All CtrlOne Features

Search and filter every CtrlOne feature in one place - restrictions, browser controls, admin-console tools, restore module, and the auto-scheduler.

Premium Features

The full endpoint management suite - live PC details and processes, screen-time, security posture, remote support, maintenance, services, asset management, commands, Active Directory, browser control, schedules, snapshots, live preview, wallpaper push and full activity / event logs.

PC Details

A complete hardware and OS inventory for each device - make, model, serial, CPU, RAM, disk layout, BIOS, network adapters, Windows edition and build, agent version and last check-in - so operators can identify and audit every endpoint at a glance.

Live Process

See the real-time list of running processes on a device with owner, CPU and memory usage, and remotely end a rogue or hung process without disturbing the user at the keyboard.

Screen Time

Track daily active-usage and per-application time on each PC, with trends over time - ideal for spotting idle machines, enforcing focus policies and giving end users a daily usage report card.

Security

A consolidated endpoint security posture view - Microsoft Defender / third-party AV and EDR health, real-time protection status, BitLocker encryption state, firewall profiles and pending security actions - all in one panel.

Maintenance

Remote housekeeping tools: disk cleanup, temp-file purge, disk-health (SMART) and low-space early warnings, restore-point creation and general tune-up actions to keep fleets healthy without a site visit.

Services

View and control Windows services on the device - start, stop, and change start-up type - with the agent handling TrustedInstaller-owned services safely so operators can fix service-related issues remotely.

Remote Support

First-party remote control with no third-party relay - view and take control of the desktop, chat with the user, and transfer files, with every session logged for audit. Built into CtrlOne, not a bolt-on.

Asset Management

Operator-entered procurement and lifecycle records the agent can't auto-collect - purchase date, vendor, cost, warranty expiry, assigned user, location and asset tag - so each device carries its full lifecycle history.

Commands

Queue remote commands to a device - restart, shutdown, lock, apply policy, run maintenance and more - with delivery tracking so operators know exactly which actions reached the endpoint.

Active Directory

Surface each device's domain and Active Directory context - domain membership, organisational unit, logged-on domain user and group data - to line up CtrlOne management with your existing directory.

Enterprise Console

A first-party desktop console (WebView2) that runs on the managed PC itself, letting on-site admins view status and apply policy locally - including offline via the local agent bridge - without opening the cloud console.

Browser Control

Live, per-device browser actions - set the homepage, push allow/block URL lists, force SafeSearch, enable kiosk mode, apply DNS filtering and wipe browsing data - applied to Chrome, Edge and Firefox on demand.

Enterprise Security

Fleet-wide and per-device security enforcement - roll out and verify security restriction bundles across many endpoints from a single page, with per-device scoping so each toggle lands on the right machine.

Schedules

Time-based restriction windows that auto-apply and auto-restore - block camera, internet, recorders or any policy on a daily or recurring schedule, with a full activity trail of every automatic transition.

Snapshots

On-demand and scheduled screen captures from the endpoint, stored per device and tenant-scoped, so operators can visually verify what was on screen at a point in time for support or compliance.

Live Preview

A near-real-time stream of the device's screen so operators can watch what's happening live - useful for support triage, monitoring shared kiosks and confirming a user's issue without taking control.

Wallpaper

Push a desktop wallpaper or on-screen watermark to a device remotely - live to the signed-in user's session where possible - for branding, classroom identification or on-screen policy notices.

User Activity

A per-user activity feed showing sign-ins, application launches, policy events and notable actions on the PC, giving operators a human-readable timeline of what happened on each endpoint.

Activity Log

An append-only history of the device's activity - policy applies, restores, blocks and agent events - mirrored durably on the endpoint and surfaced in the console so nothing is lost across reboots or log rotation.

Event Log

Read the Windows Event Log entries collected from the device - system, application and security channels - so operators can diagnose crashes, errors and security events without remoting into the machine.

Basic Protection

Day-one defaults that block the obvious holes - Registry Editor, Control Panel, Windows Update, shortcuts.

Disable Registry Editor

Prevents users from opening the Registry Editor or importing registry files, so low-level system settings cannot be changed.

Right Click Display Settings

Hides the legacy Display Control Panel applet AND the modern Settings → System → Display / Personalization pages.

Disable Windows Update

Removes user access to Windows Update so they cannot pause, defer or trigger feature/quality updates. The update service itself keeps running.

Disable Control Panel

Removes access to Control Panel and all of its applets. The modern Settings app is left unaffected.

Disable shortcuts

Disables the Win key plus every Win+R/E/L/X/I/A/S/D/M/G/U shortcut combo, and remaps the physical Windows keys so they do nothing.

Disable New Shortcut wizard

Removes the 'Shortcut' option from the right-click New menu so users cannot create new shortcuts on the desktop or in folders.

Disable Programs and Features

Blocks the Add/Remove Programs and Programs and Features applets so users cannot uninstall, change or repair installed software.

Disable command prompt

Disables the Command Prompt and batch-script execution. Users see a clear 'command prompt has been disabled by your administrator' message.

Disable PowerShell

Prevents PowerShell - including the ISE editor and PowerShell 7 - from launching, and blocks PowerShell scripts from running.

Disable Run

Hides the Run command from the Start menu and disables the Win+R hotkey so users cannot launch arbitrary commands by name.

Disable Date & Time Change

Locks the system clock so users cannot change the date, time or time zone from the taskbar, Control Panel or Settings. The clock stays visible.

Disable Microsoft Store

Removes the Microsoft Store, blocks all store-delivered apps from running and stops background app updates from downloading.

Disable Services

Prevents users from starting, stopping or reconfiguring Windows services through any of the built-in tools, and hides the Administrative Tools shortcuts.

Disable Bluetooth

Stops the four core Bluetooth services AND disables every paired BT radio device via PnP - no pairing, file transfer or peripheral connections.

Disable Calculator

Stops the Windows Calculator from launching and closes it if it is already open.

Advanced Protection

Deep-system controls for hardened fleets: Group Policy, Task Manager, Defender, services, drivers and more.

Disable Task Manager

Prevents users from opening Task Manager, so they cannot view processes, end tasks or change startup apps. The taskbar shortcut to it is greyed out as well.

Disable Lock Computer

Disables Win+L and the Start menu Lock entry so the user cannot manually lock the workstation. Auto-lock from screensaver or idle timeout still works.

Hide This PC

Hides the 'This PC' icon from the desktop, the Explorer sidebar and the Start menu so users can't browse drives from the My Computer entry point.

Disable Remote Desktop

Refuses incoming Remote Desktop connections to this PC and disables the matching Windows Firewall rule, so the machine cannot be reached over Remote Desktop.

Disable System Properties

Blocks access to System Properties so users cannot view the computer name, change the workgroup or open System Protection.

