How to prioritize policies in ThreatLocker?
This document outlines the step-by-step process of how to prioritise policies in ThreatLocker Dashboard.
This article is a part of our ThreatLocker How-to Guides series, Chapter 08 – Policy Management.
Introduction
In ThreatLocker, multiple policies may apply to the same application, user, or device. When policies conflict (e.g., one allows and one blocks), policy order determines which rule takes effect.
Higher-priority policies are applied first, so managing the order is crucial to ensure the correct behavior.
Implementation
Step 1: Access Unified Audit
- Log in to the ThreatLocker Portal.
- Navigate to Modules > Application Control > Policies
- Locate the policy you want to prioritize
Step 2: Understand Policy Priority (Order)
Each policy has an Order number that determines its priority.
- Lower numbers have higher priority
- Higher numbers have lower priority
by following this example, we have two conflicting policies:
- Allow CMD (Order: -189)
- Block CMD (Order: -190)
To ensure that CMD is allowed, the Allow CMD policy must have a lower order number than the Block CMD policy.We will update the Allow CMD policy to Order: -200, giving it higher priority.
Step 3: Review and Deploy the Policy to prioritize policies in ThreatLocker
Then, click Deploy to apply the updated policy.
Thereafter, CMD is allowed because the Allow policy takes precedence.
Conclusion
Managing policy order is essential when multiple ThreatLocker rules apply to the same application or device.
By assigning a lower order number to higher-priority policies, you ensure the correct actions, such as allowing or blocking an application are enforced as intended.Always review and adjust policy order when conflicts arise to maintain consistent behavior and uphold your Zero Trust security model.