FortiClient VPN Package update failure (FortiClient ZTNA replaced FortClient VPN Only client)

[Xavierstarr]

Brief description of your issue

We use WAU (Winget Auto Updater) with GPO deployed and configured via Intune to our machines, policy orginally was to autoupdate all apps (Blanket policy) without a whitelist of blacklist, we have had to blacklist the ID Fortinet.FortiClientVPN this morning a MSI was run to update Forticlient from Winget and replaced the VPN only client with Forticlient's ZTNA client across the board, the annoying part is apart of the install is to trigger the update client side on first launch so all clients are prompted with an Admin Prompt which cannot be avoided until we uninstall ZTNA and install VPN Only.

Logs:

• Beginning a Windows Installer transaction: C:\WINDOWS\TEMP\WinGet\defaultState\Fortinet.FortiClientVPN.7.0.9.0493\extracted\FortiClient.msi. Client Process Id: 24532.

• Starting session 0 - ‎2024‎-‎07‎-‎16T20:34:37.009371500Z.

• Application 'C:\Program Files\Fortinet\FortiClient\FortiTray.exe' (pid 3804) cannot be restarted - Application SID does not match Conductor SID..

• Machine restart is required.

• Starting session 1 - ‎2024‎-‎07‎-‎16T20:34:38.487256600Z.

• Application 'C:\Program Files\Fortinet\FortiClient\FortiTray.exe' (pid 3804) cannot be restarted - Application SID does not match Conductor SID..

• Application or service 'FortiClient SSLVPN daemon' could not be shut down.

• Application or service 'FortiClient Logging daemon' could not be shut down.

• Application or service 'FortiClient Settings Service' could not be shut down.

• Application or service 'FortiClient VPN Service Scheduler' could not be shut down.

• Windows Installer requires a system restart. Product Name: FortiClient VPN. Product Version: 7.0.7.0345. Product Language: 1033. Manufacturer: Fortinet Technologies Inc. Type of System Restart: 1. Reason for Restart: 2.

• The operation completed successfully.

• Product: FortiClient -- Installation completed successfully.

• Ending a Windows Installer transaction: C:\WINDOWS\TEMP\WinGet\defaultState\Fortinet.FortiClientVPN.7.0.9.0493\extracted\FortiClient.msi. Client Process Id: 24532.

Steps to reproduce

FortiClient VPN is installed via a Win32 Intune install package with a .bat file that installs the VPN only client and configures the VPN Profile to registry for all users.

WinGet WAU GPO Config deployed via Intune defines all apps to update at Login (now set a blacklist to block FortiClient VPN)

On login all users Fortclient.exe when launches prompts to finalise the update with elevated privileges and forces a reboot.

On reboot or relaunch FortiClient VPN is replaced with FortClient (ZTNA)

Expected behavior

We expect a Winget Update of the package to not replace the product with a different product, Yes you can connect with VPN using the ZTNA product, but it also displays a licensing error to the end users and informs them that "Free VPN will stop functioning on the 16th of August" which is problematic when we do not use EMS or ZTNA at this site.

Actual behavior

Winget List details the installed version before Winget Update:

Name Id Version Available Source

FortiClient VPN Fortinet.FortiClientVPN 7.4.0.1658 winget

Repo Search returns the following

Name Id Version Available Source

FortiClient VPN Fortinet.FortiClientVPN 7.0.9.0493 winget

what is returned after Winget Updates the Package

Name Id Version Available Source

FortiClient ARP\Machine\X64{079B00DA-23ED-4F29-AED8-7137… 7.0.9.0493

Environment

winget --info
Windows Package Manager v1.8.1911
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.19045.4713
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.23.1911.0

Winget Directories                 
-----------------------------------------------------------------------------------------------------------------------
Logs                               %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\Diag…
User Settings                      %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\sett…
Portable Links Directory (User)    %LOCALAPPDATA%\Microsoft\WinGet\Links
Portable Links Directory (Machine) C:\Program Files\WinGet\Links
Portable Package Root (User)       %LOCALAPPDATA%\Microsoft\WinGet\Packages
Portable Package Root              C:\Program Files\WinGet\Packages
Portable Package Root (x86)        C:\Program Files (x86)\WinGet\Packages
Installer Downloads                %USERPROFILE%\OneDrive\Downloads

Links               
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Admin Setting                             State
--------------------------------------------------
LocalManifestFiles                        Disabled
BypassCertificatePinningForMicrosoftStore Disabled
InstallerHashOverride                     Disabled
LocalArchiveMalwareScanOverride           Disabled
ProxyCommandLineOptions                   Disabled
DefaultProxy                              Disabled