Disable Computer Management

Locks down the Microsoft Management Console so administrative consoles such as Services, Device Manager and Group Policy refuse to open.

Disable Run as Administrator

Removes the 'Run as administrator' verb from right-click menus so users cannot launch any program elevated, even with the local Admin password.

Disable Group Policy

Prevents users from viewing or refreshing local Group Policy. Domain policy from your servers still applies normally.

Disable Windows Install - New Software Setup Block

Blocks Windows Installer packages from installing, repairing or removing software on this PC. Already-installed software keeps working; only new changes are blocked.

Disable Clipboard

Disables the Windows clipboard so Ctrl+C / Ctrl+V / Ctrl+X copy nothing between apps. A background guardian also clears the clipboard on every paste attempt.

Disable Delete Button

Suppresses the Delete key in Explorer and removes the right-click → Delete entry so users cannot remove files from the desktop, Documents or any folder.

Disable Personalize

Blocks the right-click → Personalize entry on the desktop and the Settings → Personalization page so users cannot change theme, colors or background.

Disable Display Settings

Hides the right-click → Display Settings entry and blocks the Settings → System → Display page so users cannot change resolution, scaling or multi-monitor layout.

Disable Cut

Disables the Ctrl+X hotkey and removes the right-click → Cut entry in Explorer so users cannot move files by cutting them out of a folder.

Disable Copy

Disables the Ctrl+C hotkey and removes the right-click → Copy entry in Explorer so users cannot duplicate files to another location.

Disable Right Click

Disables the right-click context menu on the desktop, in Explorer, and on the taskbar so users cannot reach New / Properties / Send To / Open With.

Disable Right Click Properties

Greys out the 'Properties' entry on right-click menus for files, folders and shortcuts so users cannot view or change permissions, attributes or compatibility settings.

Block Devices and Printers

Hides Devices and Printers from Control Panel and the Settings → Bluetooth & devices page so users cannot add, remove or reconfigure printers, scanners or paired devices.

Disable Microphone

Forces the Windows microphone privacy switch to OFF for ALL apps (Win32 + UWP) so no application - including Teams, Zoom or the browser - can record audio.

Disable Camera

Forces the Windows camera privacy switch to OFF for ALL apps (Win32 + UWP) so no application - including Teams, Zoom or the browser - can capture video.

Disable Windows Notifications

Turns off the Action Center and toast notifications for every app so users don't see banners, sounds or badge counts. App-internal in-window alerts still appear.

Disable Snipping Tool

Prevents the Snipping Tool and the Win+Shift+S screenshot overlay from launching.

Disable Photos App

Prevents the Windows Photos app from launching. Image files opened from File Explorer fall back to whatever other viewer is associated.

Disable Sticky Notes

Prevents the Sticky Notes app from launching. Notes already synced to the cloud remain available on the user's other devices.

Disable Voice Recorder

Prevents the Windows Voice Recorder app from launching. Other apps can still record audio unless the microphone is also blocked.

Disable Airplane Mode

Hides the Airplane Mode toggle from Settings (Network & Internet → Airplane mode) and from the Action Center quick-action flyout. Also forces the radios back on so a device already in airplane mode is brought back online.

Disable Mobile Hotspot

Stops the Windows Mobile Hotspot Service, hides the Mobile hotspot Settings page and the Action Center quick-action, and blocks the Internet Connection Sharing / Mobile Hotspot UI.

Disable Nearby Sharing

Disables the Connected Devices Platform so Nearby Sharing and 'Continue on PC' cannot push files or URLs to other devices over Bluetooth / Wi-Fi-Direct.

Disable Project (Project to this PC)

Blocks 'Project to this PC' (the Miracast wireless-display receiver) and hides Settings → System → Projecting to this PC.

Disable VPN

Turns off the built-in Windows VPN so the PC refuses to start new VPN connections and drops any active one, covering all of the standard VPN types.

Disable Notepad

Blocks Notepad so it fails to launch from the Start menu, the Run box or by opening a text file, while leaving all other apps working. Turning the feature off restores Notepad.

Disable Audio

Disables the entire Windows audio stack at the service level.

Disable Switch User

Hides the 'Switch user' option on the lock screen and Start menu so a logged-in user cannot park their session and let another local account sign in alongside it.

Black Out Lock Screen

Replaces the lock-screen image with solid black so on-screen content can't be photographed while the PC is locked.

Block Unsigned EXE & MSI

Uses built-in Windows signing policies to stop unsigned programs and installers from running, without the brick-risk of full app allow-listing.

Force Auto-Lock After 5 min Idle

Automatically locks the PC after five minutes of inactivity and requires the password to resume.

Disable Format Option

Blocks drive formatting from the right-click menu and the command line so disks can't be wiped by accident or on purpose.

Desktop Protection

Lock down what users can do on the desktop - wallpaper, icons, themes, right-click and personalisation.

Read-Only Desktop Icons

Locks every icon on the desktop in place - users can still click to launch but cannot drag, rename, delete or rearrange them. New shortcuts pinned by IT still appear normally.

Disable Changing Wallpaper

Locks the current wallpaper as the only allowed image. The right-click → 'Set as desktop background' verb is greyed out and the Settings → Personalization → Background page is read-only.

Hide Recycle bin

Removes the Recycle Bin icon from the desktop. Deleted files still go to the Recycle Bin and can be recovered, but the desktop shortcut to it is gone.

Hide Network

Removes the Network icon from the desktop and the Explorer sidebar so users can't browse SMB shares or workgroup PCs through the GUI. UNC paths typed manually still resolve.

Restrict Desktop Save/Copy

Locks the desktop folder so apps and users cannot save or delete files there. Existing desktop files remain untouched. Ideal for kiosk PCs.

Disable Sidebar Desktop

Hides the Desktop folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. The desktop itself is unaffected - only the shell-folder shortcut is removed.

Disable Sidebar Documents

Hides the Documents folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Files inside Documents are untouched and still reachable by typing the path.

Disable Sidebar Downloads

Hides the Downloads folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Browsers still save downloads to the same folder - only the shell shortcut disappears.

Disable Sidebar Music

Hides the Music folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Music files inside the folder remain on disk and still play when opened directly.

Disable Sidebar Pictures

Hides the Pictures folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Image files inside the folder remain on disk and still open normally.

Disable Sidebar Videos

Hides the Videos folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Video files inside the folder remain on disk and still play when opened directly.

Show User Watermark on Desktop

Tiles a faint watermark with the PC name, user and date across the desktop, so photos of the screen carry a traceable marker.

Disable Sidebar Public Documents

Hides the Public Documents folder from the Explorer sidebar and Quick Access. Files stay on disk and remain reachable by path.

