
How to whitelist unknown publishers in ThreatLocker?
This document outlines the step-by-step process for whitelisting unknown publishers in ThreatLocker.
This article is part of our ThreatLocker How-to Guides series, Chapter 11 – Maintenance and Troubleshooting.
Introduction
Whitelisting an application from an unknown publisher allows it to run in your environment while maintaining control through ThreatLocker policies.
Implementation
Step 1: Use Unified Audit to Locate the Target Application
- Log in to the ThreatLocker Portal.
- Navigate to Unified Audit.
- Use the filter section to find the application:
  - Date Range – Set a start and end date.
  - Action Type – Set to Execution.
  - Group By – Select Application Name for a clearer view.
- (Optional) Use the Search bar to locate a specific executable (e.g., hello.exe).
- Click Search, locate the target application (e.g., hello.exe), and open its details.

Step 2: Whitelist the Application
1. In the event details window, click Approve Application.

2. Fill in the approval form:
- Install Type: Select New Installation.
- Policy Name: e.g., Hello.exe.
- Applied To: Select This Computer (or the desired group/organization).

Condition Section:
- Select Permanent (or specify a duration if temporary).
Action Section:
- Select Permit Application.
- Under Elevation, select Do Not Elevate.
3. Once all fields are configured, click Approve.

Step 3: Verify the Policy
- Navigate to Modules > Application Control > Policies.
- Use the filter to select the target PC or computer group.
- Confirm that the new policy appears in the list.

Conclusion
By using Unified Audit and the Approve Application feature, you can safely whitelist software from unknown publishers while ensuring it only runs on the systems you specify.