FAQ | ThreatLocker Help Center (2023)

  • Network Access Control (NAC) Beginning in ThreatLocker 7.2 (beta) and above, Network Access Control starts in a monitor-only state by default; you must create a default deny policy before anything is blocked. In versions earlier than 7.2 (beta), as soon as Network Access Control is enabled on an organization, all inbound network traffic is denied by default. Outbound traffic is unaffected. Create your policies and Authorization Hosts BEFORE enabling Network Access Control on an organization, so that legitimate inbound traffic is not cut off the moment the feature is switched on.
  • Computers Not Running ThreatLocker Tab On the Computers page in the ThreatLocker Portal there are two tabs at the top of the page. By default you land on the Computers Running ThreatLocker tab, which lists every computer in your organization that has the ThreatLocker Agent installed. The Computers Not Running ThreatLocker tab was designed for Active Directory environments. You will not need this tab if you deploy with an RMM, because you can set up a continuous deployment in which newly installed computers automatically receive ThreatLocker on whatever schedule you have configured.
  • Creating a Global Computer Group By default there is no Global group in your ThreatLocker organization. A Global group comes first in the policy hierarchy, which means that policies placed at the Global level are processed first. Take care when adding policies at the Global level: a deny policy placed there blocks that application at every level, even if another group has an allow policy for the same application.
  • Creating Custom Rules If you find yourself permitting the same software twice, you can create custom rules of your own. When creating a custom rule, make it as restrictive as possible without making it burdensome to maintain. The hash is a one-way cryptographic digest of the file's contents (it is not encryption and cannot be reversed), calculated by ThreatLocker using its own hashing algorithm. Because the hash changes if any byte of the file changes, it is the most secure way of permitting a file; the trade-off is that every update to that file produces a new hash that must be permitted in turn.
  • Customizing the ThreatLocker Popup Windows Beginning in ThreatLocker Version 6.7, you can customize the text of the popup windows for Application Control Policies that are set to deny with the option to request. Navigate to Application Control > Policies. Find the Policy whose popup you wish to edit and select the edit button (pencil icon) next to it. Alternatively, to create a new Policy, press the 'New Application Policy' button at the top of the page.
  • Deleting Organizations Navigate to the Organizations page. The 'Delete' button at the top of the screen lets you delete empty organizations from your list. Before an organization can be deleted it must meet all of the following criteria: it cannot be the Parent organization; it cannot contain any computers (it must be empty); and it cannot be the organization you are currently managing. If you try to delete an organization that does not meet these criteria, you will receive an error.
  • Device Showing as Offline after Feature Update Overview It has been reported that during feature updates Windows can automatically remove programs it judges to be "incompatible" with the newer build. Because of this, a computer with the ThreatLocker agent installed can occasionally show as 'Offline' in the ThreatLocker portal when it is actually online. The Solution The Health Service was developed to repair any discrepancies with the ThreatLocker Service, and is designed to keep the device it is installed on "
  • Google Chrome / Edge Chromium Extension and Command Prompt Generally, Google Chrome and Edge Chromium do not need access to Command Prompt. However, some Chrome or Edge Chromium extensions may need to call out to Command Prompt to talk to other applications. If you do not have an extension that requires this, we recommend that you Ringfence Chrome and Edge Chromium to prohibit communication with Command Prompt, since a browser that can spawn a shell is a common first step for a compromised renderer or malicious extension. The default Google Chrome and Edge Chromium policies in ThreatLocker block these browsers from calling out to PowerShell, RegSVR32, CScript, Command Prompt, and Forfiles.
  • How to Create a ThreatLocker University Account From within the ThreatLocker Portal, click the ThreatLocker University link in the left-hand menu under the Help and Support drop-down. You will be taken to the sign-in page for ThreatLocker University. Click 'Register' to create a new account, fill in the required fields, and click 'Register' again to complete your registration. Please note: this password should NOT be the same as your ThreatLocker Portal password.
  • How to Use a Template Computer Group You can create a template computer group in your parent organization and use it to duplicate policies to computer groups in other organizations. Begin by managing your parent organization. Next, navigate to the Computer Groups page and select the 'New Computer Group' button at the top of the page. Name your group Template-{enter group name here}; in our example, we named the group 'Template-testgroup'. This creates a group that has no policies created by default.
  • How to View All Built-In Apps Need to take a look at all of our Built-In Applications? Log into the ThreatLocker Portal. Navigate to Application Control > Policies and click "New Application Policy". A new window will pop up (shown in the image in the full article). Go to the "What Applications does this policy apply to?" section and search for "Built-in". Here you can view all of the ThreatLocker Built-In Applications.
  • Lookback Period The majority of learning is completed in the first 5 days after the ThreatLocker agent is deployed. During that time the Unified Audit fills with a large number of green denies as ThreatLocker profiles every application running in your environment and creates Policies to permit them. For this reason the first 5 days are excluded from the lookback period, giving you a more accurate view of what would have been blocked had the computers been in Secured Mode.
  • Maintenance Modes There are four Maintenance Modes in which ThreatLocker Application Control can operate. The goal is to keep your endpoints in Secured Mode at all times and enable the other modes only to perform specific tasks such as updating or installing new software. Secured Mode: in Secured Mode, no Application is permitted to execute unless you have created a Policy that allows it to run.
  • Remove Duplicate Computers Button The 'Remove Duplicate Computers' button on the Computers page removes computers that have been duplicated within the portal. ThreatLocker compares both the install date and the last check-in date and time of each computer that shares the same hostname, and removes only records that were never active in the ThreatLocker Portal at the same time; two records whose activity periods overlap are treated as two real machines and kept. For an example, see the chart in the full article.
  • Removing Application Control Policies A month or two after you have completed onboarding with ThreatLocker, it is good practice to review your policy list and remove any duplicate, unwanted, or unused policies. A policy that is not being used provides no value, and an unused allow policy still widens your allowlist for anyone who can drop the permitted software on a machine. To see which policies are actively matched in your environment, navigate to the Application Control > Policies page and click the 'Update Last Match Date' button at the top of the page.
  • Setting an Explicit Deny Policy Explicit Deny Any policy you create can be set to explicitly deny an application even when your computers are in a monitor-only or learning mode. Navigate to Application Control > Policies, choose the policy you want to edit, and change its status from 'Inherit' to 'Secured'. This makes it an explicit deny that is applied even in learning mode. Conversely, choosing 'Monitor Only' makes the policy a monitor policy regardless of the computer's status.
  • Special Considerations when Running an MSI File from a Network Share When you run an MSI file from a network share, the file's certificate is not logged in the Unified Audit. To log the certificate, the MSI file must first be run locally on the machine. After it has been run locally, the certificate is captured and logged in the Unified Audit.
  • The Difference Between an Application and a Policy Applications and Policies in ThreatLocker are two separate things that work together to create and maintain your whitelist. Application: an Application is a container for the list of files and custom options (e.g. path, process, created by, certificate) that define a specific application. In the screenshot in the full article you can see the different file hashes and custom options that make up one such application.
  • ThreatLocker Built-In Applications For convenience, ThreatLocker provides Built-In Application Definitions for many popular business applications. These are predefined Application Definitions created and maintained by ThreatLocker. They contain all the files required to run an application: not only the EXE file but every file the application needs, including any prerequisite DLL files. Many DLL files are shared across multiple Applications. For example, if Application A, Application B, and Application C all use the DLL named myexample.
  • ThreatLocker Health Service Overview This article covers both how to check whether the Health Service is already installed and how to install it on a device. If you are using a continuous deployment script, the Health Service is installed automatically according to the deployment interval you have set (e.g. daily). To check whether the Health Service is installed, open the Windows Services application and search for 'HealthTLService'.
  • ThreatLocker Password Complexity Requirements When you create or change your ThreatLocker Portal password, all ThreatLocker Administrator account passwords must meet the minimum security requirements: a minimum length of 8 characters, containing at least one capital letter, one lowercase letter, one number, and one special character (e.g. %, ^, @). Please note: passwords cannot contain < or >. Treat these as a floor rather than a target; a portal administrator account controls every endpoint's allowlist, so use a long, unique password kept in a password manager.
  • ThreatLocker Portal Refresh Rates Refresh Policies: the rate can be changed by the user on the Edit Computer Groups page; by default it is 60 seconds. Application Hash Refresh: every 5 minutes. Core Files Refresh: every 30 seconds. Tag Items Refresh: every time the computer checks in (every 60 seconds while it is online).
  • ThreatLocker Supported OS Builds Minimum System Requirements (Windows) Supported Hardware CPU: two cores are required. Expected normal usage is less than 1%, with occasional small spikes; baselining will use up to a full core. .NET 4.5.1. 1 GB+ of hard drive space. RAM: 2 GB; expected normal usage is 200-600 MB. See below for the complete list of supported Operating Systems. ThreatLocker does not support ARM processors. Supported Windows Workstation Builds: Windows 11 - all versions; Windows 10 - all versions; Windows 8.
  • Unverified Certificates When ThreatLocker checks whether code is signed, it validates the signing certificate's chain against the root CAs installed on your computer to verify that it was signed by a trusted source. If the chain does not end in a trusted root, the certificate is shown in red as unverified. Windows normally updates the root CAs automatically from Microsoft. If your computer has not run Windows Update in some time, or in some circumstances when you patch using an RMM tool, the root CAs are not updated as part of the patches being installed, and otherwise valid signatures will appear unverified until they are.
  • Rapid Check-In A temporary rapid check-in period for a specific endpoint can be invoked from the ThreatLocker tray icon on that endpoint. Right-click the ThreatLocker icon in the tray and select 'Rapid Check-in'. The next time this endpoint checks in to the ThreatLocker Portal, a 5-minute period of checking in every 5 seconds begins.
  • Windows Defender Advanced Threat Protection and ThreatLocker Windows Defender Advanced Threat Protection (ATP, now Microsoft Defender for Endpoint) runs files in a sandbox environment to check that they are not malicious. First, Windows Defender ATP creates a VDI sandbox environment in Azure. It then executes the file under investigation in this sandbox, and once finished it deletes the sandbox. When Windows Defender ATP investigates the ThreatLocker Stub or MSI installer in this way, ThreatLocker is installed on the VDI in Azure.
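The duplicate-removal rule described under 'Remove Duplicate Computers' above, modelled as an added PowerShell example. This is not ThreatLocker's code and does not talk to the portal; it assumes the rule means: for records sharing a hostname, keep the one with the most recent check-in, and remove an older record only if its active window (install date through last check-in) never overlaps the kept record's window. The function name and the sample records are constructed for the example.

```powershell
# Added example, not ThreatLocker's code. Models the portal's duplicate-computer rule:
# same hostname, compare install date and last check-in, remove only records that were
# never active at the same time as the surviving record.
function Get-DuplicateComputersToRemove {
    param(
        [Parameter(Mandatory)]
        [object[]]$Computers   # objects with Hostname, InstallDate, LastCheckIn (DateTime)
    )

    $toRemove = @()
    foreach ($group in ($Computers | Group-Object -Property Hostname)) {
        if ($group.Count -lt 2) { continue }   # no duplicate for this hostname

        # Keep the record that checked in most recently; it is the live installation.
        $sorted = $group.Group | Sort-Object -Property LastCheckIn -Descending
        $keep   = $sorted[0]

        foreach ($candidate in ($sorted | Select-Object -Skip 1)) {
            # Two activity windows overlap when each starts before the other ends.
            $overlap = ($candidate.InstallDate -le $keep.LastCheckIn) -and ($keep.InstallDate -le $candidate.LastCheckIn)
            if (-not $overlap) {
                # Stale record from before a reimage or reinstall: safe to remove.
                $toRemove += $candidate
            }
            # Overlapping records are left alone: they are two real machines sharing a name.
        }
    }
    return $toRemove
}

# Constructed sample records (not real portal data).
$sample = @(
    [pscustomobject]@{ Hostname = 'WS01'; InstallDate = [datetime]'2023-01-05'; LastCheckIn = [datetime]'2023-01-20' }   # old install, removed
    [pscustomobject]@{ Hostname = 'WS01'; InstallDate = [datetime]'2023-01-21'; LastCheckIn = [datetime]'2023-02-28' }   # reimaged, kept
    [pscustomobject]@{ Hostname = 'WS02'; InstallDate = [datetime]'2023-01-01'; LastCheckIn = [datetime]'2023-02-28' }   # kept
    [pscustomobject]@{ Hostname = 'WS02'; InstallDate = [datetime]'2023-02-10'; LastCheckIn = [datetime]'2023-02-27' }   # overlaps: second live machine, kept
)

Get-DuplicateComputersToRemove -Computers $sample |
    Format-Table Hostname, InstallDate, LastCheckIn -AutoSize
```

With the constructed sample, only the first WS01 record is returned. The WS02 pair overlaps, which is the case a hostname collision between two live machines produces; removing either would hide a real endpoint from the portal, so the rule leaves both in place.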
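As an added example for the 'Creating Custom Rules' and 'Unverified Certificates' entries above (not ThreatLocker's code): a PowerShell function that gathers what you would want to know before permitting a file, and reproduces the trust check those entries describe by looking the signing chain's root up in the machine's Trusted Root store. Get-FileHash yields SHA-256, which is not the hash ThreatLocker computes with its own algorithm; the 'hash, then certificate, then path' preference and the function name are this example's assumptions.

```powershell
# Added example, not ThreatLocker's code. Inspects a file the way you would before writing
# a custom rule: a hash for your own records, the Authenticode signer, and whether the
# signature chains to a root present in the machine's Trusted Root store (the check that
# fails, and shows the certificate in red as unverified, when root CAs are stale).
# Get-FileHash computes SHA-256; that is NOT the hash ThreatLocker calculates.
function Get-AllowlistCandidate {
    param([Parameter(Mandatory)][string]$Path)

    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $status = $sig.Status.ToString()   # Valid, NotSigned, NotTrusted, UnknownError, ...

    $signer      = $null
    $rootSubject = $null
    $rootTrusted = $false

    if ($null -ne $sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject

        # Rebuild the chain to find which root it terminates in, then look that root up
        # in LocalMachine\Root by thumbprint. Revocation is skipped: trust, not revocation,
        # is the question here, and offline machines would otherwise report errors.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($sig.SignerCertificate)   # returns $false on an untrusted root; partial chain is still populated
        $last        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootSubject = $last.Subject
        $rootTrusted = Test-Path -Path "Cert:\LocalMachine\Root\$($last.Thumbprint)"
    }

    # Map the outcome to the narrowest rule type that will hold up (assumed preference order).
    $recommend = switch ($status) {
        'Valid'     { if ($rootTrusted) { 'Hash (most restrictive) or Certificate' } else { 'Hash only: certificate would show as unverified' } }
        'NotSigned' { 'Hash only: file is unsigned' }
        default     { "Hash only: signature status $status; update root CAs and re-check before trusting the certificate" }
    }

    [pscustomobject]@{
        Path        = $Path
        SHA256      = $sha256
        Status      = $status
        Signer      = $signer
        Root        = $rootSubject
        RootTrusted = $rootTrusted
        Recommend   = $recommend
    }
}

# Usage: run against a binary you are about to permit, e.g. the Windows command interpreter.
Get-AllowlistCandidate -Path "$env:SystemRoot\System32\cmd.exe" | Format-List
```

Run it on a machine where the portal shows a red certificate: a Status of NotTrusted or UnknownError together with RootTrusted being false means the endpoint simply lacks the issuing root, not that the signer is bad. Running Windows Update normally brings the root list current; for a machine that is patched only through an RMM and cannot reach Windows Update, one option is `certutil -generateSSTFromWU roots.sst`, which downloads Microsoft's current root list into an SST file you can import into the Trusted Root store. Only after the root is present should the certificate be used as the basis of a rule; until then, the hash is the only rule that actually identifies the file.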
    Article information

    Author: Kerri Lueilwitz

    Last Updated: 03/02/2023
