KB44810 - Pulse client components clean up and Seamless Upgrade Helper tool for Browsers (Agentless) to remediate Cert issue.

This article outlines the details that admins need to know to use the Pulse client components clean up and Seamless Upgrade Helper tool for browsers.

The Client components that were part of the versions affected by KB44781 until this time had to be removed manually or via Uninstallers.

In PCS 9.1R11.5, we have provided a built-in tool for automated/seamless clean-up of browser-based Pulse client-side components.

• For Admins:

1. This option would be admin-driven, disabled by default, and is available under Maintenance -> System -> Options -> “Enable Pulse Client Components removal Tool for Cert issue Remediation”.
2. This is a Global option and cannot be customized for certain roles.
3. This applies to Windows End-Points only.
4. Admins can add customized pre-auth content to let end-users know that this option is enabled temporarily and about the functionality it offers.
   
   Authentication -> Signing-in -> Sign-in Notification -> Pre-Auth Sign-in Notification
5. This would work for end users with non-Admin rights provided there is Pulse Desktop Client and/or Pulse Secure Installer Service already installed.
6. This would run on the end point once irrespective of the client component versions currently installed.
7. This is browser-specific, i.e. once run from Chrome it will not re-run upon subsequent browser logins unless cache/cookies are removed.However, the first we run it on another supported Browser such as Edge, Firefox, it will run once again.
8. Admins can turn this option off after a certain time, based on the end user feedback/reports.

• End User Flow:

1. User enters the URL in the browser.
2. The "Pre Sign-In notification" is presented to the user (If configured).
3. User gets the Helper download prompt (As shown below).

       4. Clicks on the download (This downloads the PulseUpgradeHelper.msi)
       5. User runs the MSI.
       6. If presented with the "Windows Defender SmartScreen" Prompt as shown below,please click on “More Info” and then click on “Run Anyway” as shown below.





Microsoft smart screen that runs with Windows Defender uses prevalence to trust the certificate used in signing the Pulse Binaries. This is the expected behavior according to our CA. And, with time, the end-users will stop receiving these notifications as the trust would be built.

We involved Microsoft to update the prevalence of our application and end users should no longer see these warnings,

Note: A similar behavior may be seen with some AV vendors as well. These warnings will stop with time.

        7. After components get cleared, the “Pulse Upgrade Helper” prompt shows up as below (Pulse Desktop Client & any open instances of IE is closed upon clicking OK).



       8. After a few seconds, the end user will get the procedure completion prompt (See below).



       9. User goes back to the browser (IE users need to open a new instance of IE) and hits Click HERE to continue to log in.

• Logs:

Please provide the following log for investigation in case of any issues: C:\Users\Public\Pulse Secure\Logging\PulseSecure_KB44781

• Note:

1. This is specific to browser-related PCS components. Customers impacted by Pulse Desktop Client upgrade due to the old certificate should use the solution outlined in KB44792 - How to remove old client side components via Stand-Alone Pulse Desktop Client to resolve the Pulse Desktop Client Upgrade issue?
2. The MSI that gets downloaded is not compatible with SCCM and other similar tools.
3. In the event, the components are not cleared properly (partial removal due to inevitable conditions), the user can clear their browser cache/cookies to reinitiate the User flow outlined earlier.

PCS 9.1R11.5 is expected to release by the 3rd week of June, 2021.