
FortiClient VPN configuration with Intune

The "FortiClient VPN" can be distributed with, for example, Intune, even without the Fortinet / FortiGate Premium EMS features. All you need is the correct MSI package and an exported configuration file. If you know how, the individual steps are not very complex.

To keep the package with Intune as simple as possible, I created a template for you. If you select the "FortiClient VPN.zip" file, you can download the whole thing right away.

Export FortiClient VPN configuration

First we create and export the desired configuration of the FortiClient. You can trigger the export in the settings of the client itself: select the cog wheel in the top right, choose Backup, pick a storage location and set a password.

FortiClient VPN Backup

It's best to name the backup file you just created "FortiClientVPN.conf" and put it in the downloaded template. In addition, you must enter the defined password in the "install.ps1" file in the second line ($ConfigPW). The password is stored in plain text in the script, so use one that is dedicated to this backup file.

$PackageName = "FortiClientVPN"
$ConfigPW = "Kateoih785" # insert your password here!

Extracting the MSI of the FortiClient VPN

Now all we have to do is extract the current MSI from the installation.
To do that, download the current EXE of the "FortiClient VPN only" installer.
Then run the EXE and copy the MSI out of the %temp% directory.

Extract FortiClient VPN MSI

We also pack the extracted MSI into the template. The folder should then look like this:

FortiClient VPN Package Intune

Customize detection rule

The version of the FortiClient VPN and the stored profile are checked in the detection rule (check.ps1). To do this, you have to adjust the "$ProfileName" and "$ProgramVersion_target" parameters in the second and third line. The profile name is the one you defined in the FortiClient.

$ProfileName = "DEMO scloud" # Change to your Profilename!
$ProgramVersion_target = '7.0.2.90' # Set to version from MSI
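
As an added example (not the template's check.ps1, whose contents are not shown on this page), a detection script along these lines checks both conditions. It assumes an SSL VPN profile stored under `SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels` (the IPsec variant of the path appears in the comments on this page), treats an installed version equal to or newer than the target as detected, and uses hypothetical function names.

```powershell
# Added example: Intune custom detection script (not the template's check.ps1).
$ProfileName           = "DEMO scloud"      # sample value from the article; use your profile name
$ProgramVersion_target = '7.0.2.90'         # sample value from the article; use your MSI version
$DisplayName           = 'FortiClient VPN'  # product name as used with Get-Package on this page
# Assumption: SSL VPN tunnels live under Sslvpn\Tunnels; for IPsec use IPsec\Tunnels instead.
$TunnelRoot            = 'SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels'

# Always read the 64-bit registry view, even when the script runs as a 32-bit process.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry64)

function Get-InstalledVersion {
    # Returns DisplayVersion of the first uninstall entry whose DisplayName matches, or $null.
    param([string]$Name)
    $roots = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        $key = $hklm.OpenSubKey($root)
        if (-not $key) { continue }
        foreach ($sub in $key.GetSubKeyNames()) {
            $entry = $key.OpenSubKey($sub)
            if ($entry -and $entry.GetValue('DisplayName') -eq $Name) {
                return [string]$entry.GetValue('DisplayVersion')
            }
        }
    }
    return $null
}

function Test-VersionAtLeast {
    # [version] compares numerically: 7.0.10 is newer than 7.0.2, which a string compare gets wrong.
    param([string]$Installed, [string]$Target)
    $i = $Installed -as [version]   # $null when the value is missing or not a version
    $t = $Target -as [version]
    return ($null -ne $i -and $null -ne $t -and $i -ge $t)
}

$installed  = Get-InstalledVersion -Name $DisplayName
$hasProfile = $null -ne $hklm.OpenSubKey("$TunnelRoot\$ProfileName")

if ((Test-VersionAtLeast -Installed $installed -Target $ProgramVersion_target) -and $hasProfile) {
    # Intune treats exit code 0 plus output on STDOUT as "detected".
    Write-Output "FortiClient VPN $installed with profile '$ProfileName' found"
    exit 0
}
exit 1   # version too old, product missing or profile missing: not detected
```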

Create Intunewin

From this package we now create the Intunewin file using the Microsoft Win32 Content Prep Tool. The setup file is "install.ps1".

FortiClient VPN - intunewin

We can now upload the created "install.intunewin" file in the Endpoint Manager under "Apps > Windows + Add" and distribute it.

add win32 app
add win32 app FortiClient VPN

The program parameters are:

Install command: %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -command .\install.ps1
Uninstall command: %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -command .\uninstall.ps1

FortiClient VPN program parameters Intune
FortiClient VPN requirements Intune

You can use the prepared "check.ps1" for the detection rule, but make sure you customize the profile name and version in the detection rule first.

FortiClient VPN detection rule Intune

The package does not need any dependencies; you just have to assign and save it.
This is how you can easily distribute the FortiClient VPN via Intune and update it with the same mechanism.

18 thoughts on “FortiClient VPN configuration with Intune”

    1. Hi Danish, the uninstall command/script is quite simple. Since the installation is based on an MSI you can simply use the command "Get-Package 'FortiClient VPN' | Uninstall-Package -Force".
      This is all I do within my uninstall.ps1 (and an additional log).

      Is this already enough explanation or is there a specific sequence/point that is still unclear?

  1. Good evening

    I followed the whole process exactly and saved my .conf file in the template, but when the app is deployed to new devices it does not bring the configuration with it, only the application

    1. Hi Julian, did you see an error in the log?
      Please also check the following points:
      - Config file is named FortiClientVPN.conf
      - Password in install.ps1 is the one you've chosen

      1. Hi Florian, the log does not show me any errors, my file is named FortiClientVPN.conf and in the other file I put my personal password. When I open the application it only gives me the option to configure a VPN, and I need it to show me the configured profiles

    2. Very good guide, unfortunately only the VPN config works. If the IP of the EMS server could also go through the config, that would be awesome :=

    3. Hey Florian

      Been looking for a solution for this for a while now. I have tried your solution and still get the same error as all the others I have tried.
      In the OOBE screen in the device setup stage I get the error 0x81036502 (I think this is a permissions issue). I believe I have followed your instructions correctly.

      I did change the path to the following as I am using an IPsec VPN
      $RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\IPsec\Tunnels\$ProfileName"

      Can you help?

      1. I have also tried changing the import command to the one below as I believe it needs it since I changed from SSL to IPsec. Still not working.
        Start-Process "C:\Program Files\Fortinet\FortiClient\FCConfig.exe" -ArgumentList "-m vpn -f FortiClientVPN.conf -o import -i 1 -p $ConfigPW" -Wait

      2. Hi Jock, with some configurations the FortiClient requires/forces a restart which results in the error "0x81036502".
        Could you try to exclude the FortiClient from ESP, so it will be installed after?
        Or what happens if you install the App from the Company Portal?

        1. Hi Florian

          Thanks for the reply.

          I'm new to Autopilot so will need a little hand holding 🙂 What do you mean by excluding the FortiClient from the ESP?
          Haven't tried the Company Portal option as that would require user intervention and I'm trying to avoid that.

          G

          1. No worries 🙂
            In the ESP (https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-status) you can define which apps should be installed before the first user login. If not mandatory in the ESP the app will be installed after the first login. This way you don't get an error and can troubleshoot the installation more easily.
            After the installation you'll find a log file at "C:\Program Files\4net\EndpointManager\Log\FortiClientVPN-install.log" maybe this gives you a hint what went wrong.

    4. Ok, I follow now. So I select the apps that "must" be installed before the user can log in and it will only install those in the OOBE. Anything else will be installed when the user logs in? Is that correct?

      For example, in the "Block device use until required apps are installed if they are assigned to the user/device" option I change to selected and maybe choose "Microsoft 365 Apps for Windows 10 and later" as the only app to install in the OOBE stage. Once that's installed, the OOBE stage moves on and then the user gets to log in. The FortiClient VPN will then install whilst the user is logged in?

        1. Thank You.

          Will give it a go later and let you know how it goes. Probably best to test that I can actually run the script on a machine first to see if that works before I try with Intune 🙂

    5. Hi Florian

      Just wanted to say thanks for your help.

      I have now successfully got the FortiClient VPN and config file installed. Unfortunately I couldn't get your PowerShell method working manually when I ran it on a machine, so I ended up going back to a method I knew worked whilst a user was logged in, using a script file. So, thanks to your suggestion of leaving it until the user logged in, I managed to get it to work. (I didn't know you had an option of delaying an install using the ESP 🙂 )

      G
