Help CenterNote: For organizations deploying to a large amount of endpoints, ThreatLocker recommends using a staggered deployment approach. Organizations that deploy to a large number of endpoints at once may experience increased bandwidth usage as Windows Core and application definitions are downloaded to each endpoint. QOS can be used to limit bandwidth to corecdn.threatlocker.com and apps.threatlocker.com
By default, the Initial Learning Mode period will be set to create Computer Level Policies. ThreatLocker allows users to change not only the level at which policies are created, but also the duration of the Initial Learning period. This article aims to inform you on how to change these default settings to meet your organization's requirements.
Note: Changing the learning period will not affect machines that are already installed in the organization, only new installs of ThreatLocker into the organization.
Changing The Default Learning Period Settings
To change the default learning period settings, first navigate to the 'Devices' page on the left-hand side of the ThreatLocker Portal.
From the 'Devices' page, select the 'Groups' tab found in the top right corner of the page.
From the 'Groups' page, you can either select an existing computer group or select the '+ Computer Group' button to create a new one.
Now, either in the 'Edit Computer Group' or 'Create Computer Group' sidebar, navigate to the 'Computer Group Settings' section in the 'General' tab.
By default, the Initial Learning Mode duration is set to 21 days. You can change this by either using the arrows to the right of each input field or by typing out the number of days or hours you would like Learning Mode to be active for. The input field for days is located to the left, while the input field for hours is positioned to the right.
Under these fields is a switch that allows users to select an 'Indefinite' learning period for the computer group.
Note: Use this option sparingly, as it is recommended that your machines stay in Secured mode as often as possible.
Under the 'Initial Learning Mode Duration' field is a dropdown menu labeled 'Create Policies During Initial Monitoring Period'. This field determines the level at which policies will be created, if at all, during the time a machine is in Learning Mode during the initial learning period. The following options are available within this dropdown:
- Do Not Learn
- System Policies for Computer
- Computer Level Policies
- Computer Group Level Policies
The following sections will outline the meanings behind these different options.
Do Not Learn
The 'Do Not Learn' option for this dropdown allows users to only scan the Baseline of the computer. This means that all driver files unique to that machine will still be learned, but no other applications will be created.
Note: Placing this machine into 'Do Not Learn' will also put the computer into 'Monitor Only Mode' where nothing will be blocked, but nothing will be learned.
This could be useful for adding a new computer to a strict and rigid environment where all your computers are templated. In this instance, you can manually place a single computer into 'Learning Mode' and set all the others to 'Do Not Learn'. The Policies created from the single computer in 'Learning Mode' can then be applied to the computers that did not have Policies automatically created. If this learning computer were set to create group Policies, all the Policies learned would be set for the entire group to use automatically.
Note: Different versions of Windows OS have different files and different drivers, so be careful when installing using this method.
System Policies for Computer
In a strict environment, you have the option to select 'System Policies for Computer'. This would create a Policy for files that ThreatLocker identifies as drivers and policies for miscellaneous Windows files on each computer individually.
This is a useful option if you have a well-established group of policies and don't want to allow additional software onto the computers in this group.
Computer Level Policies
When creating a new computer group, this is the default option that will be selected. 'Computer Level Policies' is the selection that applies the policies learned by a machine to the computer on which the application was learned/executed. The Application Definition remains available for modification after it is created in Learning Mode, allowing the policy to be applied to additional machines within the organization.
For example, let's assume you have three computers in your accounting department that need to use QuickBooks, but no other computers require access to QuickBooks. You can use this option, and only computers currently using QuickBooks will have a Policy allowing QuickBooks. If you have a fourth computer in the future that needs to use QuickBooks, you can easily add the policy created for the first three computers to the fourth computer without needing to go through Learning or Installation Mode.
Computer Group Level Policies
Creating group policies is helpful if you have a standard set of Applications you need to allow on all computers in a specific group. If your organization was created before April 2023, you may find that your groups are set to learn on the group level; however, this can be adjusted to your preference.
When creating or editing a computer group, select the 'Computer Group Level Policies' option in the 'Create Policies During Initial Monitoring Period' dropdown. This will ensure that during the Learning Mode period, any application learned during this time will create a policy for all machines in the computer group.
