Hi, we need to enable the CheckPoint Mobile VPN - SDL (Secure Domain Logon) option centrally. The preferred method is through scripting, e.g. PowerShell. It seems that adding the registry key HKLM\SOFTWARE\Wow6432Node\CheckPoint\TRAC SDLEnabled REG_DWORD 0x1 is not enough. The only thing we see is that the checkbox is ticked, but it does not result in the SDL option appearing on the Windows logon screen. We recently deployed Checkpoint VPN to thousands of endpoints; only the SDL option needs to be activated programmatically.
After the registry value is deployed as described above, we do see that the checkbox is enabled, but it does not work the way it does when a user manually enables this checkbox.
In addition to the registry setting, you will have to deploy a version of the client where this option was enabled.
This means building an MSI using the following tool: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Then redeploy the client.
Unfortunately, that is the only way to achieve this that I am aware of.
I reconfigured the installation with the VPN Configuration Utility you mentioned, enabled SDL and monitored registry changes during the installation. I noticed a new registry key. With that, I successfully enabled SDL for already deployed clients.
RegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{a7fd389f-fac9-4772-b6af-54e09f65a2a3}"
Now it works. Thank you.
Not 100% sure that is universal or not but glad you got it working.
Hi,
Do you know if there is any other way to enable SDL without deploying a new VPN client on each computer?
I tried to add a registry key with both values, but the Network sign-in button is not shown on the user's client.
Registry added via a GPO (Computer Configuration section):
{a7fd389f-fac9-4772-b6af-54e09f65a2a3}
SDLenable=1
Deploying a new package is too difficult because all users are out of the office.
Like I mentioned earlier in the thread, I am not sure whether what @DunN mentioned in the thread is universal or not.
Recommend manually enabling it the same way to see if it creates the same registry key in the same location.
Currently Check Point VPN version 98.61.58 is deployed and SDL is available (see the GUI I posted earlier), but the checkbox is unticked. We would like to enable this option for already deployed clients without going through the whole build-and-redeploy installation process. Is there an alternative way?
Just my 2 Cents...
Deploying this via the registry brought up the SDL window as the user logs on, but in a lot of cases the Connect button on the logon window was missing.
We programmatically enabled SDL by simply running: %ProgramFiles(x86)%\CheckPoint\Endpoint Connect\trac.exe sdl -st enable once per client.
This can be done by a software deployment system, for example, with basically every user.
I have observed that sometimes the CP screen is in the background. By ALT-TABbing you can make the screen show.
Sorry, I probably didn't describe it sufficiently. I don't mean the CP screen itself: if you have SDL enabled, you should have an additional icon at the bottom right of the Windows 10 logon screen, left of the icon that indicates the network status (the Wi-Fi icon, for example). If you click this button/icon you can manually establish the connection before entering a user account on the logon screen. This is especially helpful if you want to log on with a Windows domain account that has never logged on to the device before and has no cached credentials (e.g. a user receives a new device via mail and wants to log on with their AD account for the first time).
This button/icon was missing for a lot of our users where we tried to deploy it via the registry. It always appeared for the people for whom we enabled SDL via trac.exe.
Ah yes, if you first enable SDL via the GUI or with the trac.exe command you already described (I haven't tested that), a few keys will be created under:
RegistryPath = "HKLM:\SOFTWARE\Classes\CLSID\{a7fd389f-fac9-4772-b6af-54e09f65a2a3}"
RegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{a7fd389f-fac9-4772-b6af-54e09f65a2a3}"
With those, the icon you mentioned will be created so users without a user profile can successfully log on. I'm using registry key deployment so I can remediate already deployed configurations. Of course, I am aware that this method is not supported by Checkpoint.
We are using version 86.70. We would like to hide or lock this option so the user can't change the Secure Domain Logon option, which we enabled using registry settings. Can you help us with the registry settings?
You should be able to both push the necessary registry changes described in this thread and lock them through GPO.
We don't provide a way to do this, however.
For anyone else who struggles with this in the future, due to there being absolutely no official documentation, you need to do the following on the client:
Create these registry keys and values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}]
@="CPEPC_PLAP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}\InprocServer32]
@="CPEPC_PLAP.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}]
@="CPEPC_PLAP"
Run the following command to enable Secure Domain Logon:
"C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.exe" SDL -ST Enable
You don't actually have to create the registry values before running the trac command but you do have to create the {A7FD389F-FAC9-4772-B6AF-54E09F65A2A3} keys under both CLSID and PLAP Providers.
If you create the keys then the command will set the values for you.
If you don't create the keys then trac.exe will not create the values and the logon screen icon will not appear.
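The procedure from the last post, as an added PowerShell example (not Check Point's own tooling, and, as the thread notes, not an officially supported method): it pre-creates the two {A7FD389F-...} keys that trac.exe will not create on its own, runs the SDL enable command, then reads back the values listed above so a missing one is reported rather than discovered at the logon screen. It assumes an elevated session and that trac.exe sits at one of the two install paths quoted in this thread.

```powershell
#Requires -RunAsAdministrator
# Added example: enable Secure Domain Logon on an already-deployed Endpoint Connect client.
$Clsid    = '{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}'
$ClsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
$InprocKey = "$ClsidKey\InprocServer32"
$PlapKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\$Clsid"

# 1. The keys must exist before trac.exe runs; trac.exe fills in the values itself.
foreach ($key in @($ClsidKey, $InprocKey, $PlapKey)) {
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
}

# 2. Locate trac.exe: both install layouts mentioned in the thread (assumed, adjust if yours differs).
$candidates = @(
    "${env:ProgramFiles(x86)}\CheckPoint\Endpoint Security\Endpoint Connect\trac.exe",
    "${env:ProgramFiles(x86)}\CheckPoint\Endpoint Connect\trac.exe"
)
$trac = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $trac) { throw "trac.exe not found at: $($candidates -join '; ')" }

# 3. Enable SDL through the client's own CLI, exactly as in the thread.
& $trac SDL -ST Enable
if ($LASTEXITCODE -ne 0) { throw "trac.exe exited with code $LASTEXITCODE" }

# 4. Verify the four values the thread lists; '(default)' is how PowerShell exposes a key's default value.
function Get-SdlRegistryStatus {
    $clsid  = Get-ItemProperty -LiteralPath $ClsidKey  -ErrorAction SilentlyContinue
    $inproc = Get-ItemProperty -LiteralPath $InprocKey -ErrorAction SilentlyContinue
    $plap   = Get-ItemProperty -LiteralPath $PlapKey   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ClsidDefault   = $clsid.'(default)'        # expected "CPEPC_PLAP"
        InprocDll      = $inproc.'(default)'       # expected "CPEPC_PLAP.dll"
        ThreadingModel = $inproc.ThreadingModel    # expected "Apartment"
        PlapDefault    = $plap.'(default)'         # expected "CPEPC_PLAP"
    }
}

$status  = Get-SdlRegistryStatus
$status | Format-List
$missing = $status.PSObject.Properties | Where-Object { [string]::IsNullOrEmpty($_.Value) } | ForEach-Object Name
if ($missing) {
    Write-Warning "SDL not fully configured; the logon-screen icon will not appear. Missing: $($missing -join ', ')"
    exit 1
}
```

The exit code makes the script usable as a remediation step in a deployment system, which can then re-run it or flag the endpoint for manual follow-up.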