Search and filter every CtrlOne feature in one place - restrictions, browser controls, admin-console tools, restore module, and the auto-scheduler.
Premium Features
The full endpoint management suite - live PC details and processes, screen-time, security posture, remote support, maintenance, services, asset management, commands, Active Directory, browser control, schedules, snapshots, live preview, wallpaper push and full activity / event logs.
PC Details
A complete hardware and OS inventory for each device - make, model, serial, CPU, RAM, disk layout, BIOS, network adapters, Windows edition and build, agent version and last check-in - so operators can identify and audit every endpoint at a glance.
Live Process
See the real-time list of running processes on a device with owner, CPU and memory usage, and remotely end a rogue or hung process without disturbing the user at the keyboard.
Screen Time
Track daily active-usage and per-application time on each PC, with trends over time - ideal for spotting idle machines, enforcing focus policies and giving end users a daily usage report card.
Security
A consolidated endpoint security posture view - Microsoft Defender / third-party AV and EDR health, real-time protection status, BitLocker encryption state, firewall profiles and pending security actions - all in one panel.
Maintenance
Remote housekeeping tools: disk cleanup, temp-file purge, disk-health (SMART) and low-space early warnings, restore-point creation and general tune-up actions to keep fleets healthy without a site visit.
Services
View and control Windows services on the device - start, stop, and change start-up type - with the agent handling TrustedInstaller-owned services safely so operators can fix service-related issues remotely.
Remote Support
First-party remote control with no third-party relay - view and take control of the desktop, chat with the user, and transfer files, with every session logged for audit. Built into CtrlOne, not a bolt-on.
Asset Management
Operator-entered procurement and lifecycle records the agent can't auto-collect - purchase date, vendor, cost, warranty expiry, assigned user, location and asset tag - so each device carries its full lifecycle history.
Commands
Queue remote commands to a device - restart, shutdown, lock, apply policy, run maintenance and more - with delivery tracking so operators know exactly which actions reached the endpoint.
Active Directory
Surface each device's domain and Active Directory context - domain membership, organisational unit, logged-on domain user and group data - to line up CtrlOne management with your existing directory.
Enterprise Console
A first-party desktop console (WebView2) that runs on the managed PC itself, letting on-site admins view status and apply policy locally - including offline via the local agent bridge - without opening the cloud console.
Browser Control
Live, per-device browser actions - set the homepage, push allow/block URL lists, force SafeSearch, enable kiosk mode, apply DNS filtering and wipe browsing data - applied to Chrome, Edge and Firefox on demand.
Enterprise Security
Fleet-wide and per-device security enforcement - roll out and verify security restriction bundles across many endpoints from a single page, with per-device scoping so each toggle lands on the right machine.
Schedules
Time-based restriction windows that auto-apply and auto-restore - block camera, internet, recorders or any policy on a daily or recurring schedule, with a full activity trail of every automatic transition.
Snapshots
On-demand and scheduled screen captures from the endpoint, stored per device and tenant-scoped, so operators can visually verify what was on screen at a point in time for support or compliance.
Live Preview
A near-real-time stream of the device's screen so operators can watch what's happening live - useful for support triage, monitoring shared kiosks and confirming a user's issue without taking control.
Wallpaper
Push a desktop wallpaper or on-screen watermark to a device remotely - live to the signed-in user's session where possible - for branding, classroom identification or on-screen policy notices.
User Activity
A per-user activity feed showing sign-ins, application launches, policy events and notable actions on the PC, giving operators a human-readable timeline of what happened on each endpoint.
Activity Log
An append-only history of the device's activity - policy applies, restores, blocks and agent events - mirrored durably on the endpoint and surfaced in the console so nothing is lost across reboots or log rotation.
Event Log
Read the Windows Event Log entries collected from the device - system, application and security channels - so operators can diagnose crashes, errors and security events without remoting into the machine.
Basic Protection
Day-one defaults that block the obvious holes - Registry Editor, Control Panel, Windows Update, shortcuts.
Disable Registry Editor
Prevents users from opening the Registry Editor or importing registry files, so low-level system settings cannot be changed.
Right Click Display Settings
Hides the legacy Display Control Panel applet AND the modern Settings → System → Display / Personalization pages.
Disable Windows Update
Removes user access to Windows Update so they cannot pause, defer or trigger feature/quality updates. The update service itself keeps running.
Disable Control Panel
Removes access to Control Panel and all of its applets. The modern Settings app is left unaffected.
Disable shortcuts
Disables the Win key plus every Win+R/E/L/X/I/A/S/D/M/G/U shortcut combo, and remaps the physical Windows keys so they do nothing.
Disable New Shortcut wizard
Removes the 'Shortcut' option from the right-click New menu so users cannot create new shortcuts on the desktop or in folders.
Disable Programs and Features
Blocks the Add/Remove Programs and Programs and Features applets so users cannot uninstall, change or repair installed software.
Disable command prompt
Disables the Command Prompt and batch-script execution. Users see a clear 'command prompt has been disabled by your administrator' message.
Disable PowerShell
Prevents PowerShell - including the ISE editor and PowerShell 7 - from launching, and blocks PowerShell scripts from running.
Disable Run
Hides the Run command from the Start menu and disables the Win+R hotkey so users cannot launch arbitrary commands by name.
Disable Date & Time Change
Locks the system clock so users cannot change the date, time or time zone from the taskbar, Control Panel or Settings. The clock stays visible.
Disable Microsoft Store
Removes the Microsoft Store, blocks all store-delivered apps from running and stops background app updates from downloading.
Disable Services
Prevents users from starting, stopping or reconfiguring Windows services through any of the built-in tools, and hides the Administrative Tools shortcuts.