Disable Sidebar Public Downloads

Hides the Public Downloads folder from the Explorer sidebar and Quick Access. Files stay on disk and remain reachable by path.

Disable Sidebar Public Pictures

Hides the Public Pictures folder from the Explorer sidebar and Quick Access. Images stay on disk and still open normally.

Disable Sidebar Public Videos

Hides the Public Videos folder from the Explorer sidebar and Quick Access. Videos stay on disk and still play when opened directly.

Disable Sidebar Public Music

Hides the Public Music folder from the Explorer sidebar and Quick Access. Music stays on disk and still plays when opened directly.

USB Protection

Per-class USB control - allow keyboards / mice / printers while blocking storage, cameras, MTP or HID. Three-mode mass-storage lockdown (off / read-only / block).

USB Drives Read-Only

Lets USB flash drives and external disks mount but blocks all writes to them.

Disable USB Drives

Blocks USB mass-storage devices (flash drives, external HDDs, SSDs) so they can no longer mount. USB keyboards, mice, headsets and printers continue to work normally.

Disable USB Phones (MTP/PTP)

Prevents Android phones, iPhones and digital cameras from connecting over USB as media devices, so their storage cannot be browsed.

USB Device-Class Allow / Deny

Replaces the all-or-nothing USB sledgehammer with per-class control: allow keyboards, mice and printers while blocking storage, cameras, MTP, network adapters or HID. Survives reboot and applies before the device enumerates.

USB Storage Lockdown (Off / Read-only / Block)

Three-mode mass-storage control. Read-only blocks writes immediately on already-mounted volumes; Block stops new sticks from mounting at all. Keyboards, mice and phone-charging are unaffected.

Software Block Protection

Block specific apps, installers, file types and tools from launching on the PC by name and signature.

Disable New Software Installation

Blocks new software installations across multiple layers - stopping every type of Windows Installer package and closing the per-user side-load path.

Disable 3D Viewer

Blocks the Microsoft 3D Viewer UWP app (formerly Mixed Reality Viewer).

Disable Media Player

Blocks every media-playback app that ships with Windows - the legacy Windows Media Player, the modern Media Player / Groove Music app, and the Movies & TV app.

Disable Microsoft Clipchamp

Blocks the Microsoft Clipchamp video-editor UWP app (bundled by default in Win11 22H2+).

Disable Microsoft To Do

Blocks the Microsoft To Do task / checklist app (a rebrand of Wunderlist) so it exits immediately on launch.

Disable Paint 3D

Blocks the Microsoft Paint 3D app so it exits immediately on launch.

Disable UC Browser

Blocks UC Browser, an Alibaba-owned Chromium-based browser with a multi-year track record of shipping with hostile telemetry and unwanted bundled components.

Disable Opera

Blocks Opera Browser, a Chromium fork that ships with a built-in free unlimited VPN/proxy that bypasses corporate egress controls.

Disable Vivaldi

Blocks Vivaldi Browser (Vivaldi Technologies AS - Norway-based Chromium fork founded by ex-Opera CEO Jon von Tetzchner after the Opera CN ownership change).

Disable Brave

Blocks Brave Browser, the largest Chromium fork by install base after Chrome, Edge and Opera, marketed as a privacy-focused browser.

Disable Mozilla Firefox

Blocks Mozilla Firefox, the largest non-Chromium third-party browser on Windows and Microsoft's documented managed-alternative when Edge is locked down.

Disable Microsoft Edge

Blocks Microsoft Edge (Microsoft-shipped Chromium-based web browser that REPLACED Internet Explorer as Windows default browser starting Win10 1507/Win11 21H2, ONLY browser pre-installed on every shipping Windows 10/11/Server 2019/2022/2025 box).

Disable Apple Safari

Blocks Apple Safari for Windows (Apple-shipped WebKit-based web browser).

Disable Google Chrome

Blocks Google Chrome (Google-shipped Chromium-based web browser - most-deployed third-party browser on Windows).

Disable WhatsApp

Blocks WhatsApp (Meta/Facebook end-to-end-encrypted consumer messaging product).

Disable Microsoft Teams

Blocks Microsoft Teams (unified Teams chat/video/collaboration product, fka Lync, fka Skype for Business).

Disable Google Meet

Blocks Google Meet (browser-based G Suite / Google Workspace video conferencing product, fka Google Hangouts Meet, fka Google Duo for groups).

Disable Zoom

Blocks every shipped Zoom Video Communications desktop app so any launch attempt fails.

Disable LinkedIn

Blocks the LinkedIn app and the LinkedIn website - feed, jobs, messaging and profiles - in Chrome and Edge.

Disable Pinterest

Blocks Pinterest (the Pinterest Inc. visual-discovery / image-bookmark social network, >500 M monthly active users).

Disable Snapchat

Blocks Snapchat (the Snap Inc. ephemeral-messaging / Stories / Spotlight short-form video network, >400 M daily active users).

Disable TikTok

Blocks TikTok (the ByteDance short-form video network, >150 M U.S. monthly users + >1 B global).

Disable Reddit

Blocks Reddit (the link-aggregator / discussion-forum site, >100 M daily active users post-IPO 2024).

Disable Threads

Blocks Meta's Threads, the microblogging service spun out of Instagram. Threads has no Windows desktop app - it is web-only - so this blocks the Threads website in Chrome and Edge.

Disable Midori Browser

Blocks Midori Browser, a lightweight WebKitGTK-based browser originally created in 2007 for the Xfce desktop environment.

Disable Dolphin Browser

Blocks Dolphin Browser, a gesture-driven mobile browser from Dolphin Browser Inc. (formerly MoboTap) primarily distributed for Android and iOS.

Disable Comodo Dragon

Blocks Comodo Dragon, a Chromium-based browser from Comodo Group (now reorganised under Xcitium Inc.) marketed for security-conscious users.

Disable Epic Privacy Browser

Blocks Epic Privacy Browser, a Chromium fork from Hidden Reflex Sales Pvt. Ltd. marketed as a privacy-first 'always-on private browsing' browser.

Disable Chromium

Blocks the upstream Chromium open-source browser, the codebase from which Chrome, Edge, Brave, Opera, Vivaldi, Yandex Browser, Comodo Dragon, SRWare Iron and Epic Privacy Browser are all built.

Disable Telegram

Prevents the Telegram desktop and Microsoft Store apps from opening, and blocks the Telegram website in Chrome and Edge so the web version cannot be used either.

Disable Facebook

Prevents the Facebook and Messenger apps from opening and blocks the Facebook and Messenger websites in Chrome and Edge, so the whole Meta surface is unavailable.

Disable Facebook Messenger

Prevents the Messenger app from opening and blocks the Messenger website in Chrome and Edge.

Disable Python

Prevents any Python interpreter - including the launcher, IPython and Conda - from running.

