Help CenterThreatLocker provides users with several different ‘Status’ options in the Approval Center to help organize your approval requests. One of these options is called ‘Not Learned’. Selecting Not Learned from the Status dropdown will display a list of applications that were detected but not learned during the automatic learning period. When a machine is in its automatic learning period, file locations such as the Documents folder, Downloads folder, Desktop folder, Users folders, or files at the root of C:\ are not profiled unless a policy already exists for them. Files that are executed or viewed in the system are able to be opened and interacted with, however policies for these applications will not be generated. When the machine has finished baselining or has been Secured, it can be helpful to utilize the ‘Not Learned’ status page to create policies for applications that were not learned during the automatic learning period.
Note: If an application is executed from one of the file locations that is not automatically profiled but is a Key File of a Built-In application managed by ThreatLocker, a policy for it will be created.
To locate the ‘Not Learned’ status page, navigate to the ‘Response Center’ using the left-hand menu.
From within the ‘Approval Center’ page, select the ‘Status’ dropdown menu, then select ‘Not Learned’ from the list of available options.
Once this is selected, you will see all files that have the ‘Not Learned’ status.
If a file’s Action Type is ‘Baseline’, that means that the application was detected by ThreatLocker during baselining but could not be automatically learned as it was in one of the locations that is not profiled.
You will also notice that the user associated with this file is ‘ThreatLocker’.
If the Action Type is ‘Execute’, it means that during the automatic learning period, a user tried to execute an application from within one of the non-profiled files.
You can use the ‘Not Learned’ page as a resource to see what custom rules should be made to permit all applications your organization uses frequently. You can also select these individual entries populated in the ‘Not Learned’ status page and action them as you would a pending approval request.
For any questions regarding approval requests, please refer to the following article:
For any further questions regarding automatic policy creation, please refer to the following article:
For questions regarding custom rule creation, please refer to the following article: