Windows - Software - Install Palo Alto GlobalProtect

What the GlobalProtect Installer does

This Automox Worklet™ installs Palo Alto GlobalProtect on Windows endpoints. GlobalProtect provides secure VPN connectivity to your organization's network, enabling remote workers to access internal resources safely from any location.

The Worklet requires you to upload your organization's GlobalProtect MSI installers to the Worklet payload. You must download these installers from your GlobalProtect portal, as Palo Alto Networks does not provide generic download links. This approach provides the correct client version configured for your specific infrastructure.

During remediation, the Worklet detects system architecture, selects the appropriate 32-bit or 64-bit installer from the payload, and executes a quiet installation with your configured portal URL. The installation uses standard Windows Installer exit codes to report success or failure.

Why deploy GlobalProtect through Automox

GlobalProtect VPN is essential for organizations that need to provide secure remote access to internal resources. Manual VPN client deployment across distributed endpoints requires significant IT resources and creates delays for remote workers who need immediate network access.

Automating GlobalProtect deployment through this Worklet standardizes VPN client installation and preconfigures the portal URL. New employees and remote workers receive properly configured VPN access without manual IT intervention.

The Worklet also provides visibility into which endpoints have the GlobalProtect client installed, helping you track remote access coverage and identify endpoints that may need VPN capability for compliance or security requirements.

How GlobalProtect installation works

1. Evaluation phase: The Worklet searches Windows registry uninstall keys for "GlobalProtect" in both 64-bit and 32-bit registry paths. If found, the endpoint is marked compliant. If not found, the endpoint proceeds to remediation.

2. Remediation phase: The Worklet detects system architecture and selects the corresponding MSI installer from the payload. It executes the installer with /quiet and Portal=[your-portal-url] arguments, then validates the exit code (0 for success, 3010 for success with reboot required, 1618 indicates endpoint needs restart first).

GlobalProtect installation requirements

• Windows 8 or later

• PowerShell 4.0 or later

• 32-bit and 64-bit GlobalProtect MSI installers uploaded to Worklet payload

• Configure $32bitFilename, $64bitFilename, and $Portal variables in remediation code

• Administrative privileges for software installation

Expected state after GlobalProtect installation

After successful remediation, Palo Alto GlobalProtect appears in the Windows Programs list and registry uninstall keys. The GlobalProtect client icon appears in the system tray, and users can connect to your organization's VPN portal using their credentials.

The portal URL is preconfigured during installation, so users only need to enter their authentication credentials. Subsequent Worklet runs will detect the existing installation and exit without action, marking the endpoint as compliant.

How to validate install palo alto globalprotect changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for install palo alto globalprotect.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Write-Output, Get-ChildItem, Get-ItemProperty.

4. Validate remediation effects from script operations such as Split-Path, Get-ChildItem, Get-ItemProperty, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for install palo alto globalprotect. This supports repeatable software lifecycle workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as Write-Output, Get-ChildItem, Get-ItemProperty and remediation operations such as Split-Path, Get-ChildItem, Get-ItemProperty. Use these indicators to verify that endpoint changes match intended policy outcomes.