Changing How Computers Initially Learn Once Deployed (Computer, Group, or System Policies)

4 min. read, last update: 01.19.2024

 


Note: For organizations deploying to a large number of endpoints, ThreatLocker recommends using a staggered deployment approach. Organizations that deploy to a large number of endpoints at once may experience increased bandwidth usage as Windows Core and application definitions are downloaded to each endpoint. QoS can be used to limit bandwidth to corecdn.threatlocker.com and apps.threatlocker.com.

You can change how ThreatLocker creates Policies while your endpoints are in their initial Learning Mode.

Create Group Policies

By default, Initial Learning Mode will be set to 'Create Computer Policies Only'. Newly created computer groups will learn Computer Level policies rather than Group Level policies. With 'Create Group Policies' selected, by contrast, if ThreatLocker finds Notepad++ on one of your computers, it will automatically create a Policy to allow it on all computers in that group. 'Create Group Policies' is useful if you have a standard set of Applications you need to allow on all computers in a certain group. If your organization was created before April 2023, you may find your groups are set to learn on the group level, but this can be adjusted to your preference.

However, if you want to further reduce your attack surface and allow Applications only on the specific computers where they are used, you may want to change this default setting. Navigate to the Computers page. Select the computer group whose default learning settings you want to change.

The new setting will take effect on computers to which the ThreatLocker Agent is deployed after the setting is changed.

Create Computer Policies Only

To permit Applications only on the computers they are learned on, you can select 'Computer Policies Only'. This would apply the Policies only to the computer the Application was learned on. The Application Definition would still be available to your entire organization, and you could easily add a Policy for that Application anywhere else you wanted it applied. 

For example, assume you have 3 computers in your accounting department that need to use QuickBooks, and no other computers need access to QuickBooks. You could use this option, and only the computers that currently use QuickBooks will have a Policy allowing QuickBooks. If a 4th computer needed to use QuickBooks in the future, you could easily add the Policy that was created for the first 3 computers to the 4th computer without needing to go through Learning or Installation Mode.

 

Create System Policies for Computer Only

In a very strict environment, you could choose 'System Policies for Computer'. This would create a Policy for files that ThreatLocker deems as drivers and a Policy for miscellaneous Windows files on each computer individually.

This could be useful if you have a well-established group of Policies and you don't want to allow anything else. You can install new computers using this option so that no new Applications that happen to be on that computer are permitted in your secure environment.

Do Not Automatically Create Policies

The last option is 'None'. This would only scan the Baseline of the computer and not create any Policies for the Learning Mode duration you select.

 

This also places the computer into Monitor Only Mode. Nothing will be blocked, but nothing will be learned.  

This could be useful for adding a new computer to a strict and rigid environment where all your computers are templated. In this instance, you could place a single computer into Learning Mode manually and set all the others to 'Do Not Automatically Create Policies'. The Policies created from the single computer in Learning Mode can then be applied to the computers that did not have Policies automatically created. If this learning computer was set to create group Policies, all the Policies learned will be set for the entire group to use automatically.

Please note: Different versions of Windows OS have different files and different drivers, so be very careful when installing using this method.
