Removing Application Control Policies
A month or two after you have completed your onboarding with ThreatLocker, it is good practice to review your policy list and remove any duplicate, unwanted, or unused policies. If a policy is not being used, it provides no value to you.
To view which policies are actively being used in your environment, navigate to the Application Control > Policies page. Click the 'Update Last Match Date' button located at the top of the page.
This will update the 'Last Match' column located on the right side of the page. This process could take up to an hour to complete.
If you have policies that have never been matched or are no longer being matched, you can remove them one by one or en masse by leveraging the 'Remove Unused Policies' button. Keeping your policy list short is ideal for maintaining good control over your environment.
Removing Individual Policies
Navigate to the Application Control > Policies page. Select the policies to remove by clicking the checkbox to the left of each policy name, then click the 'Delete' button at the top of the page.
In the screenshot above, you can see this policy doesn't have a 'Last Match', so it is not being used.
Leveraging the Remove Unused Policies Button
Navigate to the Application Control > Policies page. Select the 'Remove Unused Policies' button at the top of the page.
A date box will appear. By default, the date is set to 6 weeks prior. You can change this date to whatever you prefer. All policies that have NOT been matched since the date you selected will be removed, with the following exceptions:
- ThreatLocker's default policies will not be removed using this button.
- Any policies that were created within the time frame you selected will also not be removed.
- No policies that are currently being used will be removed.
- No policies set to explicitly deny an application will be removed.
Click the 'Remove' button once you have made your date selection.