ThreatLocker Deployment Steps - Quick Start

Last update: 09.05.2023

Important: The ThreatLocker service must run as System. Changing it to run as a user can cause major problems, including (but not limited to) the ability to turn off Tamper Protection.

  1. Deploy the ThreatLocker Agent to your endpoints. Computers will automatically be in Learning Mode so nothing will be blocked while ThreatLocker learns what Applications are running on your computers.  
  2. Add suggested Ringfencing policies for Applications you use. In addition to the default Ringfencing policies that are automatically applied at deployment, additional recommended templates are available to add where applicable.
  3. Perform weekly audit reviews. Review the Unified Audit to identify any Applications that may not have been learned or auto-updating Applications that might require a custom rule to eliminate future denies.    
  4. Set your endpoints to 'Secured' status. Once computers are secured, everything currently running will continue to run and nothing new will be permitted unless you create a Policy to allow it.
  5. Enable Elevation Control. Where applicable, Elevation Control allows you to run an Application with admin rights even if the user is not an admin. Note: Elevation Control will be in effect regardless of the computer status. If you choose to enable Elevation prior to Secured Mode, be sure to notify users of the possible popup messages they might receive regarding elevation requests.
  6. Update Computer Group Settings for future deployments. Now that your environment is learned, you may want to change the behavior for any newly installed computers so that Applications present on newly installed computers do not get learned and shared across the computer group.
  7. Set up desired Storage Policies, including Remote Presence. Set up storage policies to monitor and control access to your network shares and local folders. Block external storage devices, if desired. Setting up Remote Presence on your servers will ensure that a computer without ThreatLocker running cannot access those servers. Note: Storage Control will be in effect regardless of the computer status.   
  8. Remove unmatched Application Policies. Having policies that you don't use can create unnecessary holes in your Application security. You can quickly delete all unmatched Applications using the 'Remove Unused Policies' button. It is good to wait 6-8 weeks after deployment before doing this.  
