Skip to content

Easy FortiClient VPN Profile installation with Intune

Fortinet Document Library has a documented routine for distributing the FortiClient application with Intune to Microsoft Windows. This routine is working Ok, but it is missing information on how to distribute the VPN profiles to the client. This will be the topic for this post.

Table of Contents

Installation of the FortiClient Application

Please read and follow the document in Fortinet Document Library covering the topic of configuring the FortiClient application in Intune. During this routing you need to download the current FortiClient VPN client and start the downloaded EXE file to download the actual MSI installation. This could be wise to do in a Windows Sandbox environment. You will find the MSI file in the newest folder with {randomguid} name under %localappdata%Temp.

After this routine has been setup and you have the app distributed to a group and installed, you will find the application available in the system tray on the devices.

The problem here, is the missing VPN profile for connecting your client to the service.

Installation of FortiClient VPN Profile

I am using proactive remediations to distribute the VPN profile to the Windows devices. This means a prerequisite for an appropriate license SKU.

The scripts used for detection and remediation is located in my GitHub account.

The detection script checks if a defined VPN profile folder exists in the local Registry.

<#
  .NOTES
  ===========================================================================
   Created on:   	27.06.2022
   Created by:   	Simon Skotheimsvik
   Filename:     	FortinetVPNProfile-Detect.ps1
   Instructions:    https://skotheimsvik.blogspot.com/2022/07/fortinet-vpn-profile-distribution-with.html
  ===========================================================================
  
  .DESCRIPTION
    This script will detect if VPN profile is present

#>

# Defining variables for the VPN connection
$VPNName = "Simons VPN"

if ((Test-Path -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName") -ne $true) {
  Write-Host "Not existing"
  Exit 1
}
Else {
  Write-Host "OK"
  Exit 0
}
PowerShell

The remediation script will kick in if the detection script finds the profile to be missing.

<#
  .NOTES
  ===========================================================================
   Created on:   	27.06.2022
   Created by:   	Simon Skotheimsvik
   Filename:     	FortinetVPNProfile-Remediation.ps1
   Instructions:    https://skotheimsvik.blogspot.com/2022/07/fortinet-vpn-profile-distribution-with.html
  ===========================================================================
  
  .DESCRIPTION
    This script will create a VPN profile

#>

# Defining variables for the VPN connection
$VPNName = "Simons VPN"
$Server = "vpn.skotheimsvik.no:443"

# Install VPN Profiles
New-Item "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'Description' -Value $VPNName -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'Server' -Value $Server -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'promptusername' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'promptcertificate' -Value 0 -PropertyType DWord -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'ServerCert' -Value '1' -PropertyType String -Force -ea SilentlyContinue;

if ((Test-Path -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName") -ne $true) {
    $exitCode = -1
}
else {
    $exitCode = 0
}

exit $exitCode
PowerShell

This script package should now be added as a proactive remediation package under Microsoft Endpoint Manager. Assign the package to the same group of computers as the FortiClient installation and set an appropriate schedule.

As soon as the remediation script hits your Windows devices, the FortClient will get updated with the assigned VPN Profiles.

This way we have created a fully automated distribution of the FortiClient through Microsoft Intune.

Complementary Information

You can find a routine from Alex Durrant in letsconfigmgr.com describing a complete routine deploying FortiClient VPN and Profiles in one run. This has been tested as a good routine! If you have however followed the documentation from Fortinet Document Library or you need to change or add VPN profiles, you need my proactive remediation routine to automate the VPN profiles for your environment.

Alternative with Scappman from Patch My PC

If you are using Scappman (part of Patch My PC) to automate your application installations and updates in Microsoft, the VPN Profile can be added as part of that installation. This will give the advantage of an always up to date client in your environment.

Please note: This is not a sponsored post

The FortiClient application can easily be found in the App Store at Scappman.

Diving in to the Advanced settings for the installation inside Scappman, we can add some custom post-install commands.

Here we can add the customization needed to get the VPN Profile as a post-install command.

The code for adding the VPN Profile is as follows.

## Install VPN Profiles
Set-RegistryKey -Key "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\SimonsVPN" -Name "Description"  -Value "Simons VPN Connection" -Type String
Set-RegistryKey -Key "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\SimonsVPN" -Name "Server"  -Value "vpn.skotheimsvik.no:443" -Type String
Set-RegistryKey -Key "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\SimonsVPN" -Name "promptusername"  -Value 1 -Type DWord
Set-RegistryKey -Key "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\SimonsVPN" -Name "promptcertificate"  -Value 0 -Type DWord
Set-RegistryKey -Key "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\SimonsVPN" -Name "ServerCert"  -Value 1 -Type String
PowerShell

Scappman will add FortiClient as an application in Intune. There will be one application listing for distribution of the application, and one for keeping the client up to date for all devices targeted by the update application.

This distribution will now automatically be kept up to date and patched throughout its lifetime by the Scappman service.

Published inAutomationIntuneMicrosoft 365PowershellScriptWindows

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.