To use Connect Before Logon, you must enable the settings
in the Windows registry and choose the authentication method
Software Support: Starting with GlobalProtect™
app 5.2
OS Support: Windows 11 and Windows 10 (requires registry key changes)
The Pre-logon and Pre-logon then On-demand
connection methods are not supported simultaneously with Connect
Before Logon.
To simplify the login process and improve
your experience, GlobalProtect offers Connect Before Logon to allow
you to establish the VPN connection to the corporate network before
logging in to the Windows 10 endpoint using a Smart card, authentication
service such as LDAP, RADIUS, or Security Assertion Markup Language (SAML),
username/password-based authentication, or one-time password (OTP) authentication.
You can benefit from enabling Connect Before Logon when you onboard
new end users on the endpoint that is not set up with a local profile
or account for the user. Connect Before Logon is disabled by default.
When you enable Connect Before Logon, your end users can launch
the GlobalProtect app credential provider and connect to the corporate
network before logging in to Windows endpoint. After Connect Before
Logon establishes a VPN connection, end users can use the Windows
logon screen to log in to the Windows endpoint. GlobalProtect can now
act as a Pre-Login Access Provider (PLAP) credential provider to
provide access to your organization before logging in to Windows.
GlobalProtect retrieves the registry keys only once, when the GlobalProtect
app initializes.
Because Connect Before Logon prompts
you to authenticate twice on the portal and gateway when logging
in to the Windows endpoint for the first time, the Authentication
Override cookie is not working as expected.
To use
Connect Before Logon, you must enable the settings in the Windows registry
and choose the authentication method:
