Recently had a big win on this and wanted to share.

Tied in with this post and this post, I have a customer who uses FortiClient as their VPN solution, and they have recently embarked on setting up Hybrid AAD.  We set their tenant up, sorted out licensing and I started to put in the fundamental elements to begin the journey to using Autopilot for provisioning devices.  I had undertaken setting up AAD connect and using IDFix to remediate any issues, such as UPN suffixes for end-users via PowerShell, and we were ready to go.  Equally, I had made them an Intune Win32app for FortiClient, and this installed and removed just fine using PSADT.  I had already tested the Autopilot process and things were looking good.

Navigating to endpoint.microsoft.com and under “Windows Autopilot deployment profiles” I have two Hybrid Azure AD Joined profiles set up for the two scenarios my customer has unique to them.  I have packaged up some apps (all using PSADT) and they have all been tested as working so I now want to run through the Autopilot process, have the apps install, join the machine to the domain using the Intune Connector and be faced with a login screen.
I can only do this however if I use the optional feature (currently public preview at the time of writing this article) of “Skip AD Connectivity check (preview)”

Essentially all this does is to ignore looking for a domain controller and continue through the rest of the autopilot process.  Normally, its going to need to be able to see a domain controller to authenticate me for the first time and thus create me a local profile which, in future, I can use to log on to the machine, offline, should there not be a domain controller in sight.  And so historically, it looks for one and bombs the Autopilot process if it doesn’t find one.  This option will skip that check and let it run through right to the login page. Although remember, if you cant connect some sort of VPN or have that line-of-sight, you simply wont be able to log on with your domain credentials outside of the corporate network.
I tested this.  It works.  I cant log in.

So now I need to work on the FortiClient App which I intend to use to connect a VPN before logon.  Its in Intune as a Win32 app so any configurations I need I should be able to just add to the script, redo the content and have it deploy.  I need to ensure my settings are retained and deployed with the Intune app so I start digging around and trying to find out where they are stored.
I install a clean version of Fortinet Client (in my case its version 6.0.9) onto a test VM and I configure it to how I want it.  I load up the client and select to unlock the settings first..

Then I proceed to untick what options I don’t require and making sure to tick the box for “Enable VPN before logon” (Vital!)

It is stated in the Microsoft Documentation that if your VPN solution supports connection before logon, then you should be able to make this work with any VPN solution.  Previously there were named supported vendors.  Worth noting.
Next we’re going to go to “Remote Access” and then “Configure VPN” to set up our base details for the VPN Connection

Then I’m going to configure my VPN, give it a name, the gateway IP and the port number.  I just made up the below for illustration purposes so don’t shoot me if I cant use that port or that isn’t a true IP address , you get the idea.  I’m also going to leave “Prompt on login” selected rather than saving credentials.

And finally hit save.

So we now have the basics configured.

Next job was top somehow export that setup and have it deploy with the app deployed to the Autopilot profile.  So I searched the registry and found where it was, the details are stored in HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\My Test VPN.  Great! So I export the key to a .reg file (the one pointed to in this image) and using my PSADT app I made I will add this during the “post-Installation” section.

Here is the code in my PSADT Script..

So essentially using the existing reg.exe to import the .reg file you exported.  You could break this down and have the keys created with PowerShell, but I was lazy and used this method.  There are a few ways this can improve, I’m sure.
I tested this with my PSADT script and it worked, so it now needs testing with Autopilot.  I updated the Intune app content by creating a new .intunewin file and uploaded it ready to go. I added the app deployment where it needed to be and reset a laptop ready for the autopilot test.  Next few pictures were taken from my phone so not the greatest. but here is the experience.
On the test device I added it to my network

I can see the Autopilot profile has pulled in and it requests I logon

Autopilot kicks off doing its thing…

OK, so now that’s finished I’m faced with a logon screen, first thing I do is click on sign on options

I can see here FortiClient has indeed installed during autopilot (WIN!)

I have to scroll down and untick the box for “Use my Windows credentials for VPN” because my username and password for the VPN is indeed, separate to my windows creds

This opens up the creds box for the VPN

Then I scroll back up and input my windows credentials for my on prem domain account and attempt to log in (fingers crossed)

(I worked with the network provider to get the certificate on the machines during AP which stops this message but this is the message I got before I did this)

Aaaaand Boom…..  I’m logged in.

Very happy with this.  What I would like you to take away from this blog post is that this methodology, in theory, could be used for any VPN provider.  As long as you can export your profile and have it install with the client during Autopilot and it support connection before logon, this could be implemented for any VPN solution.
I would love to hear if you have got this working with any other VPN client
Thanks for reading, truly hope this helps some of you.
Kind Regards

18 replies
  1. Gevorg Hakobyan
    Gevorg Hakobyan says:

    Hey bud,
    Thanks for the helpful guide. It helped me think outside the box to solve this exact problem I am facing.
    I followed all of these steps but it seems to have ignored my post installation tasks.
    Is there somewhere i need to select to force the post installation tasks to complete?
    [string]$installPhase = ‘Post-Installation’
    Start-Process “C:\Windows\System32\reg.exe” -ArgumentList “import CONFIG.reg”
    Start-Process “C:\Windows\System32\reg.exe” -ArgumentList “import VPNBEFORELOGON.reg”
    Neither of these registries were added to the machine.