Disable Tor Browser

Prevents the Tor Browser and its bundled connection helpers from launching, so users cannot use Tor to bypass web controls.

Disable Pale Moon

Prevents the Pale Moon browser, including its portable version, from launching.

Disable Puffin Browser

Prevents the Puffin browser from launching and blocks its installer and updater so it cannot reinstall itself.

Control Panel Protection

Hide individual Control Panel applets so users can see what they need and nothing else.

Disable Administrator Tool

Hides the 'Administrative Tools' applet from Control Panel.

Disable Autoplay

Hides the 'AutoPlay' applet from Control Panel.

Disable Backup & Restore

Hides the legacy 'Backup and Restore (Windows 7)' applet from Control Panel.

Disable Bitlocker Drive Encryption

Hides the 'BitLocker Drive Encryption' applet from Control Panel.

Disable Colour Management

Hides the 'Color Management' applet from Control Panel.

Disable Credential Manager

Hides the 'Credential Manager' applet from Control Panel.

Disable Date & Time

Hides the 'Date and Time' applet from Control Panel.

Disable Default Programs

Hides the 'Default Programs' applet from Control Panel.

Disable Device Manager

Hides the 'Device Manager' applet from Control Panel.

Disable Device & Printers

Hides the 'Devices and Printers' applet from Control Panel.

Disable Ease of Access Center

Hides the 'Ease of Access Center' applet from Control Panel.

Disable File Explorer Options

Hides the 'File Explorer Options' applet (formerly 'Folder Options' on Win7/8) from Control Panel.

Disable File History

Hides the 'File History' applet from Control Panel.

Disable Fonts

Hides the 'Fonts' applet from Control Panel.

Disable Indexing Options

Hides the 'Indexing Options' applet from Control Panel.

Disable Internet Options

Hides the 'Internet Options' applet from Control Panel.

Disable Keyboard

Hides the 'Keyboard' applet from Control Panel.

Disable Mail (Microsoft Outlook)

Hides the 'Mail (Microsoft Outlook)' applet, installed by Office, from Control Panel.

Disable Mouse

Hides the 'Mouse' applet from Control Panel.

Disable Network and Sharing Center

Hides the 'Network and Sharing Center' applet from Control Panel.

Disable Phone and Modem

Hides the 'Phone and Modem' applet from Control Panel.

Disable Power Options

Hides the 'Power Options' applet from Control Panel.

Disable Programs and Features Control Panel

Hides the 'Programs and Features' applet from Control Panel.

Disable Recovery

Hides the 'Recovery' applet from Control Panel.

Disable Region

Hides the 'Region' applet from Control Panel.

Disable RemoteApp and Desktop Connections

Hides the 'RemoteApp and Desktop Connections' applet from Control Panel.

Disable Security and Maintenance

Hides the 'Security and Maintenance' applet, formerly known as Action Center, from Control Panel.

Disable Sound

Hides the 'Sound' applet from Control Panel.

Disable Speech Recognition

Hides the legacy 'Speech Recognition' applet from Control Panel.

Disable Storage Spaces

Hides the 'Storage Spaces' applet from Control Panel.

Disable Sync Center

Hides the 'Sync Center' applet, which manages Offline Files, from Control Panel.

Disable System

Hides the legacy 'System' applet - the 'About this PC' and advanced system settings surface - from Control Panel.

Disable Work Folders

Hides the 'Work Folders' applet and its per-user sync engine from Control Panel.

Disable Windows Mobility Center

Hides the 'Windows Mobility Center' applet from Control Panel.

Disable Windows Defender Firewall

Hides the 'Windows Defender Firewall' applet, including its advanced-security console link, from Control Panel.

Disable User Accounts

Hides the 'User Accounts' applet, including the advanced user-accounts and Credential Manager surfaces, from Control Panel.

Disable Troubleshooting

Hides the 'Troubleshooting' applet and its diagnostic tools from Control Panel.

Disable Taskbar and Navigation

Hides the 'Taskbar and Navigation' applet (per-user shell-integration surface that Microsoft also forwards to the Win11 Settings > Personalization > Taskbar UWP page) from Control Panel.

Browser Protection

Browser-engine-level controls (Chrome, Edge, Firefox) - Incognito, Extensions, DevTools, downloads.

Tamper Protection

Blocks every standard way to remove the agent - silent uninstalls, the Programs and Features entry, stopping or deleting its service, force-closing it, and deleting its files. It self-heals if any protection is tampered with.

Disable Internet Upload

Kills Microsoft Explorer's upload-to-web wizard so users cannot push files to OneDrive, SharePoint or arbitrary FTP destinations from right-click menus.

Limit Browser Upload Speed

Throttles browser UPLOAD bandwidth (outbound only) to a precise operator-typed KB/s value via Windows native QoS Policy on common browser executables.

Limit Browser Download Speed

Throttles download speed in the major browsers (Chrome, Firefox, Edge, Brave, Opera and Vivaldi) down to a limit you set in KB/s.

Block Ads in All Browsers

Blocks advertisements, trackers and banner networks across every browser (Chrome, Firefox, Edge, Brave, Opera, Vivaldi and IE) by filtering out around 80 of the largest ad-network domains system-wide.

Disable Internet Download

Forces Chrome and Edge to block ALL downloads - every file type, every source, every site - using their enterprise download-restriction policy.

Disable Incognito / Private Mode

The New Incognito / InPrivate Window menu entries disappear. All browsing logs to history.

Disable Browser Extensions

Users cannot install new extensions from the Web Store. Already-installed extensions are also disabled until removed.

Disable Downloads

The browser blocks ALL downloads - every file save returns 'failed - blocked'. Streaming media in the page still plays.

Disable Developer Tools (F12)

F12, Ctrl+Shift+I and the View source / Inspect right-click verbs all refuse to open the DevTools panel.

Force SafeSearch

Adult content is filtered out of Google search results and only moderate-restricted YouTube videos play.

Block Browser Camera & Microphone

Forces every website camera and microphone request to be denied in Chrome, Edge and Firefox, so web pages can't capture video or audio.

Block Proxy & DoH Reconfiguration

Locks proxy settings and DNS-over-HTTPS so users can't reroute traffic to slip past the web filter.

Start Menu Protection

Trim the Start menu - Run, Search, Power, recent items - for kiosk and shared-PC scenarios.

Disable Sleep

Removes the Sleep entry from the Start menu power button so users can only Sign out / Restart / Shut down. Auto-sleep from idle timeout still runs on its own schedule.

Disable Logout (Sign out)

Removes the Sign out entry from the Start menu user-icon flyout so users cannot manually sign out. Lock and switch-user remain available unless those are blocked separately.

Disable Restart

Removes the Restart entry from the Start menu power button. Windows Update can still trigger automatic restarts via its scheduled tasks unless WU is also disabled.

