The Remediator is an enhancement to the ThreatLocker Detect module. It provides secure shell access to managed endpoints from within the ThreatLocker portal. For added security, the Remediator is a separate service, and must be intentionally installed. Without the Remediator's presence on the target computer, there is no shell access from the ThreatLocker portal.
Requirements:
- Windows OS
- ThreatLocker Detect
- ThreatLocker Service > 8.6
- Create an Application Control Policy to permit the ThreatLocker Remediator (Built-In)
- Separate Installation of the Remediator Service via MSI
- Remediator tab can only be accessed by ThreatLocker admins that have MFA enabled
- Admins will need the 'Allow Remediation' permission to gain access to the Remediator tab (even Super Admins will need this permission applied separately)
Downloading the Remediator Service
The Remediator installation files are located in the Install Computer window and in the Remediator tab of the ThreatLocker Detect sidebar for any computer that doesn't already have the Remediator installed.
From the Install Computer Button
From any page in the portal, select the 'Install Computer' button located at the top of the page.
Next select 'Manual Deployment' and the target 'Computer Group'. The Remediator Service installers are located below the ThreatLocker Service installer files.
Select the correct version (x64 or x86) for the target computer.
From the Computers Page/Response Center
From the Computers page or the Response Center > Threats tab, select a computer. On the slideout, ensure that the ThreatLocker Detect tab is selected down the left-hand side of the slideout and then navigate to the Remediator tab.
Select the correct version (x64 or x86) for the target computer.
You will then be presented with the EULA. You will be required to read and accept the EULA before the download will begin.
Installing the Remediator
Before the Remediator can be installed, a policy to permit it must be created. ThreatLocker has a built-in application called ThreatLocker Remediator (Built-In). Create a policy to permit this application at the level needed. For more information on creating Application Control Policies, see: Managing Application Policies | ThreatLocker Help Center (kb.help)
Once a policy has been created to permit the Remediator, be sure to 'Deploy Policies'.
Next, Tamper Protection will need to be disabled on the target computers. (In a future release the need to disable Tamper Protection will be removed.) For more information on disabling Tamper Protection, see: Disable Tamper Protection | ThreatLocker Help Center (kb.help)
Now the Remediator installer can be run on the target computers.
How to Use the Remediator Tab
Please Note: Only Administrators that have logged into the ThreatLocker Portal using MFA will have access to the Remediator Tab.
The ThreatLocker mobile application must be installed on a mobile device with your administrator account logged in so that you can receive an MFA push when a Remediator connection is requested.
Navigate to either the Computers Page or the Response Center > Threats page. Click on a computer or active alert. In the slideout, select the 'ThreatLocker Detect' tab on the left-hand side, and then select 'Remediator' at the top of the screen.
Upon selecting the 'Remediator' tab, the portal will check whether you have logged into the ThreatLocker mobile application with the administrator account you are currently using. If your account is not detected as active on the mobile application, you will be prompted to install the mobile app, with instructions sent via SMS or email.
If your administrator account is found active with the ThreatLocker mobile app, you will be prompted with a popup to send the MFA push for approval on the mobile device.
From your mobile device's notification center, you should receive a push notification that requires you to approve or deny the MFA verification step.
Long pressing the push notification gives an option to approve or deny from your mobile device's notification center.
Alternatively, you can select the push notification to be brought to the ThreatLocker mobile app to approve or deny the MFA verification step.
Upon successful approval of the MFA request, the portal will grant access to the Remediator tab, where you can establish a new connection.
Press 'Connect' to begin a connection.
Once a connection is established, a PowerShell session will be initiated.
At the top of the PowerShell interface is a dropdown where you can choose to view only your own commands or the commands of all user accounts.
There is also a dropdown to select a period of time, up to 24 hours, to display commands run within that time frame.
At the bottom of the PowerShell interface is a text box and a blue 'Enter' button.
The text box can accommodate scripts or single commands. Type or copy/paste commands or scripts into the input box and press the blue 'Enter' button.
The command or script will be run on the target computer and a response will be returned.
The Remediator can only process one command at a time. When a response is pending, the 'Enter' button will be disabled and display a pending animation.
If the Remediator has not received a command and is not waiting on a response for 10 minutes, the session will terminate automatically.
To kill a running query, press the 'Disconnect' button.
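As an added example (not ThreatLocker's own code or documentation): because the Remediator processes one submission at a time and returns one response, a triage or containment script pasted into the input box should collect everything it needs and emit a single consolidated result. The process name and the $StopSuspect switch below are assumed placeholders for the finding under investigation.

```powershell
# Added example (not ThreatLocker's code): one triage script, one Remediator response.
# $SuspectProcessName is an assumed placeholder; replace it with the image name from the alert.
$SuspectProcessName = 'PLACEHOLDER-PROCESS.exe'
$StopSuspect        = $false   # set to $true only once the finding is confirmed

$report = [ordered]@{
    Host        = $env:COMPUTERNAME
    CollectedAt = (Get-Date).ToString('o')
    RunAs       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}

# 1. Processes matching the suspect name, with parent PID and command line for context
$procs = Get-CimInstance Win32_Process -Filter "Name = '$SuspectProcessName'" |
    Select-Object ProcessId, ParentProcessId, CommandLine, CreationDate
$report.SuspectProcesses = @($procs)

# 2. Established TCP connections owned by those processes
$suspectPids = @($procs | ForEach-Object { $_.ProcessId })
$report.Connections = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $suspectPids -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess)

# 3. Common persistence locations (read-only collection)
$report.RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
) | ForEach-Object {
    if (Test-Path $_) { Get-ItemProperty -Path $_ | Select-Object -Property * -ExcludeProperty PS* }
}
$report.ScheduledTasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, State)

# 4. Optional containment step, reported in the same response as the collection
if ($StopSuspect -and $suspectPids.Count -gt 0) {
    Stop-Process -Id $suspectPids -Force -ErrorAction SilentlyContinue
    $report.Action = "Stopped PIDs: $($suspectPids -join ', ')"
} else {
    $report.Action = 'No changes made (collection only)'
}

# Emit a single JSON document so the whole result comes back as one Remediator response
$report | ConvertTo-Json -Depth 4
```

Because the session closes after 10 minutes without activity and only one submission runs at a time, returning all findings in one document avoids losing partial results between separate commands.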
Multi-user Support
The Remediator has been built to support multiple users managing the same computer. In the event another user has already connected to the computer using the Remediator, when the tab is first opened, instead of a 'Connect' button, there will be a 'Disconnect' button.
Each user will be denoted in the PowerShell interface by their initials at the beginning of the input prompt. When selecting 'All User Accounts' in the Commands dropdown, use these initials to differentiate between users' commands.
If there is a pending response from another user, you will be unable to press 'Enter' until the response is received.