Workaround: Do one of the following:

• Use FortiClient EMS to do the deployment.
• To run a local FortiClient upgrade, do the following:
  1. Shut down FortiClient.
  2. Stop FortiShield.
  3. Perform the local FortiClient upgrade using MSI or the FortiClientSetup.exe file.

Application Firewall conflict with Windows firewall causes issues updating domain group policies.

Zero Trust tagging rule set syntax does not check registry key values.

FortiOS cannot get the updated VPN IP address in firewall dynamic EMS tag address when FortiClient establishes the VPN tunnel.

Zero trust tag rule for Active Directory group does not work when registering FortiClient to EMS with onboarding user.

When using off-net profile with antivirus protection enabled, FortiClient (Windows) does not show Malware Protection in navigation bar.

FortiClient does not get updated profile and does not sync with EMS.

FortiClient shows all feature tabs without registering to EMS after upgrade.

FortiClient fails to synchronize with EMS on Windows 7 x86 platform for long time.

After EMS license expires, FortiClient (Windows) still shows ZTNA and Application Firewall tabs.

After administrator selects Mark All Endpoints As Uninstalled, FortiClient (Windows) connected with verified user changes to unverified user.

Administrator cannot restore a quarantined file through EMS quarantine management if FortiClient (Windows) registered as onboarding user.

Redeploying from another EMS server causes FortiClient (Windows) to not reconnect to EMS automatically.

After upgrading FortiClient with EMS local onboarding user with LDAP, FortiClient (Windows) prompts for registration authentication.

FortiClient fails to send username to EMS, causing EMS to report it as different users.

NETIO.SYS causes blue screen of death on FortiClient endpoints.

Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console feature does not work as expected.

FortiClient does not block access to removable media.

FortiClient (Windows) on Windows 10 fails to block SSL VPN when it has a prohibit host tag applied.

SSL VPN negate split tunnel IPv6 address does not work.

Negate split tunnel IPv4 address does not work for dual stack mode using IPv6 access.

For SSL VPN dual stack, GUI only shows IPv4 address.

FortiClient to FortiGate SSL VPN gets stuck during connection with SAML.

SSL VPN disconnects and returns hostcheck timeout after 15 to 20 minutes of connection.

When VPN is up, changes for IP properties-> Register this connection's IP to DNS are not restored after VM reboot from power off.

Free VPN-only client does not show token box on rekey and GUI open.

Certificate works for IPsec VPN tunnel if put it in current user store but fails to work if in local machine.

FortiClient (Windows) does not use second FortiGate to connect to resilient tunnel from FortiTray if it cannot reach first remote gateway.

When no_dns_registration=1,Register This Connection's Address in DNS of NW IP properties is not selected after VPN is up.

IPsec VPN IPv6 remote gateway is missing.

When Limit Users to One SSL-VPN Connection at a Time is enabled on FortiOS, FortiClient displays error code -8.

IPsec VPN on OS start with SSL VPN failover on Wi-Fi cannot connect.

FortiClient search domains transfer incorrectly to endpoints.

VPN before logon does not work with Okta multifactor authentication and enforcing acceptance of the disclaimer message.

FortiClient does not use second FortiGate to make VPN connection when IPsec VPN resilience with VPN is up and first remote gateway becomes offline.

Always up feature does not work as expected when trying to connect to VPN from tray.

SAML connection with external browser authentication and single sign on port 8020 is busy, with FortiClient returning a JavaScript error.

FortiClient opens multiple browser tabs when connecting to SSL VPN via SAML using external browser.

SAML internal browser authentication prompt does not show up when redirection to external browser is disabled.

Routes are missing when using DHCP over IPsec VPN.

VMware Horizon client does not work with application-based split tunnel.

If allow_local_lan=0 and per-application split tunnel with exclude mode and full tunnel are configured, FortiClient (Windows) should block local RDP/HTTPS traffic.

FortiClient (Windows) does not block malicious sites when Web Filter is disabled.

Web Filter is enabled on FortiSASE profile on EMS when Web Filter is already enforced on the FortiGate.

Blocked web client shows dropped connection message instead of URL blocked message.

Web Filter blocks Chocolatey installation.

FortiTray keeps notifying user to install Web Filter plugin even when Chrome has already installed the plugin.

FortiClient console does not show security risk category as configured on EMS under Web Filter profile.

Windows 7 does not support TCP forwarding feature.

FortiClient (Windows) cannot show normal webpage of Internet real server (Dropbox) with ZTNA.

Using an external browser for SSH ZTNA requires restarting FortiClient on Windows 11.