Help Center
Note: For organizations deploying to a large amount of endpoints, ThreatLocker recommends using a staggered deployment approach. Organizations that deploy to a large number of endpoints at once may experience increased bandwidth usage as Windows Core and application definitions are downloaded to each endpoint. QOS can be used to limit bandwidth to corecdn.threatlocker.com and apps.threatlocker.com
By default, Initial Learning Mode will be set to 'Create Computer Policies Only'.
You can change how you want ThreatLocker to create Policies while your endpoints are in their initial Learning Mode.
Create Computer Policies Only
The default behavior is to permit Applications only on the computers they are learned on. 'Computer Policies Only' is the appropriate dropdown selection that applies the Policies only to the computer the Application was learned on. The Application Definition would still be available to your entire organization, and you could easily add a Policy for that Application anywhere else you wanted it applied.
For example, let's assume you have 3 computers in your accounting department that need to use Quickbooks, but no other computers need access to Quickbooks, you could use this option and only the computers that currently use Quickbooks will have a Policy allowing Quickbooks. If you had a 4th computer in the future that needed to use Quickbooks, you could easily add that Policy that was created for the first 3 computers to the 4th computer without needing to go through Learning or Installation Mode.
Create Group Policies
Creating group policies is useful if you have a standard set of Applications you need to allow on all computers in a certain group. If your organization was created before April 2023, you may find your groups are set to learn on the group level, but this can be adjusted to your preference.
To change how computers initially learn from creating policies from the computer only to the gomputer group, navigate to the Computers page.
Here, select the computer group you want to change these default learning settings on.
Under the 'Create Policies on Basline Upload' dropdown, change the selection to 'Group Policy'.
The new setting will take effect on computers that have the ThreatLocker Agent deployed to after the setting is changed.
Create System Policies for Computer Only
In a very strict environment, you could choose 'System Policies for Computer'. This would create a Policy for files that ThreatLocker deems as drivers and a Policy for miscellaneous Windows files on each computer individually.
This could be useful if you have a well-established group of Policies and you don't want to allow anything else. You can install new computers using this option and that way no new Applications that may happen to be on that computer are permitted in your secure environment.
Do Not Automatically Create Policies
And the last option is 'None'. This would only scan the Baseline of the computer and not create any Policies for the learning mode duration you select.
This also places the computer into Monitor Only Mode. Nothing will be blocked, but nothing will be learned.
This could be useful for adding a new computer to a strict and rigid environment where all your computers are templated. In this instance, you could place a single computer into Learning Mode manually and set all the others to 'Do not automatically create Policies'. The Policies created from the single computer in Learning Mode can then be applied to the computers that did not have Policies automatically created. If this learning computer was set to create group Policies, all the Policies learned will be set for the entire group to use automatically.
Please note: Different versions of Windows OS have different files and different drivers, so be very careful when installing using this method.