Disable Bluetooth
Stops the four core Bluetooth services AND disables every paired BT radio device via PnP - no pairing, file transfer or peripheral connections.
Disable Calculator
Stops the Windows Calculator from launching and closes it if it is already open.
Advanced Protection
Deep-system controls for hardened fleets: Group Policy, Task Manager, Defender, services, drivers and more.
Disable Task Manager
Prevents users from opening Task Manager, so they cannot view processes, end tasks or change startup apps. The taskbar shortcut to it is greyed out as well.
Disable Lock Computer
Disables Win+L and the Start menu Lock entry so the user cannot manually lock the workstation. Auto-lock from screensaver or idle timeout still works.
Hide This PC
Hides the 'This PC' icon from the desktop, the Explorer sidebar and the Start menu so users can't browse drives from the My Computer entry point.
Disable Remote Desktop
Refuses incoming Remote Desktop connections to this PC and disables the matching Windows Firewall rule, so the machine cannot be reached over Remote Desktop.
Disable System Properties
Blocks access to System Properties so users cannot view the computer name, change the workgroup or open System Protection.
Disable Computer Management
Locks down the Microsoft Management Console so administrative consoles such as Services, Device Manager and Group Policy refuse to open.
Disable Run as Administrator
Removes the 'Run as administrator' verb from right-click menus so users cannot launch any program elevated, even with the local Admin password.
Disable Group Policy
Prevents users from viewing or refreshing local Group Policy. Domain policy from your servers still applies normally.
Disable Windows Install - New Software Setup Block
Blocks Windows Installer packages from installing, repairing or removing software on this PC. Already-installed software keeps working; only new changes are blocked.
Disable Clipboard
Disables the Windows clipboard so Ctrl+C / Ctrl+V / Ctrl+X copy nothing between apps. A background guardian also clears the clipboard on every paste attempt.
Disable Delete Button
Suppresses the Delete key in Explorer and removes the right-click → Delete entry so users cannot remove files from the desktop, Documents or any folder.
Disable Personalize
Blocks the right-click → Personalize entry on the desktop and the Settings → Personalization page so users cannot change theme, colors or background.
Disable Display Settings
Hides the right-click → Display Settings entry and blocks the Settings → System → Display page so users cannot change resolution, scaling or multi-monitor layout.
Disable Cut
Disables the Ctrl+X hotkey and removes the right-click → Cut entry in Explorer so users cannot move files by cutting them out of a folder.
Disable Copy
Disables the Ctrl+C hotkey and removes the right-click → Copy entry in Explorer so users cannot duplicate files to another location.
Disable Right Click
Disables the right-click context menu on the desktop, in Explorer, and on the taskbar so users cannot reach New / Properties / Send To / Open With.
Disable Right Click Properties
Greys out the 'Properties' entry on right-click menus for files, folders and shortcuts so users cannot view or change permissions, attributes or compatibility settings.
Block Devices and Printers
Hides Devices and Printers from Control Panel and the Settings → Bluetooth & devices page so users cannot add, remove or reconfigure printers, scanners or paired devices.
Disable Microphone
Forces the Windows microphone privacy switch to OFF for ALL apps (Win32 + UWP) so no application - including Teams, Zoom or the browser - can record audio.
Disable Camera
Forces the Windows camera privacy switch to OFF for ALL apps (Win32 + UWP) so no application - including Teams, Zoom or the browser - can capture video.
Disable Windows Notifications
Turns off the Action Center and toast notifications for every app so users don't see banners, sounds or badge counts. App-internal in-window alerts still appear.
Disable Snipping Tool
Prevents the Snipping Tool and the Win+Shift+S screenshot overlay from launching.
Disable Photos App
Prevents the Windows Photos app from launching. Image files opened from File Explorer fall back to whatever other viewer is associated.
Disable Sticky Notes
Prevents the Sticky Notes app from launching. Notes already synced to the cloud remain available on the user's other devices.
Disable Voice Recorder
Prevents the Windows Voice Recorder app from launching. Other apps can still record audio unless the microphone is also blocked.
Disable Airplane Mode
Hides the Airplane Mode toggle from Settings (Network & Internet → Airplane mode) and from the Action Center quick-action flyout. Also forces the radios back on so a device already in airplane mode is brought back online.
Disable Mobile Hotspot
Stops the Windows Mobile Hotspot Service, hides the Mobile hotspot Settings page and the Action Center quick-action, and blocks the Internet Connection Sharing / Mobile Hotspot UI.
Disable Nearby Sharing
Disables the Connected Devices Platform so Nearby Sharing and 'Continue on PC' cannot push files or URLs to other devices over Bluetooth / Wi-Fi-Direct.
Disable Project (Project to this PC)
Blocks 'Project to this PC' (the Miracast wireless-display receiver) and hides Settings → System → Projecting to this PC.
Disable VPN
Turns off the built-in Windows VPN so the PC refuses to start new VPN connections and drops any active one, covering all of the standard VPN types.
Disable Notepad
Blocks Notepad so it fails to launch from the Start menu, the Run box or by opening a text file, while leaving all other apps working. Turning the feature off restores Notepad.
Disable Audio
Disables the entire Windows audio stack at the service level.
Disable Switch User
Hides the 'Switch user' option on the lock screen and Start menu so a logged-in user cannot park their session and let another local account sign in alongside it.
Black Out Lock Screen
Replaces the lock-screen image with solid black so on-screen content can't be photographed while the PC is locked.
Block Unsigned EXE & MSI
Uses built-in Windows signing policies to stop unsigned programs and installers from running, without the brick-risk of full app allow-listing.
Force Auto-Lock After 5 min Idle
Automatically locks the PC after five minutes of inactivity and requires the password to resume.
