Note: The most secure way to permit applications into your organization is to install them using the ThreatLocker Testing Environment and create policies to permit the installed applications at the level they are needed. The next most secure way is to permit applications for a single computer using Application Control Installation Mode from within the Approval Request window and create policies to permit the installed applications for other groups or computers that require them. Application Control Learning Mode will capture all files that are executed or installed on a machine and are not currently permitted or denied by an existing policy. As this permits a much broader range of files, it is important that Application Control Learning Mode be used sparingly.
There are eight Maintenance Modes in which ThreatLocker Application Control can operate. The goal is to keep your endpoints in ‘Secured Mode’ at all times and only enable the other modes when needed to perform specific tasks.
Maintenance modes can be enabled in two ways: from the ‘Devices’ page, or through the advanced options found in the ‘Maintenance’ tab.
Changing Maintenance Modes in the Devices Page
Navigate to the 'Devices’ page using the left-hand menu.
From here, navigate to the computer you wish to change the maintenance mode on. A dropdown under the ‘Mode’ column displays the maintenance mode that the machine is in.
Selecting this dropdown will display five maintenance mode options for you to choose from:
Secured Mode
In ‘Secured Mode’, no Applications will be permitted to execute unless you have created a Policy allowing them to run. This is the mode that your machines should always be in unless you require a specific maintenance mode to perform a task.
Application Control Learning Mode
‘Application Control Learning Mode’ disables blocking temporarily. This maintenance mode is capable of learning files that are executing or installing on a machine during the maintenance period. It will learn any file that executes or installs which is not already part of a permit or deny policy.
‘Application Control Learning Mode’ can be used during the installation or execution of files to ensure that all files related to the application you are running are learned into your environment. This is useful when you have software that might be used by multiple computers, as ‘Application Control Learning Mode’ can create a new Application, allowing you to attach new policies to it for other machines. To enable ‘Application Control Learning Mode’, select ‘Application Control Learning Mode’ from the quick dropdown, then select ‘Application’ from the menu. Select the dropdown to choose the Application you would like to permit files to. Run the Application, and it will catalog all the files that are being installed and files that would ordinarily be blocked, adding them to the Application. After that, you can place your computer back into ‘Secured Mode’.
Selecting either ‘Computer’ or ‘Group’ from the menu will activate Automatic Learning. Automatic Learning will create multiple Applications based on what is run on the machine during the period that the maintenance mode is enabled. Selecting ‘Computer’ or ‘Group’ will create policies for each new Application at the machine or group level, depending on which is chosen.
If you select ‘Application’ on the menu, then select < Automatic > from the dropdown, it will enable ‘Automatic System’. ‘Automatic System’ only learns drivers and miscellaneous Windows files, so it would not be an appropriate choice for trying to install new software. This ‘Automatic System’ option is normally used when onboarding new computers to learn the drivers and system files that are unique to that machine.
By default, when you enable ‘Application Control Learning Mode’, it will be turned on for one hour unless you specify a different time. Once the hour is up, ‘Secured Mode’ will be enabled regardless of the maintenance mode that was in effect before it was switched to ‘Application Control Learning Mode’. Files that are not already permitted on the machine through a Policy will be blocked and require approval to run on the machine.
If you are installing software that has never been used before in your environment, you will need to utilize the Advanced Maintenance mode. This can be accessed by selecting the ‘Advanced’ button in the ‘Application Control Learning Mode’ menu.
You can also select the ‘Schedule Maintenance’/Wrench button to the right of the ‘Maintenance Mode’ dropdown.
Both options will bring you to the ‘Maintenance’ tab for that computer’s page, allowing you to make more granular Maintenance Mode configurations like creating new applications to learn files into. This will be covered in the ‘Advanced Options’ section below.
Application Control Monitor Only
‘Application Control Monitor Only’ will also disable blocking temporarily. No changes will be learned in ‘Application Control Monitor Only’ mode, but files that are executing will be logged in the Unified Audit. This is useful for administrators to allow a one-time function for software that does not require a new policy to be made. It allows you to monitor the activity without worrying that it will be permitted in the future.
By default, when you enable ‘Application Control Monitor Only’ mode, it will be enabled for one hour unless you specify a different time. Once the hour is up, ‘Secured Mode’ will be enabled regardless of the maintenance mode that was in effect before it was switched to ‘Application Control Monitor Only’ mode. Once in ‘Secured Mode’, Application Control restrictions will be enabled again.
Network Control Monitor Only
‘Network Control Monitor Only’ mode allows all network traffic but logs it in the Unified Audit. This mode is also enabled for an hour unless a different time is specified. When the period ends, the machine will switch to ‘Secured Mode’ regardless of the maintenance mode that was in effect prior to it being switched to ‘Network Control Monitor Only’ mode. Once in ‘Secured Mode’, Network Control restrictions will be enabled again.
Storage Control Monitor Only
‘Storage Control Monitor Only’ mode disables any Storage Control restrictions that might be in place. Data access will be logged in the Unified Audit during this time. ThreatLocker will enable this mode for an hour by default, but a different time can be specified. When the period ends, the machine will be switched to ‘Secured Mode’ regardless of the maintenance mode that was in effect prior to it being switched to ‘Storage Control Monitor Only’ mode. Once in ‘Secured Mode’, Storage Control restrictions will be enabled again.
