Modern Workplace Consultant and Microsoft Certified Trainer

With a client I am working on their modern workplace. Well.. it's not that modern, because they still want all the traffic to go to the Internet through their network. And that goes through the Palo Alto Global Protect VPN client. The customer is 👑, we say, right?

There is no clear agreement yet whether or not a VPN client should be installed, but until then, we need a VPN client. So the package is created, uploaded to Intune and is installed during the Autopilot process.

So far so good. However... after a reboot of a test machine, my password was no longer accepted. Uh? I didn't have a problem with that, did I? Not even while logging in after Autopilot's user phase? 🤔

So I clicked on "login options" and saw the Global Protect icon as default. In other words, entering your WHfB PIN (numeric or alphanumeric) could only be done if you had clicked on the "PIN" icon. So this was annoying for the pilot users and myself, among others.

Figure 01 - GP client is default. Sorry for the Dutch language. :)

After some googling, I came across this blogpost from Peter van der Woude, with the explanation of how you can use the Exclude credential providers setting in the Settings Catalog in Intune. But first I had to uncover the credential GUID of the Global Protect VPN client. After some digging in the registry, I came across this GUID: {25CA8579-1BD8-469c-B9FC-6AC45A161C18}.

We can now use this GUID to hide the Global Protect icon on the sign-in screen, so that it is no longer the default option to log in with.

Let's implement this and see what kind of result it gives.

Create the policy

  1. Go to the Endpoint Manager portal
  2. Go to Devices ➡️ Windows ➡️ Configuration Profiles and click on + Create profile
  3. In the dropdown list, select Windows 10 and later as platform and Settings Catalog as profile type
  4. Click on Create
  5. Give the policy a Name and click on Next
Figure 02 - Give the policy a name
  6. Click on + Add settings
  7. Type in the search field exclude credential and hit Search
  8. Click on Administrative Templates\System\Logon and select Exclude credential providers
  9. Enable the setting
  10. Fill in the GUID {25CA8579-1BD8-469c-B9FC-6AC45A161C18}
Figure 03 - Fill in the GUID
  11. Click on Next
  12. Click on Next
  13. Assign this policy to your desired Azure AD device group
Figure 04 - Summary of the profile

The end result

We have created a configuration profile, using the steps above. Now we have to wait for a device to pick up the new policy. 🕝

If all goes well, the Global Protect icon should have been removed and the WHfB PIN should be the default login method. The VPN client is then active in the background.

Figure 05 - GP client is removed from the login screen.
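
To find the GUID without digging through the registry by hand, and to confirm on a test device that the policy has landed, the script below lists every registered credential provider and marks the excluded ones. It is an added example, not part of the original post; the two registry paths are the standard Windows locations for registered providers and for the Exclude credential providers policy value, and are an assumption about your build. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post).
# The GUID is the one given in the post; the registry paths are assumed
# to be the standard Windows locations.
$TargetGuid   = '{25CA8579-1BD8-469c-B9FC-6AC45A161C18}'
$ProviderRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-CredentialProvider {
    # One object per registered provider: key name = GUID, default value = friendly name.
    Get-ChildItem -Path $ProviderRoot | ForEach-Object {
        [pscustomobject]@{
            Guid = $_.PSChildName
            Name = $_.GetValue('')
        }
    }
}

function Get-ExcludedProviderGuid {
    # The policy stores a comma-separated list of GUIDs in a single string value.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'ExcludedCredentialProviders' -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $item.ExcludedCredentialProviders -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

$excluded = @(Get-ExcludedProviderGuid)

# Inventory: which providers can appear on the sign-in screen, and which are hidden.
Get-CredentialProvider | ForEach-Object {
    [pscustomobject]@{
        Guid     = $_.Guid
        Name     = $_.Name
        Excluded = $excluded -contains $_.Guid   # -contains is case-insensitive
    }
} | Sort-Object Name | Format-Table -AutoSize

# Verdict for the GUID used in this post.
if ($excluded -contains $TargetGuid) {
    Write-Output "Policy applied: $TargetGuid is excluded from the sign-in screen."
} else {
    Write-Output "Policy not applied yet: $TargetGuid is not in the exclusion list."
}
```

The exclusion list is a single comma-separated value, so check the whole inventory after the policy applies: every GUID in it is hidden from the sign-in screen, and at least one working sign-in method has to remain.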

Thanks for reading this post. See you next time!