Disable Format Option
Blocks drive formatting from the right-click menu and the command line so disks can't be wiped by accident or on purpose.
Desktop Protection
Lock down what users can do on the desktop - wallpaper, icons, themes, right-click and personalisation.
Read-Only Desktop Icons
Locks every icon on the desktop in place - users can still click to launch but cannot drag, rename, delete or rearrange them. New shortcuts pinned by IT still appear normally.
Disable Changing Wallpaper
Locks the current wallpaper as the only allowed image. The right-click → 'Set as desktop background' verb is greyed out and the Settings → Personalization → Background page is read-only.
Hide Recycle bin
Removes the Recycle Bin icon from the desktop. Deleted files still go to the Recycle Bin and can be recovered, but the desktop shortcut to it is gone.
Hide Network
Removes the Network icon from the desktop and the Explorer sidebar so users can't browse SMB shares or workgroup PCs through the GUI. UNC paths typed manually still resolve.
Restrict Desktop Save/Copy
Locks the desktop folder so apps and users cannot save or delete files there. Existing desktop files remain untouched. Ideal for kiosk PCs.
Disable Sidebar Desktop
Hides the Desktop folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. The desktop itself is unaffected - only the shell-folder shortcut is removed.
Disable Sidebar Documents
Hides the Documents folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Files inside Documents are untouched and still reachable by typing the path.
Disable Sidebar Downloads
Hides the Downloads folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Browsers still save downloads to the same folder - only the shell shortcut disappears.
Disable Sidebar Music
Hides the Music folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Music files inside the folder remain on disk and still play when opened directly.
Disable Sidebar Pictures
Hides the Pictures folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Image files inside the folder remain on disk and still open normally.
Disable Sidebar Videos
Hides the Videos folder from the Explorer sidebar and 'This PC' page, and unpins it from Quick Access / Home. Video files inside the folder remain on disk and still play when opened directly.
Show User Watermark on Desktop
Tiles a faint watermark with the PC name, user and date across the desktop, so photos of the screen carry a traceable marker.
Disable Sidebar Public Documents
Hides the Public Documents folder from the Explorer sidebar and Quick Access. Files stay on disk and remain reachable by path.
Disable Sidebar Public Downloads
Hides the Public Downloads folder from the Explorer sidebar and Quick Access. Files stay on disk and remain reachable by path.
Disable Sidebar Public Pictures
Hides the Public Pictures folder from the Explorer sidebar and Quick Access. Images stay on disk and still open normally.
Disable Sidebar Public Videos
Hides the Public Videos folder from the Explorer sidebar and Quick Access. Videos stay on disk and still play when opened directly.
Disable Sidebar Public Music
Hides the Public Music folder from the Explorer sidebar and Quick Access. Music stays on disk and still plays when opened directly.
Software Block Protection
Block specific apps, installers, file types and tools from launching on the PC by name and signature.
Disable New Software Installation
Blocks new software installations across multiple layers - stopping every type of Windows Installer package and closing the per-user side-load path.
Disable 3D Viewer
Blocks the Microsoft 3D Viewer UWP app (formerly Mixed Reality Viewer).
Disable Media Player
Blocks every media-playback app that ships with Windows - the legacy Windows Media Player, the modern Media Player / Groove Music app, and the Movies & TV app.
Disable Microsoft Clipchamp
Blocks the Microsoft Clipchamp video-editor UWP app (bundled by default in Win11 22H2+).
Disable Microsoft To Do
Blocks the Microsoft To Do task / checklist app (a rebrand of Wunderlist) so it exits immediately on launch.
Disable Paint 3D
Blocks the Microsoft Paint 3D app so it exits immediately on launch.
Disable UC Browser
Blocks UC Browser, an Alibaba-owned Chromium-based browser with a multi-year track record of shipping with hostile telemetry and unwanted bundled components.
Disable Opera
Blocks Opera Browser, a Chromium fork that ships with a built-in free unlimited VPN/proxy that bypasses corporate egress controls.
Disable Vivaldi
Blocks Vivaldi Browser (Vivaldi Technologies AS - Norway-based Chromium fork founded by ex-Opera CEO Jon von Tetzchner after the Opera CN ownership change).
Disable Brave
Blocks Brave Browser, the largest Chromium fork by install base after Chrome, Edge and Opera, marketed as a privacy-focused browser.
Disable Mozilla Firefox
Blocks Mozilla Firefox, the largest non-Chromium third-party browser on Windows and Microsoft's documented managed-alternative when Edge is locked down.
Disable Microsoft Edge
Blocks Microsoft Edge (Microsoft-shipped Chromium-based web browser that REPLACED Internet Explorer as Windows default browser starting Win10 1507/Win11 21H2, ONLY browser pre-installed on every shipping Windows 10/11/Server 2019/2022/2025 box).
Disable Apple Safari
Blocks Apple Safari for Windows (Apple-shipped WebKit-based web browser).
Disable Google Chrome
Blocks Google Chrome (Google-shipped Chromium-based web browser - most-deployed third-party browser on Windows).
Disable WhatsApp
Blocks WhatsApp (Meta/Facebook end-to-end-encrypted consumer messaging product).
Disable Microsoft Teams
Blocks Microsoft Teams (unified Teams chat/video/collaboration product, fka Lync, fka Skype for Business).
Disable Google Meet
Blocks Google Meet (browser-based G Suite / Google Workspace video conferencing product, fka Google Hangouts Meet, fka Google Duo for groups).
Disable Zoom
Blocks every shipped Zoom Video Communications desktop app so any launch attempt fails.
Disable LinkedIn
Blocks the LinkedIn app and the LinkedIn website - feed, jobs, messaging and profiles - in Chrome and Edge.
