Note: For organizations deploying to a large number of endpoints, ThreatLocker recommends using a staggered deployment approach. Organizations that deploy to a large number of endpoints at once may experience increased bandwidth usage as Windows Core and application definitions are downloaded to each endpoint. QoS can be used to limit bandwidth to corecdn.threatlocker.com and apps.threatlocker.com.
Note: This can either be done on the first deployment or by using an existing deployment script for ThreatLocker on a scheduled basis. If already in possession of an existing deployment script, the section 'ThreatLocker Automate Deployment Script' can be skipped.
Creating the Opt-in EDF:
- Open ConnectWise Automate.
- Navigate to System -> Configuration -> Dashboard -> Config -> Configurations -> Additional Fields.
- We will create a new EDF that opts in an organization at the client level:
  - Field Name: ThreatLocker Opt-In
  - Field Type: Checkbox
  - Tab: ThreatLocker
  - Data Screen: Clients
  - ToolTip: Clients that want TL deployed*
- This EDF will be used to opt in the companies you want to deploy ThreatLocker to.
- Double-click on the client you would like to deploy to.
- Click on the "Info" tab.
- Select the ThreatLocker tab.
- Click on the check box to opt the client into deployment.
Autojoin Search Creation:
- Navigate to Automation -> Searches -> View Searches.
- Select Add.
- Select the first "And" and select add a group.
- Select the second "And" and select add a condition (we will select opt-in EDF visible under clients).
The second group that we add will allow us to compound the search criteria. We will be creating a "Not And" group that allows us to only show the machines without ThreatLocker.
- Select the first "And" and add another group.
- Select the third "And" that gets created and we will change this to a "Not And".
- Select "Not And" and add a group.
The "And" that gets generated under the "Not And" will change to Services under Collection Matches.
- Select the autogenerated rule and change it to Computer.Services.Name Equals "ThreatLockerService" (without quotation marks and with the same exact camel casing).
Your search should match the image below:
Applying the Search and Script Schedule to a Group:
- Select Browse in the left nav.
- Select Groups.
We recommend creating a new Group dedicated to ThreatLocker Deployments.
- On the Group being leveraged, select the drop-down for computers under auto-join searches.
- Select the TL deployment search that was created.
- Select Limit to Search.
- At the top left, select Computers -> Scheduled Scripts.
- Select the ThreatLocker Deployment Script.
ThreatLocker Automate Deployment Script
If you do not have the script, you can download and import the XML via this link.
Note: The 'Value' for the ThreatLockerAuthKey must be changed to the Unique Identifier after importing the XML. Instructions for this are below.
- Open the script and navigate to the "Globals and Parameters" tab.
- Update the ThreatLockerAuthKey global parameter to your unique identifier from ThreatLocker. For more information on locating your unique identifier, please refer to our article, How to Locate Your Unique Identifier.
- Once updated, select Save to save the modified script.
After the script
- After selecting the script, apply a schedule that fits your use case.