Global Protect Client and Intune Security Baseline


L0 Member

Greetings PAN community. Hoping to find someone that has seen this issue already so that I can move forward with my implementation of Intune Baselines. We use Configuration profiles at the moment to manage our fleet, where we use the Global Protect client for VPN and OKTA for MFA to complete the connection. I have a test group set up in Azure to test the functionality of our endpoints using the Nov2021 Microsoft Intune baseline. Upon applying the Intune baseline policy to the test group, Global Protect fails to make a VPN connection. A window pops up that states: "Script error" Line: 8 Char: 3 Error: Access is denied Code: 0. Then at the bottom of the window it asks if you want to continue running scripts. Regardless of choosing yes or no, another window pops up with "global protect" in the top bar, but the entire rest of the window is blank. While this window is up the GP client says it's still connecting. It looks as if the blank window might be a screen to enter credentials, but it's blank.

I've been in touch with Microsoft and they were not helpful. They offered some areas to check, but so far nothing has worked. Anyone have an idea of what in the Baseline would stop the VPN login process? I've pulled some logs from the GP client but haven't had much success interpreting them. Any pointers are greatly appreciated.

5 replies

L6 Presenter

Have you followed the Palo Alto articles below?

Configure an Always On VPN Configuration Using Microsoft Intune (paloaltonetworks.com)

Also generate a tech support file and look at the PanGPS and PanGPA logs after you generate the tech support:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS

Also, I have seen issues with Microsoft Defender and GlobalProtect under Intune, so if you are using Defender you may also check that with Microsoft, as the permissions of the files that Defender and GlobalProtect use can have discrepancies.

Also, have you tested with only username and password instead of MFA authentication to see if the issue is still there? And how do you use MFA with Palo Alto: through a RADIUS server, or through the direct integration between Okta and Palo Alto?

Multi-Factor Authentication (paloaltonetworks.com)

Just a note: with Mac I have seen a lot of issues with Intune, as Intune works better with Microsoft and Android, but for Mac and iOS it is better to use Jamf Pro and integrate it with Intune:

Integrate Jamf Pro with Microsoft Intune for compliance - Microsoft Intune | Microsoft Docs

Overview - Integrating with Microsoft Intune to Enforce Compliance on Mac Computers Managed by Jamf ...

Thank you for the response, Nikolay. However, I was able to find the "needle in the haystack". In this case, the GP client is using IE/Edge as the default browser. After a process of elimination, the IE setting in the Intune baseline, "Internet Explorer internet zone less privileged sites", needed to be set to "Enable" so the Okta login page would display dialogue boxes for entering your credentials. Previously the window would pop up and was blank.
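The setting named in the reply above is the Group Policy item "Web sites in less privileged Web content zones can navigate into this zone" for the Internet zone (IE URL action 2101), which the Intune baseline sets to Disabled. Setting it to Enable fixes the embedded login, but it also switches off the zone-elevation protection for the whole Internet zone on every device that receives the policy, so it is worth knowing exactly what value is in effect and which zone the Okta login host actually lands in before changing the baseline. The PowerShell below is an added diagnostic, not something posted in the thread or shipped by Palo Alto Networks or Microsoft: it reads the effective 2101 value per zone from the policy and user registry keys and resolves a host to its IE zone from the Site-to-Zone Assignment policy list and the user's Trusted Sites entries. The Okta URL is a constructed placeholder.

```powershell
# Added example, not part of the thread. Reports the effective value of the IE
# "Web sites in less privileged Web content zones can navigate into this zone"
# setting (URL action 2101, the one the Intune baseline sets to Disabled) for each
# zone, and works out which zone a login host lands in from the Site-to-Zone
# policy list and the user's Trusted Sites entries. Registry layouts are the
# standard IE ones; the Okta URL is a constructed placeholder.

$ZoneElevationAction = '2101'   # URLACTION_FEATURE_ZONE_ELEVATION
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionMeaning = @{ 0 = 'Enable (allow)'; 1 = 'Prompt'; 3 = 'Disable (block)' }

function Get-ZoneElevationSetting {
    param([Parameter(Mandatory)][int]$Zone)
    # Policy keys (written by Intune/GPO) take precedence over the user's preference key.
    $candidates = @(
        @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"; Source = 'machine policy' }
        @{ Path = "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"; Source = 'user policy' }
        @{ Path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone";          Source = 'user preference' }
    )
    foreach ($c in $candidates) {
        $value = (Get-ItemProperty -Path $c.Path -Name $ZoneElevationAction -ErrorAction SilentlyContinue).$ZoneElevationAction
        if ($null -ne $value) {
            return [pscustomobject]@{ Zone = $ZoneNames[$Zone]; Value = [int]$value; Meaning = $ActionMeaning[[int]$value]; Source = $c.Source }
        }
    }
    [pscustomobject]@{ Zone = $ZoneNames[$Zone]; Value = $null; Meaning = 'not set (IE default)'; Source = 'none' }
}

function Get-ZoneMapAssignment {
    param([Parameter(Mandatory)][uri]$Url)
    $hostName = $Url.Host
    # 1. "Site to Zone Assignment List" policy: value name is a URL/host pattern, data is the zone number.
    foreach ($hive in 'HKLM', 'HKCU') {
        $policyKey = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (-not (Test-Path $policyKey)) { continue }
        $props = Get-ItemProperty -Path $policyKey
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }                  # provider metadata, not a site entry
            $pattern = $name -replace '^[a-z]+://', ''
            if ($hostName -like $pattern) { return [int]$props.$name }
        }
    }
    # 2. User's ZoneMap\Domains entries (what Internet Options > Trusted Sites writes):
    #    Domains\<host> or Domains\<parent domain>\<leading labels>, with a per-scheme (or "*") value.
    $domains = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $labels = $hostName.Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $suffix = $labels[$i..($labels.Count - 1)] -join '.'
        $key = if ($i -eq 0) { "$domains\$suffix" } else { "$domains\$suffix\$($labels[0..($i - 1)] -join '.')" }
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($scheme in $Url.Scheme, '*') {
            $prop = $item.PSObject.Properties[$scheme]
            if ($null -ne $prop) { return [int]$prop.Value }
        }
    }
    return 3   # no entry: treated as Internet zone (intranet auto-detection is ignored here)
}

0..4 | ForEach-Object { Get-ZoneElevationSetting -Zone $_ } | Format-Table -AutoSize
$loginUrl = 'https://login.example.okta.com/'   # constructed placeholder for the Okta login host
$zone = Get-ZoneMapAssignment -Url $loginUrl
$setting = Get-ZoneElevationSetting -Zone $zone
"$loginUrl -> zone $zone ($($ZoneNames[$zone])); zone elevation there: $($setting.Meaning) [$($setting.Source)]"
```

With the baseline applied, expect the Internet zone row to show value 3 from "machine policy" and the Okta host to resolve to zone 3. If the host instead resolves to zone 2, the relevant row is the Trusted sites one, which is why moving the login and redirect hosts into Trusted Sites (as a later reply does) can restore the login without touching the Internet-zone baseline setting.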

L0 Member

In case someone like me (just an end user) ends up here, I am replying to this thread as I had the same problem and solved it.

I was forced to re-image my laptop for my company to a "modern image". Before and after were both Win10 21H2. I assume Win11 (for which my laptop was not on the compatible list) would have the same problem. After re-imaging I had the exact problem described here. The "modern image" is Intune controlled.

My dilemma was that Global Protect is used for my client, so I don't have a client laptop image and they wouldn't help me. Very few contractors have Global Protect rights as it is; most use Citrix for access. However, I require it for some of my job functions to be on the client's network. My company doesn't support Global Protect, so they really weren't going to have experience with this or help much (likely). They certainly were not going to change a global setting in Intune that was mentioned in the "needle in a haystack" response for me or for everyone in the group of people I am lumped in with.

Changing the default browser doesn't help at all. I tried Edge, IE, Firefox, Chrome.

Global Protect was an older version at first, but the client did give me 5.2.12, and it had the same problem.

The solution was pretty simple. I had to add the OKTA site to both the Edge IE-compatible site list and the Trusted Sites list (IE sites) via Internet Options in the Control Panel. I also added the portal/connect sites (two of them that I needed). There was also an OKTA redirect that I didn't realize at first, so I had that in both places also. After that, the OKTA browser page opened up to enter my credentials when I connected to the required portal. Perhaps the portal site wouldn't be required, because that is not the first thing opened up from a browser, but I added it anyway. I think this would be the same solution for Win11.

L0 Member

Just had this issue as well. After reading tons of KB articles, I have found a workaround. When installing the client and connecting for the first time, you can specify to use your local system default browser the first time you connect. In my case, the IE browser was failing every time because of Intune settings. In order to get it to use another browser, and not address the change in Intune, I had to re-install with the following command:

msiexec.exe /i GlobalProtect.msi DEFAULTBROWSER=YES
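The two replies above describe per-device workarounds that leave the Intune baseline alone: one scopes trust to the specific hosts (Okta login host, its redirect host, the GlobalProtect portal and gateway) through Trusted Sites and the Edge IE-mode site list, the other makes the client hand SAML authentication to the system default browser with DEFAULTBROWSER=YES. The PowerShell below is an added example, not code from the thread or from Palo Alto Networks: it writes the Trusted Sites entries the way the Internet Options dialog does (the Domains\<parent>\<labels> layout is an assumption about that dialog's output; IE also honours a single Domains\<full host> key), generates an Enterprise Mode site list file for Edge IE mode, and reads the GlobalProtect default-browser registry value so you can confirm what the MSI property actually set. The host names are constructed placeholders, and the GlobalProtect key path is the one the GlobalProtect admin guide documents for this setting; confirm it against your client version.

```powershell
# Added example, not part of the thread. Scripts the two workarounds the later
# replies describe: (1) put the Okta login host, its redirect host and the
# GlobalProtect portal/gateway hosts in Trusted Sites and in an Enterprise Mode
# site list for Edge IE mode, and (2) check whether the client is set to use the
# system default browser, which is what "msiexec /i GlobalProtect.msi
# DEFAULTBROWSER=YES" writes. Host names are constructed placeholders. Run as the
# affected user; the GlobalProtect key lives under HKLM.

$Hosts = @('login.example.okta.com', 'example.okta.com', 'gp-portal.example.com', 'gp-gateway.example.com')

function Add-TrustedSite {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    # Trusted sites is zone 2. Mirrors the Internet Options layout (assumed):
    # Domains\<last two labels>\<leading labels>, value <scheme> = 2. A per-scheme value
    # rather than "*" corresponds to "Require server verification (https:)" being on.
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Need a fully qualified host name, got '$HostName'" }
    $base   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $parent = $labels[-2..-1] -join '.'
    $key    = if ($labels.Count -gt 2) { "$base\$parent\$($labels[0..($labels.Count - 3)] -join '.')" } else { "$base\$parent" }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -Value 2 -PropertyType DWord -Force | Out-Null
    return $key
}

function New-IEModeSiteList {
    param([Parameter(Mandatory)][string[]]$HostNames, [Parameter(Mandatory)][string]$OutFile)
    # Enterprise Mode Site List (v2 schema). Point Edge at the file with the
    # InternetExplorerIntegrationSiteList policy and set InternetExplorerIntegrationLevel = 1.
    $lines = @('<site-list version="1">')
    foreach ($h in $HostNames) {
        $safe = [System.Security.SecurityElement]::Escape($h)
        $lines += "  <site url=`"$safe`"><compat-mode>Default</compat-mode><open-in>IE11</open-in></site>"
    }
    $lines += '</site-list>'
    Set-Content -Path $OutFile -Value $lines -Encoding UTF8
    return $OutFile
}

function Get-GlobalProtectBrowserSetting {
    # DEFAULTBROWSER=YES at install time sets default-browser = yes under this key
    # (key and value name as documented in the GlobalProtect admin guide; confirm for your version).
    $key = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
    $v = (Get-ItemProperty -Path $key -Name 'default-browser' -ErrorAction SilentlyContinue).'default-browser'
    if ($null -eq $v) { return 'not set (client uses its embedded browser)' }
    return $v
}

foreach ($h in $Hosts) { "Trusted Sites: $h -> $(Add-TrustedSite -HostName $h)" }
$listPath = Join-Path $env:TEMP 'gp-okta-sitelist.xml'
"IE mode site list: $(New-IEModeSiteList -HostNames $Hosts -OutFile $listPath)"
"GlobalProtect default-browser: $(Get-GlobalProtectBrowserSetting)"
```

Two caveats when using this on a managed device. If Intune or GPO already deploys a "Site to Zone Assignment List" (the ZoneMapKey policy), IE ignores the user's own Trusted Sites entries and the hosts have to be added to that policy instead. And the Trusted Sites zone has its own copy of the zone-elevation setting, so check its value after moving hosts there rather than assuming the Internet-zone value is the one that applies.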