GlobalProtect on Windows 365 Cloud PC

Where Can I Use This?	What Do I Need?
NGFW (managed by Panorama and Strata Cloud Manager) Prisma Access (managed by Panorama and Strata Cloud Manager)	GlobalProtect 6.2.5 and later

A Windows 365 Cloud PC is a virtual machine that provides a Windows desktop experience in the cloud. You can deploy GlobalProtect on Cloud PCs to enhance network security for cloud-based virtual desktop environments. Windows and macOS users can connect to the cloud PC via the Remote Desktop (RDP) protocol, enabling them to access private applications hosted in the cloud. GlobalProtect routes network traffic through Prisma Access, providing additional defense against unauthorized access and cyber threats.

To use the Network Enforcement feature, you must whitelist the source machine's IP address in the Enforcer exception for the RDP session to work.

Follow the steps below to deploy GlobalProtect on a Windows 365 Cloud PC:

1. Prepare Win32 app content for upload.

   During this stage, you configure the GlobalProtect client settings and prepare the installation package.
2. Add the Win32 app to Microsoft Intune.

   During this step, you add the GlobalProtect app to Intune and configure the deployment settings. The system then pushes the GlobalProtect installation to the designated Cloud PCs based on the settings and groups you've specified. The GlobalProtect app is installed when the Cloud PC receives and processes this deployment instruction from Intune.

   For an uninterrupted RDP stream between the host and cloud PC, you must exclude Microsoft network traffic in one of the following ways:

   • Exclude Wildcard FQDN (*.wvd.microsoft.com) and the Windows Virtual Desktop service tags. You can obtain IP information for the Windows Virtual Desktop service tag manually with the Azure IP Ranges JSON file. For more information, refer to Azure IP Ranges and Service Tags – Public Cloud. You can also use a PowerShell script to get the IPs in a CSV format.
     Since the IP address count exceeds 200 entries, you may need to use advanced split tunneling. It is recommended that you configure bypass with wildcard FQDNs since FQDNs do not change over time. You can also add other service endpoints to your optimized path. For more information, refer to the Microsoft Network Requirements. If your solution does not support wildcard FQDNs, you can use IP addresses for the bypass configuration. Currently, Microsoft only provides IP addresses for RDP connectivity.
   • Exclude the following access routes and domains.:
     • Access routes:
       • 169.254.169.254
       • 168.63.129.16
     • Split tunneling domains
       • *.infra.windows365.microsoft.com
       • *.cmdagent.trafficmanager.net
       • login.microsoftonline.com
       • login.live.com
       • enterpriseregistration.windows.net
       • global.azure-devices-provisioning.net
       • *.azure-devices.net
       • *.wvd.microsoft.com
       • *.prod.warm.ingest.monitor.core.windows.net
       • catalogartifact.azureedge.net
       • gcs.prod.monitoring.core.windows.net
       • azkms.core.windows.net
       • mrsglobalsteus2prod.blob.core.windows.net
       • wvdportalstorageblob.blob.core.windows.net
       • oneocsp.microsoft.com
       • www.microsoft.com
       • *.servicebus.windows.net
       • go.microsoft.com
       • aka.ms
       • learn.microsoft.com
       • query.prod.cms.rt.microsoft.com
3. Review the event logs on the Windows host and the managed app logs on Intune to confirm that the GlobalProtect app was deployed successfully on the Cloud PC.