How to Deploy FortiClient VPN with Configuration Using Microsoft Intune

Fortinet doesn't provide direct MSI downloads, so you need to extract the MSI from the online installer. This process captures the actual installation package that Intune can deploy.

Download the FortiClient VPN online installer from the Fortinet support portal. You'll need a valid support account to access the downloads section.

Run the installer but don't complete the installation:

FortiClientVPNOnlineInstaller.exe

When the installer reaches the welcome screen, it downloads the MSI to a temporary cache location. Navigate to the cache directory:

C:\ProgramData\Applications\Cache\

Look for a folder with a GUID name containing a version number subfolder. Sort by date modified to find the most recent extraction. The MSI file will be named something like FortiClientVPN.msi.

Copy the MSI file to a safe location on your system:

copy "C:\ProgramData\Applications\Cache\{GUID}\{VERSION}\FortiClientVPN.msi" "C:\Temp\FortiClientVPN.msi"

Cancel the installer after copying the MSI file.

Now you'll package the extracted MSI as a Line-of-Business (LOB) application in Intune for distribution to managed devices.

Log into the Microsoft Intune admin center at https://intune.microsoft.com and navigate to Apps:

Go to Apps > All apps > Add > Line-of-business app

Select Windows as the platform and upload your extracted FortiClient MSI file. Configure the app information:

• Name: FortiClient VPN
• Description: FortiClient VPN client for secure remote access
• Publisher: Fortinet
• Command-line arguments: /quiet /norestart
• Install behavior: System

Set the detection rules to use the MSI product code (automatically detected) or create a custom rule:

# Custom detection rule example
$AppPath = "C:\Program Files\Fortinet\FortiClient\FortiClient.exe"
if (Test-Path $AppPath) {
    $Version = (Get-ItemProperty $AppPath).VersionInfo.FileVersion
    Write-Output "FortiClient version: $Version"
}

Configure requirements:

• Operating system architecture: x64
• Minimum operating system: Windows 10 1607

Assign the app to your target device groups. Start with a pilot group before rolling out enterprise-wide.

Before creating the automated configuration script, you need to understand the registry structure by manually configuring FortiClient on a test device.

Install FortiClient on a test machine and configure your VPN connection manually through the FortiClient interface. This creates the registry entries you'll need to replicate via script.

After configuring the VPN connection, export the registry settings:

reg export "HKLM\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels" C:\Temp\FortiVPN_Config.reg

Open the exported registry file to examine the structure:

[HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\YourVPNName]
"server"="vpn.yourcompany.com"
"port"="443"
"description"="Company VPN Connection"
"auth_method"="sslvpn"
"save_password"=dword:00000000
"auto_connect"=dword:00000000

Document all the registry values you need to replicate. Common settings include:

• server - VPN server FQDN or IP
• port - Connection port (usually 443)
• description - User-friendly name
• auth_method - Authentication method
• certificate - Client certificate path if used

Test the manual configuration thoroughly to ensure it works before proceeding to script creation.

Create a PowerShell script that will automatically configure the VPN settings in the registry after FortiClient installation.

Create a new PowerShell script file named Configure-FortiVPN.ps1:

# FortiClient VPN Configuration Script
# Configure VPN connection via registry

# Variables - Customize these for your environment
$VPNName = "CompanyVPN"
$VPNServer = "vpn.yourcompany.com"
$VPNPort = "443"
$Description = "Company VPN Connection"
$AuthMethod = "sslvpn"

# Registry path for FortiClient VPN tunnels
$RegPath = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName"

try {
    # Check if FortiClient is installed
    $FortiClientPath = "C:\Program Files\Fortinet\FortiClient\FortiClient.exe"
    if (-not (Test-Path $FortiClientPath)) {
        Write-Error "FortiClient not found. Ensure application is installed first."
        exit 1
    }

    # Create registry path if it doesn't exist
    if (-not (Test-Path $RegPath)) {
        Write-Output "Creating registry path: $RegPath"
        New-Item -Path $RegPath -Force | Out-Null
    }

