Configuring ProfileUnity with Windows 10/11 AppLocker

Microsoft Windows 10/11 AppLocker prevents ProfileUnity from running. Users either cannot log on to the ProfileUnity Client or when they do, they notice that certain features do not run or do not run properly.

To resolve this issue, you must create AppLocker exception rules for the ProfileUnity NETLOGON directory as well as other paths used by ProfileUnity executables.

Rule 1: ProfileUnity NETLOGON Directory

  • Create rule in: Executable Rules and Script Rules
  • Permissions:
    • Actions: Allow
    • Users or Group: Everyone
  • Permissions: Path
  • Path: \\<DomainName>\netlogon\ProfileUnity\*
  • Exceptions: None
  • Name (Example): ProfileUnity – Network Share

This is the current deployment path. If unsure, check the ProfileUnity console by going to Administration > ProfileUnity Tools > Deployment Path.

Rule 2: ProfileUnity User Temp Directory

  • Create rule in: Executable Rules and Script Rules
  • Permissions:
    • Actions: Allow
    • Users or Group: Everyone
  • Permissions: Path
  • Path: C:\Users\*\AppData\Local\Temp\prox*
  • Exceptions: None
  • Name (Example): ProfileUnity – Users Temp Folder

This directory and these files only exist during ProfileUnity execution and do not appear within a user session. You can make them appear temporarily by re-running C:\Program Files\ProfileUnity\userinit.exe, which re-runs the login process but leaves the temporary files for troubleshooting purposes.

This directory can be redirected to a fixed location like C:\Temp using ProfileUnity ADM GPO template. In this case, use the redirected location for the rule.

Rule 3: ProfileUnity Client.NET Directory

  • Create rule in: Executable Rules
  • Permissions:
    • Actions: Allow
    • Users or Group: Everyone
  • Permissions: Publisher
  • Publisher: Import Publisher information using the following:
    1. Browse to the ProfileUnity Install folder. The default location is:
      C:\Program Files\ProfileUnity
    2. Go to the Client.NET sub-folder.
    3. Select one of the executables, for example:
      LwL.ProfileUnity.Client.exe
    4. Move the slider up to point to Publisher. All other fields will be ‘*’.
    5. Click Next.
  • Exceptions: None
  • Name (Example): ProfileUnity – Publishers Signature

Rule 4: ProfileUnity Client Install Directory

  • Create rule in: Executable Rules and Script Rules
  • Permissions:
    • Actions: Allow
    • Users or Group: Everyone
  • Permissions: Path
  • Path: %PROGRAMFILES%\ProfileUnity\*
  • Exceptions: None
  • Name (Example): ProfileUnity – Install Folder

This rule uses the default installation path using the AppLocker path variable. If the install uses a non-default path, use the correct full Installation Path.

AppLockerRules for FlexApp DIA Packages

If using FlexApp DIA apps, all executables in the DIA must have the same signature for the DIA to work correctly. Using a rule with custom values with wildcards for the publisher string can also be used to make the rule more inclusive if the signatures do not match exactly, otherwise multiple signature rules must be used.

Rule 5: DIA Publisher Rule

  • Create rule in: Executable Rules
  • Permissions:
    • Actions: Allow
    • Users or Group: Everyone
  • Permissions: Publisher
  • Publisher: Import Publisher information using the following:
    1. Browse to the install folder of the App.
    2. Select one of the Apps executables.
    3. Move the slider up to point to Publisher. All other fields will be ‘*’.
    4. Click Next.
  • Exceptions: None
  • Name (Example): ProfileUnity DIA – Publishers Signature <App Name>

For .exe files that are not signed, a Path or File Hash rule can be used.

Path Rule

  • Create rule in: Executable Rules and Script Rules
  • Permissions:
    • Actions: Allow
    • Users or Group: Everyone
  • Permissions: Path
  • Path: \DEVICE\*\VOLUMES\C\<APP FOLDER PATH>\*

Example\DEVICE\*\VOLUMES\C\PROGRAM FILES\<APP SUB-FOLDER>\*

  • Exceptions: None
  • Name (Example): ProfileUnity – Users Temp Folder

File Hash Rule (for unsigned executables)

  • Create rule in: Executable Rules
  • Permissions:
    • Actions: Allow
    • Users or Group: Everyone
  • Permissions: File Hash
  • Select the executable to generate the rule from:
    1. Click Browse Files (or Browse Folders if that can be used).
    2. Browse to the install folder of the executable.
    3. Select the executable and click Open.
    4. Click Next.
  • Name (Example): ProfileUnity DIA – File Hash <EXE Name>

The File Hash rule must be updated whenever the executable is changed or updated.

If there are any issues running ProfileUnity during logoff, add:

\\domain\netlogon\ProfileUnity\lwl.profileunity.client.logoff.exe 

as a File Hash Rule to the Allow list the same way as it is done for .exe files that are not signed.