Overview
This article covers the order of policies as they apply to your computers. The first policy that a file matches is the one that is processed, and no further policies will be applied to that file.
Application Control
- Global - (Designed for customers with multiple sub organizations) policies under the Global computer group will apply first to the parent organizations and all child organizations. Policies placed at this level will apply FIRST.
- Global Group {GroupName} - (Designed for customers with multiple sub organizations) policies under these groups will apply to any computers for the parent and child organizations that are part of a computer group that matches the name after the "-" (e.g., policies under Global-Workstations will apply to all parent and child organizations in the Workstations groups). Policies placed at this level will apply SECOND.
- Entire Organization - policies at this level will apply to all computers within the single organization being managed. Policies placed at this level will apply THIRD.
- Computers {Hostname} - Located under the Computers section in the "Applies to" dropdown list under the Policies page, policies located here will apply to the single computer selected. Computer-level policies will apply FOURTH.
- Computer Group {GroupName} - Located under the Groups section in the "Applies to" dropdown list under the Policies page, policies located here will apply to any computers under the selected group (e.g., policies under Workstations will apply to all computers in this organization installed under the Workstations group). Computer Group level policies will apply LAST.
Note: Built-In applications will always take precedence over custom applications.
For example: A group policy for the "Command Prompt (Built-In)" application will be matched before a Global policy for a Command Prompt custom application.
At the bottom of each group (excluding Global and Template groups) is the "Default - {GroupName}" policy; this is the catchall policy responsible for denying unknown applications. The default policy is set to Request by default.
Elevation Control
Elevation Control follows the same policy hierarchy as Application Control. This means that if an Elevation policy for an application is below a non-elevated permit policy, the permit policy will be matched, and the application will not be elevated. Therefore, verifying that the elevation policy you create is above any permit policies for that application is essential.
Storage Control
The order is similar to Application Control; however, Storage Control does not support Global policies.
Network Control
The order is similar to Application Control; however, Network Control does not support Global policies.
Configuration Manager
Configuration manager policies follow a top-down hierarchy, regardless of where they are applied. This is useful for creating exceptions to Configuration Manager policies.
ThreatLocker Detect
ThreatLocker Detect does not follow any specific policy hierarchy. If the condition(s) for the Detect policy is/are matched, then the actions specified in the Detect policy will be performed.