    # Set VPN configuration values
    Write-Output "Configuring VPN settings..."
    New-ItemProperty -Path $RegPath -Name "server" -Value $VPNServer -PropertyType String -Force
    New-ItemProperty -Path $RegPath -Name "port" -Value $VPNPort -PropertyType String -Force
    New-ItemProperty -Path $RegPath -Name "description" -Value $Description -PropertyType String -Force
    New-ItemProperty -Path $RegPath -Name "auth_method" -Value $AuthMethod -PropertyType String -Force
    New-ItemProperty -Path $RegPath -Name "save_password" -Value 0 -PropertyType DWord -Force
    New-ItemProperty -Path $RegPath -Name "auto_connect" -Value 0 -PropertyType DWord -Force

    Write-Output "VPN configuration completed successfully"
    
    # Verify configuration
    $ServerValue = Get-ItemProperty -Path $RegPath -Name "server" -ErrorAction SilentlyContinue
    if ($ServerValue.server -eq $VPNServer) {
        Write-Output "Configuration verified: Server = $($ServerValue.server)"
        exit 0
    } else {
        Write-Error "Configuration verification failed"
        exit 1
    }
}
catch {
    Write-Error "Script execution failed: $($_.Exception.Message)"
    exit 1
}

If your organization requires signed scripts, sign the PowerShell script:

# Self-sign the script (for testing)
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "CN=PowerShell Code Signing" -KeyUsage DigitalSignature -Type CodeSigningCert
Set-AuthenticodeSignature -FilePath "Configure-FortiVPN.ps1" -Certificate $cert

Deploy your configuration script through Intune's PowerShell script management feature to automatically configure VPN settings after FortiClient installation.

In the Intune admin center, navigate to device scripts:

Go to Devices > Scripts and remediations > Platform scripts > Add > Windows 10 and later

Upload your PowerShell script and configure the settings:

• Name: Configure FortiClient VPN
• Description: Automatically configures company VPN settings in FortiClient
• Script location: Upload your Configure-FortiVPN.ps1 file

Configure execution settings:

• Run this script using the logged on credentials: No
• Enforce script signature check: Yes (if you signed the script)
• Run script in 64 bit PowerShell Host: Yes

Set up assignments and scheduling:

• Assign to the same device groups as your FortiClient app
• Consider using a dependency or delay to ensure FortiClient installs before the script runs

Create a detection script to verify successful configuration:

# Detection script
$RegPath = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\CompanyVPN"
if (Test-Path $RegPath) {
    $server = Get-ItemProperty -Path $RegPath -Name "server" -ErrorAction SilentlyContinue
    if ($server.server -eq "vpn.yourcompany.com") {
        Write-Output "VPN configured correctly"
        exit 0
    }
}
Write-Output "VPN not configured"
exit 1

Ensure proper deployment sequencing so FortiClient installs before the configuration script runs. This prevents script failures due to missing application files.

Set up app dependencies in Intune to control installation order:

Edit your FortiClient VPN app in Intune and go to Properties > Dependencies > Add

Configure dependency relationships if you have prerequisite software (like specific certificates or network drivers).

For the PowerShell script, create a remediation script that checks for FortiClient before applying configuration:

# Enhanced configuration script with dependency checking
$MaxRetries = 5
$RetryDelay = 30

for ($i = 1; $i -le $MaxRetries; $i++) {
    $FortiClientPath = "C:\Program Files\Fortinet\FortiClient\FortiClient.exe"
    
    if (Test-Path $FortiClientPath) {
        Write-Output "FortiClient found, proceeding with configuration..."
        # Run your configuration code here
        break
    } else {
        Write-Output "Attempt $i: FortiClient not found, waiting $RetryDelay seconds..."
        if ($i -eq $MaxRetries) {
            Write-Error "FortiClient installation not detected after $MaxRetries attempts"
            exit 1
        }
        Start-Sleep -Seconds $RetryDelay
    }
}

Configure assignment filters to target specific device groups or exclude devices that shouldn't receive the VPN configuration:

{
  "filterType": "include",
  "rule": "(device.deviceOwnership -eq \"Corporate\") and (device.operatingSystem -eq \"Windows\")"
}

Set up monitoring and reporting:

• Create a custom device compliance policy that checks for VPN configuration
• Use Intune reporting to track deployment success rates
• Set up alerts for failed deployments

Thoroughly test your deployment on pilot devices before rolling out to the entire organization. This step identifies potential issues and validates the complete workflow.

Select a small group of test devices representing your environment diversity (different Windows versions, hardware configurations, network locations).

