The Carbon Black App Control Console Home page includes an emergency Lockdown button that changes the Enforcement Level of all agent-managed computers to High.

During an emergency lockdown, the following is true for active agents whose policies do not have any enforcement settings disabled:

• Banned files are blocked.
• All Unapproved files that appear after the emergency lockdown are blocked.
• All existing Unapproved files that remain Unapproved are blocked.
• Certain files become locally approved, as described below, and can be executed.
• Computers that were offline when emergency lockdown was initiated are locked down upon reconnection to the Carbon Black App Control Server if the lockdown remains in effect.
• Lockdown affects all active agents, including those in Visibility Only mode. It does not affect computers whose agents are disabled.

In some cases, locking down a computer causes some Unapproved files to become locally approved. In the Advanced Settings panel of the Edit Policy page, there is a checkbox labeled Locally approve unapproved files on transition from Visibility or Low Enforcement Level to Medium or High . This affects computers whose Enforcement Levels are Low or None when they are moved to Enforcement Levels of High or Medium:

• If the box is checked, existing Unapproved files that first appeared on a computer when it was in Low (or None) Enforcement Level are locally approved upon lockdown.
• If the box is not checked, Unapproved files on computers in that policy remain Unapproved after lockdown and are not allowed to run. Console users with the default ReadOnly privileges do not have access to Emergency Lockdown. A login account role must have Manage Computers privileges for its members to perform an emergency lockdown.

WARNING: 

• Emergency Lockdown changes only the Enforcement Level of computers.
• In policies with Advanced Settings of Off or Report Only, computers might not block certain threats even when in lockdown.