead


We are in the development phase of deploying a large number of new laptops to our user base. Due to the current circumstances with COVID and the changes we have made for our employees, we would like to allow our users to receive the devices directly and utilize Intune for the deployment along with GlobalProtect pre-logon functionality.


We currently have a working setup to utilize machine certificate based pre-logon along with SAML after Windows login. Our Intune profiles are successfully pushing the certificates and GlobalProtect client before the endpoint attempts to join the domain, but the client never seems to attempt to connect to the portal.


I was hoping others have gone down this path and had some insight on how to get this to successfully work or if it is even possible. Any information would be helpful since Microsoft has no good information on the process. Our setup is as follows:


PANOS - 9.1.3

GlobalProtect Client - 5.1.5

Certificate Chain on both the Firewall as well as all clients

Portal Configuration - pre-logon configuration agent first then SAML authentication second with auto generated cookies to manipulate the configuration agent being used.

Gateway Configuration - both portal agents point to the same gateway and require a client certificate with the root and intermediate configured within a certificate profile.


As mentioned, the pre-logon method works without any issue in production, but when we attempt to deploy a workstation using Microsoft Intune Windows 10 Out of Box Experience or Autopilot the process fails.


I see a lot of MS documentation about using the UWP GlobalProtect app and am not sure if it is required.

L0 Member

I wrote up an article on getting GlobalProtect pre-login to work together with Windows Autopilot here: There was an issue pushing the client and getting pre-logon to kick in the first time that I had to work around. I go over all of this here.

L4 Transporter

Looks like a working solution, but integrating it with an existing environment where we are doing portal authentication based on LDAP or RADIUS etc. will not work in this case.


In such a case we need an OR case of authentication: if certificate authentication fails, user authentication will work, or vice versa.

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 | CCIE-SEC-Attempted
L1 Bithead

@mdepalmaevr you don't really need to set LogonFlag + LogonState in the registry if you do the installation with 'msiexec /i "GlobalProtect64-5.2.4.msi" /q PORTAL=fqdn.address PRELOGON=1'.


At least this works for me without additional hassle.
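As an added example that is not part of the thread, here is how the msiexec install in the reply above can be wrapped for an Intune Win32 app so that PORTAL and PRELOGON are passed in and the result is actually checked before the app is reported as installed. Assumptions: the portal FQDN is a placeholder to replace, the MSI filename is the one quoted in the reply, the PanSetup registry key is where the installer persists those properties (my reading of the installer behaviour, verify on your build), and the agent service is named PanGPS.

```powershell
# Added example, not from the original post or from Palo Alto Networks.
# Intune Win32 app install command:  powershell.exe -ExecutionPolicy Bypass -File .\Install-GlobalProtect.ps1
[CmdletBinding()]
param(
    [string]$Portal = 'vpn.example.com',           # placeholder, replace with your portal FQDN
    [string]$Msi    = 'GlobalProtect64-5.2.4.msi'  # filename quoted in the reply above
)

$ErrorActionPreference = 'Stop'
$msiPath = Join-Path $PSScriptRoot $Msi
$log     = Join-Path $env:ProgramData 'GlobalProtect-install.log'

if (-not (Test-Path $msiPath)) { throw "MSI not found: $msiPath" }

# Intune runs this as SYSTEM during ESP/Autopilot, which is what pre-logon
# needs: the agent service starts before any user signs in.
$msiArgs = @(
    '/i', "`"$msiPath`"",
    '/qn', '/norestart',
    '/l*v', "`"$log`"",
    "PORTAL=$Portal",
    'PRELOGON=1'
)
$p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but reboot required. Anything else must surface
# as a non-zero exit code so Intune marks the install as failed.
if ($p.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($p.ExitCode); see $log"
}

# Post-install check: confirm the properties actually landed, so the detection
# rule does not report success for an agent that will never try the portal.
# Assumption: PanSetup holds the Portal and Prelogon values written by the MSI.
$setup = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
$cfg = Get-ItemProperty -Path $setup
if ($cfg.Portal -ne $Portal -or "$($cfg.Prelogon)" -ne '1') {
    throw "PanSetup does not reflect PORTAL/PRELOGON (Portal='$($cfg.Portal)', Prelogon='$($cfg.Prelogon)')"
}

# The agent service must be running for pre-logon to connect at the lock screen.
$svc = Get-Service -Name 'PanGPS' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    throw "PanGPS service not running (status: $($svc.Status))"
}

exit $p.ExitCode
```

Pair this with an Intune detection rule on the same PanSetup values (or the PanGPS service) rather than on the MSI product code alone; otherwise an install that succeeded without PRELOGON=1 looks identical to one that will connect at the lock screen.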