Disable Shut Down

Removes the Shut down option from the Start menu power button so users cannot power the PC off from the interface. The hardware power button still works.

Function Keys Protection

Disable F1-F12 system shortcuts and the function-key combos that bypass restrictions.

Disable F1 Key

Blocks the F1 key system-wide. F1 normally opens Help in Office, browsers, Windows Explorer and most desktop apps.

Disable F2 Key

Blocks the F2 key system-wide. F2 normally renames the selected file or folder in Windows Explorer.

Disable F3 Key

Blocks the F3 key system-wide. F3 normally opens Find / Search in browsers, Explorer and most editors.

Disable F4 Key

Blocks the F4 key system-wide. F4 normally drops down the address bar in Explorer and repeats the last action in Office.

Disable F5 Key

Blocks the F5 key system-wide. F5 normally refreshes the current page in browsers and Explorer and starts slideshow in PowerPoint.

Disable F6 Key

Blocks the F6 key system-wide. F6 normally cycles focus between panes in browsers, Explorer and Office.

Disable F7 Key

Blocks the F7 key system-wide. F7 toggles caret browsing in browsers and triggers spell-check in Office.

Disable F8 Key

Blocks the F8 key system-wide. F8 toggles selection-extend mode in Excel and (on some hardware) opens the boot menu pre-Windows.

Disable F9 Key

Blocks the F9 key system-wide. F9 normally recalculates formulas in Excel and refreshes fields in Word.

Disable F10 Key

Blocks the F10 key system-wide. F10 normally activates the menu bar in browsers, Explorer and most desktop apps.

Disable F11 Key

Blocks the F11 key system-wide. F11 normally toggles full-screen mode in browsers, Explorer and many media apps.

Disable F12 Key

Blocks the F12 key system-wide. F12 normally opens DevTools in browsers and Save As in Microsoft Office.

Hot Keys

Block Win-key and Ctrl/Alt combos at the driver level so they can't be used to escape lockdown.

Disable Num Lock Key

Swallows the Num Lock key system-wide so the user cannot toggle the numeric-keypad mode. The current Num Lock state at the moment the policy is applied stays as-is until the policy is turned off.

Disable Caps Lock Key

Swallows the Caps Lock key system-wide so users cannot accidentally (or intentionally) flip into all-caps typing - useful in form-entry kiosks and data-entry workstations where uppercase input causes downstream parsing problems.

Disable Scroll Lock Key

Swallows the Scroll Lock key system-wide. Excel and a handful of legacy apps treat Scroll Lock as a navigation-mode switch; blocking it removes that surprise behaviour for end-users.

Disable Ctrl+Alt+Del Menu Items

Hides every action button on the Ctrl+Alt+Del Secure Attention Sequence screen - Lock, Switch User, Change Password, Sign Out, and Task Manager - policies.

Disable Alt+Tab / Win+Tab / Ctrl+Alt+Tab

Installs a low-level WH_KEYBOARD_LL hook that swallows the VK_TAB keystroke whenever Alt OR the Windows key is held down - kills Alt+Tab (App Switcher), Win+Tab (Task View / virtual-desktop picker), Ctrl+Alt+Tab (sticky App Switcher), and the less-common Win+Ctrl+Tab.

Disable Ctrl+Esc (opens Start menu)

Installs a low-level WH_KEYBOARD_LL hook that swallows VK_ESCAPE whenever Ctrl is held down - kills Ctrl+Esc, the legacy Start-menu shortcut that still works on every keyboard / RDP session / scripted SendKeys() call even when the Start button itself is hidden.

Remote Application Block Protection

Block AnyDesk, RustDesk, UltraViewer and other remote-control tools that bypass corporate VPNs.

Disable Quick Assist

Blocks Microsoft Quick Assist, the in-box remote-help tool that ships on every Win10/11 install and is the canonical scammer delivery vehicle for tech-support fraud.

Disable Chrome Remote Desktop

Blocks the Chrome Remote Desktop host so the PC cannot be controlled through Google's remote-access service, including unattended access.

Disable Parsec

Blocks Parsec (Parsec Cloud Inc., now part of Unity - low-latency game-streaming / unattended-remote-access product, popular for cloud-gaming AND remote-game-development AND increasingly abused for tech-support scams + low-latency lateral movement).

Disable RemotePC

Blocks RemotePC (IDrive Inc.'s unattended-remote-access product, a TeamViewer/AnyDesk alternative).

Disable Zoho Assist

Blocks Zoho Assist (Zoho Corporation's remote-support / unattended-remote-access product, on-demand 6-digit-code AND always-on agent install models).

Disable Splashtop

Blocks Splashtop (Splashtop Inc.'s remote-desktop product family - Streamer / Business / SOS / Personal / Enterprise).

Disable LogMeIn

Blocks LogMeIn (GoTo Technologies, formerly LogMeIn Inc. / Citrix Online - Pro / Central / Rescue / Hamachi product family).

Disable GoToMyPC

Blocks GoToMyPC (GoTo Technologies - the legacy Citrix-era consumer/SMB unattended-remote-access product, separate g2* binary family from LogMeIn proper).

Disable AnyDesk

Blocks AnyDesk, the most-named brand in global tech-support-scam complaint data: a tiny portable binary that needs no install or admin and only requires the victim to read back a 9-digit ID.

Disable UltraViewer

Blocks UltraViewer (DucFabulous Co., Ltd., Hanoi Vietnam - TeamViewer/AnyDesk-clone, dominant scam-vehicle remote-control product across Vietnam / Southeast Asia / India / Bangladesh / Middle East where AnyDesk and TeamViewer have less brand recognition).

Disable TeamViewer

Blocks TeamViewer, historically the #1-named brand in global tech-support-scam complaint data from 2010 to 2025.

Disable RustDesk

Blocks RustDesk, an open-source AnyDesk-clone hosted on GitHub under AGPLv3 by PURSLANE LTD (Hong Kong).

Attachment Block Protection

Stop risky email attachments and downloaded executables from running on protected machines.

3rd Party Mail Software Attachment Protection

Blocks attachment uploads from third-party desktop mail clients - Thunderbird, Postbox, Mailbird, eM Client, Foxmail and The Bat! - by clearing queued attachments and capping the allowed attachment size to almost nothing. Fully reversible.

Disable Gmail / Mail Attachment Downloads

Blocks Gmail attachment downloads in Chrome and Edge. This covers the browser only - downloads through other tools or the Outlook desktop app are not affected.

Block Archive Attachments (.zip .tar .tgz .gz .rar)

Records operator intent that ARCHIVE-class file attachments should be blocked on this PC.

Block Executable Email Attachments

Records that executable-type email attachments should be blocked on this PC, covering the standard set of high-risk file types such as programs, scripts and installers.

