Connect Before Logon
Focus
Focus
GlobalProtect

Connect Before Logon

Table of Contents

Connect Before Logon

To use Connect Before Logon, you must enable the settings in the Windows registry and choose the authentication method
Software Support: Starting with GlobalProtect™ app 5.2
OS Support: Windows 11 and Windows 10 (requires registry key changes)
The Pre-logon and Pre-logon then On-demand connection methods are not supported simultaneously with Connect Before Logon.
To simplify the login process and improve your experience, GlobalProtect offers Connect Before Logon to allow you to establish the VPN connection to the corporate network before logging in to the Windows 10 endpoint using a Smart card, authentication service such as LDAP, RADIUS, or Security Assertion Markup Language (SAML), username/password-based authentication, or one-time password (OTP) authentication. You can benefit from enabling Connect Before Logon when you onboard new end users on the endpoint that is not set up with a local profile or account for the user. Connect Before Logon is disabled by default. When you enable Connect Before Logon, your end users can launch the GlobalProtect app credential provider and connect to the corporate network before logging in to Windows endpoint. After Connect Before Logon establishes a VPN connection, end users can use the Windows logon screen to log in to the Windows endpoint. GlobalProtect can now act as a Pre-Login Access Provider (PLAP) credential provider to provide access to your organization before logging in to Windows. GlobalProtect retrieves the registry keys only once, when the GlobalProtect app initializes.
Because Connect Before Logon prompts you to authenticate twice on the portal and gateway when logging in to the Windows endpoint for the first time, the Authentication Override cookie is not working as expected.
To use Connect Before Logon, you must enable the settings in the Windows registry and choose the authentication method: