
Palo Alto GlobalProtect Hotfix Versions

Started by jmoock, October 09, 2025, 07:48:52 AM


jmoock

When hotfix versions are released for GlobalProtect, since the detection rules look at the registry (which only contains the X.Y.Z portion of the version, ex: 6.2.8) the updates are shown as being already installed in Intune/WSUS.  Can future detection rules look at something that includes the revision number, such as the version of the PanGPS executable which includes the release version (ex: 6.2.8.317) or possibly the MSI product ID (if it in fact changes in hotfix releases) so that GlobalProtect hotfixes can be reliably deployed with PatchMyPC?

Thank you

Andrew Jimenez (Patch My PC)

We are working on this; we have found a way to improve the WSUS rules easily enough and will do so in the coming weeks. As for the Intune detection, that will require a major rework on our detection rules, as almost every other product in our catalog provides the full version number in the ARP registry. We've asked customers to reach out to Palo and request the full version number be provided in ARP for easy detection, and they have provided other registry values to key off of instead...

davidlettice

We're also having issues with this, where it perceives 6.3.3-676 to be the same as 6.3.3-633, and therefore doesn't push out any updates until it hits 6.3.4.

One "workaround" we've found is to change the app itself to use a custom detection method:

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
Name: CurrentVersion
Method: String Comparison
Operator: Equals
Value: 6.3.3-676 (or your version number)

The downside with this is that it will treat this as a first-time deployment and ignore the update rings we have in place - something that for a business-critical app just doesn't work for us.
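
A script-based variant of the custom detection described in the post above, as an added example that is not part of the original post or Patch My PC's own rules: it reads the same PanSetup\CurrentVersion value and compares the X.Y.Z-build string numerically, so the required hotfix build or any later one satisfies detection. The required version shown, the function name and the assumption that the value always has the X.Y.Z-build form are assumptions; it does not change the update-ring behaviour mentioned above.

```powershell
# Added example: Intune Win32 app custom detection script (exit 0 + STDOUT output = detected).
# Assumption: run as a 64-bit process so the native HKLM\SOFTWARE view is read.

# Minimum build that counts as "installed". Constructed value, set it to the hotfix you deploy.
$RequiredVersion = '6.3.3-676'

# Registry location and value name quoted in the thread.
$KeyPath   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
$ValueName = 'CurrentVersion'

function ConvertTo-GpVersion {
    # Hypothetical helper: turns "X.Y.Z-build" (or "X.Y.Z.build" / "X.Y.Z") into [version].
    param([string]$Text)

    if ($Text -notmatch '^\s*(\d+)\.(\d+)\.(\d+)(?:[-.](\d+))?\s*$') {
        return $null   # unexpected format: treat as not detected rather than guess
    }

    # A missing hotfix build is compared as 0, so "6.3.3" sorts below "6.3.3-633".
    $build = if ($Matches[4]) { [int]$Matches[4] } else { 0 }
    return [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], $build)
}

$required = ConvertTo-GpVersion $RequiredVersion

# A missing key or value yields $null here instead of a terminating error.
$raw = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$installed = ConvertTo-GpVersion $raw

if ($installed -and $required -and $installed -ge $required) {
    # Numeric comparison: 6.3.3-676 is newer than 6.3.3-633, and 6.3.4-x is newer than both.
    Write-Output "GlobalProtect $raw detected (required $RequiredVersion)"
    exit 0
}

# No output and a non-zero exit code: the app is reported as not installed.
exit 1
```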

Andrew Jimenez (Patch My PC)

That extra info is helpful, and we are hoping to utilize it to better support this app in the near future! Thanks!

jchipman

Is there any kind of ETA for the WSUS implementation so the hotfixes can be applicable? Our org follows the 'preferred' releases for GlobalProtect and we missed the opportunity to catch the last one so now the latest release is not the preferred one, nor is it detected as applicable due to it being a hotfix. Ideally trying to avoid publishing an app to accomplish this update.

Andrew Jimenez (Patch My PC)

I think we'll be able to fix both the WSUS rules and Intune rules with the next release of the GlobalProtect apps!

iamr00t

Just to keep the responsibility on the right side, shouldn't Palo Alto be making these properly versioned? It seems like Palo Alto should be releasing their products with standard dot releases, and Patch My PC should need to work around their lack of proper version control. Am I wrong, here?


Andrew Jimenez (Patch My PC)

You are correct, Palo should be versioning their software correctly, and we recommend customers reach out to Palo about this. Until the installers change, we are planning to implement some improvements to detection for these apps anyway.

iamr00t

I personally appreciate Patch My PC for working around their lack of standards. I have been trying to work around this for now with the detection mod and I noticed if I try to replace the MSI with a newer version or create a second custom app for GP, I am told that there is already a 3.2.8 installer. Even that would be useful, as now I need to completely delete the app from the Portal, Publisher, and app catalog and remake it (and somehow retain my additional command switches). Tips on that are welcome as well. Either way, thanks for coming up with good workarounds.