Mail Data Upload Protection

Blocks outbound email data leaks by closing the standard mail-sending and mail-sync channels and disabling attachment uploads in the Outlook desktop app. Stops both webmail and desktop mail clients from sending data off the PC.

Allow Google Drive (whitelist)

Whitelists Google Drive's own apps (installer and sync client) so the live installer-guard doesn't mistake them for blocked setup files.

Block Google Drive Uploads

Blocks file uploads to Google Drive on the web across Chrome, Edge, Brave, Vivaldi and Opera, including the insert-image/file picker in Docs, Sheets and Slides.

Block OneDrive / SharePoint Uploads

Blocks web uploads to OneDrive personal, OneDrive for Business and SharePoint Online tenants, plus the new Outlook-on-the-web upload path.

Block Dropbox Uploads

Blocks file uploads to Dropbox on the web and its upload API. The desktop Dropbox client is handled separately.

Block WhatsApp Web File Sharing

Blocks sending documents, photos and videos through WhatsApp Web by cutting off its media-upload servers.

Block Telegram Web Uploads

Blocks sending files, photos and videos through Telegram Web, including drag-drop and pasted screenshots.

Block Gmail Attachment Uploads

Blocks attaching files in Gmail on the web, including drag-drop and pasted screenshots.

Restrict Browser Uploads to PDF Only

Only lets users upload PDF files from the browser - any other file type is cancelled at the file picker across every browser.

Restrict Browser Uploads to Images Only

Only lets users upload image files (JPG, PNG, GIF, WebP and more) from the browser - anything else is cancelled at the file picker.

Premium Protection

Top-tier shields - tamper protection, ransomware storm detection, offline fail-closed, per-app time budgets, screen-time report card, disk / SMART early warning, webcam-mic notifier, HKLM hive signing, GUI crash watchdog and silent self-update.

Mass File Rename Protection

Watches Documents, Desktop, Pictures, Videos, Music and Downloads for bulk-rename storms. Triggers when more than 20 files are renamed within 5 seconds in a single folder - kills the offending process, restores original filenames from a rolling shadow journal, and logs the incident. Honey-file canaries detect ransomware-style scans before user files are touched.

Mass File Extension Change Protection

Detects bulk extension swaps (e.g. .docx → .locked, .jpg → .enc) on user document folders. Same 20-in-5-seconds threshold as mass rename, with extension-class heuristics for the canonical ransomware suffix list (.locked, .enc, .crypt, .crypted, .pay, .ransom, .888, etc.). Process killed, files restored from journal, incident logged.

Ransomware Protection

A layered ransomware shield: decoy files that trip an alarm when encrypted, protection for Windows backup snapshots, detection of known ransomware programs and startup tampering, and detection of dropped ransom notes. It automatically quarantines the offending program and records the incident.

Offline Fail-Closed Enforcement

Per-policy 'after N days offline, drop into the strictest restriction set' safeguard. Prevents an attacker from killing connectivity to escape lockdown. Window is rollback-aware - restoring an old policy version restores the safeguard with it.

Per-Application Time Budgets

Set daily time limits and optional time-of-day windows for individual apps (for example, 30 minutes a day of a game, only between 4-6pm). Tracked per user and kept across reboots.

Local Screen-Time Report Card

End-user-visible daily summary fired as a tray balloon at 18:00 local. Shows top apps + total active minutes for the day so the user sees what was tracked. No cloud round-trip required.

Low-Disk + SMART Early-Warning Probe

SYSTEM-only background probe runs every 5 min. Surfaces low-disk and predictive SMART failure attributes long before Windows itself notices, so a failing drive becomes a heartbeat alert instead of a Monday-morning crash.

Webcam / Microphone In-Use Notifier

User-session GUI polls the Capability Access Manager every 5s and flashes a tray balloon when a new app starts using the webcam or mic. Catches apps that bypass the indicator LED on cheaper laptops.

Config Value Signing

The four guarded configuration values (Server URL, Account Username, Account Password Hash, Launch Password Hash) carry an HMAC-SHA256 sibling signature. Tampering with a value without resigning is detected and reverted on the next agent tick.

Agent GUI Crash Watchdog

Closes the gap where killing the agent + watchdog as a pair (e.g. taskkill /IM by image name) would leave the GUI down. A SYSTEM-side watchdog respawns the GUI on next user logon and flags the kill in the audit trail.

Agent Silent Self-Update

Hourly cloud poll for a newer build. The SYSTEM-elevated copy downloads, verifies, and runs the silent NSIS upgrade in-place. User session resumes against the new EXE on the next login - no operator touch needed.

WTS-Probe 3-Strike Sentinel

Before restarting the desktop to apply restrictions, the agent checks that it can safely do so. If the check fails three times it leaves the desktop running untouched, so tightly locked-down PCs never end up with a blank screen.

Browsers

Per-browser launch blocks via Image File Execution Options - pick which browsers users may run.

Google Chrome

Blocks Chrome so it fails to launch from the taskbar, Start menu or any link. Windows already open keep running until closed - pair with Close All Browsers for instant effect.

Microsoft Edge

Blocks Edge so it fails to launch. Edge is the default browser on Windows 10 and 11, so blocking it without setting another default leaves users with no browser unless one is allowed.

Mozilla Firefox

Blocks Firefox so it fails to launch. Firefox is the only mainstream non-Chromium browser, so blocking it closes the last gap around Chrome and Edge policies.

Brave

Blocks Brave so it fails to launch. Because most Chrome enterprise policies (Incognito, Extensions, Developer Tools) don't apply to Brave, blocking it outright is often the only reliable control.

Opera

Blocks Opera so it fails to launch. Opera ships with a built-in VPN that can bypass the 'Disable VPN' control, so blocking the browser outright is the only complete fix.

Internet Explorer

Blocks Internet Explorer. IE has been retired by Microsoft and replaced by Edge's IE Mode - only legacy intranet apps still need it, so this block is safe on most fleets.

Browser Controls

Live browser actions: homepage, allow/blocklists, kiosk, SafeSearch, DNS filtering, data wipe.

Close All Browsers Now

Force-close any running browser windows on this PC so policy changes take effect immediately.

Open URL in Default Browser

Launch the user's default browser pointed at a URL - useful for pushing onboarding links, intranet pages, or compliance notices.

Set Homepage / Start Page

Force a URL as the start page for Chrome and Edge using managed policy. Operator chooses the URL; takes effect on next browser launch.

Block URLs

Add websites to a system-wide block list, one per line, so they fail to load in every browser and app - not just Chrome and Edge.

Unblock URLs

Remove websites from the system-wide block list. Enter one per line; changes apply immediately.

