>
    Strata Copilot
    Deploy a New Device Using Windows Autopilot and Microsoft Intune
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Apps
    5. Deploy the GlobalProtect App on Mobile Devices
    6. Manage the GlobalProtect App Using Microsoft Intune
    7. Deploy a New Device Using Windows Autopilot and Microsoft Intune
    Download PDF
    GlobalProtect

    Deploy a New Device Using Windows Autopilot and Microsoft Intune

    Table of Contents

    Deploy a New Device Using Windows Autopilot and Microsoft Intune

    Learn how to provision GlobalProtect on a brand new device using Windows Autopilot and Microsoft Intune
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    • Supported with GlobalProtect app for Windows (version 5.2 or later is required for the Connect Before Logon deployment)
    • Endpoints must be running Windows 10 (64-bit)
    You can ship a new Windows device to an end user and automatically deploy the GlobalProtect app and any required PKI or authentication settings automatically by leveraging Microsoft Intune and Windows Autopilot. This is useful in environments where you want to ship the device directly from a supplier or warehouse without having to do any configuration, such as PKI and certificate deployment, GlobalProtect app deployment prior to delivery to the end user.

    Use Autopilot to Deploy GlobalProtect in Connect Before Logon Mode

    In Connect Before Logon mode, the GlobalProtect app acts as a Pre-Login Access Provider (PLAP) credential provider to provide access to your corporate network before the user logs in to the Windows device, allowing users on an endpoint that is not yet set up with a local profile, certificates, or user accounts to gain the access needed to reach the domain controller and join the domain. This deployment does not require a PKI environment and instead uses a user-based logon sequence (LDAP, RADIUS, SAML, username/password-based authentication, smart cards, or OTP authentication are supported). In this deployment, the end user device is provisioned as follows:
    1. The end user logs in to Autopilot, identifying their domain.
    2. Autopilot then connects to Intune, which has been configured to deploy the GlobalProtect app with the default portal address, the Connect Before Logon settings, and the domain join configuration.
    3. The end user clicks the Pre-Login Access Provider (PLAP) button to log in to GlobalProtect and establish the tunnel to the GlobalProtect gateway (on premises or Prisma Access), enabling access to the domain controller.
    4. GlobalProtect prompts the user to log in to the credential provider, after which Windows Autopilot can finish configuring the device.
    To use this deployment, you will need to create a package for Microsoft Intune to deploy to Windows Autopilot. This package will contain the GlobalProtect MSI file along with a couple of wrapper scripts you will create to install the MSI and set the configuration parameters needed to deploy the app in Connect Before Logon mode, and a second script to launch the installer in 64-bit mode (Intune launches in 32-bit mode by default). You will then upload the package to Intune to create the application and add it to the group targeted for Autopilot.
    1. Download the GlobalProtect app MSI file from the Palo Alto Networks Customer Support Portal.
      For this deployment to work you must use GlobalProtect App version 5.2.x or later (which is when Connect Before Logon was introduced).
    2. Create a PowerShell wrapper script to instruct Microsoft Intune how to install GlobalProtect.
      The script must include the instructions to:
      • Set the portal address so the user doesn’t have to enter it (PORTAL=”portal_name)
      • Set the app to use the default browser after the initial logon (DEFAULTBROWSER=”yes”)
      • Set the connect method to Connect Before Logon (CONNECTMETHOD=”user-logon”)
      • Register GlobalProtect with the Windows credential provider to allow for Connect Before Logon at the login screen
      You can also use additional settings to customize the GlobalProtect app deployment. Here is an example of a wrapper script that you can copy and edit with your own values for the portal address and MSI file name:
      $PortalAddress = 'myportal.gpcloudservice.com'
$MSIFileName = 'GlobalProtect64-6.0.4.msi'
$MSISwitches = '/quiet /norestart'

