ThreatLocker Application Control Policies give you the power to control what software can execute, and what that software can do on your endpoints.
When you first deploy ThreatLocker, Policies may automatically be created under a specific computer group or individual computers. You can configure how Policies are automatically created within the ‘Computer Groups’ section of the ‘Devices’ page.
You can edit, create, or modify Policies to suit your needs.
Policies run like firewall policies in order from top to bottom. Once a Policy is matched, the action for that Policy is taken, and no further Policies are processed. Policies can be applied to the Entire Organization, Individual Computers, or Computer Groups. This is dependent on how the policy is set up. If you are a parent of other organizations, policies that are applied to the "Global" group automatically apply to all your child organizations.
Policies are applied in the following order:
- Global (if you have child organizations)
- Global-Group (if you have child organizations)
- Entire Organization
- Computer
- Computer Group
Example: If you have a policy that denies access to PowerShell at the Entire Organization level, and a second policy that allows PowerShell at the Computer level, PowerShell will be blocked from executing. This is because Organizational Level Policies are always applied first.
At the end of the Computer Group policies, there is a default Policy. This Policy applies to all Applications and is set to deny by default, ensuring that any application attempting to execute that is not matched by a permit Policy above it is automatically denied.
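To make the evaluation order concrete, the following added illustration (not ThreatLocker code) models the page's first-match rule: policies are walked scope by scope in the order listed above, an inactive policy is skipped, a policy restricted to certain users only matches those users, and an unmatched application falls through to the default deny. The policy names, the computer name and the DOMAIN\USERNAME values are constructed for the example.

```python
"""Model of first-match application policy evaluation, as described on the page.
Added illustration only; scope order and default deny follow the page, everything
else (policy names, users) is constructed for the example."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Scope precedence from the page: earlier entries are evaluated first.
SCOPE_ORDER = ["Global", "Global-Group", "Entire Organization", "Computer", "Computer Group"]

@dataclass
class Policy:
    name: str
    scope: str                      # one of SCOPE_ORDER
    applications: Set[str]          # application definitions, or {"All Applications"}
    action: str                     # "Permit" or "Deny"
    active: bool = True             # the 'Policy Active' switch
    users: Optional[Set[str]] = None  # None = all users, else {"DOMAIN\\USERNAME", ...}
    position: int = 0               # order within its scope; lower runs first

def evaluate(policies, application: str, user: Optional[str] = None) -> Tuple[str, str]:
    """Return (action, policy name). Like firewall rules, the first policy that
    matches wins; if none matches, the implicit default policy denies."""
    ordered = sorted(
        (p for p in policies if p.active),
        key=lambda p: (SCOPE_ORDER.index(p.scope), p.position),
    )
    for p in ordered:
        if p.users is not None and user not in p.users:
            continue  # policy targets specific logged-in users only
        if "All Applications" in p.applications or application in p.applications:
            return p.action, p.name
    return "Deny", "Default Deny (All Applications)"

# Constructed policies reproducing the page's PowerShell scenario plus a
# user-scoped permit and a disabled policy.
EXAMPLE_POLICIES = [
    Policy("Allow PowerShell on WS01", "Computer", {"PowerShell"}, "Permit"),
    Policy("Deny PowerShell org-wide", "Entire Organization", {"PowerShell"}, "Deny"),
    Policy("Permit iTunes for CEO", "Computer Group", {"iTunes"}, "Permit",
           users={"CORP\\ceo"}),
    Policy("Allow Notepad (disabled)", "Entire Organization", {"Notepad"}, "Permit",
           active=False),
]

if __name__ == "__main__":
    # The org-level deny is evaluated before the computer-level permit.
    print(evaluate(EXAMPLE_POLICIES, "PowerShell"))           # ('Deny', 'Deny PowerShell org-wide')
    print(evaluate(EXAMPLE_POLICIES, "iTunes", "CORP\\ceo"))  # ('Permit', 'Permit iTunes for CEO')
    print(evaluate(EXAMPLE_POLICIES, "iTunes", "CORP\\bob"))  # falls through to default deny
```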
Creating a New Policy
Navigate to the ‘Application Control’ module under the ‘Modules’ tab, then navigate to the ‘Policies’ page.
Select the ‘+ New Policy’ button from the top left corner of the page.
This will open a side-panel titled ‘Create Application Policy’. Here, you will see all settings you can implement for creating an Application Policy.
Details section
- Within this field, enter the Policy Name for the new policy you are creating. This is a mandatory field, as denoted by the * beside ‘Policy Name’.
- Enter a brief description of the policy here, if desired, to help you keep track of your policies and what they do.
- By default, the ‘Policy Active’ switch will be turned on. This can be switched to the off position to turn the policy off, rendering it inactive until the switch is flipped on. This allows you to create policies that might not be needed until a later date, or to turn off policies after they are no longer needed without deleting the policy.
- By default, ‘Add Policy to Top’ is selected, which places new policies at the top of the list. They will be run before other Policies. Policies can be reordered up or down the list after creation by changing their number. If you wish the Policy to be placed at the bottom of the list, select ‘Add Policy to Bottom’ instead of the default selection.
- By default, all Application executions are logged in the Unified Audit. For permit policies, if you do not wish to log when an Application is executed, you can de-select the ‘Log in the Unified Audit’ button.
Applies To section
- Here, you can select which computer or group this policy will apply to. Depending on your needs, you can apply it to the Entire Organization, Globally, or to any computer group or workstation within the organization.
- While Application Policies are applied to a computer, computer group, or organization, it is also possible to apply the Policy only to certain logged-in users by inputting the name as DOMAIN\USERNAME (e.g. you may want to permit iTunes for the C.E.O. only). Though not required, if you are using the Active Directory Sync tool, you can select the option ‘Selected Users & Groups’ and select Active Directory groups from this dropdown list. For more information about applying Policies to users or groups, see Applying Policies to Users or Active Directory Groups.
Conditions section
- Add the Applications that you want to permit or deny under ‘Selected Applications’. Applications are lists of file hashes, signatures, or other patterns. You can use pre-defined Applications that are created by ThreatLocker, or you can create your own Applications (see Managing Application Definitions). Alternatively, you can select ‘All Applications’, which will apply to every Application that can be requested. ThreatLocker does not recommend setting a permit policy to apply to ‘All Applications’ as this is a security risk, permitting any application to run in your environment. The ‘All Applications’ option is provided to create your own Default Deny Policy.
- By default, ‘All Interfaces’ will be selected, but sometimes you will have a need for other interfaces. Selecting ‘Selected Interface’ will allow you to select from the following list of interfaces:
  - USB
  - DVD
  - UNC (Network Path)
  - SCSI (Local Drive)
  - SATA (Local Drive)
  - IDE (Local Drive)
- Here, you can set the policy expiration. By default, ThreatLocker will not apply a policy expiration. You can select ‘Set Policy Expiration’, which will provide you with a calendar to select the date and time at which the policy will expire. This is useful for users that require limited use of an application. Additionally, you can select ‘Schedule Policy’, which will apply the policy only during the days and times that you specify.
Actions Section
Note: If you are setting a policy to deny, the option to 'Kill Running Processes' will populate. Turning on that option will force stop the designated application from running on any device with this policy, including a force stop of everything that is referenced within the application definitions. It is designed to be aggressive.
- Here, select whether you would like this policy to be permitted or denied. You can additionally select ‘Permit with Ringfence’. Ringfencing™ allows you to control how an Application can interact with other Applications, files, the registry, and network locations. For more information, see Ringfencing | ThreatLocker Help Center. Choosing the ‘Permit with Ringfence’ option will give you the following options:
  - ‘Restrict this application from interacting with other applications?’
  - ‘Restrict this application from accessing files?’
  - ‘Restrict this application from changing the registry?’
  - ‘Restrict this application from accessing the internet?’
- Selecting ‘Assist with programs that require local administrator privileges’ will give you the option to apply Elevation to this policy.
- Selecting ‘Elevate to run as local administrator’ will allow the specified Application to run with administrator privileges. You can select the ‘Notify User’ checkbox as well to generate a popup on the user’s end, letting them know that elevation has been granted.
- Selecting ‘Force the program to run as a standard user’ will make it so that the program will not request admin permissions and will instead be forced to run under the standard user context.
- The slider bar shown here will allow you to choose how long this application will be elevated for.
End User Experience Section
Note: This section will only appear if the policy action is ‘Deny’.
- The ‘Show Notification and Allow User to Request’ switch will permit ThreatLocker to send a notification to the user when an application is blocked. The user will have the option to submit an Application Request.
- Turning the ‘Email/SMS Administrator on Request’ switch on will allow you to insert Administrator names and phone numbers to send notifications if a user requests access related to the policy. Input the email address into the field. If inputting a cell number, enter the number prefixed with ‘sms:’ (e.g. sms:5556661234).
Note: Any non-US cell numbers require the country code to be added (e.g. UK numbers require the +44 prefix, as in sms:+447789456123).
Once all your chosen parameters have been selected, select the ‘Create’ button at the bottom of the page to create your new policy.
Policies are not automatically deployed to clients after they are created. After you have created a Policy, select the ‘Deploy Policies’ button from the top right corner of the page.