Important Note: You must have the Default Deny policy in place in your computer group for Application Control Learning Mode to work. The Default Deny policy is automatically created alongside a new group in your organization, designated by the naming convention of "Default - (Group Name)". The Default Deny policy must use this naming convention for Application Control Learning Mode to work. If any of the following is true, Application Control Learning Mode will NOT work:
There is no Default Deny policy in your computer group
The Default Deny policy is named something that does not follow the "Default - (Group Name)" naming convention
For example, naming your Default Deny policy "Deny All" will prevent Application Control Learning Mode from working
Windows
After you deploy the ThreatLocker agent, it will perform its first learning baseline on what it finds and will continue learning while your computers are in Application Control Learning Mode. By default, your computers will automatically be placed into Application Control Learning Mode as defined by their computer group. During this learning period, ThreatLocker is going to attempt to learn your environment and create sufficient policies so that everything that is currently permitted and running can continue to work once you lock down your endpoints.
The ability for ThreatLocker to create these policies during the learning period is known as Automatic Policy Creation. ThreatLocker uses unique hashing algorithms during Automatic Policy Creation. Additional options include MD5, SHA1, and SHA256.
Most applications are cataloged automatically during Application Control Learning Mode, but not every one. ThreatLocker uses advanced algorithms combined with past experiences to create Application Definitions and policies when your endpoints are in Application Control Learning Mode. These algorithms can change from application to application.
As a general rule, applications that are installed in correct locations such as the Program Files folder, AppData, and in the Windows directory are going to be learned and have policies automatically created for them.
Applications that are installed in your Documents folder, Downloads folder, Desktop folder, Users folders, or files at the root of C:\ are not going to be profiled during the automatic learning period (baselining) unless ThreatLocker is able to match them to an application name.
ThreatLocker uses various algorithms and parameters to decide an application's name. When you are onboarding, ThreatLocker is trying to figure out what all your applications are. ThreatLocker uses the location of the application, what process is calling it, and many other rules in its algorithms to decide what an application is and what to name it.
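The following added example is not ThreatLocker's code or algorithm. It applies the general rule above for Windows locations to an inventory of executable paths so you can see which files to review before locking down; the three outcome labels, the treatment of Program Files (x86), and the precedence of AppData over the Users rule are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Top-level folders the page lists as learned automatically.
# "program files (x86)" is an assumption: treated the same as Program Files.
LEARNED_TOP = {"program files", "program files (x86)", "windows"}


def classify(path: str) -> str:
    """Return 'learned', 'not-profiled' or 'unspecified' for one file path."""
    p = PureWindowsPath(path)
    if not p.anchor:
        return "unspecified"  # relative path: cannot be placed
    # Folder names between the drive and the file name, lower-cased
    # because Windows paths are case-insensitive.
    dirs = [part.lower() for part in p.parts[1:-1]]
    if not dirs:
        # File sitting directly at the root of a drive.
        return "not-profiled" if p.drive.lower() == "c:" else "unspecified"
    if dirs[0] in LEARNED_TOP:
        return "learned"
    if dirs[0] == "users":
        # Assumption: AppData inside a profile counts as learned even though
        # it is under Users, because the page names AppData explicitly.
        if len(dirs) >= 3 and dirs[2] == "appdata":
            return "learned"
        return "not-profiled"  # Documents, Downloads, Desktop, other Users folders
    return "unspecified"  # the page's rule does not cover this location


def audit(paths):
    """Group an inventory of executable paths by expected baselining outcome."""
    groups = defaultdict(list)
    for path in paths:
        groups[classify(path)].append(path)
    return dict(groups)


# Constructed sample inventory, not taken from a real endpoint.
SAMPLE_INVENTORY = [
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\AppData\Local\Tool\tool.exe",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\bob\Desktop\portable\run.exe",
    r"C:\portable.exe",
    r"D:\Tools\util.exe",
]

if __name__ == "__main__":
    for outcome, items in audit(SAMPLE_INVENTORY).items():
        print(outcome, *items, sep="\n    ")
```

Paths reported as not-profiled can still be learned when ThreatLocker matches them to an application name, so treat that group as a review list to check in the portal before you lock down.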
Mac
After you deploy the ThreatLocker agent, it will perform its initial baseline based on what it detects and will continue learning while your computers are in Application Control Learning Mode. By default, your computers will automatically be placed into Application Control Learning Mode as defined by their computer group. During this learning period, ThreatLocker is going to attempt to learn your environment and create sufficient policies so that everything that is permitted and running currently can continue to work once you lock down your endpoints.
The ability for ThreatLocker to create these policies during the learning period is known as Automatic Policy Creation. ThreatLocker uses unique hashing algorithms during Automatic Policy Creation. Additional options include MD5, SHA1, and SHA256.
Most applications are cataloged automatically during Application Control Learning Mode, but not every one. ThreatLocker uses advanced algorithms combined with past experiences to create Application Definitions and policies when your endpoints are in Application Control Learning Mode. These algorithms can change from application to application.
As a general rule, applications that are installed in typical locations, such as the Applications folder and Library folders, are going to be learned and have policies automatically created for them. Applications that are installed in cloud storage are not going to be profiled during the automatic learning period (baselining).
ThreatLocker uses various algorithms and parameters to decide an application's name. When you are onboarding, ThreatLocker is trying to figure out what all of your applications are. ThreatLocker uses the path of the application, its Developer ID, what process is calling it, and many other rules in its algorithms to decide what to name an application.
Baseline
Baselining is an action taken by the ThreatLocker agent once it is first installed on a user's machine. This is an automatic learning period in which ThreatLocker catalogs applications that are present on the computer. This initial Baseline period and Application Control Learning Mode will not profile the Documents, Downloads, Desktop, or Users folders, or files at the root of C:\, unless ThreatLocker can match these files to an existing application name within the organization. During Baseline, operating system and driver files unique to the machine being baselined will be learned into an application named $hostname/Drivers or $hostname/Windows.
A policy that Baseline creates will show a Last Match within the 'Policies' section of the 'Application Control' Module; however, selecting this option will bring up no results unless the 'Baseline' action type is selected from the Unified Audit. As Baseline log information is retained indefinitely, ThreatLocker stores this data differently from other Unified Audit logs that are subject to a different data retention policy. Baseline logs can always be viewed, but you must select 'Baseline' as the action type when filtering the Unified Audit, as they are not included by default.