Set FortinetVPNRegistry
Pre-configures a FortiClient SSL VPN tunnel by writing the required registry entries to HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\. This allows IT administrators to deploy a standardized VPN configuration to Windows endpoints before users launch FortiClient, ensuring the correct tunnel is available without manual setup.
If the tunnel entry already exists in the registry, the script exits gracefully without overwriting the existing configuration.
- Creates all required FortiClient SSL VPN tunnel registry values in a single operation
- Idempotent — safe to run multiple times; skips if tunnel already exists
- Supports optional username pre-population for a smoother user experience
- SSO/SAML authentication enabled by default
- Server certificate validation enforced (`check` mode)
- Suitable for Intune, Group Policy, or RMM deployment
- PowerShell 5.1 or later
- Must be run as Administrator (writes to `HKLM`)
- FortiClient installed on the target machine
| Parameter | Type | Default | Description |
|---|---|---|---|
| `Username` | String | `""` | Pre-populates the username field in the FortiClient VPN tunnel UI. Leave blank to require the user to enter it. |
```powershell
.\Set-FortinetVPNRegistry.ps1
```
Creates the SSL VPN tunnel registry entries. The user will need to enter their username in FortiClient.

```powershell
.\Set-FortinetVPNRegistry.ps1 -Username "jdoe@contoso.com"
```
Creates the tunnel entries and pre-fills the username field in FortiClient.
Upload Set-FortinetVPNRegistry.ps1 to Intune > Devices > Scripts with:
- Run this script using the logged-on credentials: No (run as System)
- Enforce script signature check: No (or Yes if script is signed)
- Run script in 64-bit PowerShell: Yes
All values are written to:
HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\<VPN Name>
| Registry Value | Type | Description |
|---|---|---|
| `Description` | String | Human-readable tunnel description |
| `Server` | String | VPN server address and SSL port (`server:port`) |
| `Username` | String | Pre-populated username (blank by default) |
| `promptcertificate` | DWORD | `0` — Do not prompt for client certificate |
| `ServerCert` | String | `check` — Enforce server certificate validation |
| `sso_enabled` | DWORD | `1` — Enable SSO/SAML authentication |
| `use_external_browser` | DWORD | `0` — Use FortiClient internal browser for SAML |
| `single_user` | DWORD | `0` — Allow multiple users |
| `show_remember_password` | DWORD | `1` — Show the "Remember Password" option |
| `Flags` | DWORD | `4` — Internal FortiClient tunnel flags |
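Because the script skips a tunnel key that already exists, a key holding different values (for example a `ServerCert` other than `check`) is left as it is. The following added example, which is not part of Set-FortinetVPNRegistry.ps1, reads the key and reports every value that differs from the table above; the parameter defaults are placeholders and the exit codes (0 for a match, 1 for drift or a missing key) are this example's own convention.

```powershell
# Added example: audit an existing tunnel key against the documented values.
# Parameter defaults are placeholders; set them to your $vpnName and server:port.
# Run in 64-bit PowerShell: a 32-bit host is redirected to WOW6432Node.
param(
    [string]$VpnName = "VPN Name",
    [string]$Server  = "vpn.server.com:10443"
)

$path = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VpnName"

# Expected values, taken from the registry table on this page.
$expected = [ordered]@{
    Server                 = $Server
    promptcertificate      = 0
    ServerCert             = "check"
    sso_enabled            = 1
    use_external_browser   = 0
    single_user            = 0
    show_remember_password = 1
    Flags                  = 4
}

if (-not (Test-Path -LiteralPath $path)) {
    Write-Output "Tunnel '$VpnName' not found at $path."
    exit 1
}

$actual = Get-ItemProperty -LiteralPath $path

# Collect every value that is missing or differs from the expected setting.
$drift = foreach ($name in $expected.Keys) {
    $prop  = $actual.PSObject.Properties[$name]
    $value = if ($null -ne $prop) { $prop.Value } else { $null }
    if ($null -eq $prop -or "$value" -ne "$($expected[$name])") {
        [pscustomobject]@{ Value = $name; Expected = $expected[$name]; Actual = $value }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize | Out-String | Write-Output
    exit 1
}

Write-Output "Tunnel '$VpnName' matches the documented configuration."
exit 0
```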
Console messages only. No files are generated.
| Message | Meaning |
|---|---|
| `FortiClient SSL VPN '<name>' registry entries created successfully.` | Entries written successfully (exit code 0) |
| `FortiClient SSL VPN '<name>' registry entries already exist.` | Tunnel already configured — no changes made (exit code 0) |
| `Error creating registry entries: <error>` | Write failed — check admin rights (exit code 1) |
Before deploying, update the following variables at the top of the script to match your environment:
```powershell
$vpnName        = "VPN Name"        # Display name shown in FortiClient
$vpnDescription = "SSL VPN"         # Tunnel description
$vpnServer      = "vpn.server.com"  # Your VPN gateway hostname or IP
$sslPort        = 10443             # SSL VPN port (default FortiGate: 10443 or 443)
```

Cause: Script not running with Administrator privileges. Solution: Right-click PowerShell → Run as Administrator, or deploy via Intune using System context.
Cause: FortiClient reads registry at startup; changes made while it is running may not appear immediately. Solution: Restart FortiClient after the script completes.
Cause: Script is idempotent and won't overwrite existing values. Solution: Manually delete the registry key and re-run the script:
```powershell
Remove-Item -Path "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\<VPN Name>" -Recurse -Force
.\Set-FortinetVPNRegistry.ps1
```

- v1.0 (2026-03-09): Initial release — core registry configuration for FortiClient SSL VPN tunnel