$ScriptPath = Split-Path -Path $MyInvocation.MyCommand.Path

$InstallProcess = Start-Process -FilePath "msiexec" -ArgumentList ("/i " + [char]34 + $ScriptPath + "\" + $MSIFileName + [char]34 
PORTAL=”myportal.gpcloudservice.com”” DEFAULTBROWSER=””yes”” CONNECTMETHOD=””user-logon”” 

#Register PLAP provider
Start-Process -FilePath "$env:ProgramFiles\Palo Alto Networks\GlobalProtect\PanGPS.exe" -ArgumentList "-registerplap" -Wait
Write-Host ("Installation completed, exiting with last return code (" + $InstallProcess.ExitCode + ")")
Exit $InstallProcess.ExitCode
      Because Microsoft Intune launches installers in 32-bit mode by default, you must also create a batch file that calls your PowerShell script using the 64-bit PowerShell host. Without this, the script runs under the 32-bit environment, which can cause the installation to fail or behave unexpectedly on 64-bit endpoints.
      Create a batch file (for example, Install.bat) with the following content:
      @echo off
:: use sysnative to make sure running 64 bit
%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "Install.ps1"
      Include this batch file in your installation package and point the Install command in Intune to it rather than directly to the PowerShell script.
    3. (Hybrid Azure AD only) Install the Intune Connector for Active Directory and the AzureAD Connector.
    4. Register the end user devices with Autopilot and create the group for the Out of Box Experience (OOBE) you are creating to deploy the GlobalProtect app.
      Refer to the Microsoft Windows Autopilot documentation for instructions.
    5. Create the GlobalProtect app installation package (the MSI file and the scripts) and upload it to Microsoft Intune.
      1. Use the Microsoft Win32 Content Prep Tool to create the app package.
        By default, the installer launches in 32-bit mode. Use the script to convert it to 64-bit mode as in the following example:
        IntuneWinAppUtil.exe -c C:\Temp\GlobalProtectPackage\Install -s GlobalProtect64-6.0.4.msi -o C:\Temp\GlobalProtectPackage\Output
      2. Upload the app package to Microsoft Intune.
        Make sure the Install command points to the batch file you created to launch the MSI in 64-bit mode.
      3. Assign the app to the group you created for Autopilot.
    6. Test the deployment process.
      1. Power on the device, which will automatically connect to Autopilot and launch the OOBE experience you customized.
      2. When prompted, provide your username to identify the organization you belong to so that you can complete Autopilot registration.
        This initiates the Autopilot registration. Autopilot then reboots the system and invokes the Intune profile you created and assigned to the device, which begins the process of pushing the GlobalProtect app and the settings you defined to specify the portal, set the Connect Before Logon mode, and the command flags to register GlobalProtect with the credential provider to the device, along with any other apps and configurations you defined in the Intune profile.
      3. After the configurations and apps are pushed to the endpoint, click the Pre-Login Access Provider (PLAP) button
        to log in to GlobalProtect and establish the tunnel.
        GlobalProtect begins connecting using the portal name you supplied in your wrapper script.
      4. After successfully establishing the tunnel, GlobalProtect prompts you to log in to the credential provider. Enter your domain credentials.
        If you are using SAML, GlobalProtect presents the embedded browser even if you have pushed settings to use the default browser. This is because the user is not yet logged in.
      5. After successful authentication, the GlobalProtect Connected screen displays. The device now has the connectivity required to reach the domain controller and join the domain. Click Back.
      6. Enter your Windows domain login credentials to log in to the device and join the domain.
      7. After you successfully authenticate using the domain credentials, Autopilot finishes configuring the user profile.
      8. Verify that GlobalProtect has been successfully installed and that policy is being enforced as expected.
        Review the traffic logs to ensure that the device is hitting the security policy you have configured for your GlobalProtect users. For example, in the logs below we can see that user10@acmeprismaaccess.com is hitting the rule that allows mobile users that pass the HIP check can access the internal network.

    © 2026 Palo Alto Networks, Inc. All rights reserved.