Changing Maintenance Modes Using Advanced Options
Selecting the Schedule Maintenance icon will open the Maintenance Mode window. The Maintenance Mode Window provides more advanced options when setting a Maintenance period. The ‘Maintenance Type’ dropdown menu displays all maintenance modes that your machine can be put into. This allows you to have more granular control of the mode parameters and provides you with additional maintenance modes such as ‘Elevation Mode’, ‘Disable Tamper Protection’, and ‘Disable ThreatLocker Detect’.
Application Control Learning Mode (Advanced Options)
‘Application Control Learning Mode’ is the main mode that is affected by the Advanced Maintenance Mode window. As mentioned above, using the Advanced Maintenance Mode window, you can create new Applications with Application Control Learning Mode. Select ‘Application Control Learning Mode’ from the ‘Maintenance Type’ dropdown.
Under this, you can select the start and end dates for the learning period. By default, ThreatLocker will select a period of one hour.
Next, switch the ‘Application’ button from ‘Existing’ to ‘New’. This will create a new field in which you can put the name of the new Application you would like to create during the learning period. Under this, select which group or computer you would like to permit the Application for, then select the ‘Add Scheduled Maintenance’ button to start ‘Application Control Learning Mode’.
Additionally, to enable Automatic Learning from within this page, you can select < Automatic > from the ‘Existing Application’ dropdown.
Selecting this option will provide you with a new dropdown titled ‘Permit learned Applications for’. The options provided are ‘Computer’, ‘Computer Group’, and ‘System Policies only’. These options reflect the ones available within the Devices page, allowing you to automatically create new Applications for the Computer or Computer Group, or to focus solely on creating policies for drivers and Windows files.
Disable Tamper Protection
‘Disable Tamper Protection’ mode removes the protection against tampering with ThreatLocker files, services, and registry entries. This is required as part of removing the ThreatLocker agent; otherwise, Tamper Protection will prevent you from doing so. If you have any other questions regarding disabling Tamper Protection, please refer to the Disable Tamper Protection article.
Disable ThreatLocker Detect
‘Disable ThreatLocker Detect’ mode will prevent potential alerts for ThreatLocker Detect from populating during the specified time. This mode should be used when performing administrative tasks that have the potential to generate Detect alerts, thus ensuring that ThreatLocker Cyber Heroes or your ThreatLocker Detect admin do not receive false positive alerts during maintenance time.
Elevation Mode
‘Elevation Mode’ enables Elevation for all applications, allowing any application to run with administrative privileges. By default, the suggested length of time for Elevation Mode to be enabled is one hour.
Changing Maintenance Modes Using Multiselect
From within the 'Devices' page, you can choose to schedule maintenance on multiple devices at once.
Using the checkboxes to the left of the Device names, select all of the devices you wish to change the maintenance mode on.
Once your devices are selected, you will see that there are new buttons above the list of devices. Select the 'Schedule Maintenance' button.
Selecting this button will open a popup window titled 'Schedule Maintenance'.
From here, you will be given four maintenance mode options:
- Application Control Monitor Only
- Application Control Learning Mode (Group)
- Application Control Learning Mode (Computer)
- Disable Tamper Protection
First, select the start and end dates for your maintenance period. By default, ThreatLocker will suggest one hour.
Next, select the dropdown to choose your maintenance mode.
Note: Both options for Application Control Learning Mode in this section will function as Automatic Learning. New Applications and Policies will be created based on whether the Group or Computer option is selected.
Select the checkbox to the left of the 'Allow the user to end the schedule from the Computer' option if you wish to allow the user to end the maintenance mode early.
Once all settings have been chosen, select the 'Start Maintenance (number of devices)' button at the bottom of the window.
Ending the Maintenance Mode
From the Devices Page
To end the maintenance mode early from within the 'Devices' page, navigate to the dropdown menu within the 'Mode' column of the computer whose maintenance mode you are ending.
Select the dropdown menu, then select 'Secured Mode' from the options. Your maintenance period will end, and the computer will be set to 'Secured Mode' indefinitely until another maintenance mode is enabled.
From the Maintenance Tab
To end your maintenance mode early, navigate to the ‘Maintenance History’ section of the ‘Maintenance’ page. Maintenance modes that are still active will have a button labeled ‘End’ in the top right corner. Select this button to end the maintenance mode.
Your maintenance period will end, and the computer will be set to 'Secured Mode' indefinitely until another maintenance mode is enabled.
From the Multiselect Tool
To end the maintenance mode early, use the checkboxes to the left of all devices to select the ones you want to end the maintenance mode for.
Once all devices have been selected, you will see that new buttons appear above the list of devices. To the left of the 'Schedule Maintenance' button, there will be a 'Secure Mode' button. Select this, then select 'Yes' to confirm that you would like to apply 'Secured Mode' to all devices you have selected.
All devices that were selected will now be moved into 'Secured Mode' indefinitely until another maintenance mode is enabled.