Whitelist Mode (Chrome/Edge)

Allow ONLY the listed URL patterns and block everything else in Chrome and Edge. Pure kiosk-style browsing.

Clear Whitelist Mode

Remove the allow-list / block-list policy so Chrome and Edge browsing is unrestricted again.

Disable Incognito / Private Mode

Disable Incognito Mode in Chrome and InPrivate Mode in Edge so users cannot bypass history / audit by going private.

Disable Browser Extensions

Block installation of all extensions in Chrome and Edge - stops side-loaded VPNs, ad-blockers, and rogue add-ons.

Disable Downloads

Block all file downloads in Chrome and Edge. Useful for kiosk PCs and data-loss-prevention scenarios.

Disable Developer Tools (F12)

Disable the developer tools (F12 inspector) in Chrome and Edge so users cannot bypass site rules.

Parental Control (Family DNS)

Switches every active network adapter to CleanBrowsing Family DNS, blocking adult, proxy and mixed-content sites system-wide for ALL apps and browsers.

Force SafeSearch

Enforce Google + Bing SafeSearch and YouTube Restricted Mode via managed policy so search results are family-safe by default.

Launch in Kiosk Mode

Open Chrome full-screen with no browser chrome on a single URL - turns the PC into a single-purpose terminal.

Clear Browsing Data

Wipe history, cookies, cache and form data from Chrome and Edge on the target PC for a clean handover or shared-PC reset.

Clear Saved Passwords

Erase saved passwords stored in Chrome and Edge - important when an employee leaves or a shared-kiosk PC is being repurposed.

Reset All Browser Policies

Strip every Chrome/Edge managed policy that this agent has applied so the browsers behave like a fresh install again.

Browser Hardening

Harden Chrome, Edge and Firefox - turn off saved passwords, autofill, sync, history and the first-run import wizard.

Disable Password Manager

Turns off the built-in password manager in Chrome and Edge so the browser no longer saves or auto-fills credentials.

Disable Password Reveal (eye icon)

Removes the show-password eye icon from browser-managed password fields in Microsoft Edge.

Disable Autofill - Addresses

Stops Chrome and Edge from suggesting or auto-filling saved address details on web forms.

Disable Autofill - Credit Cards

Stops Chrome and Edge from auto-filling saved payment cards at checkout - recommended for PCI-DSS endpoints.

Lock Download Directory

Forces all browser downloads into one locked folder; users can't choose where files are saved.

Disable Import Bookmarks on First Run

Stops the first-run wizard from importing bookmarks and favourites from other browsers or profiles.

Disable Saving Browser History

Stops Chrome and Edge from recording browsing history, so the address bar won't autocomplete from past sites.

Clear History on Browser Exit

Automatically clears browsing history every time the browser is fully closed.

Disable Browser Sync (Google / Microsoft account)

Disables sign-in and sync of bookmarks, history, passwords and extensions to Google or Microsoft accounts.

Mirror Hardening to Firefox

Mirrors every active Browser Hardening setting into Firefox automatically, so the same rules apply there too.

Content Filter

Category-based website blocking - adult, gambling, drugs, piracy, social, streaming, gaming and more, applied system-wide.

Block Adult / Pornography

Blocks well-known adult and pornography sites system-wide using a managed hosts-file block list.

Block Gambling / Betting

Blocks well-known gambling and betting sites system-wide using a managed hosts-file block list.

Block Drugs / Substance

Blocks well-known drug and substance sites system-wide using a managed hosts-file block list.

Block Piracy / Torrents

Blocks well-known piracy and torrent sites system-wide using a managed hosts-file block list.

Block Proxies / VPN bypass

Blocks well-known proxy and VPN-bypass sites system-wide using a managed hosts-file block list.

Block Malware / Phishing

Blocks well-known malware and phishing sites system-wide using a managed hosts-file block list.

Block Social Media

Blocks well-known social media sites system-wide using a managed hosts-file block list.

Block Streaming / Video

Blocks well-known streaming and video sites system-wide using a managed hosts-file block list.

Block Gaming Sites

Blocks well-known gaming sites system-wide using a managed hosts-file block list.

Block Shopping / E-commerce

Blocks well-known shopping and e-commerce sites system-wide using a managed hosts-file block list.

Block Dating Sites

Blocks well-known dating sites system-wide using a managed hosts-file block list.

Block Crypto Exchanges

Blocks well-known crypto-exchange sites system-wide using a managed hosts-file block list.

Admin Console

The web app your operators live in - dashboards, onboarding wizard, policy versioning + rollback, compliance evidence pack, employee portal, bulk actions, saved views, scheduled reports, outbound integrations, SSO, API tokens, BitLocker posture, endpoint isolation and more.

Devices Console

Single-pane fleet view of every PC running CtrlOne - search, filter, group, and drill into per-device restriction status, last-seen, and live actions.

Policies

Reusable bundles of restriction toggles you can apply to one PC, a group, or your whole fleet. Versioned, named, and easy to roll out or roll back.

Device Groups

Organise PCs into logical groups (offices, roles, kiosks) so policies and bulk commands target exactly the right machines without one-by-one work.

Feature Groups

Curated bundles of restrictions for common scenarios (kiosk, finance team, contractor laptop) so operators don't have to remember which toggles belong together.

User Management

Invite teammates as admins or auditors, manage permissions, reset passwords, and audit sign-in history. Email-based invites and password-reset flows included.

Block Events

Real-time stream of every blocked action on every PC - what was blocked, by which restriction, and when. Filter by device, user, or restriction.

Asset Management

Full hardware and software inventory for every managed PC - CPU, RAM, storage, OS build, installed applications, licence keys and device identifiers - collected at check-in and updated on every sync. Query, filter and export the fleet's asset register from the admin console without touching a single machine.

Enterprise Security Baseline

Curated, opinionated security defaults across screen, recording, USB, clipboard, print, network and apps - flip an entire hardening baseline in one click.

Browser Control Center

Push browser homepages, allowlists, blocklists, kiosk mode, SafeSearch, DNS filtering, and live URL blocking from one screen across the fleet.

Premium / Licence Management

Track licence keys, seat counts, subscription tier per device and per tenant. Activate, deactivate, transfer, and audit licence usage in one place.

Org Settings

Configure email delivery, branding, retention, audit-log cleanup, password policy, and other tenant-wide preferences without opening a config file.

Restriction Test Bench

QA-friendly screen that lets operators trigger and verify each restriction without touching production policies - invaluable during onboarding.

Uninstall Master

Remotely uninstall, reset, or rotate keys on devices that are leaving the fleet - including a forced-clean mode that takes the agent off the PC entirely.

Alerts Engine

Background engine that watches for offline devices, suspicious block-event spikes, licence expiry, and email-delivery failures - and emails the right operator.

