Note: This Agent Setting requires the ThreatLocker Windows Agent Version 10.5.3 or above. This Agent Setting is not currently available on macOS or Linux devices.
By default, placing devices in your organization into Application Control Learning Mode will learn all files executed or installed on the machine during the learning period. This excludes files that are part of an existing deny policy or those that already have permit policies associated with the machine accessing them. If no application is selected to be learned into, ThreatLocker will automatically create applications and policies for the machine in Application Control Learning Mode. It does so by using its creation algorithm, or by creating a policy tied to one of the Built-In applications that are maintained and updated by our Application Team. If this does not suit your preferences, ThreatLocker now offers an Agent Setting that allows you to customize how ThreatLocker learns applications during Application Control Learning Mode.
To apply this Agent Setting, first navigate to the 'Agent Settings' page, then select the '+ New Setting' button to open the 'Create Settings' side panel. Once opened, select the 'Setting Type' dropdown and choose 'Automatic Learning - Policy Creation' from the list.
Ensure that you select where you would like to apply this setting. By default, 'Entire Organization' will be selected, but you can also choose to apply it to a specified computer group or individual machine.
Note: This Agent Setting will only apply the policies to individual computers in your organization even if the Agent Setting is set to 'Entire Organization' or a selected computer group.
After selecting the 'Automatic Learning - Policy Creation' setting, the 'Parameters' section will now populate with a dropdown labeled 'Policy Creation Settings'.
ThreatLocker offers four options within this dropdown:
- Learn policies for Built-In and custom applications
  - This is the default setting for Application Control Learning Mode. ThreatLocker will create policies at the individual machine level, either by creating or using custom applications, or by using Built-In applications if a Built-In application exists. Applications with a deny policy or applications with an existing permit policy will not have additional policies created.
- Learn policies for custom applications only
  - This setting creates new custom applications and policies within your organization for applications that are installed or executed during the learning period. Custom applications are not maintained by ThreatLocker. Applications with a deny policy or applications with an existing permit policy will not have additional policies created.
- Learn policies for Built-In applications only
  - This setting creates policies tied to Built-In applications. Built-In applications are maintained daily by our Applications Team, who update our Built-Ins with the latest hashes and custom rules. This ensures that applications in your environment are the most secure and up-to-date version. When this setting is applied, if a user installs or executes an application that matches a Built-In, a policy will be created using that Built-In application. If the application does not match any of our Built-Ins, a custom application will be created in the organization, but no policies will be created. This ensures that you can see applications that users attempted to install during their learning period and determine whether they are acceptable to remain in your environment. Additionally, applications that do not match a ThreatLocker Built-In will display as a 'Green Deny' in the Unified Audit, as they will have been executed on the machine during the learning period, but would otherwise not have been executed had the machine been in a secured state. Applications with a deny policy or applications with an existing permit policy will not have additional policies created.
- Learn application files only (No policies)
  - This setting creates custom applications for software that is installed or executed on a machine, but does not create any policies. These applications can be used to view what users in your organization regularly access on their machines and can be assigned policies later on if it is determined that these programs are required. You can also opt to delete or create deny policies for these applications. Additionally, applications executed during this time that don't have a policy will appear as a 'Green Deny' in the Unified Audit. This is because there is no permit policy authorizing the use of the application, so it would have otherwise been denied had the machine been in a secured state. Applications with a deny policy or applications with an existing permit policy will not have additional policies created.
Once you have finished selecting the parameters for your Agent Setting, select the 'Create' button at the bottom of the page and ensure that you select the 'Update Agents' button as well. This will alert the ThreatLocker agent that settings have been changed on the associated machines.
The next time a device is put into Application Control Learning Mode, policies will be created based on the parameters you selected in this Agent Setting.