The ThreatLocker Default Deny Policy

5 min. read | Last update: 03.02.2026

Table of Contents

How is the Default Deny Policy Created? | What is the Default Deny Policy? | Prevention of Disabling the Default Deny Policy

Beginning December 22, 2025, ThreatLocker will be creating Default Policies at the Entire Organization level for the following scenarios:

  • Newly Created Organizations
  • Newly Created Child Organizations of existing Organizations that have flattened their application policy structure

Organizations that fit that description will have Default Policies created at the Entire Organization level, rather than at the group level, INCLUDING the Default Deny Policy. For Organizations and Child Organizations created before December 22, 2025, that do not have the flat policy structure applied, Default Policies will continue to be created at the group level for new child organizations.

This only applies to Windows machines.

Important Note: You must have the Default Deny Policy in place for Application Control Learning mode to work. For Organizations created after December 22, 2025, or Child Organizations of a parent with the flat policy structure applied, the Default Deny policy will automatically be created at the Entire Organization level with the following naming convention: "Default - (Organization Name)". Otherwise, a Default Deny policy will continue to be created for each new group in your organization. This is designated by the naming convention of "Default - (Group Name)". The Default Deny policy must use the "Default - (Organization/Group name)" naming convention for Application Control Learning mode to work. If any of the following is true, Application Control Learning Mode will NOT work:
  • There is no Default Deny policy at the Entire Organization level or Computer Group
  • The Default Deny policy is named something that does not follow the "Default - (Organization/Group name)" naming convention
    • Naming your Default Deny policy "Deny All" will not allow Application Control Learning Mode to work

The Default Deny policy is a key component of ThreatLocker Allowlisting. This article discusses the importance and function of the Default Deny policy and why ThreatLocker automatically creates it for you on machines in your organization.

How is the Default Deny Policy Created?

When you create a new Organization in your ThreatLocker Portal, ThreatLocker automatically creates policies at the Entire Organization level for Windows groups only. Mac, Linux, and Windows XP will have separate policies.

If your parent organization was created before December 22, 2025, or your parent organization has not had the flat policy structure applied to it, child organizations in your environment will instead have default policies created at the Windows or Servers Computer Group level. For a list of all automatically created policies, please navigate to the following article:

Default Computer Group Policies | ThreatLocker Help Center

Each group contains a Default Deny policy labeled Default - (Group Name) if it is a non-Windows group. This policy sits at the bottom of the policy list and will be added whenever a new non-Windows computer group is created.

If your organization automatically created Entire Organization level policies, the Default Deny policy will be labeled as Default - (Organization Name).

What is the Default Deny Policy?

The Default Deny policy is the core of ThreatLocker Allowlisting. Any application not already permitted or denied by an existing policy while a machine is in Secured mode will be blocked by the Default Deny policy. This is how ThreatLocker prevents the execution of applications not permitted to run within your environment.

The Default Deny policy is automatically placed at the bottom of the policy list. This allows ThreatLocker to evaluate all other policies before reaching the Default Deny. If the Default Deny is placed above other policies, it matches every application first and automatically denies them, so any policy below it is never evaluated.
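To make the ordering and naming rules above concrete, here is an added Python model of an ordered policy list (example code, not ThreatLocker's own): `evaluate` walks the list top to bottom as described, and `audit` flags the conditions this article says will break Learning Mode or leave applications unblocked. The policy lists, the `Policy` class and the `audit` findings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    name: str
    action: str                # "Permit", "Permit with Ringfencing" or "Deny"
    app: Optional[str] = None  # None = matches every application (the Default Deny)
    active: bool = True


def is_default_deny(p: Policy) -> bool:
    return p.action == "Deny" and p.app is None


def evaluate(policies: list[Policy], app: str) -> tuple[str, str]:
    """Walk the list top to bottom; the first active policy that matches decides.
    The fallback mirrors Secured mode: anything no policy matched is blocked."""
    for p in policies:
        if p.active and (p.app is None or p.app == app):
            return p.action, p.name
    return "Deny", "<no policy matched>"


def audit(policies: list[Policy], scope_name: str) -> list[str]:
    """Findings to review before relying on Secured mode or Learning mode."""
    findings = []
    dd = next((p for p in policies if is_default_deny(p)), None)
    if dd is None:
        return ["no Default Deny policy in this scope; Learning Mode will not work"]
    expected = f"Default - {scope_name}"   # naming convention required by Learning Mode
    if dd.name != expected:
        findings.append(f"Default Deny is named '{dd.name}', expected '{expected}'; "
                        "Learning Mode will not work")
    if not dd.active:
        findings.append("Default Deny is inactive; unmatched applications will run")
    shadowed = [p.name for p in policies[policies.index(dd) + 1:]]
    if shadowed:
        findings.append(f"policies below the Default Deny are never reached: {shadowed}")
    return findings


# Constructed sample policy lists (hypothetical, not real ThreatLocker data).
GOOD = [Policy("Permit Chrome", "Permit", app="chrome.exe"),
        Policy("Default - Windows", "Deny")]
BAD = [Policy("Deny All", "Deny"),
       Policy("Permit Chrome", "Permit", app="chrome.exe")]

if __name__ == "__main__":
    print(evaluate(GOOD, "unknown.exe"))   # ('Deny', 'Default - Windows')
    print(evaluate(BAD, "chrome.exe"))     # ('Deny', 'Deny All')
    for finding in audit(BAD, "Windows"):
        print("finding:", finding)
```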

Prevention of Disabling the Default Deny Policy

ThreatLocker does not recommend disabling the Default Deny policy. To ensure this is done only with your explicit permission, multiple safeguards have been implemented in our portal to prevent this from occurring. There are four scenarios in which you will be prompted to provide permission to change the Default Deny policy:

  • Switching the policy from 'Deny' to 'Permit'
    • The Default Deny policy should remain denied. If the Policy Action is switched to 'Permit', the policy will be permitted, and users in that group can access any application unless there are other deny policies within the organization. Selecting the 'Save' button will require you to input 'I UNDERSTAND' after reading and acknowledging the warning pop-up.

  • Switching the policy from 'Deny' to 'Permit with Ringfencing'
    • The Default Deny policy should remain denied. If the Policy Action is switched to 'Permit with Ringfencing', the policy will be permitted with the Ringfencing configuration, and users in that group can access any application unless there are other deny policies within the organization. Selecting the 'Save' button will require you to input 'I UNDERSTAND' after reading and acknowledging the warning pop-up.

  • Switching the policy from 'Active' to 'Inactive'
    • Policies within your organization can be switched from 'Active' to 'Inactive', which is helpful if you need to temporarily turn off a policy without deleting it. If you try to switch the Default Deny policy to inactive, you will have to acknowledge the warning pop-up, as rendering it inactive will allow users to access all applications that do not have an existing deny policy.

  • Deleting the Default Deny Policy
    • Attempting to delete the Default Deny policy will require you to acknowledge the warning pop-up, as doing so will allow users to access all applications that do not have an existing deny policy.
