How to Enable Learning Mode in ThreatLocker?
This document outlines the step-by-step process of how to enable learning mode in ThreatLocker Dashboard.
This article is a part of our ThreatLocker How-to Guides series, Chapter 04 – Learning and Training Mode.
Introduction
ThreatLocker’s Learning Mode (also known as Training Mode) allows the system to observe and log application behavior on endpoints without applying enforcement policies.
This mode is especially useful during device onboarding, helping IT administrators identify software usage before implementing allow/deny rules.
Enabling Learning Mode reduces user disruptions and ensures policies are based on real-world usage patterns.In this article, we’ll walk through the step-by-step process of enabling Learning Mode using the Maintenance Schedule feature.
Implementation
Step 1: Open the Target Device’s Configuration Panel
- Log in to the ThreatLocker Portal
- Go to the Devices tab from the main navigation
- Locate the device where you want to enable Learning Mode
- Click on the device to open its detailswindow
Step 2: Schedule Maintenance with Learning Mode
In the device details window, navigate to the Maintenance tab to access the maintenance configuration panel.
- Within the maintenance section, configure the following settings to enable Learning Mode:
- Maintenance Type: Select Application Control Learning Mode
- Start Date and Time: Specify when the learning period should begin
- End Date and Time: Define when the learning period should end
- Applies To: Choose Existing Applications
- Learning Method: Select Automatic
Once all fields are completed, click “Add Scheduled Maintenance”, then click “Save” to activate Learning Mode on the selected device.
The target device can be seen listed under the Mode column as being in Application Control Learning Mode, with a status of In Progress.
Conclusion
Enabling Learning Mode in ThreatLocker is a critical step when onboarding new devices or evaluating application behavior in a Zero Trust environment. It allows administrators to observe real-world usage without enforcing restrictions, reducing disruptions and helping build accurate allow/deny policies.
By scheduling Learning Mode on specific devices, you ensure that only trusted applications are captured, setting a strong foundation for secure, data-driven policy enforcement.