
ProfileUnity Post Flight processes do not run, no postflight logs generated in highly secured environment

Product: ProfileUnity-FlexApp  

Product Version: 6.5 and newer

Expires on: 365 days from publish date

Updated: January 9, 2017

 

Problem:

ProfileUnity PostFlight processes do not run and PostFlight logs are not generated. Default printers are not set based on the portability save.

 

Symptoms:

ProfileUnity PostFlight processes do not run and PostFlight logs are not generated. Default printers are not set based on the portability save. The elevation logs show that Lwl.ProfileUnity.Client.net.exe is not allowed elevation by policy. This can be common in high-security environments.

 

The lwl_elevation_service log found in C:\Windows\Temp\ProfileUnity will contain the following error:

 

[lwl_elevation_service.20988, 9/13/2016 10:33:19.750 AM; Informational]: Trust verification failed on path: C:\Program Files\ProfileUnity\client.exe Error: The timestamp signature and/or certificate could not be verified or is malformed.
[lwl_elevation_service.20988, 9/13/2016 10:33:19.750 AM; Informational]: The path: C:\Program Files\ProfileUnity\client.exe is not allowed to be elevated by policy.

 

Possible Resolution(s): 

When ProfileUnity elevates itself, it checks that the elevation binary is signed by Liquidware, so that no one can hijack the elevation process and gain administrator rights on the OS. When the policy setting "Check for publisher's certificate revocation must be enforced" is enabled, the binary performing the certificate check must also retrieve the certificate's CRL from its URL to confirm that the certificate is valid. Because the elevation functions run under the SYSTEM account, that URL cannot be reached, and trust verification fails.

 

The resolution is to move away from code-signing verification as the check that validates the binaries, and instead whitelist the SHA1 hashes of client.exe and lwl.profileunity.client.net.exe together with a hash of the C:\Program Files\ProfileUnity folder. This is just as secure as certificate checking.

 

Step 1) Create the SHA1 hash for client.exe (to be done with each patch or update of the ProfileUnity client)

a) Go to http://onlinemd5.com/

b) Browse to C:\Program Files\ProfileUnity and select the file "client.exe"

c) Checksum type: SHA1

d) Copy the file checksum. Example: "1D48D9E0E0B70AC3CA6551D0C5C35343A25123EA"

 

 

Step 2) Create the SHA1 hash for lwl.profileunity.client.net.exe (to be done with each patch or update of the ProfileUnity client)

a) Go to http://onlinemd5.com/

b) Browse to C:\Program Files\ProfileUnity\Client.net and select the file "lwl.profileunity.client.net.exe"

c) Checksum type: SHA1

d) Copy the file checksum. Example: "8E15FC93DB8F7642D0EB013E251B894119142FE8"

 

Step 3) Create the folder hash for C:\Program Files\ProfileUnity (to be done with each patch or update of the ProfileUnity client)

a) Open PowerShell as an elevated user

b) Use the script below to create a custom function. Copy and paste it into your PowerShell prompt:

Function Get-FolderHash
{
    param ($folder)

    # Write-GridLog is not a built-in cmdlet; Write-Host is used instead so the
    # function runs in a plain PowerShell prompt without errors.
    Write-Host "Calculating hash of $folder"
    # Every file under the folder, recursively (directories are skipped).
    $files = dir $folder -Recurse |? { -not $_.psiscontainer }

    # Concatenate each file's contents followed by its name, then hash the whole
    # byte stream once. This produces an MD5 hash (32 hex characters), matching
    # the example folder hash used in lwl_elevation_service.xml below.
    $allBytes = new-object System.Collections.Generic.List[byte]
    foreach ($file in $files)
    {
        $allBytes.AddRange([System.IO.File]::ReadAllBytes($file.FullName))
        $allBytes.AddRange([System.Text.Encoding]::UTF8.GetBytes($file.Name))
    }
    $hasher = [System.Security.Cryptography.MD5]::Create()
    $ret = [string]::Join("",$($hasher.ComputeHash($allBytes.ToArray()) | %{"{0:x2}" -f $_}))
    Write-Host "hash of $folder is $ret."
    return $ret
}

c) Hit Enter after pasting the script to return to a PowerShell command prompt.

d) Run the command:

Get-FolderHash "C:\Program Files\ProfileUnity"

e) You may see some errors when running this command, but the hash will be the last line displayed.

 

f) Copy the hash (example: "4c425a64889dd93dfd03382d189b89ed") and save it in Notepad.

 

Step 4) Update lwl_elevation_service.xml

a) ProfileUnity is not in the base image and is installed using GPO.

Open lwl_elevation_service.xml from \\domain\netlogon\profileunity\elevation.zip

Edit lwl_elevation_service.xml to:

<?xml version="1.0" encoding="utf-8"?>
<configuration version="1.0">
  <!-- valid log levels are emergency=0, alert=1, critical=2, error warning -->
  <!-- notice, informational, and debug, -->
  <log path="C:\Windows\Temp\ProfileUnity" level="debug" />
  <data path="C:\Program Files\ProfileUnity\Elevation" />
  <policy>
    <whitelist>
      <path hash="1D48D9E0E0B70AC3CA6551D0C5C35343A25123EA"/>
      <path hash="8E15FC93DB8F7642D0EB013E251B894119142FE8"/>
      <path hash="4c425a64889dd93dfd03382d189b89ed"/>
    </whitelist>
    <blacklist></blacklist>
  </policy>
</configuration>
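As an added example (not Liquidware's code or a supported tool), the following PowerShell performs Steps 1 and 2 locally with Get-FileHash rather than uploading the client binaries to a third-party website, records the Authenticode signature status that the elevation service log complains about, and inserts the hashes into the whitelist of lwl_elevation_service.xml using the layout shown above. The install paths are those used in this article; the XML path C:\Temp\elevation\lwl_elevation_service.xml is an assumption (an extracted copy of elevation.zip), and the folder hash is taken from the Get-FolderHash function in Step 3.

```powershell
# Added example, not Liquidware's code. Assumes the install paths used in this
# article and an extracted copy of elevation.zip in C:\Temp\elevation (assumed).

# Steps 1 and 2 done locally: Get-FileHash (PowerShell 4.0 and later) replaces
# the upload to onlinemd5.com, so the client binaries never leave the machine.
function Get-WhitelistHashes {
    param ([string]$InstallDir = 'C:\Program Files\ProfileUnity')

    $binaries = @(
        (Join-Path $InstallDir 'client.exe'),
        (Join-Path $InstallDir 'Client.net\lwl.profileunity.client.net.exe')
    )
    foreach ($bin in $binaries) {
        # Record the Authenticode status next to the hash. From an interactive
        # account this is usually "Valid" even when the SYSTEM account cannot
        # reach the CRL, which is exactly why the hash whitelist is needed.
        $sig = Get-AuthenticodeSignature -FilePath $bin
        [pscustomobject]@{
            Path      = $bin
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
            SHA1      = (Get-FileHash -Path $bin -Algorithm SHA1).Hash
        }
    }
}

# Step 4 helper: add <path hash="..."/> entries to <policy><whitelist> in
# lwl_elevation_service.xml. Existing entries are kept and duplicates are
# skipped, so the function can be re-run after each client update.
function Add-ElevationWhitelistHash {
    param (
        [Parameter(Mandatory)] [string]$XmlPath,
        [Parameter(Mandatory)] [string[]]$Hash
    )
    [xml]$doc = Get-Content -Path $XmlPath -Raw
    # SelectSingleNode is used instead of $doc.configuration.policy.whitelist
    # because PowerShell returns an empty <whitelist></whitelist> as a string.
    $whitelist = $doc.SelectSingleNode('/configuration/policy/whitelist')
    if ($null -eq $whitelist) { throw "No /configuration/policy/whitelist in $XmlPath" }

    $existing = @($whitelist.SelectNodes('path') | ForEach-Object { $_.GetAttribute('hash') })
    foreach ($h in $Hash) {
        if ($existing -contains $h) { continue }
        $node = $doc.CreateElement('path')
        $node.SetAttribute('hash', $h)
        [void]$whitelist.AppendChild($node)
    }
    $doc.Save($XmlPath)
}

# Usage (run from an elevated PowerShell prompt):
$hashes = Get-WhitelistHashes
$hashes | Format-Table -AutoSize
$folderHash = Get-FolderHash 'C:\Program Files\ProfileUnity'   # function from Step 3
Add-ElevationWhitelistHash -XmlPath 'C:\Temp\elevation\lwl_elevation_service.xml' `
    -Hash (@($hashes.SHA1) + $folderHash)
```

After the file is saved, return it to elevation.zip and continue with the deployment bullet that matches your environment (GPO, base image, or physical machines). Because the whitelist is keyed on hashes, the script must be run again after every client patch, as the note at the end of this article states.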

 

b) ProfileUnity is in the base

Perform all steps in bullet "a" above.

Go to the base image and run LwL.ProfileUnity.Client.Startup.exe /uninstall, then run LwL.ProfileUnity.Client.Startup.exe again.

Recompose

 

c) ProfileUnity is installed on physical machines

Perform all steps in bullet "a" above.

Edit LwL.ProfileUnity.Client.Startup.exe.config

Find these two lines:

<setting name="ElevationVersion" serializeAs="String">

<value>6.5.5696-d5e8616</value>

Increment the last character of the version value by one.

Example: <value>6.5.5696-d5e8617</value>

Save. 

Restart Physical Machines.

 

NOTE: Any time there is an update to the ProfileUnity client version, these steps will need to be done in their entirety again.

 

 

 

 