Admin Audit Log

Tamper-evident record of every admin action: policy edits, command queues, user invites, password resets, restores. Filter, export, and retain per policy.

Tenant Onboarding Wizard

Guided 4-step flow at /onboarding: claim key -> installer download -> first device check-in -> apply policy template. Polls every 5s while waiting for the first device so the operator sees the moment it arrives.

Policy Versioning + Rollback

Every policy edit snapshots the prior state into policy_versions. Newest-first list with diff-vs-current and a one-click Restore. Rollback itself snapshots first so it stays undoable.

Compliance Evidence Pack

Streams a ZIP with audit log, policies, policy versions and device posture in CSV + JSON, plus a framework-specific README mapping evidence to controls. Ships HIPAA, SOC 2 and ISO 27001 templates. Manifest carries SHA-256 of every file.

Per-Tenant Dashboard

Single-fetch /dashboard summary: devices online/offline/unclaimed, open alerts, operators, 7-day audit volume, agent-version mix and recently enrolled PCs. Auto-refreshes every 30s. Master-admin gets the cross-tenant rollup.

Employee Self-Service Portal

Cookie-gated /portal for end-users. The local agent mints a short-lived signed link the user clicks; they see their device, the restrictions currently on, and can submit unblock-app / temp-unrestrict / other requests for an admin to decide.

Bulk Device Actions

Selection bar above the device list for bulk reassign, bulk uninstall and bulk re-policy. Audited per-action; admin / owner only for destructive ones.

Saved Device Views

Save the current filter, search, sort and column set as a named view. Private-by-default with a per-tenant share toggle so the whole console can land on the same starting page.

Per-Tenant Device + Operator Caps

Hard ceilings on devices and operators, enforced server-side as a safety floor independent of plan + seat overrides. Stops a runaway script from enrolling 10,000 PCs into a 50-seat plan.

Per-Tenant Custom Branding

Per-tenant logos, colours and installer product names. Branding applies to the admin console, the employee portal, and the NSIS installer's UI strings.

Scheduled Reports (PDF / CSV)

Cron-style report schedules that email a PDF or CSV to a distribution list. Built-in templates for fleet posture, audit summary and policy drift.

Outbound Integrations

Per-tenant outbound dispatcher pushes alerts to Slack, Teams, PagerDuty, generic webhooks, Splunk HEC and Microsoft Sentinel. Secret rotation and per-channel filters are first-class.

Per-Tenant SSO (SAML + OIDC)

Each tenant brings its own IdP. State between login start and IdP callback is carried in HMAC-signed envelopes so there's no shared session store to scale or leak.

Service-Account API Tokens

Mint, scope and revoke long-lived tokens for service accounts. Tokens are role-aware so a CI runner can read inventory without being able to issue commands.

Endpoint Isolation

One-click 'cut this PC off the network' that drops a deny-by-default Windows Filtering Platform rule keeping only the agent's cloud channel reachable. Reversible from the same button.

Remote Control Tooling

Operator-initiated remote sessions via the device's installed remote-control tool (AnyDesk-class). Agent reports installed/running status and can wipe the tool's saved ID for a clean session.

Patch Enforcement

Force-install missing security patches, surface the per-device patch backlog and roll up across the fleet. Pairs with the offline fail-closed window so unpatched offline PCs degrade automatically.

BitLocker Posture

Per-device BitLocker enable/disable/pause/resume plus a fleet posture rollup: which volumes are protected, which are suspended for the next reboot and which are unprotected.

AV / EDR / Defender Health

Heartbeat surface for Defender real-time, signature freshness, Tamper Protection, and any 3rd-party AV / EDR registered with Security Center. A drift in any of these becomes an alert.

Network Telemetry

Per-device adapter, IP, gateway, DNS, public IP and last-seen-on-which-Wi-Fi data. Used by the geofence and the 'this PC moved off the corporate network' alert.

USB DLP

Per-device USB write events: which file, which volume, which user, when. Pairs with USB Storage Lockdown so the operator can flip from monitor to enforce on a single PC or the whole fleet.

Restore Module

One-click recovery: capture a clean install baseline and restore the PC to it on demand.

Install Baseline Capture

At install time the agent captures a baseline of the PC's Windows service settings and website block list, then stores it locally and in the cloud so the system can be restored later.

Cloud Baseline Sync

Background sync makes sure the cloud always holds the latest local baseline - so the operator can restore to install-time defaults even if the PC is wiped and reimaged.

Restore to Install Defaults

One-click restore replays captured service start types and hosts entries, plus chains the existing CtrlOne backup restore - bringing the PC back to install-time state.

Safe Skip List

Restore deliberately skips RDP, RPC, DCOM, DNS, DHCP, the CtrlOne agent itself and Defender so the operator session and remote management survive mid-restore.

Local Restore CLI

Local technicians can run the same restore offline via --restore-install-baseline (or /RESTOREDEFAULTS) when the PC is disconnected from the internet.

Restore from Admin Console

Per-device card showing capture time, service count, hosts size, last restore status - with a confirm dialog before queueing the cloud restore command.

Auto Scheduler

Time-based restriction windows that auto-apply and auto-restore - block camera, internet and recorders on a daily schedule with no manual touch.

Scheduled Camera Block

Disables every webcam and camera device on the PC during scheduled windows. Re-enables automatically the moment the window ends - no manual toggle, no agent restart.

Scheduled Internet Block

Cuts network connectivity (Wi-Fi + Ethernet + cellular) for the scheduled period. The PC stays usable for offline work; access is restored automatically when the window closes.

Scheduled Recording Block

Terminates and prevents launch of screen / audio recorders (OBS, Bandicam, Camtasia, Snagit, Xbox Game Bar, etc.) for the duration of the scheduled window.

Multiple Time Windows Per Day

Stack as many time ranges as you need on a single schedule - e.g. 09:00-12:00 and 14:00-18:00. Each window applies and lifts independently.

Cross-Midnight Schedules

Windows that wrap past 00:00 (e.g. 22:00 → 06:00) are handled correctly. The engine evaluates start / end on the right calendar day every time.

Automatic Apply & Restore

Once a schedule is saved no operator action is needed. The server fires the restriction ON at start and OFF at end automatically - even if the operator is offline.

Instant Sync to Device

Schedule edits propagate to the agent in seconds via the existing command channel. No PC restart, no re-install, no operator intervention required.

Strict Enforcement Mode

While a window is active the user cannot bypass blocked features - the agent re-asserts the block continuously and logs every bypass attempt to the audit trail.

Per-Device Schedules

Each PC has its own schedule list - pick the restrictions to enforce, the time windows, and toggle the schedule on or off without affecting other devices.

Schedule Activity Log

Every automatic apply / restore is recorded with timestamp, restriction id, schedule id and outcome - visible in the device activity feed for compliance review.