Disable Pinterest
Blocks Pinterest (the Pinterest Inc. visual-discovery / image-bookmark social network, >500 M monthly active users).
Disable Snapchat
Blocks Snapchat (the Snap Inc. ephemeral-messaging / Stories / Spotlight short-form video network, >400 M daily active users).
Disable TikTok
Blocks TikTok (the ByteDance short-form video network, >150 M U.S. monthly users + >1 B global).
Disable Reddit
Blocks Reddit (the link-aggregator / discussion-forum site, >100 M daily active users post-IPO 2024).
Disable Threads
Blocks Meta's Threads, the microblogging service spun out of Instagram. Threads has no Windows desktop app - it is web-only - so this blocks the Threads website in Chrome and Edge.
Disable Midori Browser
Blocks Midori Browser, a lightweight WebKitGTK-based browser originally created in 2007 for the Xfce desktop environment.
Disable Dolphin Browser
Blocks Dolphin Browser, a gesture-driven mobile browser from Dolphin Browser Inc. (formerly MoboTap) primarily distributed for Android and iOS.
Disable Comodo Dragon
Blocks Comodo Dragon, a Chromium-based browser from Comodo Group (now reorganised under Xcitium Inc.) marketed for security-conscious users.
Disable Epic Privacy Browser
Blocks Epic Privacy Browser, a Chromium fork from Hidden Reflex Sales Pvt. Ltd. marketed as a privacy-first 'always-on private browsing' browser.
Disable Chromium
Blocks the upstream Chromium open-source browser, the codebase from which Chrome, Edge, Brave, Opera, Vivaldi, Yandex Browser, Comodo Dragon, SRWare Iron and Epic Privacy Browser are all built.
Disable Telegram
Prevents the Telegram desktop and Microsoft Store apps from opening, and blocks the Telegram website in Chrome and Edge so the web version cannot be used either.
Disable Facebook
Prevents the Facebook and Messenger apps from opening and blocks the Facebook and Messenger websites in Chrome and Edge, so the whole Meta surface is unavailable.
Disable Facebook Messenger
Prevents the Messenger app from opening and blocks the Messenger website in Chrome and Edge.
Disable Python
Prevents any Python interpreter - including the launcher, IPython and Conda - from running.
Disable Tor Browser
Prevents the Tor Browser and its bundled connection helpers from launching, so users cannot use Tor to bypass web controls.
Disable Pale Moon
Prevents the Pale Moon browser, including its portable version, from launching.
Disable Puffin Browser
Prevents the Puffin browser from launching and blocks its installer and updater so it cannot reinstall itself.
Control Panel Protection
Hide individual Control Panel applets so users can see what they need and nothing else.
Disable Administrator Tool
Hides the 'Administrative Tools' applet from Control Panel.
Disable Autoplay
Hides the 'AutoPlay' applet from Control Panel.
Disable Backup & Restore
Hides the legacy 'Backup and Restore (Windows 7)' applet from Control Panel.
Disable Bitlocker Drive Encryption
Hides the 'BitLocker Drive Encryption' applet from Control Panel.
Disable Colour Management
Hides the 'Color Management' applet from Control Panel.
Disable Credential Manager
Hides the 'Credential Manager' applet from Control Panel.
Disable Date & Time
Hides the 'Date and Time' applet from Control Panel.
Disable Default Programs
Hides the 'Default Programs' applet from Control Panel.
Disable Device Manager
Hides the 'Device Manager' applet from Control Panel.
Disable Device & Printers
Hides the 'Devices and Printers' applet from Control Panel.
Disable Ease of Access Center
Hides the 'Ease of Access Center' applet from Control Panel.
Disable File Explorer Options
Hides the 'File Explorer Options' applet (formerly 'Folder Options' on Win7/8) from Control Panel.
Disable File History
Hides the 'File History' applet from Control Panel.
Disable Fonts
Hides the 'Fonts' applet from Control Panel.
Disable Indexing Options
Hides the 'Indexing Options' applet from Control Panel.
Disable Internet Options
Hides the 'Internet Options' applet from Control Panel.
Disable Keyboard
Hides the 'Keyboard' applet from Control Panel.
Disable Mail (Microsoft Outlook)
Hides the 'Mail (Microsoft Outlook)' applet, installed by Office, from Control Panel.
Disable Mouse
Hides the 'Mouse' applet from Control Panel.
Disable Network and Sharing Center
Hides the 'Network and Sharing Center' applet from Control Panel.
Disable Phone and Modem
Hides the 'Phone and Modem' applet from Control Panel.
Disable Power Options
Hides the 'Power Options' applet from Control Panel.
Disable Programs and Features Control Panel
Hides the 'Programs and Features' applet from Control Panel.
Disable Recovery
Hides the 'Recovery' applet from Control Panel.
Disable Region
Hides the 'Region' applet from Control Panel.
Disable RemoteApp and Desktop Connections
Hides the 'RemoteApp and Desktop Connections' applet from Control Panel.
Disable Security and Maintenance
Hides the 'Security and Maintenance' applet, formerly known as Action Center, from Control Panel.
Disable Sound
Hides the 'Sound' applet from Control Panel.
Disable Speech Recognition
Hides the legacy 'Speech Recognition' applet from Control Panel.
Disable Storage Spaces
Hides the 'Storage Spaces' applet from Control Panel.
Disable Sync Center
Hides the 'Sync Center' applet, which manages Offline Files, from Control Panel.
Disable System
Hides the legacy 'System' applet - the 'About this PC' and advanced system settings surface - from Control Panel.
Disable Work Folders
Hides the 'Work Folders' applet and its per-user sync engine from Control Panel.
