Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool

4 min. read | Last update: 12.31.2024

If you want to deploy a custom application with multiple .dll files, executables, or dependencies and it hasn't already been permitted in ThreatLocker, either through a built-in policy or a previous custom policy, you may use learning mode to track all of the changes required to run the new application.

Learning Mode can be started in several different ways; however, if you are pushing software out through a remote management or software deployment tool, it is easier to start Learning Mode from the Computers page.

Learning Mode must be configured in the "Schedule Maintenance" window.

 

Before installing the software on the first computer, we recommend that you use a test machine or a clean machine to push the application out.

In the ThreatLocker Portal (from the Computers page): 

  1. Find the machine you would like to start the maintenance period for. 

  2. Select the wrench icon that says ‘Schedule Maintenance’. 

This will open a sidebar window. 

In the drop-down list, select ‘Application Control Learning Mode’.  

It is important to note that Learning Mode is scheduled with a start and an end time. By default, Learning Mode will last for one hour; however, you can choose to end it earlier. 

 

Under the date/time, select an existing application if you are performing an update. Otherwise, if this is a new installation: 

  1. Select ‘New’ 
  2. Enter a name for the application. 
  3. Select who you would like to permit the application for, whether it is for the entire organization, an individual computer group, or a single computer. 

 

Optionally, select an existing application and choose the application name “<Automatic>”; the application will then be named automatically based on an internal algorithm. 

 

Select the level that you wish to create the application policy for.  

If you are deploying software, such as an MSP management tool, and you wish to push it out to all of your clients, we recommend that you select the global group, under computers. 

 

System Policies Only: This option creates computer-level policies for Windows Files drivers and Printers Drivers. 

The “Applies to” setting specifies which usernames Learning Mode is applied to. 

 

Apply to all users: This option will apply learning mode to all users on a host. 

Apply to selected users: This option will apply learning mode to specific usernames on the same host. The usernames must be added in the Domain/User format. 

After the configuration is complete and you are satisfied with your settings, select 'Add Scheduled Maintenance'. 

 

The computer will enter learning mode within 60 seconds. To ensure that it is effectively in learning mode, wait around 60 seconds and refresh the Computers page. Then, verify that the 'Last Check In' time has been updated to confirm. 

 

With Learning Mode enabled, push out the desired software using your RMM or deployment tool. 

During the installation, you will see the new files being tracked in the Unified Audit. Search by Action Type - 'Install', then expand each file to see further details for it.

 

Once the installation is complete: 

  • Navigate to the Computers page and select the checkbox for the device. 
  • Click “Secure Mode” and click Yes to confirm. 

 

A new policy will now have been created to permit the new application, along with a definition for that application and all of the files required to run it.

 

There is no further action needed now that the installation has been completed on the first computer. 

Note: If you wish to deploy to other clients and you used Learning Mode for the global group, you should deploy policies to all your clients before you push the agent out. 

To do this: 

  • Navigate to the Organizations page in the ThreatLocker Portal. 
  • Click the gray hamburger menu button. 
  • Select 'Deploy All Policies'. 

Within 60 seconds, all of your clients will now be able to run the new software. You may use your RMM or any other software deployment tool to push out the new application. 

 

 

 

 
