Storage Control Policies

Last update: 04.24.2025

Storage control gives you very granular control over who and what can access your important shares. It can allow you to block any or all external storage devices from being able to reach your shares, helping to prevent data loss. Storage control policies are processed from the top down, so any permit policy needs to be located above the deny policy. These policies can easily be reordered by changing the order number to the left of the policy name. 

Creating a New Storage Control Policy 

Using the left-hand menu, select the ‘Modules’ dropdown, then select ‘Storage Control’. 

 

In the ‘Storage Control’ page, select the ‘+ New Policy’ button from the top left corner of the page. 

 

Selecting this button will open a side-panel titled ‘Create Storage Policy’. 

  

Within this panel, you can set up your Storage Policy. 

Starting in the ‘Details’ section: 

 

  1. Input the name of your policy. This is required as denoted by the * as shown in the field. 

  2. Put an optional description of your policy. This will help you and other administrators understand what the policy aims to do. 

  3. By default, this will be switched on. This switch determines if the policy is active or not. If switched off, the policy will exist and retain all information that is set up, but none of the settings will be applied until the switch is turned back on. 

Next, move on to the ‘Applies To’ section: 

 

  1. Here, you will select which group or computer you want this policy to apply to. By default, the group selected will be ‘Entire Organization’. By using the dropdown, you can select other groups or computers. 

  2. By default, ‘All Users & Groups’ will be selected. Selecting ‘Selected Users & Groups’ instead allows you to apply this policy to individual computers or groups in a domain.

Next, move to the 'Conditions' section:

The ‘Conditions’ section offers several changes you can make and apply to this policy. This will determine how the policy interacts with the system. 

Starting off, you are given the option to allow users read or read/write access to the storage device(s). 

By default, read only access will be selected. This is because ‘Permit’ is also selected by default. If ‘Deny’ is selected, these conditions will instead be Read/Write and Write. This is chosen so that the most restrictive option is selected by default. 

 

With ‘Permit’ selected:

Read - Users will be able to view but cannot make changes. 

Read/Write - Users will be able to view and make changes. 

With ‘Deny’ selected:

Read/Write - Users will not be able to view or make changes. 

Write - Users will not be able to make changes but can view. 

Next, choose between either ‘All Interfaces’ (default) or ‘Selected Interface’. 

 

Choosing ‘Selected Interface’ will give you a dropdown with the following options: 

  • USB 

  • DVD 

  • UNC (Network Path) 

  • SCSI (Local Drive) 

  • SATA (Local Drive) 

  • IDE (Local Drive) 

  • User Profile Disk 

  • NVME 

  • PCIe 

  • SDXC 

  • Apple Fabric (macOS support only) 

Once this has been chosen, you can select your file path preference. By default, ‘All File Paths’ will be chosen, but you can also choose individual file paths. This field will permit you to insert wildcards or Regex rules as well. 

Note: If you remove or disable all the default Storage Control Policies, you will need to specify a drive letter to be monitored on subsequently created policies. For example, if you disable the default policies, but want to prevent all .txt files from read & write access, you will have to specify the drive letter (e.g. c:\*.txt) in the file path textbox. 

 

Next, select the storage device that this policy will be applied to. By default, ‘All Storage Devices’ will be selected, but you can select an individual storage device to apply this to. Choosing ‘Selected Storage Devices’ will provide you with a list of available storage devices you can add to the policy. This list shows all storage devices that you have added into your organization. 


Next, you can have this policy apply to all programs or only selected ones. If applying a Permit Policy, entering the name of a program here or selecting ‘All Programs’ will permit either the chosen or all programs to contact the storage device. If applying a deny policy, it will deny either the programs that are chosen or all programs. When selecting to apply the policy to a specific program, you will need to type the full path of the process you would like to add here.


Next, select if you would like the policy to be applied to ‘All Devices’, ‘Encrypted Only’, or ‘Non-encrypted Only’. By default, ‘All Devices’ will be selected. 

 

Next, choose between ‘All Devices’ or ‘Running ThreatLocker’. This allows you to choose to apply this policy to all devices or only those that are running ThreatLocker. 

Note: This is a legacy feature that will be removed in a future update. If you have any questions regarding this feature, please reach out to your Solutions Engineer. 

 

Lastly, for the ‘Conditions’ section, select your policy expiration. By default, it will be set to ‘No Policy Expiration’. If you do not want this policy to be permanent, you can choose to set an expiration date or even schedule a time for how long you want the policy to be active. Setting a policy expiration requires you to put the date and time for when a policy expires, whereas ‘Schedule Policy’ requires a date and time for when the policy starts. You will also need to input the amount of time you want the policy to be active for (e.g. 2 hours or 30 minutes). 

 

Now, in the ‘Actions’ section: 

Select if you want this policy to be ‘Permit’ or ‘Deny’. 

 

If the policy is set to ‘Permit’, you will have a switch option at the bottom that can be toggled on or off titled ‘Log in the Unified Audit’. This will be turned on by default. 

 

If the policy is set to ‘Deny’, the switch will be changed to ‘Allow User to Request’, which will be switched off by default. Turning this switch on will permit the user to request access, which will appear in the Response Center, even though this is a deny policy. This can help you if the policy was made but does not always have to be enforced, or to keep track of when users are trying to access this policy. 

 

Next, select if you would like to add this policy to the top or bottom. Adding a policy to the top is the default selection as this will make sure this policy is hit before all other policies. 

 

Now that all your settings have been chosen, select ‘Create’ at the bottom of the page. 

 

After this, make sure you deploy policies for this change to take effect.
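
The top-down ordering described in this article can be checked before deployment with a small model. The following is an added example, not ThreatLocker code: the field names, the wildcard matching through Python's `fnmatch`, and the rule that an operation a policy does not cover falls through to the next policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Operations covered by each access condition, per the definitions above.
# Assumption: an operation a policy does not cover falls through to the next one.
ACCESS_OPS = {"Read": {"read"}, "Read/Write": {"read", "write"}, "Write": {"write"}}

@dataclass
class Policy:
    order: int            # lower number = higher in the list
    name: str
    action: str           # "Permit" or "Deny"
    access: str           # key of ACCESS_OPS
    interface: str = "*"  # "*" models 'All Interfaces'
    path: str = "*"       # "*" models 'All File Paths'; wildcards only, no Regex
    enabled: bool = True

    def matches(self, op, interface, path):
        return (self.enabled and op in ACCESS_OPS[self.access]
                and self.interface in ("*", interface)
                and fnmatchcase(path.lower(), self.path.lower()))

def evaluate(policies, op, interface, path):
    """Return (action, policy name) of the first matching policy, top down."""
    for p in sorted(policies, key=lambda p: p.order):
        if p.matches(op, interface, path):
            return p.action, p.name
    return None, None  # nothing matched; the outcome is outside this model

def never_hit(policies, requests):
    """Names of enabled policies that none of the sample requests reaches."""
    hit = {evaluate(policies, *r)[1] for r in requests}
    return [p.name for p in policies if p.enabled and p.name not in hit]

# Constructed sample requests, not taken from a real tenant.
REQUESTS = [("read", "USB", r"e:\reports\q1.xlsx"),
            ("write", "USB", r"e:\reports\q1.xlsx"),
            ("write", "UNC", r"\\fs01\share\notes.txt")]

def build(permit_order, deny_order):
    """Same two policies, with the order numbers supplied by the caller."""
    return [Policy(permit_order, "Permit USB reports", "Permit", "Read", "USB", r"e:\reports\*"),
            Policy(deny_order, "Deny all USB", "Deny", "Read/Write", "USB")]

if __name__ == "__main__":
    for label, pols in (("deny on top", build(2, 1)), ("permit on top", build(1, 2))):
        print(label, [evaluate(pols, *r) for r in REQUESTS],
              "never hit:", never_hit(pols, REQUESTS))
```

With the deny policy on top, the permit policy is reported as never hit; swapping the order numbers lets the read through while the write is still denied.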