Winget AutoUpdater (Deployed via Windows Store (NEW)) - Intune
Winget AutoUpdater GPO is deployed via Intune custom ADMX Templates
Winget Autoupdater Config as per below

Enable Automatic Updates       - Enabled
Updates at Logon               - Enabled
Notification Level             - Enabled
Enable Start Menu Shortcuts    - Enabled
Updates Interval               - Enabled
Run WAU on metered connection  - Enabled
Activate WAU GPO Management    - Enabled

(NEW) Application GPO Blacklist - Enabled
   - Fortinet.FortiClientVPN

[Xavierstarr]

Some assistance to uninstall FortiClient ZTNA and reinstall FortiClient VPN via maybe a remediation script would be helpful, with minimal client impact.

[stephengillie]

This should be moved to the winget-pkgs repo. It's probable that the latest Fortinet.FortiClientVPN manifest needs to be removed, or updated with the correct VPN only installer.

PS C:\ManVal> (find-winGetPackage Fortinet.FortiClientVPN).AvailableVersions
7.0.9.0493
7.0.1.0083
6.2.6.0951
6.2.0.0780

For reverting, would it work to uninstall the current version, then install the previous version? The blacklist entry should prevent upgrading into the version which is actually the ZTNA client.

winget uninstall Fortinet.FortiClientVPN
winget install Fortinet.FortiClientVPN --version 7.0.1.0083

[denelon]

I'm going to go ahead and move this to winget-pkgs. Feel free to mention me if we need to do something with the WinGet client.

[murraynickels]

See comment here https://github.com/microsoft/winget-pkgs/issues/163137#issuecomment-2232123003

[duncan1602]

Can someone update this package, please? The wrong package has been pushed. It is the paid version of Fortinet and not the free version. This has replaced all the free versions in our organization. This is a serious problem. Please push the latest free version of Fortinet VPN, which is 7.4.0.1658.

[amber-m-mvd]

I found some rehosted versions. I hope this helps somewhat.

[amber-m-mvd]

7.0.7 - https://cerberus.ciat.cgiar.org/FortiClientVPNSetup_7.0.7.0345_x64.exe 7.0.8 - https://fcems.fesvcs.com/FortiClientVPNSetup_7.0.8.0427_x64.exe 7.0.12 - https://support.emid.co.za/FORTIGATE/FortiClientVPNSetup_7.0.12.0572_x64.exe 7.0.13 - https://repo.exanet.pl/net/FortiClient/FortiClientVPNSetup_7.0.13.0577_x64.exe 7.2.0 - https://files.crossingnetworks.com:8081/WEBCROSS/Fortigate_Client/Windows/FortiClientVPNSetup_7.2.0.0690_x64.exe 7.2.0 - https://download.lawr.ucdavis.edu/pub/Win/Fortinet/FortiClientVPNSetup_7.2.0.0690_x64.exe 7.2.2 - http://uberupdate.lvusd.org/FortiClient/Windows/FortiClientVPNSetup_7.2.2.0864_x64.exe 7.2.4 - https://repo.exanet.pl/net/FortiClient/FortiClientVPNSetup_7.2.4.0972_x64.exe 7.2.4 - https://docs.bartonccc.edu/infoserv/vpn/Fortinet/FortiClientVPNSetup_7.2.4.0972_x64.exe 7.2.4 - http://www.download.numerica.pl/FortiClientVPNSetup_7.2.4.0972_x64.exe 7.2.4 - https://dl.partian.co/FortiClient/Windows/7.2.4/FortiClientVPNSetup_7.2.4.0972_x64.exe

[y2k04]

I was unable to communicate with Fortinet support, so I am just bruteforcing the filestore url now. After the bruteforce finding finishes, I will upload it to my GitHub repo. And yes. amber-m-mvd is me.

[duncan1602]

@y2k04 here is the latest version 7.4.0.1658. How can we add it to winget? https://cunextgenus-my.sharepoint.com/:u:/g/personal/duncan_pereira_cunextgen_com/ESpjMS9fujlPo82VQ6qnmhoB5PrvfyZx0-Zy2sxKaZdltw?e=jfipgN

[y2k04]

Like the moderators said in an older post about updating FortiClientVPN, just rehost it!

https://github.com/y2k04/forticlient-vpn-setup/releases/tag/7.4.0.1658

I'll add the older versions I found a little later.

[y2k04]

Added all of the versions I found to https://github.com/y2k04/forticlient-vpn-setup/releases

[rvtdadmin]

We unfortunately had this issue also. Is it going to be reviewed how an installer for a different product was picked up as an upgrade to this product? @denelon

https://github.com/microsoft/winget-pkgs/pull/163199

Thank you