Maintenance Modes

4 min. readlast update: 07.20.2023

View in Browser

There are four Maintenance Modes in which ThreatLocker Application Control can operate. The goal is to keep your endpoints in Secured Mode at all times and only enable the other modes to perform specific tasks such as updating or installing new software.  

Secured Mode

undefined

In Secured Mode, no Applications will be permitted to execute unless you have created a Policy to allow them to run.  

Installation Mode

undefined

Installation Mode is intended to temporarily disable blocking to allow you to install new software. It also catalogs all files in the software that is being installed so that it can be used in the future by that computer or any other computer with a Policy for that software. For example, if you need to install new software, change the mode to Installation in the quick dropdown menu located next to the computer name you are installing software on, pick the name of the intended software, let it install and then return the computer to Secured Mode. Installation Mode catalogs the files that are installed/created/changed on the machine. 

By default, when you enable Installation Mode, it will be enabled for one hour unless you specify a different time, and once the hour is up, Secured Mode will be enabled regardless of the maintenance mode that was in effect before it was switched to Installation Mode.

 Installation Mode is the preferred method for installing new software and updating existing software.  

Please note that if you are installing software that has never been used before in your environment, from the Computers page, you will need to utilize the Maintenance Mode button so you can create a new Application and give it a name. If you are approving an Approval Request from the Approval page, you can create and name a new Application directly from the same Approval Request.

Learning Mode

undefined

Learning Mode also disables blocking temporarily. In addition to learning the installed files, it also learns what is trying to run on your computer that you don't have a policy set to explicitly deny(anything that would normally be caught by the default policy). Learning Mode is good as an "oops mode" wherein if you have tried to install software but forgot to turn on Installation Mode and the installation was blocked, then you can go back and enable Learning Mode and run the installation again to capture the files that were denied. To enable Learning Mode, select Learning from the quick dropdown and then choose the name of the Application you want to learn. Run the Application, and it will catalog all the files that are being installed and files that would ordinarily be blocked and add them to the Application. After that, you can place your computer back into Secured Mode.  

By default, when you enable Learning Mode, it will be enabled for one hour unless you specify a different time, and once the hour is up, Secured Mode will be enabled regardless of the maintenance mode that was in effect before it was switched to Learning Mode.  

Learning Mode casts a much wider net than Installation Mode. When installing or updating a single program, we recommend using Installation Mode.  

Please note that if you are installing software that has never been used before in your environment, you will need to utilize the Maintenance Mode button so you can create a new Application and name it. 

Monitor Mode

undefined

Monitor Mode will also disable blocking temporarily. No changes will be learned in Monitor Mode but files that are executing will be logged in the Unified Audit. This is useful for administrators to allow a one-time function that you don't want any Policy created around. It allows you to monitor the activity without worrying that it will be permitted in the future.

By default, when you enable Monitor Mode, it will be enabled for one hour unless you specify a different time, and once the hour is up, Secured Mode will be enabled regardless of the maintenance mode that was in effect before it was switched to Monitor Mode.  

Advanced Mode

undefined

Selecting Advanced Mode will open the Maintenance Mode window. You can also click the Maintenance Mode button. Either option provides the same Maintenance Mode window where you can enable any of the maintenance periods. The Maintenance Mode Window provides more advanced options when setting a Maintenance period.  

Was this article helpful?