Dear All,
I am facing an issue during the First Logon (Pre-Logon VPN) after the Autopilot setup.
Here are the details:
Device installed with Autopilot. Applications are installed correctly (Office, VPN Client, SCCM Agent, Company Portal, etc.).
Setup Type: Pre-Provisioning mode. Green screen at the end of the setup, device can be Resealed.
Seems all Good!
Initiating the First Login...
Non-Office Network...
Desired solution:
Pre-Logon to VPN and then Windows Sign-In.
VPN Solution: Palo Alto GlobalProtect VPN
Connection type: Always ON
Client app: Installed on the System
- configured with portal address
- configured for Pre-Logon
Problem:
When the Autopilot Setup is finished and I am at the Windows logon Screen I can choose the Network Sign-In option from the icon at the bottom-right corner.
MFA is enabled and that is when the problem starts..
It is driving me correctly to the MFA sign-in Page...
I get the Approval push to my Authenticator, and I approve it.
And then I get the message:
You can't get there from here!
When I check the device compliance in Intune it is marked as "Compliant"! (Although the "Enrolled by: user" is empty.)
----------------------------------------------------------------------
Workarounds that worked:
1. If I put the user on the Exception list of the Conditional Access Policy item in Azure for the GlobalProtect application, it works. So I assume that the VPN and its settings are configured correctly, because it is working even through the Pre-Logon, but once 2FA is enabled, it is not. It feels like it didn't detect that the device is Enrolled and Compliant.
2. Sign in to Windows with a dummy user, sign in to the Company Portal app, and then it is working.
I would like to avoid using these workarounds and use it with the MFA if possible.
Have you seen such behavior already? Or should it work at all as we want it?
Thanks in advance,
Cheers