Why GlobalProtect Credential Provider (CP) is the default sign-in option just after the GlobalProtect Install
24774
Created On 11/06/19 21:27 PM - Last Modified 01/24/24 11:45 AM
Question
Why GlobalProtect Credential Provider (CP) is the default sign-in option just after the GlobalProtect Install?
Environment
- Palo Alto Firewall.
- PAN-OS 8.0 and above.
- GlobalProtect App/Agent 4.0. and above.
Answer
SSO is widely deployed in Windows environment, therefore, GlobalProtect Credential Provider (CP) is the default sign-in option just after the GP installment. SSO will fail if GlobalProtect CP is not selected by default after installation.
- The behavior is controlled by HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\IsGPCPFirstTime registry key which is set to 1 by default.
- After the first login, the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\IsGPCPFirstTime registry key is automatically set to 0.
In case the GP CP does not need to be in the default selection immediately after installation, the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\IsGPCPFirstTime registry key needs to be set to 0 immediately after GP installation.
Additional Information
NOTE: Generally, changing the registry key is Windows OS function and can be achieved in different ways, please use the method that suits your environment.
Additionally, if you don't need to use SSO, you can prevent the GlobalProtect Credential Provider deployment from the begin by installing GlobalProtect via msiexec with the following option:
msiexec.exe /i GlobalProtect.msi use-sso no