There are four Maintenance Modes in which ThreatLocker Application Control can operate. The goal is to keep your endpoints in Secured Mode at all times and only enable the other modes to perform specific tasks such as updating or installing new software.
Secured Mode
In Secured Mode, no Applications will be permitted to execute unless you have created a Policy to allow them to run.
Installation Mode
Installation Mode is intended to temporarily disable blocking to allow you to install new software. It also catalogs all files in the software that is being installed so that it can be used in the future by that computer or any other computer with a Policy for that software. For example, if you need to install new software, change the mode to Installation in the quick dropdown menu located next to the computer name you are installing software on, pick the name of the intended software, let it install and then return the computer to Secured Mode. Installation Mode catalogs the files that are installed/created/changed on the machine.
By default, when you enable Installation Mode, it will be enabled for one hour unless you specify a different time, and once the hour is up, Secured Mode will be enabled regardless of the maintenance mode that was in effect before it was switched to Installation Mode.
Installation Mode is the preferred method for installing new software and updating existing software.
Please note that if you are installing software that has never been used before in your environment, from the Computers page, you will need to utilize the Maintenance Mode button so you can create a new Application and give it a name. If you are approving an Approval Request from the Approval page, you can create and name a new Application directly from the same Approval Request.
Learning Mode
Learning Mode also disables blocking temporarily. In addition to learning the installed files, it also learns what is trying to run on your computer that you don't have a policy set to explicitly deny(anything that would normally be caught by the default policy). Learning Mode is good as an "oops mode" wherein if you have tried to install software but forgot to turn on Installation Mode and the installation was blocked, then you can go back and enable Learning Mode and run the installation again to capture the files that were denied. To enable Learning Mode, select Learning from the quick dropdown and then choose the name of the Application you want to learn. Run the Application, and it will catalog all the files that are being installed and files that would ordinarily be blocked and add them to the Application. After that, you can place your computer back into Secured Mode.
By default, when you enable Learning Mode, it will be enabled for one hour unless you specify a different time, and once the hour is up, Secured Mode will be enabled regardless of the maintenance mode that was in effect before it was switched to Learning Mode.
Learning Mode casts a much wider net than Installation Mode. When installing or updating a single program, we recommend using Installation Mode.
Please note that if you are installing software that has never been used before in your environment, you will need to utilize the Maintenance Mode button so you can create a new Application and name it.
Monitor Mode
Monitor Mode will also disable blocking temporarily. No changes will be learned in Monitor Mode but files that are executing will be logged in the Unified Audit. This is useful for administrators to allow a one-time function that you don't want any Policy created around. It allows you to monitor the activity without worrying that it will be permitted in the future.
By default, when you enable Monitor Mode, it will be enabled for one hour unless you specify a different time, and once the hour is up, Secured Mode will be enabled regardless of the maintenance mode that was in effect before it was switched to Monitor Mode.
Advanced Options
Selecting the Advanced Options icon will open the Maintenance Mode window. The Maintenance Mode Window provides more advanced options when setting a Maintenance period. Below, you can see the side window that pops up on the right, allowing you to schedule other modes such as Elevation Mode, Disable Tamper Protection, and Disable ThreatLocker Detect alerts.