Disable Windows Mobility Center
Hides the 'Windows Mobility Center' applet from Control Panel.
Disable Windows Defender Firewall
Hides the 'Windows Defender Firewall' applet, including its advanced-security console link, from Control Panel.
Disable User Accounts
Hides the 'User Accounts' applet, including the advanced user-accounts and Credential Manager surfaces, from Control Panel.
Disable Troubleshooting
Hides the 'Troubleshooting' applet and its diagnostic tools from Control Panel.
Disable Taskbar and Navigation
Hides the 'Taskbar and Navigation' applet (per-user shell-integration surface that Microsoft also forwards to the Win11 Settings > Personalization > Taskbar UWP page) from Control Panel.
Browser Protection
Browser-engine-level controls (Chrome, Edge, Firefox) - Incognito, Extensions, DevTools, downloads.
Tamper Protection
Blocks every standard way to remove the agent - silent uninstalls, the Programs and Features entry, stopping or deleting its service, force-closing it, and deleting its files. It self-heals if any protection is tampered with.
Disable Internet Upload
Kills Microsoft Explorer's upload-to-web wizard so users cannot push files to OneDrive, SharePoint or arbitrary FTP destinations from right-click menus.
Limit Browser Upload Speed
Throttles browser UPLOAD bandwidth (outbound only) to a precise operator-typed KB/s value via Windows native QoS Policy on common browser executables.
Limit Browser Download Speed
Throttles download speed in the major browsers (Chrome, Firefox, Edge, Brave, Opera and Vivaldi) down to a limit you set in KB/s.
Block Ads in All Browsers
Blocks advertisements, trackers and banner networks across every browser (Chrome, Firefox, Edge, Brave, Opera, Vivaldi and IE) by filtering out around 80 of the largest ad-network domains system-wide.
Disable Internet Download
Forces Chrome and Edge to block ALL downloads - every file type, every source, every site - using their enterprise download-restriction policy.
Disable Incognito / Private Mode
The New Incognito / InPrivate Window menu entries disappear. All browsing logs to history.
Disable Browser Extensions
Users cannot install new extensions from the Web Store. Already-installed extensions are also disabled until removed.
Disable Downloads
The browser blocks ALL downloads - every file save returns 'failed - blocked'. Streaming media in the page still plays.
Disable Developer Tools (F12)
F12, Ctrl+Shift+I and the View source / Inspect right-click verbs all refuse to open the DevTools panel.
Force SafeSearch
Adult content is filtered out of Google search results and only moderate-restricted YouTube videos play.
Block Browser Camera & Microphone
Forces every website camera and microphone request to be denied in Chrome, Edge and Firefox, so web pages can't capture video or audio.
Block Proxy & DoH Reconfiguration
Locks proxy settings and DNS-over-HTTPS so users can't reroute traffic to slip past the web filter.
Remote Application Block Protection
Block AnyDesk, RustDesk, UltraViewer and other remote-control tools that bypass corporate VPNs.
Disable Quick Assist
Blocks Microsoft Quick Assist, the in-box remote-help tool that ships on every Win10/11 install and is the canonical scammer delivery vehicle for tech-support fraud.
Disable Chrome Remote Desktop
Blocks the Chrome Remote Desktop host so the PC cannot be controlled through Google's remote-access service, including unattended access.
Disable Parsec
Blocks Parsec (Parsec Cloud Inc., now part of Unity - low-latency game-streaming / unattended-remote-access product, popular for cloud-gaming AND remote-game-development AND increasingly abused for tech-support scams + low-latency lateral movement).
Disable RemotePC
Blocks RemotePC (IDrive Inc.'s unattended-remote-access product, a TeamViewer/AnyDesk alternative).
Disable Zoho Assist
Blocks Zoho Assist (Zoho Corporation's remote-support / unattended-remote-access product, on-demand 6-digit-code AND always-on agent install models).
Disable Splashtop
Blocks Splashtop (Splashtop Inc.'s remote-desktop product family - Streamer / Business / SOS / Personal / Enterprise).
Disable LogMeIn
Blocks LogMeIn (GoTo Technologies, formerly LogMeIn Inc. / Citrix Online - Pro / Central / Rescue / Hamachi product family).
Disable GoToMyPC
Blocks GoToMyPC (GoTo Technologies - the legacy Citrix-era consumer/SMB unattended-remote-access product, separate g2* binary family from LogMeIn proper).
Disable AnyDesk
Blocks AnyDesk, the most-named brand in global tech-support-scam complaint data: a tiny portable binary that needs no install or admin and only requires the victim to read back a 9-digit ID.
Disable UltraViewer
Blocks UltraViewer (DucFabulous Co., Ltd., Hanoi Vietnam - TeamViewer/AnyDesk-clone, dominant scam-vehicle remote-control product across Vietnam / Southeast Asia / India / Bangladesh / Middle East where AnyDesk and TeamViewer have less brand recognition).
Disable TeamViewer
Blocks TeamViewer, historically the #1-named brand in global tech-support-scam complaint data from 2010 to 2025.
Disable RustDesk
Blocks RustDesk, an open-source AnyDesk-clone hosted on GitHub under AGPLv3 by PURSLANE LTD (Hong Kong).
Attachment Block Protection
Stop risky email attachments and downloaded executables from running on protected machines.
3rd Party Mail Software Attachment Protection
Blocks attachment uploads from third-party desktop mail clients - Thunderbird, Postbox, Mailbird, eM Client, Foxmail and The Bat! - by clearing queued attachments and capping the allowed attachment size to almost nothing. Fully reversible.
Disable Gmail / Mail Attachment Downloads
Blocks Gmail attachment downloads in Chrome and Edge. This covers the browser only - downloads through other tools or the Outlook desktop app are not affected.
