Global Protect Client and Intune Security Baseline

L0 Member

Greetings PAN community. Hoping to find someone that has seen this issue already so that I can move forward with my implementation of Intune Baselines. We use Configuration profiles at the moment to manage our fleet, where we use the Global Protect client for VPN and Okta for MFA to complete the connection. I have a test group set up in Azure to test the functionality of our endpoints using the Nov2021 Microsoft Intune baseline. Upon applying the Intune baseline policy to the test group, Global Protect fails to make a VPN connection. A window pops up that states: "script error" Line: 8 char: 3 error: Access is denied code: 0 ---- Then at the bottom of the window it asks if you want to continue running scripts. Regardless of choosing yes or no, another window pops up with "global protect" in the top bar, but the entire rest of the window is blank. While this window is up, the GP client says it's still connecting. It looks as if the blank window might be a screen to enter credentials, but it's blank.

I've been in touch with Microsoft and they were not helpful. They offered some areas to check, but so far nothing has worked. Anyone have an idea of what in the Baseline would stop the VPN login process? I've pulled some logs from the GP client but haven't had much success interpreting them. Any pointers are greatly appreciated.

3 REPLIES

Cyber Elite

Have you followed the Palo Alto articles below?

Configure an Always On VPN Configuration Using Microsoft Intune (paloaltonetworks.com)

Also, generate a tech support file and look at the PanGPS and PanGPA logs after you generate the tech support file:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS

Also, I have seen issues with Microsoft Defender and GlobalProtect in Intune, so if you are using Defender you may also check that with Microsoft, as the permissions of files that Defender and GlobalProtect use can have discrepancies.

Also, have you tested the MFA authentication with only username and password to see if the issue is still there? Also, how do you use the MFA: with Palo Alto and a RADIUS server, or are you using the direct integration between Okta and Palo Alto?

Multi-Factor Authentication (paloaltonetworks.com)

Just a note: with Mac I have seen a lot of issues with Intune, as Intune works better with Microsoft and Android, but for Mac and iOS it is better to use Jamf Pro and integrate it with Intune:

Integrate Jamf Pro with Microsoft Intune for compliance - Microsoft Intune | Microsoft Docs

Overview - Integrating with Microsoft Intune to Enforce Compliance on Mac Computers Managed by Jamf ...

Thank you for the response Nikolay. However, I was able to find the "needle in the haystack". In this case, the GP client is using IE/Edge as the default browser. After a process of elimination, the IE setting in the Intune Baseline, "Internet Explorer internet zone less privileged sites", needed to be set to "ENABLE" so the Okta login page would display dialogue boxes for entering your credentials. Previously the window would pop up and was blank.
