Rexec package offline after updating to 3.2.0.1 on Windows 2008 R2

  • 7022120
  • 17-Oct-2017
  • 16-Jan-2019

Environment

Privileged Account Manager 3.2.0.1
Microsoft Windows 2008 R2
Microsoft Windows 2008 R2 SP1

Situation

Session audits are not being captured on Windows 2008 R2 after updating to PAM 3.2.0.1
Rexec package status is registered, but offline
The update was previously installed successfully according to the Hosts Console Package Update
The following appears in the PAM Agent's unifid.log on the Windows server:
Error, init_audit line: 1720 rv=720006:The handle is invalid. 
Error, NPUM driver is not initialized. Try restarting NPUM service or system restart.
Error, Failed to load module rexec: Unknown error

Resolution

PAM 3.2.0.1 requires at least Microsoft Windows 2008 R2 SP1 with the security update from Microsoft Security Advisory 3033929 installed, which adds support for SHA-2 code signing. We recommend keeping Microsoft Windows on the latest security patches, which would avoid this particular issue.

After Windows has successfully been updated to the latest security patches or at least the requisite one mentioned above, please restart the server so the rexec module can start successfully.
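
The following PowerShell script is an added example, not part of the original article or of the PAM product. It checks the prerequisites named above on the affected server and, optionally, counts the rexec load errors in the agent log. The $UnifidLog parameter is an assumption: pass the actual path of unifid.log on your host.

```powershell
# Added example: checks the prerequisites named in the Resolution section.
# Written for PowerShell 2.0, which ships with Windows Server 2008 R2.
param(
    # Assumption: full path to the agent's unifid.log on this host (optional).
    [string]$UnifidLog = ''
)

$os       = Get-WmiObject -Class Win32_OperatingSystem
$is2008R2 = $os.Version -like '6.1.*'            # 6.1 = Server 2008 R2 / Windows 7
$hasSp1   = $os.ServicePackMajorVersion -ge 1

# Get-HotFix matches the exact ID only, so a miss means "verify manually",
# not proof that SHA-2 code-signing support is absent.
$kb = Get-HotFix -Id 'KB3033929' -ErrorAction SilentlyContinue

# Error strings copied from the unifid.log excerpt in the Situation section.
$signatures = @('NPUM driver is not initialized', 'Failed to load module rexec')
$hits = @()
if ($UnifidLog -and (Test-Path -Path $UnifidLog)) {
    $hits = @(Select-String -Path $UnifidLog -Pattern $signatures -SimpleMatch)
}

# Summary of what was found on this host.
New-Object PSObject -Property @{
    OSVersion        = $os.Version
    IsServer2008R2   = $is2008R2
    ServicePack      = $os.ServicePackMajorVersion
    KB3033929Listed  = [bool]$kb
    RexecErrorsInLog = $hits.Count
} | Format-List

if (-not $is2008R2) {
    'This check applies to Windows Server 2008 R2 only.'
} elseif (-not $hasSp1) {
    'Install Service Pack 1 first, then the update from Advisory 3033929.'
} elseif (-not $kb) {
    'KB3033929 is not listed. Install it, then restart the server.'
} elseif ($hits.Count -gt 0) {
    'Prerequisites are listed but the log holds rexec errors. Restart the server if that has not been done since patching.'
} else {
    'Prerequisites are listed and no rexec load errors were found.'
}
```

Error lines written before the update stay in the log, so a non-zero count after patching and restarting does not by itself mean the module is still failing; compare the timestamps of the matches with the restart time.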

Cause

Microsoft Windows needs to be able to verify the SHA-2 signature on the PAM kernel drivers.

Additional Information

For more details regarding this prerequisite Microsoft Security Patch, please refer to the following:

Microsoft Security Advisory 3033929
Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2015/3033929
https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=35b0920d-d4aa-48b9-bc23-bbd97afbd849