Block Archive Attachments (.zip .tar .tgz .gz .rar)
Records operator intent that ARCHIVE-class file attachments should be blocked on this PC.
Block Executable Email Attachments
Records that executable-type email attachments should be blocked on this PC, covering the standard set of high-risk file types such as programs, scripts and installers.
Mail Data Upload Protection
Blocks outbound email data leaks by closing the standard mail-sending and mail-sync channels and disabling attachment uploads in the Outlook desktop app. Stops both webmail and desktop mail clients from sending data off the PC.
Allow Google Drive (whitelist)
Whitelists Google Drive's own apps (installer and sync client) so the live installer-guard doesn't mistake them for blocked setup files.
Block Google Drive Uploads
Blocks file uploads to Google Drive on the web across Chrome, Edge, Brave, Vivaldi and Opera, including the insert-image/file picker in Docs, Sheets and Slides.
Block OneDrive / SharePoint Uploads
Blocks web uploads to OneDrive personal, OneDrive for Business and SharePoint Online tenants, plus the new Outlook-on-the-web upload path.
Block Dropbox Uploads
Blocks file uploads to Dropbox on the web and its upload API. The desktop Dropbox client is handled separately.
Block WhatsApp Web File Sharing
Blocks sending documents, photos and videos through WhatsApp Web by cutting off its media-upload servers.
Block Telegram Web Uploads
Blocks sending files, photos and videos through Telegram Web, including drag-drop and pasted screenshots.
Block Gmail Attachment Uploads
Blocks attaching files in Gmail on the web, including drag-drop and pasted screenshots.
Restrict Browser Uploads to PDF Only
Only lets users upload PDF files from the browser - any other file type is cancelled at the file picker across every browser.
Restrict Browser Uploads to Images Only
Only lets users upload image files (JPG, PNG, GIF, WebP and more) from the browser - anything else is cancelled at the file picker.
Premium Protection
Top-tier shields - tamper protection, ransomware storm detection, offline fail-closed, per-app time budgets, screen-time report card, disk / SMART early warning, webcam-mic notifier, HKLM hive signing, GUI crash watchdog and silent self-update.
Mass File Rename Protection
Watches Documents, Desktop, Pictures, Videos, Music and Downloads for bulk-rename storms. Triggers when more than 20 files are renamed within 5 seconds in a single folder - kills the offending process, restores original filenames from a rolling shadow journal, and logs the incident. Honey-file canaries detect ransomware-style scans before user files are touched.
Mass File Extension Change Protection
Detects bulk extension swaps (e.g. .docx → .locked, .jpg → .enc) on user document folders. Same 20-in-5-seconds threshold as mass rename, with extension-class heuristics for the canonical ransomware suffix list (.locked, .enc, .crypt, .crypted, .pay, .ransom, .888, etc.). Process killed, files restored from journal, incident logged.
Ransomware Protection
A layered ransomware shield: decoy files that trip an alarm when encrypted, protection for Windows backup snapshots, detection of known ransomware programs and startup tampering, and detection of dropped ransom notes. It automatically quarantines the offending program and records the incident.
Offline Fail-Closed Enforcement
Per-policy 'after N days offline, drop into the strictest restriction set' safeguard. Prevents an attacker from killing connectivity to escape lockdown. Window is rollback-aware - restoring an old policy version restores the safeguard with it.
Per-Application Time Budgets
Set daily time limits and optional time-of-day windows for individual apps (for example, 30 minutes a day of a game, only between 4-6pm). Tracked per user and kept across reboots.
Local Screen-Time Report Card
End-user-visible daily summary fired as a tray balloon at 18:00 local. Shows top apps + total active minutes for the day so the user sees what was tracked. No cloud round-trip required.
Low-Disk + SMART Early-Warning Probe
SYSTEM-only background probe runs every 5 min. Surfaces low-disk and predictive SMART failure attributes long before Windows itself notices, so a failing drive becomes a heartbeat alert instead of a Monday-morning crash.
Webcam / Microphone In-Use Notifier
User-session GUI polls the Capability Access Manager every 5s and flashes a tray balloon when a new app starts using the webcam or mic. Catches apps that bypass the indicator LED on cheaper laptops.
Config Value Signing
The four guarded configuration values (Server URL, Account Username, Account Password Hash, Launch Password Hash) carry an HMAC-SHA256 sibling signature. Tampering with a value without resigning is detected and reverted on the next agent tick.
Agent GUI Crash Watchdog
Closes the gap where killing the agent + watchdog as a pair (e.g. taskkill /IM by image name) would leave the GUI down. A SYSTEM-side watchdog respawns the GUI on next user logon and flags the kill in the audit trail.
Agent Silent Self-Update
Hourly cloud poll for a newer build. The SYSTEM-elevated copy downloads, verifies, and runs the silent NSIS upgrade in-place. User session resumes against the new EXE on the next login - no operator touch needed.
WTS-Probe 3-Strike Sentinel
Before restarting the desktop to apply restrictions, the agent checks that it can safely do so. If the check fails three times it leaves the desktop running untouched, so tightly locked-down PCs never end up with a blank screen.
Browser Controls
Live browser actions: homepage, allow/blocklists, kiosk, SafeSearch, DNS filtering, data wipe.
Close All Browsers Now
Force-close any running browser windows on this PC so policy changes take effect immediately.
Open URL in Default Browser
Launch the user's default browser pointed at a URL - useful for pushing onboarding links, intranet pages, or compliance notices.
Set Homepage / Start Page
Force a URL as the start page for Chrome and Edge using managed policy. Operator chooses the URL; takes effect on next browser launch.
Block URLs
Add websites to a system-wide block list, one per line, so they fail to load in every browser and app - not just Chrome and Edge.
