The first improvement you will notice is that the ‘Monitor Only’ mode box has been removed. It has been replaced with a quick dropdown ‘Status’ box which represents the current security status of ThreatLocker and provides a quick way of changing this status.  

Enabling Protection

The ‘Enable Protection’ box ends all maintenance periods and secures all the selected computers. At any time, to end all maintenance periods and re-enable protection, select the box next to the computer you wish to end maintenance on and enable protection on and click the ‘Enable Protection’ box placing the selected computer into a ‘Secured’ status.

Disabling Protection

The ‘Disable Protection’ box allows you to place multiple computers into Monitor Only Mode or Learning Mode at once.

Enabling Monitor Only Mode

To place computers in Monitor Only Mode first, select the checkbox next to the computers you wish to enable Monitor Only Mode on. Then, select the ‘Disable Protection’ box. From the dropdown menu, select the date and time you wish to re-enable protection, and do not select the box next to ‘Allow Learning based on Group Settings’.  

You will see the status read ‘Monitor Only’ in red. This status means that no execution or Ringfencing policies that don’t have explicit denies will be blocked. Nothing will be learned in ‘Monitor Only’ Mode. All actions will be logged in the Unified Audit.

Enabling Learning Mode

To enter ‘Learning Mode’ you need to click the check box next to ‘Allow Learning Based on Group Settings’.  

After clicking ‘Start’ the status will change to ‘Learning Mode’. 

When computers are first installed, they will stay in ‘Learning Mode’ based on the computer group settings. Navigate to ‘Computer Groups’, then the specific group to enter the group management window where you can view or change the default Learning Mode duration setting via the ‘Initial Learning Mode Duration for New Computers’ dropdown menu. This change will take effect on computers that are installed AFTER this setting is changed.

Client Version

The ‘Client Version’ box allows you to easily select which version of ThreatLocker you want to run on the selected computer. You can choose to ‘Inherit from Group’, or select a specific version of ThreatLocker.

Maintenance Mode

The ‘Maintenance Mode’ button replaces the ‘Start Learning Mode’ button from earlier versions. It opens up the ‘Maintenance Schedule’ menu. There are five different types of maintenance you can schedule. Multiple maintenance schedules can run at the same time.

Elevation Mode

To select the ‘Elevation Mode’, you must have the ThreatLocker Elevation product. It allows you to automatically elevate any programs that require elevation for all users or selected users.

To add an elevation period, select a start date and an end date. The default time period is one hour. Then select ‘Add Maintenance Schedule’. If you select the ‘Allow the user to End the schedule from the Computer’, a popup box will appear on the end user’s computer showing that Elevation Mode is enabled and the user can click to end the elevation period when they are done. There is also a countdown timer on the popup showing how much time is remaining.

If the ‘Allow the user to End the schedule from the Computer’ box is not checked, the popup will not appear, and Elevation Mode will run silently on the computer.

Installation Mode

Installation Mode turns off blocking for execution and Ringfencing policies and learns any changes or newly installed files on the system.

Learning Mode

Learning Mode is similar to Installation Mode. It learns what files are being installed on the computer and it learns what files would be denied using the default deny policy. If you have an application already installed and you want to learn what files are required to run it, you can put the computer into ‘Learning Mode’, select the application from the ‘Application’ dropdown menu and click ‘Add Maintenance Schedule’ to place the computer in Learning Mode.

There is also an ‘Automatic’ option in the ‘Application’ list. This is the default mode when installing new computers. This automatically learns the application name and creates policies. When you first install, the time period is set to one week. When setting on ‘Automatic’ it is not recommended to select ‘Allow the user to End the schedule from the Computer’.  

Monitor Only

‘Monitor Only’ mode is similar to the others. You select ‘Monitor Only’ and choose the start and end times. You choose which users to apply it to and then select ‘Add Maintenance Schedule’. This will turn off blocking temporarily but it will not learn. If you select the ‘Allow the user to End the schedule from the Computer’ box then the user will receive a popup stating that Monitor Only mode is temporarily enabled. 

Tamper Protection Disabled

‘Tamper Protection Disabled’ allows you to disable tamper protection for a period of time. For example, if you need to disable ThreatLocker to diagnose an issue, you can do that. It is recommended to only disable Tamper Protection when working with ThreatLocker Support.

Select ‘Tamper Protection Disabled’ and choose the start and end times. ‘Tamper Protection Disabled’ must be applied to all users. If you want the end user to receive a popup, select the box next to ‘Allow the user to End the schedule from the Computer’. Click ‘Add Maintenance Schedule’ to start the ‘Tamper Protection Disabled’ period. The status will be flagged in red.

Move Computer

‘Move Computer’ allows you to move multiple computers at once. Choose the computers you wish to move and then click the ‘Move Computer’ button.

Then you will choose the ‘Target Organization’ and the ‘Target Computer Group’ from the dropdown menus to move computers easily from one organization to another.

It is important to note that the policies applied to those computers do not get carried over to the new organization. For this reason, you may want to click the box next to ‘Enable Learning and Rescan Baseline’ before you click ‘Move’. This is not a required step, but if you do not choose this, it may block existing software on the computer.

Rescan Baseline

When you click on ‘Rescan Baseline’ you can choose whether or not to ‘Enable learning based on group settings’. If you choose not to ‘Enable learning based on group settings’, no policies will be created automatically. You will get a list of all the files on that computer in the ‘Unified Audit’.