FortiGeekz
New Contributor II

Intune MSI deployed FortiClient requires end user(s) to have admin rights

Hello, we seem to be converging in the security space with end users and the free version of the FortiClient.

Currently deployed via Intune: 7.2.2 FortiClient SSL VPN with SAML authentication back to Entra. When it works it's no problem; however, we also use the same method in-house and I'm aware that on occasion you need to restart the FortiClient by shutting it down in the task tray and re-launching it. So what's the issue?

Well, moving end user(s) away from local administrative rights, this is the only issue we face at present: end users receive a UAC prompt when attempting to close/open the FortiClient; otherwise it's a full machine restart.

 

Has anyone got around this as yet without sacrificing security?

I may have to provide an additional IPsec tunnel if the situation does not improve.

 

Thoughts?

7 replies
Stephen_G
Moderator

Hi FortiGeekz,

 

Thanks for using Community forums. I recognize you're looking for people who have experience with specific setups, so you may not get a reply. But we'll try to make sure you get an answer to your query from an expert or a community member.

 

Kind regards,

Stephen - Fortinet Community Team
Stephen_G
Moderator

Hi FortiGeekz,

 

I haven't found anyone who has an answer to your query yet. I'll keep looking and get back to you ASAP.

 

Kind regards,

Stephen - Fortinet Community Team
psevca
Staff

Hello,

Can you please confirm whether Intune was executing the installer using a non-admin account, and whether the endpoint was rebooted after the installation?

 

When the installer runs the MSI silently:
- the upgrade / install will happen
- the installer will NOT start FortiClient if a reboot is required
- there will be no reboot prompt requesting a reboot

This can be reproduced by upgrading / installing FortiClient and then NOT rebooting the system after the upgrade has been completed.
If one tries to open the FortiClient GUI/console, a UAC prompt is shown because FortiClient needs to start its services.
However, the UAC prompt is NOT a bug, because the device has not been rebooted.

After rebooting:
1) FCT starts automatically.
2) Opening the GUI does not cause a UAC prompt.

 

regards

 

Peter

FortiGeekz
New Contributor II

Hello psevca, 

 

Yes, the behavior you describe is what's witnessed.

We have Intune installing the w32 app as system without a reboot nag.

 

However, this is not of great concern, it's the stability of the SAML authentication request and then client errors thereafter.  If an error (transient) is generated 99% of the time the FortiClient will not recover on subsequent connection requests.  Usually, we see this represented as the FortiClient SSL VPN connecting to around 40% and then some error thrown.

 

From here the only way to establish a connection is to restart the FortiClient; however, given the security-centric nature of the setup, end users do not have administrator rights and therefore cannot shut down the FortiClient. Instead, a full Windows restart is required. It's this behavior we would like to see changed: no requirement for elevation of rights to restart the FortiClient.

psevca

Hello,

The problem with the UAC prompt should be resolved if the Intune deployment is configured with a reboot after the FCT deployment. Once this condition is met, FCT should not ask the user for admin credentials / trigger UAC when FCT is shut down.

 

regards

 

Peter
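The two points Peter makes above (a silent MSI install does not start the FortiClient services when a reboot is pending, and the Intune deployment therefore needs to enforce a reboot) can be combined into an Intune Win32 app install wrapper. The script below is an added example, not code from the thread or from Fortinet: it runs the MSI silently with the same properties used in this thread, imports the VPN profile, then returns the standard Intune/MSI "soft reboot" code 3010 whenever the MSI itself asked for a reboot, Windows reports a pending reboot, or the FortiClient service is not running. The service name `FA_Scheduler`, the file names and the install path are assumptions; check them against your own deployment.

```powershell
# Added example (not from the thread): Intune Win32 install wrapper for FortiClient.
# Goal: never leave the endpoint in the "installed but services not started" state
# that produces the UAC prompt for standard users. Assumptions: the MSI and the
# fcconfig.conf profile sit beside this script; the FortiClient scheduler service
# is named FA_Scheduler; FCConfig.exe lives under the default install path.

$Msi        = Join-Path $PSScriptRoot 'FortiClient.msi'
$VpnProfile = Join-Path $PSScriptRoot 'fcconfig.conf'
$FcConfig   = 'C:\Program Files\Fortinet\FortiClient\FCConfig.exe'
$LogFile    = Join-Path $env:ProgramData 'FortiClient-install.log'

# 1. Silent install. /norestart stops msiexec from rebooting on its own so that the
#    reboot decision is handed to Intune via the exit code instead.
$msiArgs = @('/i', "`"$Msi`"", '/quiet', '/norestart',
             'INSTALLLEVEL=3', 'DESKTOPSHORTCUT=1',
             '/l*v', "`"$LogFile`"")
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
$msiExit = $proc.ExitCode

# Standard MSI/Intune codes: 0 = success, 3010 = success but reboot required.
if ($msiExit -notin 0, 3010) {
    Write-Error "msiexec failed with exit code $msiExit (see $LogFile)"
    exit $msiExit
}

# 2. Import the VPN profile (the same FCConfig step used in the thread).
if ((Test-Path $FcConfig) -and (Test-Path $VpnProfile)) {
    $cfg = Start-Process -FilePath $FcConfig `
               -ArgumentList @('-m', 'vpn', '-f', "`"$VpnProfile`"", '-o', 'import') `
               -Wait -PassThru
    if ($cfg.ExitCode -ne 0) {
        Write-Warning "FCConfig import returned $($cfg.ExitCode)"
    }
}

# 3. Detect the condition Peter describes: services not started after a silent install.
#    Service name is an assumption; adjust to what Get-Service shows on a known-good host.
$notRunning = Get-Service -Name 'FA_Scheduler' -ErrorAction SilentlyContinue |
              Where-Object { $_.Status -ne 'Running' }

# 4. Windows' own pending-reboot markers (CBS, Windows Update, pending file renames).
$pendingReboot =
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                    -Name PendingFileRenameOperations -ErrorAction SilentlyContinue))

# 5. Hand the decision to Intune: 3010 makes Intune treat the install as
#    "succeeded, restart required" instead of silently leaving the client half-started.
if ($msiExit -eq 3010 -or $pendingReboot -or $notRunning) {
    exit 3010
}
exit 0
```

For the exit code to have any effect, the Win32 app in Intune must keep 3010 mapped to "Soft reboot" in its return codes and have "Device restart behavior" set to either "Determine behavior based on return codes" or "Intune will force a mandatory device restart"; with "No specific action" the 3010 is recorded but no restart is enforced, which is the state the original post describes.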

FortiGeekz
New Contributor II

Going to give this a test and reply back here...

Not sure this changes anything:

-------------------------------------------------------------------------------------------------

REM Silent install; /passive is overridden by /quiet, /NORESTART suppresses the MSI reboot
msiexec.exe /i "FortiClient.msi" /passive /quiet INSTALLLEVEL=3 DESKTOPSHORTCUT=1 /NORESTART

REM Wait for the installer's post-install work to settle before importing the profile
timeout /t 240 /nobreak

REM Import the VPN profile into FortiClient
"C:\Program Files\Fortinet\FortiClient\FCConfig.exe" -m vpn -f fcconfig.conf -o import

-------------------------------------------------------------------------------------------------

Intune then prompts the user to restart. Once the device has restarted, if they need to shut down FortiClient they are prompted for admin credentials.

FortiGeekz
New Contributor II

We redeployed this with a mandatory reboot.

After the restart, we tested with a user that had no local machine admin rights.

If they attempt to shut down the FortiClient they are prompted for admin credentials.
