Configuring ProfileUnity with Windows 10/11 AppLocker
Microsoft Windows 10/11 AppLocker prevents ProfileUnity from running. Users either cannot log on to the ProfileUnity Client or, when they do, notice that certain features do not run or do not run properly.
To resolve this issue, you must create AppLocker exception rules for the ProfileUnity NETLOGON directory as well as other paths where ProfileUnity executables reside.
Rule 1: ProfileUnity NETLOGON Directory
- Create rule in: Executable Rules and Script Rules
- Permissions:
- Actions: Allow
- Users or Group: Everyone
- Permissions: Path
- Path:
\\<DomainName>\netlogon\ProfileUnity\*
- Exceptions: None
- Name (Example):
ProfileUnity – Network Share
This is the current deployment path. If unsure, check the ProfileUnity console by going to Administration > ProfileUnity Tools > Deployment Path.
Rule 2: ProfileUnity Client Install Directory
- Create rule in: Executable Rules and Script Rules
- Permissions:
- Actions: Allow
- Users or Group: Everyone
- Permissions: Path
- Path:
%PROGRAMFILES%\ProfileUnity\*
- Exceptions: None
- Name (Example):
ProfileUnity – Install Folder
This rule specifies the default installation path by means of the AppLocker path variable. If ProfileUnity is installed to a non-default path, use the full installation path instead.
AppLocker Rules for FlexApp Packages
If using FlexApp apps, all executables in the FlexApp package must have the same signature for the application to work correctly. If the signatures do not match exactly, a rule with custom values and wildcards in the publisher string can make the rule more inclusive; otherwise, multiple signature rules must be used.
Rule 3: Select one or more Publisher, Path or File Hash Rules
FlexApp Publisher Rule
- Create rule in: Executable Rules
- Permissions:
- Actions: Allow
- Users or Group: Everyone
- Permissions: Publisher
- Publisher: Import Publisher information using the following:
- Browse to the install folder of the App.
- Select one of the App's executables.
- Move the slider up to point to Publisher. All other fields will be ‘*’.
- Click Next.
- Exceptions: None
- Name (Example):
FlexApp – Publishers Signature <App Name>
For .exe files that are not signed, a Path or File Hash rule can be used.
Path Rule
- Create rule in: Executable Rules and Script Rules
- Permissions:
- Actions: Allow
- Users or Group: Everyone
- Permissions: Path
- Path:
\DEVICE\*\VOLUMES\C\<APP FOLDER PATH>\*
Example: \DEVICE\*\VOLUMES\C\PROGRAM FILES\<APP SUB-FOLDER>\*
- Exceptions: None
- Name (Example):
ProfileUnity – Users Temp Folder
File Hash Rule (for unsigned executables)
- Create rule in: Executable Rules
- Permissions:
- Actions: Allow
- Users or Group: Everyone
- Permissions: File Hash
- Select the executable to generate the rule from:
- Click Browse Files (or Browse Folders if that can be used).
- Browse to the install folder of the executable.
- Select the executable and click Open.
- Click Next.
- Name (Example):
FlexApp – File Hash <EXE Name>
The File Hash rule must be updated whenever the executable is changed or updated.
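To decide which Rule 3 variant a FlexApp package needs, the following added example (not vendor code) inventories the executables in an application folder with the built-in `Get-AppLockerFileInformation` cmdlet and reports whether they share one publisher signature or include unsigned files. `$AppFolder` is a placeholder for the application's install folder.

```powershell
# Added example (not vendor code). $AppFolder is a placeholder for the
# FlexApp application's install folder.
param(
    [Parameter(Mandatory)]
    [string]$AppFolder
)

# Read publisher and hash data for every .exe under the folder.
$files = @(Get-AppLockerFileInformation -Directory $AppFolder -Recurse -FileType Exe)
if ($files.Count -eq 0) {
    Write-Warning "No executables found under $AppFolder"
    return
}

# Publisher is empty for files that carry no signature.
$signed   = @($files | Where-Object { $null -ne $_.Publisher })
$unsigned = @($files | Where-Object { $null -eq $_.Publisher })

# One group per distinct publisher string found in the package.
$publishers = @($signed | Group-Object -Property { $_.Publisher.PublisherName })

"Executables: $($files.Count)  signed: $($signed.Count)  unsigned: $($unsigned.Count)"
foreach ($p in $publishers) {
    "  {0,4} file(s) signed by: {1}" -f $p.Count, $p.Name
}

if ($publishers.Count -eq 1 -and $unsigned.Count -eq 0) {
    "Result: one publisher covers the whole package; a single Publisher rule fits."
}
elseif ($publishers.Count -gt 1) {
    "Result: publishers differ; use a wildcarded publisher string or one Publisher rule per signer."
}

if ($unsigned.Count -gt 0) {
    "Unsigned executables (these need a Path or File Hash rule):"
    $unsigned | Format-List Path, Hash
}
```

Re-run the inventory after each package update, since any executable covered by a File Hash rule needs its rule regenerated when the file changes.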
