The "FortiClient VPN" can be deployed with Intune, for example, using the correct MSI package and an exported configuration file, even without the Fortinet / FortiGate premium EMS features. Once you know how, the individual steps are not very laborious.
To keep the Intune package as simple as possible, I have created a template for you. If you select the file "FortiClient VPN.zip", you can download the whole thing right away.
Table of Contents
- Export the FortiClient VPN configuration
- Extract the MSI from the FortiClient VPN installer
- Adjust the detection rule
- Create the Intunewin file
Export the FortiClient VPN configuration
First we create and export the desired FortiClient configuration. You can trigger the export in the client itself under its settings: select the gear icon at the top right, then Backup, choose a location and set a password.
It is best to name the backup file you just created "FortiClientVPN.conf" and place it in the downloaded template. You also have to enter the password you defined in the second line ($ConfigPW) of the file "install.ps1".
$PackageName = "FortiClientVPN"
$ConfigPW = "Kateoih785" # insert your password here!
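As an added example (not the template's own install.ps1 and not Fortinet's code), this is what an install script with the $ConfigPW line described above can look like: it installs the extracted MSI silently and then imports the exported configuration. The MSI file name, the FCConfig.exe path and its arguments (which follow the FortiClient backup/restore syntax) are assumptions; the log directory is the one named later in the comments.

```powershell
# Added example install.ps1 (not the template's or Fortinet's own script).
$PackageName = "FortiClientVPN"
$ConfigPW    = "Kateoih785"           # insert your password here!
$MsiName     = "FortiClientVPN.msi"   # assumed name of the MSI you copied out of %temp%
$ConfName    = "FortiClientVPN.conf"  # the exported configuration, named as in the guide
$LogDir      = "C:\Program Files\4net\EndpointManager\Log"            # log location named in the comments
$FCConfig    = "C:\Program Files\Fortinet\FortiClient\FCConfig.exe"   # assumed default install path

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir "$PackageName-install.log") -Append
$exitCode = 1

try {
    # Step 1: silent MSI install. /norestart stops msiexec from rebooting in the middle
    # of ESP; 3010 means "installed, reboot pending" and is treated as success here.
    $msi    = Join-Path $PSScriptRoot $MsiName
    $msiLog = Join-Path $LogDir "$PackageName-msi.log"
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /qn /norestart /L*v `"$msiLog`"" -Wait -PassThru
    if (@(0, 3010) -notcontains $p.ExitCode) { throw "msiexec returned $($p.ExitCode)" }

    # Step 2: import the exported configuration with FortiClient's own FCConfig.exe.
    # Assumed arguments: -m all = all sections, -f = file, -o import, -i 1, -p = backup password.
    $conf = Join-Path $PSScriptRoot $ConfName
    $p = Start-Process $FCConfig -ArgumentList "-m all -f `"$conf`" -o import -i 1 -p $ConfigPW" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "FCConfig import returned $($p.ExitCode)" }

    Write-Output "$PackageName installed and configuration imported."
    $exitCode = 0
}
catch {
    Write-Output "ERROR: $_"
}
finally {
    Stop-Transcript
}
exit $exitCode
```

Two points worth keeping in mind: the Intunewin package, and with it this script, ends up on every assigned device, so the backup password protects only the exported configuration file and should not be a password you use anywhere else; and the exit code is passed back to Intune, so a failed config import shows up as a failed install rather than as a silently unconfigured client (the situation described in the comments).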
Extract the MSI from the FortiClient VPN installer
Now we only need to extract the current MSI from the installer.
You can download the current EXE of the "FortiClient VPN only" here.
Then run the EXE and copy the MSI out of the %temp% directory.
We also place the extracted MSI in the template. The folder should then look like this:
Adjust the detection rule
The detection rule (check.ps1) checks the version of the FortiClient VPN and the stored profile. To do this, adjust the parameters "$ProfileName" and "$ProgramVersion_target" in the second and third lines. The profile name is the one you defined in the FortiClient.
$ProfileName = "DEMO scloud" # Change to your profile name!
$ProgramVersion_target = '7.0.2.90' # Set to version from MSI
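As an added example (not the template's own check.ps1), this is a complete Intune custom detection script built around the two parameters above. Intune treats a Win32 app as detected only when the script exits with 0 and writes something to STDOUT, so both conditions are handled explicitly. The registry path for SSL VPN tunnels is an assumption (the comments below mention the IPsec counterpart under ...\IPsec\Tunnels); the installed version is read from the Windows Uninstall keys.

```powershell
# Added example check.ps1 (not the template's own script).
# Detected = output on STDOUT and exit 0; not detected = no output and exit 1.
$ProfileName           = "DEMO scloud"   # Change to your profile name!
$ProgramVersion_target = '7.0.2.90'      # Set to version from MSI

function Get-FortiClientVersion {
    # Read DisplayVersion of "FortiClient VPN" from the 64- and 32-bit Uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'FortiClient VPN' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-FortiProfile {
    param([string]$Name)
    # Assumed location of SSL VPN tunnel profiles; for IPsec tunnels use ...\IPsec\Tunnels\$Name.
    Test-Path "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$Name"
}

$installed = Get-FortiClientVersion
if (-not $installed) { exit 1 }   # client not installed at all

# [version] comparison instead of string comparison, so 7.0.10 sorts after 7.0.2.
$versionOk = [version]$installed -ge [version]$ProgramVersion_target
$profileOk = Test-FortiProfile -Name $ProfileName

if ($versionOk -and $profileOk) {
    Write-Output "FortiClient VPN $installed with profile '$ProfileName' detected"
    exit 0
}
exit 1
```

Checking the profile, not just the version, is what makes the guide's update mechanism work: a device where the client is present but the configuration import failed is reported as "not installed", so Intune retries the package instead of leaving an unconfigured client behind. Using "greater or equal" on the version means a device that already received a newer client manually is not downgraded.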
Create the Intunewin file
From this package we now create the Intunewin file using the Microsoft Win32 Content Prep Tool. The setup file is "install.ps1".
The created file "install.intunewin" can now be uploaded and deployed in the Endpoint Manager under "Apps > Windows + Add".
The program parameters are:
Install command | %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -command .\install.ps1
Uninstall command | %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -command .\uninstall.ps1
For the detection rule you can use the prepared "check.ps1". But ATTENTION: adjust the profile name and the version in the detection rule first.
The package needs no dependencies; you only have to assign it and save.
This way you have deployed the FortiClient VPN via Intune very easily and can update it with the same mechanism.
Could you please explain in more detail? It seems like you forgot the uninstall script.
Hi Danish, the uninstall command/script is quite simple. Since the installation is based on an MSI, you can simply use the command "Get-Package 'FortiClient VPN' | Uninstall-Package -Force".
This is all I do within my uninstall.ps1 (and an additional log).
Is this already enough explanation, or is there a specific sequence/point where something is still unclear?
Good evening
I did the whole process exactly as described and saved my .conf file in the template, but when the app is deployed to new machines the configuration is not delivered, only the application.
Hi Julian, did you see an error in the log?
Please also check the following points:
- Config file is named FortiClientVPN.conf
- Password in install.ps1 is the one you've chosen
Hello Florian, the log shows me no errors, my file is named FortiClientVPN.conf and in the other file I entered my personal password. When I open the application it only gives me the option to configure a VPN, and I need it to show me the configured profiles.
Strange, are you able to manually import the config file after the installation?
If I do it manually it works, but I need it automated for all of the company's machines.
If you want, you can send me your config via the contact form and a sharing link, and I'll have a look into it.
Very good guide; unfortunately only the VPN config works. If the IP of the EMS server could also be set through the config, that would be awesome :=
Hey Florian
Been looking for a solution for this for a while now. I have tried your solution and still get the same error as with all the others I have tried.
In the OOBE screen, in the device setup stage, I get the error 0x81036502 (I think this is a permissions issue). I believe I have followed your instructions correctly.
I did change the path to the following, as I am using an IPsec VPN:
$RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\IPsec\Tunnels\$ProfileName"
Can you help?
I have also tried changing the import command to the one below, as I believe it needs it since I changed from SSL to IPsec. Still not working.
Start-Process "C:\Program Files\Fortinet\FortiClient\FCConfig.exe" -ArgumentList "-m vpn -f FortiClientVPN.conf -o import -i 1 -p $ConfigPW" -Wait
Hi Jock, with some configurations the FortiClient requires/forces a restart which results in the error "0x81036502".
Could you try to exclude the FortiClient from the ESP, so that it is installed afterwards?
Or what happens if you install the App from the Company Portal?
Hi Florian
Thanks for the reply.
I'm new to Autopilot so will need a little hand-holding 🙂 What do you mean by excluding the FortiClient from the ESP?
Haven't tried the Company Portal option, as that would require user intervention and I'm trying to avoid that.
G
No worries 🙂
In the ESP (https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-status) you can define which apps should be installed before the first user login. If not mandatory in the ESP the app will be installed after the first login. This way you don't get an error and can troubleshoot the installation more easily.
After the installation you'll find a log file at "C:\Program Files\4net\EndpointManager\Log\FortiClientVPN-install.log"; maybe this gives you a hint about what went wrong.
Ok, I follow now. So I select the apps that "must" be installed before the user can log in, and it will only install those in the OOBE. Anything else will be installed when the user logs in? Is that correct?
For example, in the "Block device use until required apps are installed if they are assigned to the user/device" option I change to "Selected" and maybe choose "Microsoft 365 Apps for Windows 10 and later" as the only app to install in the OOBE stage. Once that's installed, the OOBE stage moves on and then the user gets to log in. The FortiClient VPN will then install whilst the user is logged in?
Yes, correct.
Thank You.
Will give it a go later and let you know how it goes. Probably best to test that I can actually run the script on a machine first to see if that works before I try it with Intune 🙂
Hi Florian
Just wanted to say thanks for your help.
I have now successfully got the FortiClient VPN and config file installed. Unfortunately I couldn't get your PowerShell method working manually when I ran it on a machine, so I ended up going back to a method I know worked whilst a user was logged in, using a script file. So, thanks to your suggestion of leaving it until the user logged in, I managed to get it to work. (I didn't know you had the option of delaying an install using the ESP 🙂)
G
Hi Florian
Thanks for the help it is working for me.
Hi Florian,
Awesome guide, thanks. How do you usually deal with app updates in cases like this? Would it be preferable to always keep the installer package up to date, or is it better to just install a base version and let it update itself? And then provide an updated installer every once in a while.
In this case, unfortunately, it varies from version to version. I've had some versions that force a reboot (even though they say they don't).
So you have to test every update carefully before you install it.
But I recommend keeping it as up to date as possible, because an old FortiVPN client can be very risky. If you have Defender for Endpoint, you'll soon find out that there are a lot of CVEs.
Hey Florian. Thank you for sharing the valuable. In our organization, we use FortiClient VPN, but after installation from Intune, we have to manually Register with Zero Trust Fabric using the Server Address or Invitation Code. After this, our FortiClient gets activated.
Could you kindly advise how to connect/activate our FortiClient as preconfigured so we don't have to perform manual activation?
Do you have a FortiEMS licence?
Yes, we have the FortiClient EMS license. I also want you to know that we are using the MSI version app.
With the EMS license, you don't need to use this guide, you can just use the MSI: https://docs.fortinet.com/document/forticlient/7.2.0/intune-deployment-guide/776135/configuring-the-forticlient-application-in-intune
Thank you for sharing the link, Florian.
It is exactly what we needed. There is only one concern: the uninstallation script forcefully reboots the machine, which our organization wants to avoid.
I tried modifying the uninstall script with switches, but these switches did not help me revoke a forceful restart.
/norestart,
/silent
/verysilent
msiexec /quiet /norestart /uninstall {079B00DA-23ED-4F29-AED8-7137A11CCD4A
Is there any chance we can avoid a forceful restart for this uninstall script, please?
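As an added example (not the template's uninstall.ps1 and not Fortinet's code), this covers both the uninstall question earlier in the thread and the forced-restart question above: it looks up the MSI product code of "FortiClient VPN" in the registry instead of hard-coding a GUID, removes the package with msiexec /x /qn /norestart, and hands msiexec's exit code back to Intune. The log directory is the one named in the comments; everything else is assumed.

```powershell
# Added example uninstall.ps1 (not the template's or Fortinet's own script).
$PackageName = "FortiClientVPN"
$LogDir      = "C:\Program Files\4net\EndpointManager\Log"   # log location named in the comments
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir "$PackageName-uninstall.log") -Append

function Get-FortiClientProductCode {
    # The Uninstall key of an MSI-installed product is named after its product code {GUID},
    # so reading it here avoids hard-coding a GUID that changes with every version.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'FortiClient VPN' -and $_.PSChildName -like '{*}' } |
        Select-Object -First 1 -ExpandProperty PSChildName
}

$code = Get-FortiClientProductCode
if (-not $code) {
    Write-Output "FortiClient VPN is not installed, nothing to do."
    Stop-Transcript
    exit 0
}

# /qn = no UI; /norestart = msiexec itself never reboots. If the package still requires a
# reboot, msiexec returns 3010 and Intune decides what to do based on the app's return codes.
$msiLog = Join-Path $LogDir "$PackageName-uninstall-msi.log"
$p = Start-Process msiexec.exe -ArgumentList "/x $code /qn /norestart /L*v `"$msiLog`"" -Wait -PassThru
Write-Output "msiexec exit code: $($p.ExitCode)"
Stop-Transcript
exit $p.ExitCode
```

One caveat that follows from the thread: /norestart only controls what msiexec does. If the FortiClient package itself triggers the restart (the author notes that some versions force one even when they say they don't), no msiexec switch suppresses it, and the only reliable way to find out is to test each version's uninstall on a non-production device and watch the msi log for a reboot request.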