Enterprise deployment
This page is for IT administrators and security teams deploying Halo Link into environments with strict application control, zero-trust, antivirus, or allowlisting policies. It documents the signing identity, network endpoints, file layout, and update process tree you need to author allowlist rules.
For standard installation steps, see the Installation page.
Quick fix
If your AV or application-control product has just blocked Halo Link, two rules cover the common case:
1. Trust the publisher. Allow files signed by Subject CN Halo Connect Pty Ltd. Covers HaloLinkService.exe, updater.exe, HaloLinkUtility.exe, all DLLs, and every MSI release.
2. Trust the updater's child processes. Allow any process whose parent is C:\Program Files (x86)\Halo Connect\Halo Link\updater.exe. Covers the unsigned aiu*.bat helpers the updater extracts to C:\Windows\SystemTemp\ during an update (see Update process tree for why this is needed).
If your product only supports one of these, rule 2 is the one updates need. Without it, auto-updates will fail. Rule 1 is recommended on top so installs and on-disk binaries are also covered.
If neither rule type is supported, fall back to path-based exclusions for the two directories in the table below.
Allowlist reference
| Scope | Value |
|---|---|
| Service install directory | C:\Program Files (x86)\Halo Connect\Halo Link |
| Updater data directory | C:\ProgramData\Halo Connect\Halo Link |
| Publisher (Authenticode Subject CN) | Halo Connect Pty Ltd |
| Updater parent path (for parent-process rules) | C:\Program Files (x86)\Halo Connect\Halo Link\updater.exe |
| Windows Service name | Halo Link Service |
| Scheduled Task name | Halo Link Updater Hourly |
If Halo Link has already been quarantined or removed by your AV, contact Support before reinstalling.
Code signing identity
All Halo Link MSI packages and binaries are Authenticode-signed. Match on Subject CN (Halo Connect Pty Ltd). Exact-Subject and thumbprint rules will break on certificate renewal even though the CN stays the same.
| Field | Value |
|---|---|
| Subject CN | Halo Connect Pty Ltd |
| Subject O | Halo Connect Pty Ltd |
| Issuer | GlobalSign GCC R45 EV CodeSigning CA 2020 (O=GlobalSign nv-sa, C=BE) |
| Serial number | 6193551D5CC83A17E09D1227 |
| Thumbprint (SHA1) | 908DC7E1B6D64241E6E921F30675D7C40B5EB16F |
| Valid from | 2025-11-28 |
| Valid until | 2029-02-03 |
| Signature algorithm | sha256RSA |
Full Subject DN (for auditors)
E=hello@haloconnect.io, CN=Halo Connect Pty Ltd, O=Halo Connect Pty Ltd, STREET="Unit 21 L, 144 Edward Street", L=Brisbane, S=Queensland, C=AU, OID.1.3.6.1.4.1.311.60.2.1.3=AU, SERIALNUMBER=672 819 993, OID.2.5.4.15=Private Organization
Address, registration number, and email fields can change when our company registration is updated. Use the full DN for an audit record only. Don't build allowlist rules against it.
Verifying a signed artifact
Expect Status: Valid with a SignerCertificate whose Subject CN matches Halo Connect Pty Ltd. The thumbprint above is valid until 2029-02-03; on renewal only the thumbprint, serial, and validity dates change.
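The check described above, as an added PowerShell example (not Halo Connect's own script). It assumes the default install directory listed on this page and matches on Subject CN rather than thumbprint, so it keeps working after certificate renewal.

```powershell
# Added example: audit Authenticode signatures of the installed Halo Link binaries.
# Assumption: default install directory from the allowlist reference table.
$InstallDir = 'C:\Program Files (x86)\Halo Connect\Halo Link'
$ExpectedCN = 'Halo Connect Pty Ltd'
$SimpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$results = Get-ChildItem -Path $InstallDir -Recurse -File -Include *.exe, *.dll, *.msi |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # GetNameInfo extracts the CN without string-splitting the DN,
        # whose STREET field contains a quoted comma.
        $cn = if ($cert) { $cert.GetNameInfo($SimpleName, $false) } else { $null }

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            SubjectCN  = $cn
            # Recorded for the audit trail only; not used for the trust decision.
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            # Trusted = signature chain validates AND the publisher CN matches exactly.
            Trusted    = ($sig.Status -eq 'Valid') -and ($cn -ceq $ExpectedCN)
        }
    }

$results | Sort-Object Trusted, File |
    Format-Table File, Status, SubjectCN, Thumbprint, NotAfter -AutoSize

# Surface anything unsigned, tampered with, or signed by a different publisher.
$failed = @($results | Where-Object { -not $_.Trusted })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) file(s) are unsigned, invalid, or signed by another publisher."
    $failed | Select-Object File, Status, SubjectCN
}
```

Point `$InstallDir` at a folder containing a downloaded MSI to check a release package before deployment.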
Network endpoints
Halo Link connects outbound only. There are no inbound listeners or ports to open.
| Purpose | Production | Staging |
|---|---|---|
| API | https://api.haloconnect.io/ | https://api.stage.haloconnect.io/ |
| Uploads / downloads | https://downloads.haloconnect.io/ | https://downloads.stage.haloconnect.io/ |
| Web PubSub (WSS) | wss://wps-haloapi-prod.webpubsub.azure.com | wss://stage-haloapi-wps.webpubsub.azure.com |
| Blob Storage | https://*.blob.core.windows.net | https://*.blob.core.windows.net |
All connections use TLS 1.2 or higher (1.3 where supported) over port 443. Web PubSub uses the WSS protocol on 443.
For proxy-server configuration, see Proxy server configuration on the Installation page.
What runs, where, and how
| Process | Role | Context | Location |
|---|---|---|---|
| HaloLinkService.exe | Windows Service. Handles queries, uploads results | LocalSystem | C:\Program Files (x86)\Halo Connect\Halo Link\ |
| updater.exe | Auto-updater, invoked by scheduled task | LocalSystem | Same as service |
| HaloLinkUtility.exe | CLI utility for diagnostics and one-shot tasks | Interactive user | Same as service |
Windows Service: Halo Link Service. Starts automatically, runs as LocalSystem.
Scheduled Task: Halo Link Updater Hourly runs updater.exe /silentall -nogui -nofreqcheck hourly as LocalSystem, with a deterministic per-install jitter (0–59 minutes) so that check-ins don't cluster. Disabling this task prevents security updates from reaching the agent.
Registry: HKLM\SOFTWARE\WOW6432Node\Halo Connect\Halo Link stores Environment, Link GUID, Halo GUIDs, Database Hostname, and PMS Type. See Log files for the full schema.
Data directory: C:\ProgramData\Halo Connect\Halo Link\ (updater working directory and logs).
Database access: Halo Link reads the local PMS database via SQL Server, Firebird, or ODBC (depending on the PMS). No remote database connectivity is initiated or required.
Update process tree
This section explains why the parent-process rule in Quick fix is needed. If you've already added that rule, you don't need to do anything here.
When Halo Link auto-updates, the signed updater.exe (the Advanced Installer Updater, "AIU") runs as LocalSystem and spawns the following process tree:
| Process | Typical path | Signed | Role |
|---|---|---|---|
| updater.exe | C:\Program Files (x86)\Halo Connect\Halo Link\ | Yes (Halo Connect Pty Ltd) | Entry point, launched by the hourly scheduled task |
| cmd.exe | C:\Windows\SysWOW64\ | Yes (Microsoft) | Runs the extracted helper scripts |
| aiu*.bat | C:\Windows\SystemTemp\upd*.tmp\ | No | Transient helper scripts emitted by the Advanced Installer updater. Randomised names, exist only during the update |
| halolink*.msi | C:\Windows\SystemTemp\ | Yes (Halo Connect Pty Ltd) | Downloaded update package |
| msiexec.exe | C:\Windows\System32\ | Yes (Microsoft) | Applies the downloaded MSI |
The aiu*.bat helpers are not individually signed and run from randomised paths, so a publisher or certificate rule alone will block them. A parent-process trust rule for updater.exe lets the helpers execute without per-file rules.
To trigger the updater manually (useful when forcing a check-in or running an audit/capture session):