    • Jonathan
      Jonathan says:

      Hi Gevorg. I have not experienced an issue with the post installation tasks running before. It sounds like you’ve got some issue with the script. Start by testing something simple in the post tasks, to see if they actually run. If that works, you know that the post -install steps are running, but something is preventing the registry imports.
      Test your code locally on a device to check there’s no issues.
      One other thing, why are there two registry keys? When I created mine, despite the SSLVPN being created in the sub key, I actually exported the root key and just imported that, once. So, export HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient at its root, and import it entirely, instead of trying the subkeys.
      Good luck!

    • Jonathan
      Jonathan says:

      I’m not sure what script you refer to. I packaged the application in PSADT, this is freely available for you to download, I suggest you do as its updated all the time. My post then outlines what to put in each section. If you’re still struggling after attempting, let me know.

  2. Avi
    Avi says:

    Can you share how you got the Configuration file (I tired with Xml)
    what install command did you use in the PSDT script?
    Thanks in advance

    • Jonathan
      Jonathan says:

      The install command line I used for the PSADT script was “Execute-MSI -Action Install -Path “FortiClient.msi” -AddParameters “INSTALLLEVEL=3”. The installer I used was an MSI file I have no XML.

  3. Gianelli Gonzalez Huerta
    Gianelli Gonzalez Huerta says:

    Hi Jonathan!
    Great post! I have one question, what are the commands/switches you used to install FortiClient as win32 package, i am still not able to push it and im pretty sure it has to be with the prompts you get when trying to install the app.

    • Jonathan
      Jonathan says:

      Hi, sorry for the delay in replying I actually lost my source files and had to spend some time investigating how to pull them back from Intune, that was not fun! The installer I’m using is an MSI, so the code I use for install within PSADT is “Execute-MSI -Action Install -Path “FortiClient.msi” -AddParameters “INSTALLLEVEL=3”

  4. Ahmed Soliman
    Ahmed Soliman says:

    Thanks for sharing this post, I have done the same but instead of using PS or reg import I have used Forticlient Configuration and used the .mst file to be added within the WIN32 intune package, the only things missing here and it will be great to have to set the default option for login to Forticlient login option to make it even more straight forward for on-boarding, any ideas how that could be done?

    • Jonathan
      Jonathan says:

      I looked into that, but it seems like Forticlient configuration tool is a paid product and my customer didn’t have it. Either-or will work fine. Was the process easy?

  5. Nandu Ditto
    Nandu Ditto says:

    Hi Jonathan,
    I have added the post installation commands as same as yours.
    But it is not importing registry.
    Where should I Save the registry file before running script ?

    • Jonathan
      Jonathan says:

      My registry file is within source files for the application I created to install FortiClient, I simply included the .reg file.I used PSADT to make the application in Intune and then used a step to import the registry key as part of the post-actions in the script. Regards, Jonathan.

  6. Nandu
    Nandu says:

    Hi Jonathan,
    I have found success in adding Forticlient VPN and I got Successfully Connected to VPN in the login screen. Thanks for your post. 🙂
    But after VPN connection ,Account Setup is keep trying to Join Organisation Network. and It has almost completed 1 hour now.
    I can see the hostname entry already in Intune and on Prem AD. But the device is not yet ready.
    Any suggestion is welcomed. Thanks in advance.

    • Jonathan
      Jonathan says:

      You’re very welcome for the post! I’m really glad it was useful for you. I’m not sure I follow your request. Your Autopilot process finished completely? If so you then connect your VPN to be on the corporate network, when you log in if you have any faults I would start by checking if you have any domain group policies that are affecting the device at logon, or indeed any logon scripts deployed. Without seeing it its difficult to troubleshoot. Feel free to add more context if you wish. Regards, Jonathan

      • Joel
        Joel says:

        Hi Jonathan,
        Got it working eventually, Thanks.
        Can i ask a question around using the forticlient windows app. Is there anything I can do with integrating the app and the configuration settings in In-tune for an always on connection. I am experiencing an issue where the screen times out during Autopilot setup and disconnects the VPN.

        • Jonathan
          Jonathan says:

          I would concentrate on narrowing down what the cause of the time out is. Do you have your timeout setting set too short? Or is there another cause such as its waiting for a response its not getting because of network security. I’m afraid I won’t be much help as I’m unfamiliar with your environment, but I wish you luck with it.


Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *