|
ByTechieGeek

Full Intune Lab Guide

Deploying GlobalProtect VPN on Windows 10 and Windows 11 with Microsoft Intune

This hands-on Intune lab guide walks you through deploying Palo Alto Networks GlobalProtect VPN on Windows using Win32 app deployment in Microsoft Intune.

The lab is written for test tenants, learning labs, and production pilots, and follows Microsoft-supported best practices for 2024โ€“2025.

Lab Objectives

By the end of this lab, you will be able to:

  • Package GlobalProtect as a Win32 app
  • Deploy it silently to Windows devices via Intune
  • Use correct detection logic
  • Assign the app using device-based targeting
  • Validate installation and VPN connectivity
  • Troubleshoot common deployment issues

Lab Prerequisites

Tenant & Licensing

  • Microsoft Intune enabled
  • Windows 10 22H2 or Windows 11 22H2+
  • Device enrolled in Intune (Azure AD joined or Hybrid joined)

Admin Access

  • Intune Administrator or Application Manager role

Tools Required

  • GlobalProtect MSI installer
  • Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe)
  • Test Windows VM or physical device

Lab Architecture Overview

Deployment Model

  • App type: Win32
  • Install context: System
  • Assignment: Device group
  • VPN profile: Not required

Why

  • GlobalProtect uses its own network driver
  • Native Windows VPN profiles are not supported
  • Win32 apps provide proper detection, upgrades, and remediation

Step 1: Download GlobalProtect Installer

  1. Sign in to the Palo Alto Networks support portal
  2. Download the GlobalProtect MSI for Windows (x64)
  3. Save the MSI to a working folder, for example:C:\IntuneApps\GlobalProtect

Step 2: Convert MSI to IntuneWin Format

  1. Download the Win32 Content Prep Tool
  2. Open Command Prompt as Administrator
  3. Run:IntuneWinAppUtil.exe
  4. Provide:
    • Source folder: C:\IntuneApps\GlobalProtect
    • Setup file: GlobalProtect.msi
    • Output folder: C:\IntuneApps\Output

You will get:

GlobalProtect.intunewin

Step 3: Create the Win32 App in Intune

Intune Admin Center

Apps > Windows > Add > Win32 app

App Information

  • Name: GlobalProtect VPN
  • Description: Corporate VPN client for secure remote access
  • Publisher: Palo Alto Networks

Step 4: Configure Program Settings

Install Command

msiexec /i GlobalProtect.msi /qn /norestart

Uninstall Command

msiexec /x {PRODUCT-CODE} /qn

(You can retrieve the product code after install or from MSI properties.)

Install Behavior

  • System

Device Restart Behavior

  • Suppress

Step 5: Configure Detection Rules

Recommended Option: File Detection

  • Rule type: File
  • Path:C:\Program Files\Palo Alto Networks\GlobalProtect
  • File:PanGPA.exe
  • Detection method: File exists

This provides reliable detection across versions.

Step 6: Assign the Application

Create a Device Group

Groups > New group
  • Group type: Security
  • Membership: Assigned
  • Members: Test Windows devices

Assignment

  • Deployment: Required
  • Target: Device group

Why device-based?

  • Ensures VPN installs before user sign-in
  • Works on shared and multi-user devices
  • Aligns with Conditional Access scenarios

Step 7: (Optional) Preconfigure the VPN Portal

To avoid user input, preconfigure the GlobalProtect portal:

  • Use install parameters, registry keys, or post-install scripts
  • This creates a zero-touch user experience

This step is optional but recommended for enterprise deployments.

Step 8: Sync and Validate Deployment

On the test device:

  1. Go to:Settings > Accounts > Access work or school
  2. Select the Intune-connected account
  3. Click Sync
  4. Monitor:Company Portal > Downloads & updates

Step 9: Validate Installation on the Device

File Check

C:\Program Files\Palo Alto Networks\GlobalProtect

Services

  • PanGPS
  • PanGPA

User Interface

  • GlobalProtect icon visible in system tray

Step 10: Test VPN Connectivity

  1. Launch GlobalProtect
  2. Verify portal address is populated
  3. Connect
  4. Confirm:
    • Tunnel establishes successfully
    • Internal resources are reachable

Troubleshooting Lab Failures

Symptom Cause Resolution
App installs but VPN fails Missing reboot Restart device
App not detected Detection rule mismatch Verify file path
User prompted for admin Wrong install context Use System install
VPN missing at sign-in User-based assignment Switch to device group

Lab Cleanup (Optional)

To remove GlobalProtect:

  • Assign the app as Uninstall
  • Or run uninstall command manually
  • Sync device

Key Learning Outcomes

This lab demonstrates that on Windows:

  • GlobalProtect is deployed as a Win32 app
  • No MDM approval workflows are required
  • Device-based targeting is critical
  • Proper detection ensures reliability
  • The deployment scales cleanly to production

 

LinkedInCopyPinterestRedditTelegramChatGPTSMS

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *