Skip to main content

ThreatLocker Deployment [NinjaOne]

Purpose

This solution is designed to configure the automatic deployment of the ThreatLocker Agent on Windows and Macintosh machines that are missing the agent, using the NinjaOne platform.

Associated Content

Custom Field

ContentTypeAvailable OptionsFunction
cPVAL ThreatLocker DeploymentDrop-downAll, Windows, Windows and Macintosh, Disabled, windows workstations, windows servers and Macs, Windows Workstations and macs, windows servers, macs, UninstallCustom Field to select OS to enable auto-deployment of ThreatLocker. Select 'Uninstall' to uninstall ThreatLocker if it is already installed on the machines.
cPVAL ThreatLocker Auth KeyTextStores the ThreatLocker authorization key for Windows machines.
cPVAL ThreatLocker Organization NameTextFill it with the organization name under which the ThreatLocker agent is to be installed in ThreatLocker Portal
cPVAL ThreatLocker Mac GroupKeyTextStores one or more tags, separated by commas (optional).

Automation

ContentFunction
ThreatLocker DeploymentInstalls ThreatLocker agent on Windows operating systems.
ThreatLocker Deployment - MACInstalls ThreatLocker agent on Macintosh operating systems.
Uninstall ThreatLockerUninstalls ThreatLocker from a Windows machine. Tamper Protection must be disabled before running this script, otherwise the uninstall may fail.

Compound Conditions

ContentFunction
ThreatLocker Deployment - WorkstationsTriggers the ThreatLocker Deployment automation on Windows workstations where deployment is enabled and ThreatLocker is not installed.
ThreatLocker Deployment - ServersTriggers the ThreatLocker Deployment automation on Windows servers where deployment is enabled and ThreatLocker is not installed.
ThreatLocker Deployment - MACTriggers the ThreatLocker Deployment [MAC] automation on Macintosh machines where deployment is enabled and ThreatLocker is not installed.
Uninstall ThreatLocker - WindowsTriggers the Uninstall ThreatLocker automation on Windows machines where uninstallation is enabled and ThreatLocker is installed.

Implementation

Step 1

Create the following custom fields:

Step 2

Create the following automations:

Step 3

Create the following Compound conditions:

FAQ

Q. What is this solution used for?

A. This solution is used to automatically deploy the ThreatLocker agent on Windows and macOS endpoints managed by NinjaOne when the agent is missing. It ensures consistent security coverage without requiring manual installation.

Q. Which operating systems are supported?

A. Windows and macOS

Q. Will this reinstall ThreatLocker if it is already installed?

A. No. The compound conditions explicitly check whether the ThreatLocker agent is not installed. If the agent is already present, the deployment script will not run.

Q. Where are the ThreatLocker credentials stored?

A. Credentials are stored securely using NinjaOne Custom Fields:

  • Windows Auth Key: cPVAL ThreatLocker Auth Key
  • Windows Organization Name: cPVAL ThreatLocker Organization Name
  • macOS Group Key: cPVAL ThreatLocker Mac GroupKey

These values are retrieved dynamically at runtime by the deployment scripts.

Q. Can this be enabled or disabled per organization?

A. Yes. The custom field cPVAL ThreatLocker Deployment controls whether automatic deployment is enabled at the organization level. This allows granular control over where ThreatLocker is deployed.

Q. Does this require user interaction?

A. No. The deployment runs silently in the background via NinjaOne automations and does not require any user interaction.

Changelog

2026-06-02

  • Added Uninstall option in the cPVAL ThreatLocker Deployment custom field.
  • Added missing components to the documents as per our new document standards.
  • Renamed the compound condition from ThreatLocker-deployment-windows to ThreatLocker-deployment-workstations. Separated workstations and servers compound conditions because servers use different Custom fields for deployment.
  • Added ThreatLocker uninstallation script for windows and its corresponding Custom Field.

2025-05-27

  • Initial version of the document