To use Connect Before Logon, you must enable the settings
in the Windows registry and choose the authentication method
: Starting with GlobalProtect™
: Windows 10 (requires registry key
The Pre-logon and Pre-logon then On-demand
connection methods are not supported simultaneously with Connect
To simplify the login process and improve
your experience, GlobalProtect offers Connect Before Logon to allow
you to establish the VPN connection to the corporate network before
logging in to the Windows 10 endpoint using a smart card, an authentication
service such as LDAP, RADIUS, or Security Assertion Markup Language (SAML),
username/password-based authentication, or one-time password (OTP) authentication.
You can benefit from enabling Connect Before Logon when you onboard
new end users on an endpoint that is not set up with a local profile
or account for the user. Connect Before Logon is disabled by default.
When you enable Connect Before Logon, your end users can launch
the GlobalProtect app credential provider and connect to the corporate
network before logging in to the Windows endpoint. After Connect Before
Logon establishes a VPN connection, end users can use the Windows
logon screen to log in to the Windows endpoint. GlobalProtect can now
act as a Pre-Login Access Provider (PLAP) credential provider to
provide access to your organization before logging in to Windows.
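
A PLAP credential provider is loaded on the Windows logon screen before any user has signed in, so it is worth knowing exactly which providers an endpoint has registered. The following audit script is an added example, not code from the GlobalProtect documentation or from Palo Alto Networks. It assumes the standard Windows PLAP registration key and COM class lookup, and hard-codes nothing specific to GlobalProtect because the page does not list its registry values.

```powershell
# Added example: inventory Pre-Login Access Providers (PLAP) and check DLL signatures.
# Assumption: providers are registered under the standard Windows PLAP key below.
$PlapRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers'

function Get-PlapProviderInventory {
    if (-not (Test-Path -LiteralPath $PlapRoot)) { return @() }

    foreach ($key in Get-ChildItem -LiteralPath $PlapRoot) {
        $clsid  = $key.PSChildName            # subkey name is the provider's COM CLSID
        $name   = $key.GetValue('')           # default value holds a friendly name, if set
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = $null
        $status = 'ClassNotRegistered'
        $signer = $null

        if (Test-Path -LiteralPath $inproc) {
            $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
            $dll = $dll.Trim('"')
            # Assumption: a bare file name resolves from System32.
            if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path "$env:SystemRoot\System32" $dll
            }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $dll
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } else {
                $status = 'DllMissing'
            }
        }

        [pscustomobject]@{
            Clsid           = $clsid
            Name            = $name
            Dll             = $dll
            SignatureStatus = $status
            Signer          = $signer
            NeedsReview     = ($status -ne 'Valid')   # unsigned, missing, or unregistered
        }
    }
}

Get-PlapProviderInventory | Format-Table -AutoSize
```

Run it from an elevated PowerShell session before and after enabling Connect Before Logon, and compare the two inventories to confirm that only the expected provider was added.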
GlobalProtect retrieves the registry keys only once, when the GlobalProtect
Because Connect Before Logon prompts
you to authenticate twice on the portal and gateway when logging
in to the Windows endpoint for the first time, the Authentication
Override cookie does not work as expected.
To use Connect Before Logon, you must enable the settings in the Windows registry
and choose the authentication method: