ersvasup.blogg.se

Globalprotect pre-logon windows 10













I’ll be writing a post dedicated to the full technical and security architecture around a cert-based Palo Alto Always On VPN configuration, so I’ll only briefly touch on the relevant parts here. At the same time there has also been a push to implement a proper Always On VPN configuration. We are already a Palo Alto GlobalProtect customer and have been happy with the solution, so getting the two to work together just made sense. After enrollment is completed you are on your own to establish pre-login connectivity to facilitate an initial logon to your domain as there are no cached credentials yet on the machine.


At its core it is really just a flag telling OOBE not to perform a DC connectivity check. After this I decided to put everything on the backburner and abandon MS VPN (I found the MS VPN solution using RRAS to be clunky and inconsistent with a lot to be desired). Fast forward a few months and Microsoft finally released the new 'functionality'. Soon after, I found a post from Microsoft saying that they had this setting in private beta and would be releasing it in the coming months. In the logging I also saw references to a configuration parameter that would disable the DC check. I was able to sometimes get an enrollment to work via device tunnel MS VPN policies, but success wasn’t consistent and relied on policies/certificates coming down in a timely manner. Sifting through logs I could see the only thing holding back a successful enrollment was a little function at the end of enrollment that was simply looking for a domain controller.


The issue with Autopilot was that technically you were still required to have line of sight to a domain controller even though the domain join happened via an offline blob using the on-prem Intune connector. I was looking at both for different reasons but also looking at them as a combined solution. UPDATE: Please also see part two on implementing Autopilot/GlobalProtect without certificates here: Back in April, at the beginning of the pandemic, I started putting a lot of focus into getting Windows Autopilot to work with Hybrid Join clients and Microsoft Always On VPN.