Monitor the deployment process in real-time:

# PowerShell script to check deployment status locally
$AppName = "FortiClient VPN"
$VPNName = "CompanyVPN"

# Check if app is installed
$App = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*FortiClient*" }
if ($App) {
    Write-Output "✓ FortiClient installed: $($App.Version)"
} else {
    Write-Output "✗ FortiClient not found"
}

# Check VPN configuration
$RegPath = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName"
if (Test-Path $RegPath) {
    $Config = Get-ItemProperty -Path $RegPath
    Write-Output "✓ VPN configured: Server = $($Config.server)"
} else {
    Write-Output "✗ VPN configuration not found"
}

# Test VPN connectivity (basic)
$VPNServer = (Get-ItemProperty -Path $RegPath -Name "server" -ErrorAction SilentlyContinue).server
if ($VPNServer) {
    $TestConnection = Test-NetConnection -ComputerName $VPNServer -Port 443
    if ($TestConnection.TcpTestSucceeded) {
        Write-Output "✓ VPN server reachable"
    } else {
        Write-Output "✗ Cannot reach VPN server"
    }
}

Validate end-user experience:

1. Launch FortiClient on test devices
2. Verify the VPN connection appears in the connection list
3. Test authentication with user credentials
4. Confirm network access to internal resources after connection
5. Test disconnect and reconnect functionality

Check common failure points:

• Windows Defender or third-party antivirus blocking installation
• Group Policy conflicts with VPN settings
• Network restrictions preventing VPN traffic
• Certificate issues for SSL VPN authentication

Document any issues and create troubleshooting procedures:

# Troubleshooting script for common issues
# Check Windows Event Logs for FortiClient errors
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='FortiClient'} -MaxEvents 10 | Format-Table TimeCreated, LevelDisplayName, Message -Wrap

# Check Intune management extension logs
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'} -MaxEvents 20

Implement comprehensive monitoring and establish troubleshooting procedures for ongoing deployment management and user support.

Set up Intune reporting dashboards to track deployment metrics:

Navigate to Apps > Monitor > App install status to view FortiClient deployment statistics.

Create custom reports for VPN configuration success:

# PowerShell script for deployment reporting
$Computers = Get-ADComputer -Filter * -Properties OperatingSystem | Where-Object { $_.OperatingSystem -like "*Windows 10*" -or $_.OperatingSystem -like "*Windows 11*" }

$Results = foreach ($Computer in $Computers) {
    try {
        $Session = New-PSSession -ComputerName $Computer.Name -ErrorAction Stop
        $Status = Invoke-Command -Session $Session -ScriptBlock {
            $FortiClient = Test-Path "C:\Program Files\Fortinet\FortiClient\FortiClient.exe"
            $VPNConfig = Test-Path "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\CompanyVPN"
            [PSCustomObject]@{
                ComputerName = $env:COMPUTERNAME
                FortiClientInstalled = $FortiClient
                VPNConfigured = $VPNConfig
                LastChecked = Get-Date
            }
        }
        Remove-PSSession $Session
        $Status
    } catch {
        [PSCustomObject]@{
            ComputerName = $Computer.Name
            FortiClientInstalled = "Error"
            VPNConfigured = "Error"
            LastChecked = Get-Date
            Error = $_.Exception.Message
        }
    }
}

$Results | Export-Csv -Path "C:\Reports\FortiClient-Deployment-Status.csv" -NoTypeInformation

Common troubleshooting scenarios and solutions:

Set up automated remediation for common issues:

# Remediation script for missing VPN configuration
$RegPath = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\CompanyVPN"

if (-not (Test-Path $RegPath)) {
    Write-Output "VPN configuration missing, attempting repair..."
    
    # Re-run configuration script
    try {
        # Your configuration code here
        Write-Output "Configuration repaired successfully"
    } catch {
        Write-Error "Remediation failed: $($_.Exception.Message)"
        # Log to event log for monitoring
        Write-EventLog -LogName Application -Source "FortiClient Deployment" -EventId 1001 -EntryType Error -Message "VPN configuration remediation failed: $($_.Exception.Message)"
    }
}

Establish user support procedures:

• Create self-service troubleshooting guides
• Document common user error messages and solutions
• Set up helpdesk escalation procedures for complex issues
• Provide alternative connection methods for critical users