Preventing Unauthorized Applications in Windows
By CtrlOne Team ·
Unauthorized applications - unapproved tools, shadow IT, personal software on work machines - widen the attack surface and complicate support. Preventing them means controlling both what can run and what can be installed. This article covers how to stop unauthorized applications in Windows and how CtrlOne enforces it.

Two things to control
Stopping unauthorized software has two parts: preventing unapproved programs from executing, and preventing users from installing new ones in the first place. Addressing only one leaves a gap - blocking execution without blocking installs still fills disks with unwanted software, and vice versa.
How CtrlOne prevents them
CtrlOne uses Windows AppLocker and Software Restriction Policies to control execution, and restricts installation paths and installer behavior to stop new software going on. Combined and applied by group, this keeps a managed machine to its approved software set rather than whatever a user chooses to add.
Enforced by policy, held in place
CtrlOne enforces these controls through Windows policy - it never renames executables, deletes files, or patches binaries. Enforcement is tamper-resistant and re-asserts after restarts and off-network, so a user cannot quietly disable it to run or install something unauthorized.
Control, not detection
This is about permission, not malware analysis. CtrlOne decides which applications a machine may run and install; it does not scan files to determine whether they are malicious. That detection role belongs to antivirus and EDR, which run alongside CtrlOne's execution control.
Frequently asked questions
How do you stop unauthorized applications in Windows?
Control both execution and installation - prevent unapproved programs from running and stop users from installing new ones. CtrlOne does both through Windows policy, applied by group.
Does CtrlOne delete unauthorized software?
No - it enforces by policy, deciding whether Windows will run or install a program. It never renames, deletes, or patches files, so enforcement is clean and reversible.
Does this detect malware?
No - it controls which applications are permitted, not whether a file is malicious. Malware detection belongs to antivirus and EDR, which run alongside CtrlOne.
Keep machines to approved software
See how CtrlOne prevents unauthorized applications from running or installing on Windows.