Why GlobalProtect Credential Provider (CP) is the default sign-in option just after the GlobalProtect Install
Question
Why is the GlobalProtect Credential Provider (CP) the default sign-in option immediately after GlobalProtect is installed?
Environment
- Palo Alto Firewall.
- PAN-OS 8.0 and above.
- GlobalProtect App/Agent 4.0 and above.
Answer
SSO is widely deployed in Windows environments; therefore, the GlobalProtect Credential Provider (CP) is the default sign-in option immediately after GlobalProtect is installed. SSO will fail if the GlobalProtect CP is not selected by default after installation.
- The behavior is controlled by the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\IsGPCPFirstTime registry key, which is set to 1 by default.
- After the first login, the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\IsGPCPFirstTime registry key is automatically set to 0.
If the GlobalProtect CP does not need to be the default selection immediately after installation, set the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\IsGPCPFirstTime registry key to 0 immediately after GlobalProtect is installed.
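One way to apply the change described above as a post-install step, shown as an added example that is not Palo Alto Networks code. It assumes an elevated session, and because the page does not state the value's registry type, the script keeps whatever type the installer created.

```powershell
#Requires -RunAsAdministrator
# Added example (not Palo Alto Networks code). Run once, right after the MSI install,
# from 64-bit PowerShell: a 32-bit host is redirected to WOW6432Node and may not see the key.
[CmdletBinding(SupportsShouldProcess)]
param()

$KeyPath   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect'
$ValueName = 'IsGPCPFirstTime'

if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    throw 'Run this from 64-bit PowerShell so HKLM:\SOFTWARE is not redirected.'
}
if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "GlobalProtect key not found: $KeyPath (is the app installed?)"
}

$key = Get-Item -LiteralPath $KeyPath
if ($key.GetValueNames() -notcontains $ValueName) {
    throw "$ValueName is not present under $KeyPath; nothing changed."
}

# Assumption: the value's registry type is not stated on the page, so read the
# existing type and write 0 back in that same type instead of guessing.
$kind    = $key.GetValueKind($ValueName)
$current = $key.GetValue($ValueName)
Write-Output "Before: $ValueName = $current ($kind)"

if ("$current" -eq '0') {
    Write-Output 'Already 0; the first sign-in has happened or the value was reset earlier.'
    return
}

$newValue = if ($kind -eq [Microsoft.Win32.RegistryValueKind]::String) { '0' } else { 0 }
if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to 0')) {
    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $newValue -Type $kind
    # Read the value back so a silent failure does not go unnoticed in deployment logs.
    $after = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName).$ValueName
    if ("$after" -ne '0') { throw "Verification failed: $ValueName is still $after" }
    Write-Output "After: $ValueName = $after"
}
```

Running the script with -WhatIf reports the current value and the intended change without writing to the registry.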
Additional Information
NOTE: If you don't need to use SSO, you can prevent the GlobalProtect Credential Provider deployment from the beginning by installing GlobalProtect via msiexec with the following option:
msiexec.exe /i GlobalProtect.msi use-sso no
Also, make sure the GlobalProtect Portal has Use Single Sign-on (Windows) set to No. If it is set to Yes, the Portal configuration will rewrite the use-sso registry value to Yes and the icon will show up on the Windows logon screen.
NOTE: Changing a registry key is generally a Windows OS function and can be done in different ways; use the method that suits your environment.
NOTE: The show password icon (eye symbol) is not displayed in the password field with GPCP.