Changing How Computers Initially Learn Once Deployed (Computer, Group, or System Policies)
You can change how you want ThreatLocker to create Policies while your endpoints are in their initial Learning Mode.
Create Group Policies
By default, computer groups will be set to 'Create group Policies', meaning the Applications that are found are learned across an entire computer group. For example, if ThreatLocker finds Notepad++ on one of your computers, it will automatically create a Policy to allow it on all computers in that group. 'Create group Policies' is useful if you have a standard set of Applications you need to allow on all computers in a certain group.
However, if you want to further reduce your attack surface and allow Applications only on the specific computers they are used, you may want to change this default setting. Navigate to the Computer Groups page. Click on the pencil icon next to the computer group you want to change these default learning settings on.
The new setting will take effect on computers that have the ThreatLocker Agent deployed to after the setting is changed.
Create Computer Policies Only
To permit Applications only on the computers they are learned on, you can select 'Create computer policies only'. This would apply the Policies only to the computer the Application was learned on. The Application Definition would still be available to your entire organization, and you could easily add a Policy for that Application anywhere else you wanted it applied.
For example, let's assume you have 3 computers in your accounting department that need to use Quickbooks, but no other computers need access to Quickbooks, you could use this option and only the computers that currently use Quickbooks will have a Policy allowing Quickbooks. If you had a 4th computer in the future that needed to use Quickbooks, you could easily add that Policy that was created for the first 3 computers to the 4th computer without needing to go through Learning or Installation Mode.
Create System Policies for Computer Only
In a very strict environment, you could choose 'Create System Policies for Computer Only'. This would create a Policy for files that ThreatLocker deems as drivers and a Policy for miscellaneous Windows files on each computer individually.
This could be useful if you have a well-established group of Policies and you don't want to allow anything else. You can install new computers using this option and that way no new Applications that may happen to be on that computer are permitted in your secure environment.
Do Not Automatically Create Policies
And the last option is 'Do not automatically create Policies'. This would only scan the Baseline of the computer and not create any Policies.
This also places the computer into Monitor Only Mode. Nothing will be blocked, but nothing will be learned.
This could be useful for adding a new computer to a strict and rigid environment where all your computers are templated. In this instance, you could place a single computer into Learning Mode manually and set all the others to 'Do not automatically create Policies'. The Policies created from the single computer in Learning Mode can then be applied to the computers that did not have Policies automatically created. If this learning computer was set to create group Policies, all the Policies learned will be set for the entire group to use automatically.
Please note: Different versions of Windows OS have different files and different drivers, so be very careful when installing using this method.