Palo Alto GP connection method 'On-demand' not working on some Windows clients

I've noticed on some of the Windows (maybe this happens on macOS as well, but haven't tested it) that even though the App configurations setting for Connection Method was set to On-demand (Manual user initiated connection), it would still try to immediately connect to VPN when user logs into Windows.

Found a post on Reddit where I found the solution. Seems that GP client, sometimes, doesn't create proper registry keys, so the solution is quite simple - create the keys and reboot Windows:

  1. Open registry editor (regedit)
  2. Navigate to: HKEY_CURRENT_USER\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\<Portal FQDN or IP>
  3. Add two DWORD(32-bit) keys if they are missing:
  • Name: UpdateOD; Type: REG_DWORD; Value: 1
  • Name: WasOD; Type: REG_DWORD; Value: 1

Finally, reboot the client PC.

This fixed the issue for me, hopefully it helps you as well.