Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool

4 min. readlast update: 02.09.2021

If you want to deploy a custom application that has multiple dlls, executables, or dependencies, and that application hasn't already been permitted in ThreatLocker, either through a built-in policy or a previous custom policy, you may use learning mode to track all of the changes required to run the new application.

Learning Mode can be started a few different ways, however, if you are pushing software out through a remote management tool or software deployment tool, it is easier to start learning mode from the computers page.

Learning Mode will have to be configured in the "Maintenance Mode" window
undefined

Before installing the software on the first computer, we recommend that you use a test machine or a clean machine to push the application out to.

In the ThreatLocker Portal (from the computers page):

  1. Select the machine you want to push the software to first.
  2. Select 'Start Maintenance Mode'.

This will open a pop up window.

In the drop-down list shown below, select an existing application if you are performing an update. Otherwise, if this is a new installation:

  1. Select 'Create New Application'.
  2. Enter a name for the application.
  3. Select who you would like to permit the application for, whether it is for the entire organization, an individual computer group, or a single computer.
undefined

Create the application name -- <Automatic> will automatically name the application based on an internal algorythm.

undefined

Select the level that you wish to create the application policy for. 

If you are deploying software such as a MSP management tool, and you wish to push it out to all of your clients, we recommend that you select the global group, under computers.
undefined

System Policies Only creates computer-level policies for Windows Files drivers and Printers Drivers

It is important to note that learning mode is scheduled with a start and an end time. By default, learning mode will last for one hour; however you can elect to end it earlier.

undefined

In the following portion, 'Notify the following logged in user that Learning Mode is inactive' -- you may leave this blank if you wish for all logged in users to be notified that Learning Mode has been enabled.undefined

Apply to all users: This option will apply learning mode to all users on a host.

Apply to selected users: This option will apply learning mode to specific usernames on the same host, to be added in the Domain/User format.

After the configuration is complete and you are satisfied with your settings, select 'Add to Maintenance Schedule'.

undefined

The computer will enter learning mode within 60 seconds. To ensure that the computer is effectively in learning mode, you can wait around 60 seconds, and refresh the computers page. Verify that the 'Last Check In' time has updated to confirm.

undefined

With Learning Mode enabled, push out the desired software using your RMM or deployment tool.

undefined

You will notice the new files being tracked during the installation in the unified audit. Simply search by Action Type - 'Install' and you will be able to expand each file and see further details of them.undefined

undefined

Once the installation is complete:

  • Navigate to the Computers Page and click "Maintenance Mode"
  • Select 'End' to end Learning Mode in the bottom box
undefined

A new policy will have now been created to permit the new application along with a definition for that application and all of the files required to run it.undefined

There is no further action needed now that the installation has been completed on the first computer.

Note-

If you wish to deploy to other clients and you did use learning mode for the global group, you should deploy policies to all of your clients before you push the agent out.

To do this:

  • Navigate to the Organizations page in the ThreatLocker Portal.
  • Select the topmost checkbox to select all organizations.
  • Select 'Deploy Policies'.

Within 60 seconds, all of your clients will now be able to run the new software. You may use your RMM or any other software deployment tool to push out the new application.

undefined

Was this article helpful?