Hard links
A hard link is the Windows file system representation of a file in which more than one path references a single file on the same volume. Microsoft now uses this approach for the Windows 10 February updates. The way MACC manages hard links causes checksum mismatches and other issues during the installation of Windows 10 updates. This issue also occurs with MACC 7.0.x and 8.0.x.
Currently, when the content behind a set of hard links is modified, the inventory information (checksum, status) is updated only for the path through which the modification was made. By default, every file has at least one hard link. The file change event does NOT include the list of other hard links associated with that file. Because the inventory information is not updated for all paths at the same time, executing the same file from a different path results in a checksum mismatch. This mismatch breaks the Windows update process.
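The mechanism described above, reproduced as an added example that is not part of the original article and not MACC's code: two paths are hard-linked to one file, a per-path checksum inventory is updated only for the path named in the change event, and the other path then fails verification. The second, identity-keyed inventory is an assumption about how such a cache could be made link-safe (keying the record by device and file index so every hard link shares one entry), not a description of MACC's design. The class and function names are invented for the example.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Checksum of the file content reachable through this path."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class PathKeyedInventory:
    """Models the behaviour the article describes: one record per path,
    and a change event refreshes only the path it was raised for."""

    def __init__(self):
        self.entries = {}  # path -> cached checksum

    def add(self, path):
        self.entries[path] = sha256_of(path)

    def on_change_event(self, path):
        # The event carries only the modified path, not its other hard links.
        self.entries[path] = sha256_of(path)

    def verify(self, path):
        return self.entries.get(path) == sha256_of(path)


class IdentityKeyedInventory:
    """Hypothetical link-safe variant: records are keyed by file identity
    (device, inode / file index), so all hard links share one record."""

    def __init__(self):
        self.entries = {}  # (st_dev, st_ino) -> cached checksum

    @staticmethod
    def identity(path):
        st = os.stat(path)
        return (st.st_dev, st.st_ino)

    def add(self, path):
        self.entries[self.identity(path)] = sha256_of(path)

    def on_change_event(self, path):
        self.entries[self.identity(path)] = sha256_of(path)

    def verify(self, path):
        return self.entries.get(self.identity(path)) == sha256_of(path)


def hard_link_count(path):
    """Number of directory entries pointing at this file (1 for an unlinked file)."""
    return os.stat(path).st_nlink


def demo():
    """Constructed scenario: an 'update' rewrites the file through one path only."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "a.exe")
        b = os.path.join(d, "b.exe")
        with open(a, "wb") as f:
            f.write(b"version 1")
        os.link(a, b)  # second path to the same file, same volume

        per_path = PathKeyedInventory()
        per_identity = IdentityKeyedInventory()
        for inv in (per_path, per_identity):
            inv.add(a)
            inv.add(b)

        # The update writes through path a; the change event names only a.
        with open(a, "wb") as f:
            f.write(b"version 2")
        per_path.on_change_event(a)
        per_identity.on_change_event(a)

        return {
            "links": hard_link_count(a),
            # (verify via a, verify via b)
            "path_keyed": (per_path.verify(a), per_path.verify(b)),
            "identity_keyed": (per_identity.verify(a), per_identity.verify(b)),
        }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a mismatch for the path-keyed inventory on path b (the one the event did not name) and a clean result for both paths with the identity-keyed inventory. On Windows, `os.stat` fills `st_ino` with the NTFS file index, so the same identity key applies there.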
Catalog Cert Extraction
Microsoft Windows binaries can be catalog signed or carry an embedded signature. MACC uses dedicated code to extract embedded certificates; the extraction can take place in kernel space or in user space. Extraction of embedded certificates is fast, and embedded signing is the only type of signing MACC supported up to the 7.0.x release.
MACC 7.0.x introduced support for reputation-based execution. In one of its workflows, a file can be allowed or blocked based on the reputation of its certificate. Because many Windows files are catalog signed, this feature requires extraction of catalog signatures. MACC uses the APIs that Microsoft provides for extracting the catalog certificates of binaries. These APIs are slow and significantly affect performance. To mitigate this, MACC stores extracted certificates in the inventory so that they can be reused. Storing them in the inventory means that certificates must be extracted once, at inventory merge time. When an upgrade runs, files change, the inventory is merged, and catalog certificate extraction takes place.
If reputation-based execution is disabled entirely, there is no need to extract catalog certificates, and extraction can be turned off with the following command:
sadmin config set CatalogCertExtractionDisabled=1
You must re-enable this feature by using the Run Command in ePO. Create a Client Task (Run Command) with the following commands (the sadmin keyword is not needed):
config set SoPriority=2
config set MaplCommLostRestart=0
so -c
config set MaplCommLostRestart=5
config set SoPriority=1
eu