Windows - Software - Install Palo Alto GlobalProtect

Deploy Palo Alto GlobalProtect to Windows endpoints with your MSI installer and portal URL preconfigured

Worklet Details

What the GlobalProtect deployment Worklet does

This Automox Worklet™ deploys the Palo Alto GlobalProtect VPN client to Windows endpoints using MSI installers you stage in the Worklet payload. The evaluation script checks both the 64-bit uninstall hive (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) and the 32-bit Wow6432Node hive for any DisplayName matching GlobalProtect. If the client is already present, the endpoint is marked compliant and remediation is skipped.

The remediation phase reads three policy variables: $32bitFilename, $64bitFilename, and $Portal. It detects the endpoint architecture with [System.Environment]::Is64BitOperatingSystem, selects the matching MSI from the payload directory, and launches the installer with Start-Process and the argument list /quiet Portal=$Portal. The portal value is written into the install so users do not have to type it on first launch.

Palo Alto Networks does not host a generic GlobalProtect download link, so you must pull the MSIs (GlobalProtect.msi and GlobalProtect64.msi) directly from your organization's GlobalProtect portal and attach both to the Worklet payload. The script honors the standard MSI exit codes: 0 for success, 3010 for success requiring a reboot, and 1618 when an MSI is already in progress and the endpoint needs a restart before reinstalling.

Why deploy GlobalProtect from a managed policy

GlobalProtect connects a Windows endpoint to the corporate network through the Palo Alto firewall. An endpoint without the client cannot reach internal apps over VPN and cannot participate in Host Information Profile (HIP) checks that your firewall policies rely on. New hires, returned hardware, and reimaged endpoints each create a window where a user has no VPN access until an operator touches the endpoint.

Apply this Worklet to your standard Windows workstation device group. The uninstall-hive registry check runs on every policy pass, so a freshly imaged endpoint picks up the GlobalProtect MSI on its next Automox agent check-in rather than waiting for a help-desk ticket.

How GlobalProtect deployment works

  1. Evaluation phase: The script opens the 64-bit uninstall registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) using [Microsoft.Win32.RegistryKey]::OpenBaseKey and enumerates DisplayName values for matches against GlobalProtect. It then walks the 32-bit Wow6432Node uninstall key for the same pattern. On 32-bit Windows, only the legacy HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall path is checked. A match exits 0 (compliant); no match exits 1 and flags the endpoint for remediation.

  2. Remediation phase: The script determines the architecture, builds the installer path with Split-Path $script:MyInvocation.MyCommand.Path -Parent, and runs Start-Process -FilePath "$installer" -ArgumentList "/quiet Portal=$Portal" -Wait -PassThru. Exit codes 0 and 3010 are treated as success, 1618 is reported as "the endpoint must be restarted prior to reinstalling," and anything else exits 1 with "Installation failed." Successful installs drop the agent under C:\Program Files\Palo Alto Networks\GlobalProtect with the portal already populated.
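
The two phases above, sketched as an added example (not the Worklet's shipped code, and combined into one file for readability). The helper name Test-GlobalProtectInstalled, the sample variable values, the hostname check on $Portal, and the exit value used for MSI code 1618 are assumptions.

```powershell
# Added illustration: evaluation and remediation combined in one file.
# Constructed sample values; use your own payload filenames and portal.
$32bitFilename = 'GlobalProtect.msi'
$64bitFilename = 'GlobalProtect64.msi'
$Portal        = 'vpn.example.com'

function Test-GlobalProtectInstalled {   # hypothetical helper name
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    # Registry32 on 64-bit Windows resolves to the Wow6432Node hive.
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    if ([System.Environment]::Is64BitOperatingSystem) {
        $views += [Microsoft.Win32.RegistryView]::Registry64
    }
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $uninstall = $base.OpenSubKey($subKey)
        if ($null -eq $uninstall) { continue }
        foreach ($name in $uninstall.GetSubKeyNames()) {
            $entry = $uninstall.OpenSubKey($name)
            if ($entry -and ($entry.GetValue('DisplayName') -like '*GlobalProtect*')) { return $true }
        }
    }
    return $false
}

# Evaluation: exit 0 when compliant; otherwise continue to remediation.
if (Test-GlobalProtectInstalled) { Write-Output 'GlobalProtect present.'; exit 0 }

# Added check: $Portal goes onto the installer command line, so accept
# only a bare hostname (no scheme, spaces, or quotes).
if ($Portal -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
    Write-Output "Refusing to install: '$Portal' is not a bare hostname."; exit 1
}

$msi = if ([System.Environment]::Is64BitOperatingSystem) { $64bitFilename } else { $32bitFilename }
$scriptDir = Split-Path $script:MyInvocation.MyCommand.Path -Parent
$installer = Join-Path $scriptDir $msi
if (-not (Test-Path -LiteralPath $installer)) { Write-Output "Payload not found: $installer"; exit 1 }

$process = Start-Process -FilePath "$installer" -ArgumentList "/quiet Portal=$Portal" -Wait -PassThru
switch ($process.ExitCode) {
    0       { Write-Output 'Installation succeeded.'; exit 0 }
    3010    { Write-Output 'Installation succeeded; reboot required.'; exit 0 }
    1618    { Write-Output 'The endpoint must be restarted prior to reinstalling.'; exit 1 }  # exit value assumed
    default { Write-Output "Installation failed (MSI exit code $($process.ExitCode))."; exit 1 }
}
```

In the Worklet itself the evaluation and remediation code run as separate scripts, with a non-compliant evaluation exiting 1 to trigger remediation.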

GlobalProtect deployment requirements

  • Windows 8 or later (workstation or server) with PowerShell 4.0 or newer available to the Automox agent

  • Both GlobalProtect.msi (32-bit) and GlobalProtect64.msi (64-bit) downloaded from your organization's GlobalProtect portal and uploaded to the Worklet payload

  • Set $32bitFilename, $64bitFilename, and $Portal in the remediation code; $Portal accepts a hostname such as vpn.example.com without a scheme

  • Administrator privileges on the endpoint for MSI installation (the Automox agent context already meets this)

  • Network reachability from the endpoint to the GlobalProtect portal so the client can complete its first connection after install

Expected endpoint state after GlobalProtect deployment

After successful remediation, the GlobalProtect client lives at C:\Program Files\Palo Alto Networks\GlobalProtect, and the PanGPS service is installed and set to start automatically. The tray icon appears for the logged-in user, and the portal field is prefilled with the value you passed in $Portal. Users only need to authenticate on first launch. Exit code 3010 indicates the install succeeded but a reboot is needed before the VPN tunnel can come up, so pair this Worklet with a reboot policy or schedule the run during a maintenance window.

Validate the deployment by running Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object DisplayName -like 'GlobalProtect*' on a remediated endpoint and confirming a DisplayVersion is returned. The next evaluation pass against the same endpoint will return exit code 0 and the Automox console will report the endpoint as compliant. If you ship a new GlobalProtect MSI version, update the filenames in $32bitFilename and $64bitFilename, and pair this Worklet with the matching Uninstall Palo Alto GlobalProtect Worklet to remove the old client before the new one lands.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
