Windows Update KB2693643 Breaks SSL VPN with FortiClient (with EMS)

VPN
1

Edit: I typed all of the below and failed to mention - uninstalling KB2693643 did in fact resolve the issue. Thanks u/QuietThunder2014 :smiley:

I wanted to share this in case it had not already been shared and anyone else runs into this issue and, like me, exhausted all of their troubleshooting efforts.

A member of my IT team started experiencing issues connecting to VPN (SSL) with FortiClient. The progress would make it to 98% then bounce back, retry a few times and then fail.

I checked the usual culprits, a thorough check through EMS, the settings on both the client and the FortiGate, compatibility issues etc. Then I started digging through FortiAnalyzer VPN logs and packet tracersā€¦nothing seemed to be pointing to the culprit.

At one point, from the FortiClient, I identified this error:

info	sslvpn	FortiSslvpn: 22696: Did not find interface for local_gwy 25ed170a

There were plenty of ā€œsolutionsā€ I found in other Reddit posts, Microsoft forums even, but none worked. Everything from disabling IPv6 in the interfacesā€™ settings toā€¦well if you made it to this post you probably already know and like me, had to keep looking.

Finally, I came across this post: FortiClient SSLVPN Windows 11 routes problem - Fortinet Community

Now, I have Windows 10 with RSAT installed, but not through this update. Furthermore, KB2693643 is supposedly for W10, yet it came as an update on my coworkerā€™s W11 machine. They hadnā€™t enabled RSAT in Windows Features nor downloaded to this machine yet, so we were unaware it was there. Sure enough however, once they uninstalled this update the VPN connection via their FortiClient worked.

Iā€™m not sure if this has been shared already, but I wanted to make sure that if anyone else is experiencing this issue they have all available troubleshooting resources at their disposal. Hopefully Fortinet identifies this and finds a solution because even with FortiClient 7.0.7.0345 this is happening (downloaded from Fortinet yesterday).

2

Holy shit man. Yea same exact issue across multiple laptops in the last month or so. So hard to trouble shoot because we just got EMS and rolled out Forticlient 7.0.6. I have had two separate tickets with support and the response was uninstall it and reinstall. I did it once and completely bricked the machine where it is stuck in a scheduled scan. Appreciate your post man. I will definitely try this!

3

Same issue with our Windows 11 machines. The machines connect to the FortiClient VPN, but then the VPN adapter receives an APIPA address. After uninstalling KB2693643, the machines were able to browse the network drive.

4

Sorry for the necro, but I would just like it to be known that this is STILL an issue in 2025. The issue is that the publicly available installer for RSAT is designed for Windows 10, and is not supported in Windows 11. I would like it to be known that my issue was specifically with ADUC, so thatā€™s what Iā€™m helping install.

I have seen several ways of installing in on Windows 11, such as in Settings > Apps > Optional Features or Settings > System > Optional Features but neither of those worked for me. Could be because I am on a work computer.

What worked for me was installing via PowerShell: https://www.pdq.com/blog/how-to-install-remote-server-administration-tools-rsat/

For installing ADUC, open an elevated PowerShell session, then type in the following:

 Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

This will take some time to install. To verify that it was installed, us this code. You will see an output like the below image.

 Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State

671Ɨ396 10.2 KB

If you want to install ALL of the RSAT tools, use the following command instead. Note that this will take a long time:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
5

Solved installing FortiClientSetup_6.0.10.0297_x64.

So the solution is to use a specific version of forticlient?

6

This may be a silly question but just to confirm did uninstalling the update fix the issue?

7

Same results here and the uninstall did the trick. Any way to install RSAT without KB2693643?

8

Wellā€¦donā€™t keep me hanging! Did it help or not?! I would love to know I helped someone out!

9

Just ran into this today actually, how silly this has never been addressedā€¦

10

I assume the comment you were replying to is deleted? 6.0.10 is pushing three years oldā€¦I would absolutely not recommend installing that in a production environment. The resolution I provided is, AFAIK, is the least intrusive. If you need RSAT tools, install them on a jump server.

11

Lol it did. I typed all of that and failed to mention that is the solution. Thanks for pointing that out! Itā€™s been a long weekā€¦

12

Try to install RSAT with PowerShell.
How to Install Remote Server Administration Tools (RSAT) on Windows | Windows OS Hub (woshub.com)

13

Sorry for the suspense! So I already had some time on Monday scheduled with the FortiGeniuses. Turns out, the FC Removal tool doesnā€™t actually remove the client. Last week I booted from safe mode, ran the tool, rebooted. Tried to reload. Didnt work. Apparently, you have to uninstall like normal from control panel after you run the fc removal tool (not much of a removal tool). All this to say, I was able to fix my laptop without uninstalling the update. That being said, we have another user with the exact same issue that I am going to try it on today.

14

Looks like RSAT only works with that KB which was made for Win10 thus not working properly on win11. At least on what ive seen

15

Well, you can have RSAT installed but not have the ability to use it unless you escalate privileges. We have a normal domain account and then a DA. For me, whenever I need to use RSAT I just ā€œRun asā€ and use the DA credentials.

16

Leaving this here in case someone else is struggling with getting RSAT enabled through PowerShell on Windows 11. This is what worked for me:

  1. Download the appropriate ā€œLanguage and Optional Features ISOā€ from here: Install language packs on Windows 11 Enterprise VMs in Azure Virtual Desktop - Azure | Microsoft Learn (for example Windows 11, version 22H2 and 23H2 Language and Optional Features ISO)

  2. Mount the ISO by double clicking it or through PowerShell: ($(Mount-DiskImage "$env:USERPROFILE\Downloads\22621.1.220506-1250.ni_release_amd64fre_CLIENT_LOF_PACKAGES_OEM.iso" -PassThru) | Get-Volume).DriveLetter (this will also display the drive letter the drive got mounted as which you will need in the next step)

  3. Run this PowerShell command: Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online -Source "D:\LanguagesAndOptionalFeatures" -LimitAccess (change D:\ to the appropriate drive letter if necessary)

  4. Verify that the installation was successful:
    Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property Name, State

  5. Dismount the ISO either by ejecting it through explorer or through PowerShell: Dismount-DiskImage "$env:USERPROFILE\Downloads\22621.1.220506-1250.ni_release_amd64fre_CLIENT_LOF_PACKAGES_OEM.iso"

Bonus: To disable/uninstall RSAT run this PowerShell command and then reboot: Get-WindowsCapability -Name RSAT* -Online | ForEach-Object {Remove-WindowsCapability -Name $_.Name -Online}Note that you might get an error stating ā€œPermanent package cannot be uninstalled.ā€ about the Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 package. If this happens try to run the uninstall command again after youā€™ve rebooted.

17

This works for me

Add-WindowsCapability ā€“online ā€“Name Rsat.Dns.Tools~~~~0.0.1.0

18

This will only work on machines that have access to Windows Update which many managed corporate devices donā€™t. In that case this should do the trick (works even offline): https://www.reddit.com/r/fortinet/comments/11nuuph/windows_update_kb2693643_breaks_ssl_vpn_with/llmownt/

19

First of all, calm down. No one has massive problems considering there are over a dozen hardening practices in place to mitigate a LSASS attack. Disabling UseLogonCredential, making use of the Protected Users group in AD, disabling plain-text password storage, disabling LADM debugā€¦all of this Iā€™m pretty sure has been done. Am I free of risk? Nope, but believe me there are much bigger security-fish to fry where I currently work than a small handful of DA accounts.