Unblock URLs
Remove websites from the system-wide block list. Enter one per line; changes apply immediately.
Whitelist Mode (Chrome/Edge)
Allow ONLY the listed URL patterns and block everything else in Chrome and Edge. Pure kiosk-style browsing.
Clear Whitelist Mode
Remove the allow-list / block-list policy so Chrome and Edge browsing is unrestricted again.
Disable Incognito / Private Mode
Disable Incognito Mode in Chrome and InPrivate Mode in Edge so users cannot bypass history / audit by going private.
Disable Browser Extensions
Block installation of all extensions in Chrome and Edge - stops side-loaded VPNs, ad-blockers, and rogue add-ons.
Disable Downloads
Block all file downloads in Chrome and Edge. Useful for kiosk PCs and data-loss-prevention scenarios.
Disable Developer Tools (F12)
Disable the developer tools (F12 inspector) in Chrome and Edge so users cannot bypass site rules.
Parental Control (Family DNS)
Switches every active network adapter to CleanBrowsing Family DNS, blocking adult, proxy and mixed-content sites system-wide for ALL apps and browsers.
Force SafeSearch
Enforce Google + Bing SafeSearch and YouTube Restricted Mode via managed policy so search results are family-safe by default.
Launch in Kiosk Mode
Open Chrome full-screen with no browser chrome on a single URL - turns the PC into a single-purpose terminal.
Clear Browsing Data
Wipe history, cookies, cache and form data from Chrome and Edge on the target PC for a clean handover or shared-PC reset.
Clear Saved Passwords
Erase saved passwords stored in Chrome and Edge - important when an employee leaves or a shared-kiosk PC is being repurposed.
Reset All Browser Policies
Strip every Chrome/Edge managed policy that this agent has applied so the browsers behave like a fresh install again.
Content Filter
Category-based website blocking - adult, gambling, drugs, piracy, social, streaming, gaming and more, applied system-wide.
Block Adult / Pornography
Blocks well-known adult and pornography sites system-wide using a managed hosts-file block list.
Block Gambling / Betting
Blocks well-known gambling and betting sites system-wide using a managed hosts-file block list.
Block Drugs / Substance
Blocks well-known drug and substance sites system-wide using a managed hosts-file block list.
Block Piracy / Torrents
Blocks well-known piracy and torrent sites system-wide using a managed hosts-file block list.
Block Proxies / VPN bypass
Blocks well-known proxy and VPN-bypass sites system-wide using a managed hosts-file block list.
Block Malware / Phishing
Blocks well-known malware and phishing sites system-wide using a managed hosts-file block list.
Block Social Media
Blocks well-known social media sites system-wide using a managed hosts-file block list.
Block Streaming / Video
Blocks well-known streaming and video sites system-wide using a managed hosts-file block list.
Block Gaming Sites
Blocks well-known gaming sites system-wide using a managed hosts-file block list.
Block Shopping / E-commerce
Blocks well-known shopping and e-commerce sites system-wide using a managed hosts-file block list.
Block Dating Sites
Blocks well-known dating sites system-wide using a managed hosts-file block list.
Block Crypto Exchanges
Blocks well-known crypto-exchange sites system-wide using a managed hosts-file block list.
Admin Console
The web app your operators live in - dashboards, onboarding wizard, policy versioning + rollback, compliance evidence pack, employee portal, bulk actions, saved views, scheduled reports, outbound integrations, SSO, API tokens, BitLocker posture, endpoint isolation and more.
Devices Console
Single-pane fleet view of every PC running CtrlOne - search, filter, group, and drill into per-device restriction status, last-seen, and live actions.
Policies
Reusable bundles of restriction toggles you can apply to one PC, a group, or your whole fleet. Versioned, named, and easy to roll out or roll back.
Device Groups
Organise PCs into logical groups (offices, roles, kiosks) so policies and bulk commands target exactly the right machines without one-by-one work.
Feature Groups
Curated bundles of restrictions for common scenarios (kiosk, finance team, contractor laptop) so operators don't have to remember which toggles belong together.
User Management
Invite teammates as admins or auditors, manage permissions, reset passwords, and audit sign-in history. Email-based invites and password-reset flows included.
Block Events
Real-time stream of every blocked action on every PC - what was blocked, by which restriction, and when. Filter by device, user, or restriction.
Asset Management
Full hardware and software inventory for every managed PC - CPU, RAM, storage, OS build, installed applications, licence keys and device identifiers - collected at check-in and updated on every sync. Query, filter and export the fleet's asset register from the admin console without touching a single machine.
Enterprise Security Baseline
Curated, opinionated security defaults across screen, recording, USB, clipboard, print, network and apps - flip an entire hardening baseline in one click.
Browser Control Center
Push browser homepages, allowlists, blocklists, kiosk mode, SafeSearch, DNS filtering, and live URL blocking from one screen across the fleet.
Premium / Licence Management
Track licence keys, seat counts, subscription tier per device and per tenant. Activate, deactivate, transfer, and audit licence usage in one place.
Org Settings
Configure email delivery, branding, retention, audit-log cleanup, password policy, and other tenant-wide preferences without opening a config file.
Restriction Test Bench
QA-friendly screen that lets operators trigger and verify each restriction without touching production policies - invaluable during onboarding.
Uninstall Master
Remotely uninstall, reset, or rotate keys on devices that are leaving the fleet - including a forced-clean mode that takes the agent off the PC entirely.
Alerts Engine
Background engine that watches for offline devices, suspicious block-event spikes, licence expiry, and email-delivery failures - and emails the right operator.
Admin Audit Log
Tamper-evident record of every admin action: policy edits, command queues, user invites, password resets, restores. Filter, export, and retain per policy.
