ThreatLocker maintains a local applications database on each endpoint, continuously updated with built-in application definitions and Windows Core file hashes. This ensures that policies are enforced accurately, and that new software is recognized quickly as it is deployed across an environment. In non-persistent Windows VDI environments, machines spin up from a static Golden Image with a fixed software inventory, so continuous database updates are unnecessary in this context.
The guidance below describes how to configure ThreatLocker appropriately for this type of environment. While ThreatLocker has a very low IO and memory footprint. In environments with shared disk and low memory, this can reduce unnecessary disk I/O and bandwidth consumption without compromising protection.
Recommended Configuration
I. Place Non-Persistent VDIs in a Dedicated Sub-Organization or Computer Group
Non-persistent VDIs, or VDIs sharing the same SAN or Storage Device, should be placed in their own sub-organization or computer group rather than grouped alongside persistent machines. This prevents app definition bloat originating from non-VDI machines from affecting the Golden Image environment and simplifies management of this infrastructure within the ThreatLocker portal.
II. Disable Built-In Application and Windows Core Updates
The Golden Image computer group should be configured to learn custom applications only. This means ThreatLocker will permit only the files that exist on the Golden Image itself, rather than continuously pulling built-in application definitions and Core file hashes. Microsoft releases about 100,000 new files every month; permitting only what is already on your device, will change the need for these definitions to be updated. When VDIs spin up from this image, they will not trigger database downloads. There are four steps required to disable these settings for your organization, which are outlined in the next section of this guidance.
Steps to Disable Built-Ins and Windows Core Updates
Be sure to apply all five steps below to properly disable both built-in applications and Windows Core Updates.
Note: Steps I, II and III must be applied to the sub-organization or computer group (see “Recommended Configuration”) before installing ThreatLocker on the Golden Image. Steps IV and V are recommended post-install if those policies exist.
Warning: If the Golden Image device is in its own computer group within the primary organization, please apply any changes to Advanced Settings only to that computer group. Do not to apply the Settings in steps I. and II. to the Entire Organization.
I. Enable “Learn policies for custom applications only” in Advanced Settings
-
Go to the Advanced Settings module and click on “New Setting”.
-
In Create Settings >> General, select: Setting Type: “Automatic Learning – Policy Creation” and applies to: “Entire Organization” (or the group in which the Golden Image belongs).
-
Under Policy Creation Settings, select “Learn policies for custom applications only” from the dropdown.
-
Click on “Create” to add the Setting to your organization.

II. Set "Do not run Baseline scan for newly installed computers" in Advanced Settings
-
Go to the Advanced Settings module and click on “New Setting”.
-
In Create Settings >> General, select: Setting Type:" Baseline Configuration" and applies to: “Entire Organization” (or the group in which the Golden Image belongs).
-
Under Baseline Configuration, click on the dropdown and select “Do not run Baseline scan for newly installed computers”.
-
Click on “Create” to add the Setting to your organization.

III. Add “DisableCore” to organization settings
-
Go to the Organization module and identify the organization that will contain your Golden Image.
-
Click on the Settings icon to the right of the organization name.
-
In “Edit Organization Settings”, go to the “Options” tab.
-
In the Options field, type in: DisableCore then click on the text that appears below; it will populate “DisableCore” in grey.

-
Click “Save” to apply the settings.

IV. Update the $hostname\Drivers application policy for the Golden Image
- Go to the Application Policies module.
- In the search bar, type in $hostname\Drivers where “hostname” is the name of the Golden Image machine; hit your Enter key to search.
- Click on the Application Name to open the policy.

- In the "Edit Application Policy" window, under "Applies To", chage the dropdown selection to "Entire Organization".
- Click on “Save” to update the policy.

IV. Update the $hostname\Windows application policy for the Golden Image
- Go to the Application Policies module.
- In the search bar, type in $hostname\Windows where “hostname” is the name of the Golden Image machine; hit your Enter key to search.
- Click on the Application Name to open the policy.

- In the “Edit Application Policy” window, under “Applies To”, change the dropdown selection to “Entire Organization”.
- Click on “Save” to update the policy.

Application Update Workflow for Non-Persistent VDIs
When built-in application definitions and Windows Core updates are disabled, all application and OS updates must be managed through the Golden Image. VDI instances do not download or learn new application definitions at runtime, ensuring that all required file hashes are learned once and persist across all non-persistent sessions.
Update Process
-
Boot the Golden Image
-
-
Power on the master image used to create VDI instances.
-
-
Enable Learning Mode
-
-
Place the machine into Learning Mode to allow ThreatLocker to automatically detect and permit new or updated files.
-
-
Apply Updates
-
-
Perform all required changes, including:
-
-
-
Operating system patches
-
-
-
Application updates (e.g., Office, Adobe)
-
-
-
Agent upgrades (if applicable)
-
-
Allow ThreatLocker to Learn Changes
-
-
Ensure all newly introduced or modified files are captured as custom application definitions.
-
-
Re-secure the Machine
-
-
Exit Learning/Installation Mode
-
-
-
Confirm policies are enforcing as expected
-
-
Validate the Image
-
-
Perform functional testing to ensure:
-
-
-
Applications launch correctly
-
-
-
No unexpected blocks occur
-
-
-
Run a baseline scan if required
-
-
Perform Cleanup Steps (see full process below, “Steps to Delete the ComputerId, ComputerAuthKey, ComputerSettingsV6, and pk.dat File”): Delete the following files/values:
-
-
Delete the following files/values:
-
-
-
ComputerId
-
-
-
ComputerAuthKey
-
-
-
ComputerSettingsV6
-
-
-
pk.dat
-
-
Snapshot / Seal the Golden Image
-
-
Capture a new image checkpoint or snapshot
-
-
Deploy Updated VDIs
-
-
New VDI instances created from this image will:
-
-
-
Already include all required application hashes
-
-
-
Avoid downloading additional application definitions at startup
-
Important: With built-in application definitions and Windows Core updates disabled, all application updates (such as Microsoft Office, Adobe, and similar software) must be maintained through the Golden Image. Any updates not included in the image may result in blocks across all VDI sessions.
Steps to Delete the ComputerId, ComputerAuthKey, ComputerSettingsV6, and pk.dat File
Important Note: Deleting ComputerSettingsV6 is critical for ThreatLocker Agent versions 10.5.3 and above. If ComputerSettingV6 is not deleted, it can lead to potential issues with machines not checking in after the initial installation.
-
Disable Tamper Protection
-
For instructions on how to disable tamper protection, please navigate to the following article: Disabling Tamper Protection
-
Open Command Prompt as an Administrator.
-
Type "net stop HealthTLService" to stop the Health Service.
-
This step must be done before you attempt to stop the ThreatLocker Service as it will revive the ThreatLocker Service.
-
Press Enter
-
Type "net stop threatlockerservice" to stop the ThreatLocker Service.
-
Press Enter
-
Type "net stop threatlockerdriver" to stop the ThreatLocker Driver
-
Press Enter
-
Delete the ComputerId, ComputerAuthKey, and ComputerSettingsV6 from the registry shown in the image below:

- Delete pk.dat from C:\Program Files\ThreatLocker

-
Leave the ThreatLocker Service and Health Service stopped.
-
They will start when the VDI boots up.
-
These steps need to be followed each time the Golden Image is booted up and reimaged.
Expected Outcome
Disabling built-in app and Core file downloads substantially reduces the size of the applications database. For environments that have accumulated built-in definition history over time, the reduction can be significant. For environments sharing storage across many VMs, this translates to a meaningful reduction in I/O load and spin-up time.
Help Center