
Deploying ThreatLocker to Windows devices with Hexnode UEM

ThreatLocker, a zero-trust endpoint protection platform, provides cybersecurity solutions to organizations, ensuring continuous verification and protection against potential threats. ThreatLocker protects endpoints from a wide variety of threats, including phishing, malware, ransomware, rootkits, password attacks, and IoT attacks. This document walks through the step-by-step process of deploying ThreatLocker to Windows devices with Hexnode UEM for strong protection against cybersecurity threats.

Pre-requisites:

How to deploy ThreatLocker to Windows?

Follow these steps to deploy ThreatLocker to Windows endpoints:

  1. Download the PowerShell script from the ThreatLocker portal to deploy ThreatLocker on the devices.
    1. Log in to your ThreatLocker portal.
    2. Click Computers in the navigation panel.
      Create a new group for the Windows devices by clicking +Computer Group and providing the details of the group.

      Tab showing options to create computer group

    3. After creating the group, obtain the Install Key value from the device group information in the ThreatLocker portal. This value replaces the GroupKey in the PowerShell script.

      ThreatLocker portal showing the installation key under computer group information

    4. Click Install Computer, select Manual Deployment as the deployment method, and select the group created for the Windows devices as the Computer Group.
    5. An option to download the PowerShell script then appears in the same tab.
    6. Download the PowerShell script.

      ThreatLocker portal showing option to download the install script to deploy ThreatLocker to Windows

  2. Execute the script to deploy ThreatLocker to the devices.
    1. Log in to the Hexnode UEM portal.
    2. Go to the Manage tab and select the device.
    3. Click on the Actions drop-down and select the Execute Custom Script option.
    4. Click Choose file to upload the PowerShell script downloaded from the ThreatLocker portal. The script is given below:

      ThreatLocker installation script

    5. Click Execute.
  3. Navigate to the Action History tab of the device to check whether ThreatLocker has been installed successfully.

    Hexnode console displaying the successful installation of ThreatLocker

  4. In the ThreatLocker portal, navigate to the Computers section to view the devices on which ThreatLocker is deployed.

    Deploy ThreatLocker to Windows: Enrolled devices list in ThreatLocker portal

What happens at the device end?

Once the deployment completes successfully, the devices are added to the ThreatLocker portal. The agent helps ensure that the devices are actively protected against a wide range of threats, including phishing, malware, ransomware, rootkits, password attacks, and IoT-related vulnerabilities.

Frequently Asked Questions

1. Does Hexnode automatically update the ThreatLocker agent?

No. The script installs the specific version available at the time of execution. To update the agent, an updated script can be executed with the latest version of the agent.

2. Can ThreatLocker be deployed to multiple device groups?

Yes, the ThreatLocker agent can be deployed to entire device groups. Navigate to Manage > Device Groups within the Hexnode portal. After selecting the required groups, the deployment can be initiated by choosing the Execute Custom Script option from the Actions drop-down menu. However, ensure that the GroupKey in the script matches the intended ThreatLocker group for those devices.

3. What happens if I execute the script on a device where ThreatLocker is already installed?

The script includes a check: if [ -d /Applications/ThreatLocker.app ]. If the agent is detected, the script will echo “Threatlocker is already installed” and exit with an error code to prevent redundant installations.

Troubleshooting

1. GroupKey Reported as “Invalid” in Hexnode Action History

Probable cause:

The deployment fails, or the agent fails to register, because the GroupKey used in the script is incorrect or expired, or because the corresponding device was deleted in the ThreatLocker portal.

Solution:

Confirm the GroupKey by navigating to Computers > [Group Name] in the ThreatLocker portal. Ensure the key is copied exactly and update the variable in the Hexnode PowerShell script before re-executing the deployment action.

2. Version Retrieval Failure

Probable cause:

The script fails with the message “Unable to retrieve version number.” This happens when the endpoint is unable to communicate with the ThreatLocker API to determine the latest agent version.

Solution:

Verify that the device has an active internet connection, and that TLS 1.2 or higher is enabled on the Windows device to allow secure API communication.
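
A pre-flight check for the connectivity and TLS 1.2 requirement above, as an added PowerShell example (it is not part of the ThreatLocker install script or of Hexnode's documentation). The host name `api.example.invalid` is a placeholder and the function names are hypothetical; substitute the API host that appears in your downloaded script.

```powershell
# Added example: diagnose "Unable to retrieve version number" before re-running the install.
# $ApiHost is a placeholder (assumption); use the host name found in your downloaded script.
param(
    [string]$ApiHost = 'api.example.invalid',
    [int]$Port = 443
)

function Get-SchannelTls12Client {
    # Standard Windows SCHANNEL location for the TLS 1.2 client setting.
    # A missing key or value means the operating system default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled           = if ($p -and $null -ne $p.Enabled) { $p.Enabled } else { 'OS default' }
        DisabledByDefault = if ($p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'OS default' }
    }
}

function Test-Tls12Handshake {
    param([string]$HostName, [int]$Port)
    # Opens a TCP connection, then forces a TLS 1.2 handshake with certificate validation.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{ TcpConnected = $true; Negotiated = $ssl.SslProtocol; Error = $null }
    } catch {
        # TcpConnected = $false points at network/DNS/firewall; $true points at TLS or certificates.
        [pscustomobject]@{ TcpConnected = $client.Connected; Negotiated = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

$schannel  = Get-SchannelTls12Client
$handshake = Test-Tls12Handshake -HostName $ApiHost -Port $Port

[pscustomobject]@{
    Host                 = "${ApiHost}:$Port"
    SchannelEnabled      = $schannel.Enabled
    SchannelDisabledByDf = $schannel.DisabledByDefault
    # Protocols that .NET web requests in this PowerShell session will offer.
    SessionProtocols     = [Net.ServicePointManager]::SecurityProtocol
    TcpConnected         = $handshake.TcpConnected
    NegotiatedProtocol   = $handshake.Negotiated
    Error                = $handshake.Error
} | Format-List
```

A result with `TcpConnected` false indicates a network, DNS, or firewall problem; `TcpConnected` true with an error indicates that the TLS 1.2 handshake or certificate validation failed on the device.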

Best Practices

  • Always execute the script on a single test device first. Verify the device appears in the ThreatLocker portal before pushing the script to your entire fleet.
  • Ensure the target Windows devices are connected to the internet.