>
    Strata Copilot
    Configure Pre-Logon Support for Prisma Access Agent
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Agent
    3. Prisma Access Agent Administration
    4. Configure the Prisma Access Agent
    5. Configure Pre-Logon Support for Prisma Access Agent
    Download PDF
    Prisma Access Agent

    Configure Pre-Logon Support for Prisma Access Agent

    Table of Contents

    Configure Pre-Logon Support for Prisma Access Agent

    Learn how to configure pre-logon for Prisma Access Agent, enabling secure tunnel connections before user authentication for improved device management and security.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • NGFW (Managed by Panorama)
    • Check the prerequisites for the deployment you're using
    • Minimum required Prisma Access Agent version: 25.3
    • macOS or Windows desktop devices
    • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
    Configure pre-logon for Prisma Access Agent to establish a secure tunnel before a user logs into their device, which provides essential network access for managing and updating remote devices without requiring a user to log in to their device.
    To implement pre-logon, you'll need to:
    • Deploy machine certificates throughout your environment, typically using a service like Microsoft Certificate Services. Prisma Access Agent uses these certificates for device authentication during the pre-logon process.
    • Configure the Prisma Access Agent settings to enable the pre-logon feature.
    • Be familiar with security policies and how they apply to pre-logon users.
    Pre-logon integrates with existing authentication methods, enabling you to use certificate-based authentication for pre-logon while maintaining SAML or other methods for user login. This flexibility ensures that your security policies remain intact while improving device management capabilities. The feature also supports agent upgrades and downgrades, ensuring your devices remain current and secure. Pre-logon is designed to work across system restarts and sleep-wake cycles, providing consistent connectivity for your managed devices.

    Pre-Logon Tunnel Flow

    The pre-logon device tunnel establishes connectivity through a sequence that begins at system boot and transitions seamlessly to user sessions.
    Pre-logon mode is only application running on an endpoint after system reboot or user sign-out. When a managed device boots up or resumes from sleep, the device immediately uses its preinstalled machine certificate to authenticate with the Endpoint Manager. Upon successful authentication, a tunnel is established before any user logs in. This tunnel uses a generic username called pre-logon because the user has not yet logged in. The pre-logon tunnel grants the device access to network resources as defined by the security policy configuration that you set up. At this stage, you can push updates, apply group policies, or perform other management tasks without user interaction.
    If an actual username configured in the IdP is called pre-logon, for example pre-logon@email.com, that user will be able to access Prisma Access Agent only in pre-logon mode. Specifically, the pre-logon@email.com user will receive the app configuration that is mapped to the generic pre-logon user, instead of the app configuration being mapped to the pre-logon@email.com user.
    Pre-Logon User Experience
    The Windows pre-logon experience is different from pre-logon for macOS. When a Windows device starts up, the pre-logon process will show what happens during a pre-logon connection. While on macOS, there are no visual cues related to the pre-logon connection. Users just need to sign in when prompted by the operating system.
    Throughout the pre-logon process, the Windows login screen will show the Prisma Access Agent status. If the device has never been enrolled (meaning the agent has never registered with the Endpoint Manager, and never been configured on the device), pre-logon enrollment proceeds automatically. When finished, the agent will automatically connect to the best available gateway using the pre-logon tunnel. Once connected, the agent status will change to Connected, and will list the gateway that the agent is connected to.
    For a device undergoing first-time enrollment, authentication takes place with the Endpoint Manager and the gateway. If the device has previously been enrolled and the user is restarting their device, authentication happens only with the gateway.
    After a user logs in, the pre-logon tunnel transitions to a user-specific tunnel with potentially broader access rights. The transition happens after the configured pre-logon tunnel rename timeout expires. Throughout the user's session, administrators retain the ability to manage the device, retrieve logs, and monitor its status.
    Upon user logout, the system reverts to the pre-logon state. The user-specific tunnel is terminated, and the device returns to using the limited pre-logon tunnel. This ensures continuous management capability and essential connectivity even when no user is actively logged in. The cycle of transitioning between pre-logon and user-specific tunnels continues, maintaining appropriate access controls throughout the device's operational states until it's shut down.
    The remote shell functionality does not work when the user is on the logon screen. However, after the user logs on and until the tunnel rename timeout period expires, the pre-logon tunnel is active and the remote shell will work as expected.

    © 2026 Palo Alto Networks, Inc. All rights reserved.