FortiClient VPN 7.0.1 -> 7.4.0 upgrade via Intune

Hi,

Our company is still using FortiClient VPN version 7.0.1, deployed via Intune.

I’m looking to upgrade FortiClient to version 7.4.0 while keeping the configuration.

First I packaged (.intunewin) the .exe setup, changed it to the .msi later. The upgrade itself works, it keeps the config (now, using the msi), but for the first use it gives a UAC prompt for %programfiles%\Fortinet\FortiClient\FortiClientSecurity --start --service fa_scheduler

Our end users have no admin rights, so cannot do that, and the VPN does not connect afterwards.

I’ve tried quite a couple of things / different deployment methods but haven’t found a solution.

Any idea how I can best upgrade, keeping the config, without requiring admin credentials from the end user?

Thanks in advance!

Why FC 7.4.0? I haven’t had much luck with it. We are still using 7.0.13 for our remote people as we found it to be least problematic.

Go 7.2.5 as first non-rubbish VPN software for a year

So you don't have to pay Fortinet protection racket for their buggy Zero Trust rubbish, this PS script with Intune will cover all bases (New, Upgrade not logged into VPN, Upgrade and logged onto VPN - this one stupid issue Fortinet don't care about but below will get around)

Change COMPANYVPN, whateveryourcompany & vpn.yourcompany.domain:443 to own stuff

---

```powershell
# Disable the FA_Scheduler service (absent on a new install, so ignore errors)
Set-Service -Name "FA_Scheduler" -StartupType Disabled -ErrorAction SilentlyContinue

# Stop the running FortiClient processes
Stop-Process -Name "fortiSSLVPNdaemon" -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 10
taskkill /im FortiVPN.exe /t /f
taskkill /im FCDBLog.exe /t /f
taskkill /im FortiSettings.exe /t /f
taskkill /im FortiTray.exe /t /f

# Kill the scheduler.exe process
Get-Process -Name "scheduler" -ErrorAction SilentlyContinue | Stop-Process -Force

# Install FortiClient VPN (FortiClient.msi must be in the working directory)
Write-Host "Installing FortiClient VPN..."
Start-Process Msiexec.exe -Wait -ArgumentList '/i FortiClient.msi /quiet /norestart'
Write-Host "FortiClient VPN installed."
Start-Sleep -Seconds 5

# Enable the FA_Scheduler service
Set-Service -Name "FA_Scheduler" -StartupType Automatic

# Install VPN Profiles
$vpnKeyPath = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\COMPANYVPN"
if ((Test-Path -LiteralPath $vpnKeyPath) -ne $true) {
    Write-Host "Creating VPN profile..."
    New-Item -Path $vpnKeyPath -Force -ErrorAction SilentlyContinue
}

# Add VPN profile properties
Write-Host "Configuring VPN profile..."
New-ItemProperty -LiteralPath $vpnKeyPath -Name 'Description' -Value 'whateveryourcompany' -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $vpnKeyPath -Name 'Server' -Value 'vpn.yourcompany.domain:443' -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $vpnKeyPath -Name 'promptusername' -Value 1 -PropertyType DWord -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $vpnKeyPath -Name 'promptcertificate' -Value 0 -PropertyType DWord -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $vpnKeyPath -Name 'ServerCert' -Value '1' -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $vpnKeyPath -Name 'sso_enabled' -Value 1 -PropertyType DWord -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $vpnKeyPath -Name 'use_external_browser' -Value 1 -PropertyType DWord -Force -ErrorAction SilentlyContinue
Write-Host "VPN profile configured successfully."
```

I just checked for the latest version that I could find…

We’re using the free version, so just basic VPN functionality. I wouldn’t expect issues with that…?

What are the issues you’re experiencing?

Thank you very much for this.
I’ll look into it later this week.

I have packaged this script and the msi and deployed it via Intune to my 2 test devices.

It does the upgrade well. Needs a reboot afterwards but keeps the existing VPN profile. That is very nice.

New installation does succeed, but not with the profile. The register keys are not created. Not even the tunnel folder: HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\COMPANYVPN

However, when I manually run that part of the script as system, it does create the keys and the VPN profile is available in FortiClient. Any idea about that?

this might be a lifesaver for me, so does this keep profiles made by the user or only the ones we specify?

Forticlient dropping connections, or not connecting after the computer is locked.

coolio, tell me how it goes, occasionally after upgrade with that script you will get the blue thing below, I send the following email to staff the day before (Would be great if Fortinet knew how to develop client products, but meh)

---

I need to remotely upgrade devices to the latest Fortinet VPN client – this is to resolve some security issue and help with stability

This will start DATE/ TIME where you will get a popup message it’s upgrading and won’t be usable for approx. 5 minutes during that time

After the upgrade if you get this message when first running the Fortinet client, then reboot

I think I found the solution to the issue. The register keys were being made in HKLM\SOFTWARE\WOW6432Node.

See: https://call4cloud.nl/sysnative-64-bit-ime-intune-syswow64-wow6432node/

You are running the 64bit app on 64bit windows? I feel using 32bit one there

We are / have been using the x64 version.

Edit: see above, it is now fully functional.

Once again, thank you very much, u/More-Distribution949!
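
The WOW6432Node redirection found in the thread, as an added example that is not part of any post above: when a 32-bit PowerShell host writes to `HKLM:\SOFTWARE`, Windows redirects the write to `HKLM\SOFTWARE\WOW6432Node`, where the 64-bit FortiClient does not look. The sketch relaunches in the 64-bit host via `sysnative`, writes through an explicit 64-bit registry view, and reports which view holds the tunnel key. `Set-TunnelValue64` and `Test-TunnelView` are hypothetical helper names; the key path and values are the placeholders from the script in the thread.

```powershell
# Added example (not from the thread). Assumes the script runs as SYSTEM from the
# Intune Management Extension, which can start a 32-bit PowerShell host.
$tunnelPath = 'SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\COMPANYVPN'  # placeholder name

# Fix 1: relaunch in the 64-bit host. "sysnative" only resolves for 32-bit processes.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = Join-Path $env:WINDIR 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

# Fix 2: write through an explicit 64-bit registry view, independent of host bitness.
function Set-TunnelValue64 {   # hypothetical helper
    param([string]$SubKey, [hashtable]$Values)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
    try {
        $key = $base.CreateSubKey($SubKey)
        foreach ($name in $Values.Keys) {
            # Integers become DWORD values, everything else a string value
            $kind = if ($Values[$name] -is [int]) { 'DWord' } else { 'String' }
            $key.SetValue($name, $Values[$name], $kind)
        }
        $key.Close()
    } finally { $base.Close() }
}

# Check: report which registry view actually holds the tunnel key.
# Registry32 is the view that maps HKLM\SOFTWARE to WOW6432Node.
function Test-TunnelView {     # hypothetical helper
    param([string]$SubKey)
    foreach ($view in 'Registry64', 'Registry32') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        $key  = $base.OpenSubKey($SubKey)
        [pscustomobject]@{ View = $view; Present = [bool]$key }
        if ($key) { $key.Close() }
        $base.Close()
    }
}

Set-TunnelValue64 -SubKey $tunnelPath -Values @{
    Description = 'whateveryourcompany'
    Server      = 'vpn.yourcompany.domain:443'
    sso_enabled = 1
}
Test-TunnelView -SubKey $tunnelPath | Format-Table -AutoSize
```

A `Present` of `True` for `Registry32` only means an earlier 32-bit run left the profile under `WOW6432Node`; the 64-bit client needs it in the `Registry64` view.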