Multiple functionalities/features fail for End-Users with a Certificate error.
This issue started on the 12th of April, 2021 after 12:00 am UTC time as the validity of the code signing certificate expired.

1. This impacts PCS/PPS.
2. This impacts the following releases,

• 9.1R11, 9.1R11.1
• 9.1R10
• 9.1R9, 9.1R9.1
• 9.1R8, 9.1R8.1, 9.1R8.2

       3. This impacts only Windows End-Points.
       4. The following features are impacted:

• Terminal Services.
• JSAM
• HOB
• CTS
• VDI
• Secure Meeting (Pulse Collaboration).
• Host Checker.
• Launching of PDC via browser.
• SAML with External Browser with HC enabled.

This issue does not impact,

• Users who access Pulse Desktop Client directly (Not Via a Browser).
• macOS, Linux Users.
• Release prior to 9.1R8.x

The following are the fixed releases,
 

Product	Release	ETA	Download Link	Known Issues
PCS	Pulse Connect Secure-9.1R11.3 Software (Build 12173) & above	Released	Download	PDC fails to prompt for upgrade. Solution
PCS	Pulse Connect Secure 9.1R8.4 Software (Build 12177)	Released	Download	1. PDC fails to prompt for upgrade. Solution 2. The PSAL installation prompts for admin credentials on windows 8.1 for Local user.
PCS	Pulse Connect Secure-9.1R9.2 Software (Build 12181)	Released	Download	1. PDC fails to prompt for upgrade. Solution 2. The PSAL installation prompts for admin credentials on windows 8.1 for Local user.
PCS	Pulse Connect Secure-9.1R10.2 Software (Build 12179)	Released	Download	1. PDC fails to prompt for upgrade. Solution 2. The PSAL installation prompts for admin credentials on windows 8.1 for Local user.

Note:

1. Pulse Desktop versions viz., 9.1.8(8393), 9.1.9(8395), 9.1.10(8401), 9.1.11(8389) shipped/bundled with the PCS fixes per the table above do not have any new code fixes/improvements. Therefore, there is no need to use them.
2. If you do use them, please note that, Auto upgrade of Pulse Desktop Clients from 9.1.8 (8393), 9.1.9 (8395), 9.1.10  (8401) to 9.1.11 (8389) will fail. This is due to the lower build number - 9.1.11 (8389).
3. To upgrade PDC, Run the manual/Uninstaller exe step, connect to PCS and launch the PDC via the browser.
4. Recommendation/Workaround to overcome 2.

• Use SCCM or any or any other third Party Software Management control system.
• Manual Un-installation of impacted PDC before installing the newer PDC version 9.1.11 (8389).

Note - We will update PPS timelines as soon as it becomes available.

General Guidelines to install the fix :

1. The solution would involve upgrading the PCS server as well as clearing the older Pulse Secure components on the End-User devices

Note - End-Users who do not have any Pulse Secure components already installed, can skip Step # 2.

       2. The End User devices that have Pulse Secure components already installed would need to follow one of the two methods outlined below:

       a. KB44810 - Pulse client components clean up and Seamless Upgrade Helper tool for Browsers (Agentless) to remediate Cert issue.
       b. Run the Uninstall Pulse Components Executable
 

	Executable	Fix	Hashes	Guidelines
For non-IE Users	Portal Download Link: Uninstaller.exe(Under release download page) Direct Download Link: Uninstaller.exe	This ensures that Host Checker Process is stopped before uninstalling it.	MD5 Signature: c21351499944ad54efbc370510e414f8 SHA2 Signature: 57284f5dd349c6c719f90de0e6b8ddb10894c6d84dc7a3471f72fec2d2620205	End-users do not require admin privileges to run this Uninstall Pulse Components Executable.
For IE Users (Applicable to all browsers)	Portal Download Link: Uninstaller-forIE.exe (Under release download page) Direct Download Link: Uninstaller-forIE.exe	This will remove all the legacy traces of ActiveX	MD5 Signature: c0c7b3be7e01ccf64cc1aba231c973a5 SHA2 Signature: d14100452e6f08fb302fcd16bae8e3b8c83327daf1c2798765b80771b0f10a65	This tool should be run in the affected user login context. Close Internet Explorer browser instances. If there are Internet explorer process running in the background, kill them via task manager. Run uninstaller & enter your Admin credentials if prompted. Note:- Do not use Run as Administrator option Troubleshooting - If users still have issue, please collect PulseSecure_KB44781.log from \Users\<Username>\AppData\Roaming and open a support case.

