Enforce Palo Alto GlobalProtect installation and portal URL on Windows endpoints across your entire fleet
This Automox Worklet™ enforces the GlobalProtect VPN client and its configured portal URL on Windows endpoints. The Worklet evaluates two conditions on each run. First, whether GlobalProtect is installed under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. Second, whether the Portal value at HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup matches the URL defined in the policy.
When GlobalProtect is missing, the remediation script runs your uploaded MSI installer silently with /quiet Portal=$Portal so the client comes up already pointed at the right gateway. When GlobalProtect is installed but the Portal value has drifted, the Worklet writes the correct value back to PanSetup and restarts the PanGPS service so the new portal takes effect without an endpoint reboot.
The Worklet handles both 32-bit and 64-bit Windows by inspecting [System.Environment]::Is64BitOperatingSystem and selecting the matching $32bitFilename or $64bitFilename installer. A single policy covers heterogeneous fleets that mix Windows 10, Windows 11, and Windows Server 2012 R2 or later.
GlobalProtect is the remote-access tunnel of record for many regulated environments, and the Portal value is the single registry setting that decides which gateway an endpoint will trust. A laptop can arrive from a vendor with the wrong portal baked in. A user-initiated reinstall can pick up an old MSI. A migration can update the portal everywhere except a handful of sites. In each case, the endpoint quietly connects to the wrong portal, users lose access, and security teams lose evidence that every endpoint terminates on the approved gateway.
The PanSetup\Portal value can drift after a vendor installer upgrade, a profile copy, or a change made by a local admin who switches networks. Apply this Worklet through the remote-access policy that covers your Windows laptops and servers so the GlobalProtect agent is installed from the payload MSI when missing and the documented Portal value is written from a single configuration. A weekly evaluation catches a wrong Portal value or a missing install before it becomes an audit finding or a help-desk backlog.
Evaluation phase: The evaluation script checks for a GlobalProtect entry under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall using both 32-bit and 64-bit registry views. When the install is found, the script reads the Portal value from HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup and compares it to the $Portal variable defined in the policy. The endpoint is flagged for remediation when GlobalProtect is missing or when the live Portal value does not match the configured URL. A compliant endpoint exits 0 with no further action.
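The evaluation logic described above, as an added sketch that is not the Worklet's own evaluation.ps1. The DisplayName match on "GlobalProtect", the function names, and the use of exit code 1 as the "needs remediation" signal are assumptions; the registry paths and $Portal come from the page.

```powershell
# Added example: evaluation-phase sketch, not the Worklet's own evaluation.ps1.
$Portal = 'vpn.example.com'   # placeholder FQDN, as in the page's example

function Test-GlobalProtectInstalled {
    # Search the Uninstall key in both the 64-bit and 32-bit registry views.
    foreach ($view in [Microsoft.Win32.RegistryView]::Registry64,
                      [Microsoft.Win32.RegistryView]::Registry32) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $uninstall = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
            if (-not $uninstall) { continue }
            foreach ($name in $uninstall.GetSubKeyNames()) {
                $entry = $uninstall.OpenSubKey($name)
                # Assumption: the product's DisplayName contains "GlobalProtect".
                if ($entry -and ($entry.GetValue('DisplayName') -like '*GlobalProtect*')) {
                    return $true
                }
            }
        } finally {
            $hklm.Close()
        }
    }
    return $false
}

function Get-GlobalProtectPortal {
    # Returns $null when the key or the Portal value is absent.
    $key = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
    (Get-ItemProperty -Path $key -Name Portal -ErrorAction SilentlyContinue).Portal
}

if (-not (Test-GlobalProtectInstalled)) {
    Write-Output 'GlobalProtect not installed; flagging for remediation.'
    exit 1   # assumption: any non-zero exit flags the endpoint
}

$current = Get-GlobalProtectPortal
if ($current -ne $Portal) {   # string -ne is case-insensitive, which suits host names
    Write-Output "Portal drift: found '$current', expected '$Portal'."
    exit 1
}

Write-Output 'GlobalProtect installed and Portal matches policy.'
exit 0
```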
Remediation phase: For missing installs, the remediation script invokes Start-Process against the architecture-appropriate MSI with the argument list /quiet Portal=$Portal. Exit codes 0 and 3010 (reboot required) are treated as success. Exit code 1618 (another install in progress) is surfaced as a failure with a message asking for an endpoint restart before retry. When GlobalProtect is already installed but the Portal value drifted, the script writes the correct value back to PanSetup using [Microsoft.Win32.RegistryKey]. It then calls Restart-Service -Name 'PanGPS' -Force so the new gateway takes effect without rebooting.
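The two remediation paths and the exit-code handling described above, as an added sketch that is not the Worklet's own remediation.ps1. The payload file names, the msiexec /i invocation, the function names, and the PanGPS service check used to choose a path are assumptions, and Set-ItemProperty stands in for the [Microsoft.Win32.RegistryKey] write the page mentions.

```powershell
# Added example: remediation-phase sketch, not the Worklet's own remediation.ps1.
$Portal        = 'vpn.example.com'       # placeholder FQDN; must match the evaluation script
$64bitFilename = 'GlobalProtect64.msi'   # hypothetical payload file names
$32bitFilename = 'GlobalProtect.msi'
$PanSetup      = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

function Install-GlobalProtect {
    # Pick the installer that matches the OS architecture.
    $msi = if ([System.Environment]::Is64BitOperatingSystem) { $64bitFilename } else { $32bitFilename }
    # Assumption: the payload is in the current directory and is launched through msiexec /i.
    $msiPath = Join-Path -Path (Get-Location).Path -ChildPath $msi
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList "/i `"$msiPath`" /quiet Portal=$Portal"
    return $proc.ExitCode
}

function Repair-Portal {
    # Write the policy value back, restart the service, then confirm the write persisted.
    Set-ItemProperty -Path $PanSetup -Name Portal -Value $Portal
    Restart-Service -Name 'PanGPS' -Force
    return ((Get-ItemProperty -Path $PanSetup -Name Portal).Portal -eq $Portal)
}

# Simplification: the presence of the PanGPS service stands in for the Uninstall-key check.
if (Get-Service -Name 'PanGPS' -ErrorAction SilentlyContinue) {
    if (Repair-Portal) {
        Write-Output "Portal set to '$Portal'; PanGPS restarted."
        exit 0
    }
    Write-Output 'Portal value did not persist after the write.'
    exit 1
}

$code = Install-GlobalProtect
switch ($code) {
    0       { Write-Output 'GlobalProtect installed.'; exit 0 }
    3010    { Write-Output 'GlobalProtect installed; reboot required.'; exit 3010 }
    1618    { Write-Output 'Another installation is in progress; restart the endpoint and retry.'; exit 1618 }
    default { Write-Output "Installer failed with exit code $code."; exit $code }
}
```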
Windows 8 or later (Windows 10, Windows 11, Windows Server 2012 R2 or later) with PowerShell 4.0+
Administrator context for HKLM registry writes and for restarting the PanGPS service (the Automox agent runs as SYSTEM by default)
Both the 32-bit and 64-bit GlobalProtect MSI installers uploaded to the Worklet under the names referenced by $32bitFilename and $64bitFilename
$Portal set to the FQDN of your organization's GlobalProtect portal (e.g., vpn.example.com); the same value must be set in both evaluation.ps1 and remediation.ps1
MSI installers must be obtained directly from your GlobalProtect portal; no public download is available on the vendor site
Network reachability from the endpoint to the portal FQDN during the silent install
After remediation, every targeted endpoint has GlobalProtect installed and the Portal registry value at HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup equal to the URL defined in $Portal. The PanGPS service is running, and the system-tray client opens directly to your gateway without prompting users for a portal address. Subsequent policy runs report the endpoint as compliant and skip remediation because the evaluation phase finds the install present and the Portal value already correct.
To validate after a policy run, query the live value with Get-ItemProperty -Path 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup' -Name Portal and confirm it matches $Portal. Confirm the service is running with Get-Service -Name PanGPS, which should report Status: Running. For audit evidence, capture both outputs alongside the Automox activity-log entry, which records exit code 0 on success and exit code 3010 when a post-install reboot is queued. When the portal URL changes during an infrastructure migration, update $Portal in both scripts and re-run the policy. The Worklet will rewrite PanSetup and bounce PanGPS on every endpoint still pointed at the old gateway.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
