Long Arrow Right External Link angle-right Search Send Times Loader chevron-down thumb-up thumb-down Spinner angle-left
Go to ThreatLocker

Search our Knowledge Base

Default Computer Group Policies

Updated May 9, 2023

View in Browser

ThreatLocker has provided default Policies to permit some common business Applications for you right out of the box. These default policies exist to help make your onboarding process quicker and easier.

Workstations Group Default Policies

Permit:

  • msdt.exe (Ringfenced)
  • WScript.exe (Ringfenced)
  • SpoolSv.exe (Ringfenced)
  • RingCentral Meetings (Ringfenced)
  • Zoom Video Communications, Inc. (Ringfenced)
  • Lifesize Video Conferencing Software (Ringfenced)
  • Cisco WebEx LLC (Ringfenced)
  • Blue Jeans (Ringfenced)
  • GoToMeeting (Ringfenced) 
  • Microsoft Edge Chromium (Ringfenced) 
  • Microsoft Office Installer (Ringfenced) 
  • Microsoft Office (Ringfenced) 
  • Chrome Updater (Built-In) 
  • Google Chrome (Ringfenced) 
  • Microsoft Onedrive (Built-In) 
  • Windows Communication App (Built-In)
  • Windows Phone (Built-In)
  • Windows Defender (Ringfenced)
  • Internet Explorer (Ringfenced)
  • Windows Command Prompt (Ringfenced)
  • Curl (Ringfenced)
  • Powershell (Ringfenced)
  • RunDLL - Block Internet (Ringfenced)
  • CScript (Ringfenced)
  • Windows RegSVR32 (Ringfenced)
  • Windows Scheduled Tasks (Ringfenced) 
  • WMI (Ringfenced)
  • Windows Core Files (Built-In)
  • Windows Update (Built-In)
  • Microsoft Windows HCL Publisher (Built-In)

Deny:

  • Block Hyper-V (Built-In): Hyper-V is a built-in Windows tool that allows you to create virtual computers within your computer. ThreatLocker blocks this by default to prevent a bad actor from spinning up a virtual machine in your environment to bypass your security software, including ThreatLocker.  
  • Deny Certutil.exe Policy: CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil an attacker could download files, potentially evading detection because it is using a legitimate Windows tool. 
  • Deny SignTool.exe Policy: SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy. 
  • Deny PScriptPolicy Tester Policy: PSScriptPolicy Tester is used by Windows to check to see if App Locker (Windows own built-in rudimentary Application Whitelisting program) is running. We set this policy to deny so that Windows knows Application Whitelisting is running. This Policy is also set not to show in the Unified Audit to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
  • BCDedit Deny: BCDEdit is a command-line tool for managing BCD stores. We recommend implementing this policy to harden system security by disabling the ability to change boot settings locally. 
  • Deny Disney+: Disney+ is a Windows Startup process and we recommend keeping this policy in place for businesses who wish to deny access to streaming services.
  • Default Deny Policy: At the bottom of the list, there is a default-deny Policy. Much like a firewall, any Application that hasn't matched any of the other Policies will be caught by the default-deny and be blocked.  

Servers Group Default Policies

Permit:

  • WScript.exe (Ringfenced)
  • SpoolSv.exe (Ringfenced)
  • Microsoft Onedrive (Built-In) 
  • Windows Communication App (Built-In)
  • Windows Defender (Ringfenced)
  • Internet Explorer (Ringfenced)
  • Windows Command Prompt (Ringfenced)
  • Curl (Ringfenced)
  • Powershell (Ringfenced)
  • RunDLL - Block Internet (Ringfenced)
  • CScript (Ringfenced)
  • Windows RegSVR32 (Ringfenced)
  • Windows Scheduled Tasks (Ringfenced)
  • Windows Core Files (Built-In)
  • Microsoft Windows HCL Publisher (Built-In)

Deny:

  • Deny Certutil.exe Policy: CertUtil has been exploited in the wild to perform living-off-the-land attacks. Using CertUtil an attacker could download files, potentially evading detection because it is using a legitimate Windows tool. 
  • Deny SignTool.exe Policy: SignTool is used to create digital certificates. These certificates serve as a way to ensure file integrity. In the wrong hands, it could be used to sign malware, making the files seem legitimate and trustworthy. 
  • Deny PScriptPolicy Tester Policy: PSScriptPolicy Tester is used by Windows to check to see if App Locker (Windows own built-in rudimentary Application Whitelisting program) is running. We set this policy to deny so that Windows knows Application Whitelisting is running. This Policy is also set not to show in the Unified Audit to reduce the amount of white noise included in the audit. The denies will, however, be visible in the blocked items tray on the endpoint.
  • Default Deny Policy: At the bottom of the list, there is a default-deny Policy. Much like a firewall, any Application that hasn't matched any of the other Policies will be caught by the default-deny and be blocked.  
Did this answer your question?
Thanks so much for your feedback!
%s of people found this helpful.