Note: We strongly suggest to host these files on your respective fileshare links as necessary.

To manually remove PSAL and Setup Client components perform the following,

           

       3.  Once, Step # 2 is completed, the End-Users should be able to successfully connect to the new PCS version.

Fixed Issue # 1:

Users may see "Windows Defender SmartScreen" pop-up during the installation of Pulse Secure components.

Microsoft smart screen that runs with Windows Defender uses prevalence to trust the certificate used in signing the Pulse Binaries. This is the expected behavior according to our CA. And, with time, the end-users will stop receiving these notifications as the trust would be built.

We involved Microsoft to update the prevalence of our application and end users should no longer see these warnings,

Note: A similar behavior may be seen with some AV vendors as well. These warnings will stop with time.
 

Frequently Asked Questions :

1.    Why do we need to remove the client-side components before connecting to the new PCS server version? Is it because the Symantec code needs to be removed before the Digicert can be effective?

• The already installed binaries are signed by Symantec.
• It requires the same issuer name (CA) to replace existing binaries on the endpoints.
• As Digicert has already acquired Symantec’s Website Security and PKI solution, we can no longer obtain a Symantec certificate as they have stopped all the servers/infra that is required to manage Symantec certificate.
• Therefore, the client side pulse components need to be removed before you can successfully connect to the fixed PCS server versions.

2.    Can we use the same Pulse component uninstall executable for all the affected versions?
a.    Yes, we can use the same Pulse component uninstall executable for all the affected versions.

3.    Will the executable impact Pulse Installer service & the Pulse Desktop Client?
a.    No, the executable will not impact Pulse Installer service or the Pulse Desktop Client.

4.    Does this executable work on all Windows Operating systems?
a.    The executable works on Windows 8.1/10 (32/64-Bit).

5.    Do we have to upgrade the PCS server only after end-users clean up the pulse components?
a.    Both the activities can run independent of each other.

6.    What is the recommended software version?
a.    The recommended software version is PCS 9.1R11.4 SA44784 (Please review the Release Notes prior to upgrade).

7.    What actions should I undertake if I upgrade from PCS versions prior to 9.1R8 to 9.1R8.4/9.1R9.2/9.1R10.2/9.1R11.3/4?
a.    Although PCS versions prior to 9.1R8 do not have a functionality impact, the certificate used in them is Symantec.
       Therefore, you would need to perform the same set of actions that are applicable to the affected PCS versions.

Workaround:

• Use Pulse Desktop Client (Do not launch it through the browser).

Short Summary of all the related KBs for reference:

 

Knowledge Base Article	Solution Offered	Installs Additional components?
KB44781 - Multiple functionalities/features fail for End-Users with a Certificate error. (This KB)	Manual Steps/Uninstallers provided resolves the old (Symantec) certificate issue on Browser Related Components only.	Installs the "Pulse Setup Client" as well to facilitate connections to PCS device with new certificate.
KB44792 - How to remove old client side components via Stand-Alone Pulse Desktop Client to resolve the Pulse Desktop Client Upgrade issue?	Uninstaller provided resolves the Pulse Desktop Client upgrade issue due to the old (Symantec) certificate.	Installs "Pulse Setup Client" & "PSAL" components to facilitate backward compatibility with 9.1R7 or prior PCS connections as well.
KB44810 - Pulse client components clean up and Seamless Upgrade Helper tool for Browsers (Agentless) to remediate Cert issue.	Uninstaller comes Built-in with the PCS 9.1R11.5 & above to resolve the old (Symantec) certificate issue on Browser Related Components only.	Installs "Pulse Setup Client" & "PSAL" components to facilitate backward compatibility with 9.1R7 or prior PCS connections as well.
KB44829 - Steps to Uninstall Browser/Pulse Client related Components via SCCM	SCCM related solution to resolve the old (Symantec) certificate issue for both Pulse upgrade & Browser related components issue.	Installs "Pulse Setup Client" & "PSAL" components to facilitate backward compatibility with 9.1R7 or prior PCS connections as well.