Tenant Onboarding Wizard
Guided 4-step flow at /onboarding: claim key -> installer download -> first device check-in -> apply policy template. Polls every 5s while waiting for the first device so the operator sees the moment it arrives.
Policy Versioning + Rollback
Every policy edit snapshots the prior state into policy_versions. Newest-first list with diff-vs-current and a one-click Restore. Rollback itself snapshots first so it stays undoable.
Compliance Evidence Pack
Streams a ZIP with audit log, policies, policy versions and device posture in CSV + JSON, plus a framework-specific README mapping evidence to controls. Ships HIPAA, SOC 2 and ISO 27001 templates. Manifest carries SHA-256 of every file.
Per-Tenant Dashboard
Single-fetch /dashboard summary: devices online/offline/unclaimed, open alerts, operators, 7-day audit volume, agent-version mix and recently enrolled PCs. Auto-refreshes every 30s. Master-admin gets the cross-tenant rollup.
Employee Self-Service Portal
Cookie-gated /portal for end-users. The local agent mints a short-lived signed link the user clicks; they see their device, the restrictions currently on, and can submit unblock-app / temp-unrestrict / other requests for an admin to decide.
Bulk Device Actions
Selection bar above the device list for bulk reassign, bulk uninstall and bulk re-policy. Audited per-action; admin / owner only for destructive ones.
Saved Device Views
Save the current filter, search, sort and column set as a named view. Private-by-default with a per-tenant share toggle so the whole console can land on the same starting page.
Per-Tenant Device + Operator Caps
Hard ceilings on devices and operators, enforced server-side as a safety floor independent of plan + seat overrides. Stops a runaway script from enrolling 10,000 PCs into a 50-seat plan.
Per-Tenant Custom Branding
Per-tenant logos, colours and installer product names. Branding applies to the admin console, the employee portal, and the NSIS installer's UI strings.
Scheduled Reports (PDF / CSV)
Cron-style report schedules that email a PDF or CSV to a distribution list. Built-in templates for fleet posture, audit summary and policy drift.
Outbound Integrations
Per-tenant outbound dispatcher pushes alerts to Slack, Teams, PagerDuty, generic webhooks, Splunk HEC and Microsoft Sentinel. Secret rotation and per-channel filters are first-class.
Per-Tenant SSO (SAML + OIDC)
Each tenant brings its own IdP. State between login start and IdP callback is carried in HMAC-signed envelopes so there's no shared session store to scale or leak.
Service-Account API Tokens
Mint, scope and revoke long-lived tokens for service accounts. Tokens are role-aware so a CI runner can read inventory without being able to issue commands.
Endpoint Isolation
One-click 'cut this PC off the network' that drops a deny-by-default Windows Filtering Platform rule keeping only the agent's cloud channel reachable. Reversible from the same button.
Remote Control Tooling
Operator-initiated remote sessions via the device's installed remote-control tool (AnyDesk-class). Agent reports installed/running status and can wipe the tool's saved ID for a clean session.
Patch Enforcement
Force-install missing security patches, surface the per-device patch backlog and roll up across the fleet. Pairs with the offline fail-closed window so unpatched offline PCs degrade automatically.
BitLocker Posture
Per-device BitLocker enable/disable/pause/resume plus a fleet posture rollup: which volumes are protected, which are suspended for the next reboot and which are unprotected.
AV / EDR / Defender Health
Heartbeat surface for Defender real-time, signature freshness, Tamper Protection, and any 3rd-party AV / EDR registered with Security Center. A drift in any of these becomes an alert.
Network Telemetry
Per-device adapter, IP, gateway, DNS, public IP and last-seen-on-which-Wi-Fi data. Used by the geofence and the 'this PC moved off the corporate network' alert.
USB DLP
Per-device USB write events: which file, which volume, which user, when. Pairs with USB Storage Lockdown so the operator can flip from monitor to enforce on a single PC or the whole fleet.
Auto Scheduler
Time-based restriction windows that auto-apply and auto-restore - block camera, internet and recorders on a daily schedule with no manual touch.
Scheduled Camera Block
Disables every webcam and camera device on the PC during scheduled windows. Re-enables automatically the moment the window ends - no manual toggle, no agent restart.
Scheduled Internet Block
Cuts network connectivity (Wi-Fi + Ethernet + cellular) for the scheduled period. The PC stays usable for offline work; access is restored automatically when the window closes.
Scheduled Recording Block
Terminates and prevents launch of screen / audio recorders (OBS, Bandicam, Camtasia, Snagit, Xbox Game Bar, etc.) for the duration of the scheduled window.
Multiple Time Windows Per Day
Stack as many time ranges as you need on a single schedule - e.g. 09:00-12:00 and 14:00-18:00. Each window applies and lifts independently.
Cross-Midnight Schedules
Windows that wrap past 00:00 (e.g. 22:00 → 06:00) are handled correctly. The engine evaluates start / end on the right calendar day every time.
Automatic Apply & Restore
Once a schedule is saved no operator action is needed. The server fires the restriction ON at start and OFF at end automatically - even if the operator is offline.
Instant Sync to Device
Schedule edits propagate to the agent in seconds via the existing command channel. No PC restart, no re-install, no operator intervention required.
Strict Enforcement Mode
While a window is active the user cannot bypass blocked features - the agent re-asserts the block continuously and logs every bypass attempt to the audit trail.
Per-Device Schedules
Each PC has its own schedule list - pick the restrictions to enforce, the time windows, and toggle the schedule on or off without affecting other devices.
Schedule Activity Log
Every automatic apply / restore is recorded with timestamp, restriction id, schedule id and outcome - visible in the device activity feed for compliance review.