Device Showing as Offline after Feature Update
It's been reported that sometimes during feature updates, Windows can automatically remove programs that it judges to be "incompatible" with the newer build. Because of this, occasionally a computer with the ThreatLocker agent installed can begin showing as 'Offline' in the ThreatLocker portal when it is actually online.
The Health Service was developed to repair any discrepancies with the ThreatLocker Service, and designed to keep the device it's installed on "Online" so long as it's being utilized and active. Once the Health Service is installed, any part of ThreatLocker that's been removed will repair itself.
Older versions of ThreatLocker that have been upgraded through the portal will not automatically install the Health Service. The Health Service can only be installed by using a newer Stub Installer file.
Note: Agents installed with the .msi file will also not include the Health Service.
What if my device seemingly has ThreatLocker completely removed?
On the PC experiencing this 'Offline' status issue, follow the next steps to confirm if ThreatLocker is installed on the device or not. This will tell you if the service can be repaired.
- Navigate to C:\Program Files\ and search for the 'ThreatLocker' folder
- Open the Registry Editor (Regedit). Navigate to HKEY_LOCAL_MACHINE > SOFTWARE and look for the ThreatLocker folder
- Open the Services application. Search for ThreatLocker Service and HealthTService
If ThreatLocker happens to be missing from all 3 of these areas, it would appear that ThreatLocker is completely uninstalled and there's nothing left to repair. As a final check, we want to see if the Driver is still running.
- Open Command Prompt
- Input the following command
sc query threatlockerdriver
In the command output, you can see that the state is 'Running'. This is because although every other part of the ThreatLocker Agent has been removed, the driver remains intact. Because the driver is still present, it is repairable with the Health Service.
Note: If you attempt to reinstall ThreatLocker at this point, it will fail because the driver is still running.
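The checks above can also be run in one pass from PowerShell on the affected PC. This is an added example, not ThreatLocker's own tooling; it uses only the folder, registry key, service and driver names given in this article, and assumes English sc.exe output.

```powershell
# Added example: the article's four checks in one pass (run on the affected PC).
# Names and paths are those quoted in the article. Matching service names against
# both Name and DisplayName is an assumption; the article does not say which it means.
$serviceNames = 'ThreatLocker Service', 'HealthTService'
$driverName   = 'threatlockerdriver'

$folderPresent   = Test-Path -LiteralPath 'C:\Program Files\ThreatLocker'
$registryPresent = Test-Path -LiteralPath 'HKLM:\SOFTWARE\ThreatLocker'
$services = @(Get-Service -ErrorAction SilentlyContinue | Where-Object {
    $serviceNames -contains $_.Name -or $serviceNames -contains $_.DisplayName
})

# In Windows PowerShell, "sc" is an alias for Set-Content, so call sc.exe explicitly.
$scOutput    = & sc.exe query $driverName
$driverState = 'NOT FOUND'
if ($LASTEXITCODE -eq 0) {
    $driverState = 'UNKNOWN'
    foreach ($line in $scOutput) {
        # Assumes English sc.exe output, e.g. "STATE : 4  RUNNING"
        if ("$line" -match 'STATE\s*:\s*\d+\s+(\S+)') { $driverState = $Matches[1]; break }
    }
}

# "Missing from all 3 areas" in the article's sense: folder, registry key, services.
$agentGone = -not ($folderPresent -or $registryPresent -or ($services.Count -gt 0))
$verdict = if ($agentGone -and $driverState -eq 'RUNNING') {
    'Agent missing from all 3 areas, driver still running: repairable with the Health Service; a reinstall will fail at this point.'
} elseif ($agentGone) {
    'Agent missing from all 3 areas and driver not running.'
} else {
    'At least one ThreatLocker component is still present.'
}

[pscustomobject]@{
    ProgramFilesFolder = $folderPresent
    RegistryKey        = $registryPresent
    ServicesFound      = ($services.Name -join ', ')
    DriverState        = $driverState
    Verdict            = $verdict
}
```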