Deploying ThreatLocker via GPO with a startup script

2 min. read, last update: 08.08.2024


Note: For organizations deploying to a large number of endpoints, ThreatLocker recommends a staggered deployment approach. Organizations that deploy to many endpoints at once may see increased bandwidth usage as Windows Core and application definitions are downloaded to each endpoint. QoS can be used to limit bandwidth to corecdn.threatlocker.com and apps.threatlocker.com.

1) Download the startup script.

2) Unzip the script and open it in the text editor of your choice.

3) Add the deployment unique identifier of the parent (Getting your Unique Identifier from ThreatLocker) to the "Key" variable on line 21.

4) Add the organization identifier of the child (on the organizations page) to the "Company" variable on line 21.

Note: If you are deploying to the parent organization, or you do not have any child organizations, simply use the parent organization's identifier (on the organizations page).

5) Save the script.

6) Open Group Policy Management on your AD server.

7) Expand Forest > Domain > Group Policy Objects.

8) Right-click "Group Policy Objects" and select "New".

9) Name your Group Policy Object and select "OK".

10) Right-click the new Group Policy Object and select "Edit".

11) Expand Computer Configuration > Windows Settings.

12) Select "Scripts (Startup/Shutdown)" and double-click "Startup".

13) Select "Browse".

14) Paste the startup script edited in steps 1-4 into the File Explorer window that opens.

15) Select the script and select "Open".

16) Select "OK".

17) Select "Apply", then select "OK".

18) Exit the Group Policy Management Editor.

19) Back in Group Policy Management, right-click the OU or domain you would like to apply the Group Policy Object to and select "Link an Existing GPO...".

20) Select the Group Policy Object, then select "OK".

21) Right-click the linked Group Policy Object and select "Enforced".

At this point, all that remains is for the endpoints to receive the updated group policy and run the startup script at their next boot.

Note: If you want to force a group policy update on an endpoint for testing, run "gpupdate /force" from CMD.

Troubleshooting

If the ThreatLocker agent is not deploying to your endpoints, work through the following troubleshooting steps:

  1. Test connectivity from the SYSTEM context using PsExec, including checking Internet Properties (inetcpl.cpl), or run Google Chrome as SYSTEM and attempt to load a web page. Startup scripts run as SYSTEM, so a proxy or firewall rule that works for a logged-on user may still block the script.

  2. Use Invoke-WebRequest to test connections to the ThreatLocker APIs (for example, Invoke-WebRequest -Uri "https://api.g.threatlocker.com").

  3. Add a delay to the script to allow network drivers to load. (This may make the boot procedure take longer on a machine.)
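The following PowerShell is an added example that combines troubleshooting steps 2 and 3; it is not ThreatLocker's startup script. It retries each of the hosts this article names from the account it is run under (run it as SYSTEM via PsExec to mirror the startup script's context), waits between attempts so network drivers can finish loading, and returns a per-host result. The host list, attempt count and delay are assumptions; adjust them to your environment.

```powershell
# Added example: pre-deployment connectivity check for the ThreatLocker hosts
# named in this article. Run under SYSTEM (for example via PsExec) so it sees
# the same proxy and firewall rules the GPO startup script will.
$ThreatLockerHosts = @(
    'https://api.g.threatlocker.com',   # API endpoint from troubleshooting step 2
    'https://corecdn.threatlocker.com', # Windows Core definitions (see the bandwidth note)
    'https://apps.threatlocker.com'     # application definitions (see the bandwidth note)
)

function Test-ThreatLockerConnectivity {
    param(
        [string[]]$Uris = $ThreatLockerHosts,
        [int]$MaxAttempts = 6,      # assumed: attempts per host before giving up
        [int]$DelaySeconds = 10     # assumed: pause between attempts (NIC driver load time)
    )
    $results = @{}
    foreach ($uri in $Uris) {
        $reachable = $false
        for ($attempt = 1; $attempt -le $MaxAttempts -and -not $reachable; $attempt++) {
            try {
                # Any HTTP response proves DNS, TCP and TLS all succeeded.
                $null = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
                $reachable = $true
            } catch {
                # A 4xx/5xx still means the host answered. A missing Response
                # points at DNS, a firewall, or TLS inspection, so wait and retry.
                if ($_.Exception.Response) {
                    $reachable = $true
                } else {
                    Start-Sleep -Seconds $DelaySeconds
                }
            }
        }
        $results[$uri] = $reachable
        $state = if ($reachable) { 'OK' } else { 'UNREACHABLE' }
        Write-Host ('{0,-36} {1}' -f $uri, $state)
    }
    return $results
}

$status = Test-ThreatLockerConnectivity
# Non-zero exit makes a failed check visible when run from a startup script.
if ($status.Values -contains $false) { exit 1 }
```

A host reported UNREACHABLE under SYSTEM but reachable as a logged-on user usually indicates a per-user proxy setting or a TLS-inspecting device that the machine account does not trust.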