Deploy Palo Alto GlobalProtect via Intune | Guide
Palo Alto GlobalProtect is the VPN and zero trust network access client for Palo Alto firewalls and Prisma Access. The MSI installer supports silent deployment with the portal address pre-configured, so users connect automatically when GlobalProtect launches. This guide covers both on-premises firewall and Prisma Access deployment.
Prerequisites
- A Palo Alto Networks firewall with GlobalProtect configured, or a Prisma Access subscription
- Your GlobalProtect portal address (hostname or IP of your firewall/Prisma Access gateway)
- Admin access to your firewall or Prisma Access to download the agent
Download the MSI
On a Palo Alto firewall, download GlobalProtect from the portal:
Firewall web UI → GlobalProtect → Portals → select portal → Agent → Download
For Prisma Access, download from the Panorama console under GlobalProtect. Download the GlobalProtect64.msi (64-bit Windows).
Wrap with the Content Prep Tool
IntuneWinAppUtil.exe -c "C:\AppSource\GlobalProtect" -s "GlobalProtect64.msi" -o "C:\IntunePackages"
Add the app in Intune
- Upload the .intunewin file
- Name: Palo Alto GlobalProtect
- Publisher: Palo Alto Networks
Install and uninstall commands
Detection rule
Known gotchas
GlobalProtect prompting for credentials
If your portal uses SAML/SSO authentication via Entra ID, GlobalProtect will launch the browser for authentication. On the first connection after deployment this is expected. Ensure your SAML IdP is configured in the portal settings before deploying at scale.
Older versions still installed
If users have an older GlobalProtect version installed (e.g. from a previous EXE-based deployment), the MSI install may fail or conflict. Use a detection rule that checks for any existing GlobalProtect install and run an uninstall pre-script if needed.
Frequently Asked Questions
Use: msiexec /i "GlobalProtect64.msi" /quiet /norestart PORTAL=your-portal-address. The PORTAL property pre-configures the GlobalProtect gateway so users connect automatically without needing to enter a server address.
Download GlobalProtect from your Palo Alto firewall or Prisma Access portal. On a firewall, go to GlobalProtect > Portals, select your portal, and download the Windows 64-bit agent. The filename is GlobalProtect64.msi.
Add PORTAL=your-firewall-hostname-or-ip to the msiexec install command. This pre-populates the portal address field so users do not need to type it when they first open GlobalProtect.
Use a file detection rule: check for PanGPA.exe in C:\Program Files\Palo Alto Networks\GlobalProtect. This file is present after a successful install regardless of version.