Greetings PAN community. Hoping to find someone who has seen this issue already so that I can move forward with my implementation of Intune Baselines. We use Configuration profiles at the moment to manage our fleet, where we use the GlobalProtect client for VPN and Okta for MFA to complete the connection. I have a test group set up in Azure to test the functionality of our endpoints using the Nov2021 Microsoft Intune baseline. Upon applying the Intune baseline policy to the test group, GlobalProtect fails to make a VPN connection. A window pops up that states: "script error" Line: 8 char: 3 error: Access is denied code: 0. Then at the bottom of the window it asks if you want to continue running scripts. Regardless of choosing yes or no, another window pops up with "global protect" in the top bar, but the entire rest of the window is blank. While this window is up, the GP client says it's still connecting. It looks as if the blank window might be a screen to enter credentials, but it's blank.
I've been in touch with Microsoft and they were not helpful. They offered some areas to check, but so far nothing has worked. Anyone have an idea of what in the Baseline would stop the VPN login process? I've pulled some logs from the GP client but haven't had much success interpreting them. Any pointers are greatly appreciated.
Have you followed the Palo Alto articles below?
Also generate a tech support file and look at the PanGPS and PanGPA logs after you generate the tech support:
Also, I have seen issues with Microsoft Defender and GlobalProtect with Intune, so if you are using Defender you may also check that with Microsoft, as the permissions of files that Defender and GlobalProtect use can have discrepancies.
Also, have you tested the MFA authentication with only username and password to see if the issue is still there? Also, how do you use the MFA with Palo Alto and a RADIUS server, or are you using the direct integration between Okta and Palo Alto?
Just a note: with Mac and Intune I have seen a lot of issues, as Intune works better with Microsoft and Android, but for Mac and iOS it is better to use Jamf Pro and integrate it with Intune:
Thank you for the response Nikolay. However, I was able to find the "needle in the haystack". In this case, GP client is using IE/Edge as the default browser. After a process of elimination, the IE setting in the Intune Baseline, "Internet Explorer internet zone less privileged sites" setting needed to be set to "ENABLE" so the Okta login page would display dialogue boxes for entering your credentials. Previously the window would pop up and was blank.
Still, I think GlobalProtect is using your system's configured default web browser, which can easily be changed: