Windows Lockdown vs Antivirus: Why You Need Both
By CtrlOne Team ·
Most IT teams already run antivirus on every Windows PC, so a fair question is: if we have AV, why add lockdown software? The short answer is that they solve different problems. Antivirus is a detector. Lockdown is a set of guardrails. One looks for known-bad files after they arrive; the other decides what a person or program is even allowed to do. On a shared kiosk, a classroom PC, or a call-center desk, the guardrails often matter more than the scanner.

What antivirus actually does
Antivirus and its modern cousin EDR watch files, processes, and behavior for signatures and patterns that match known threats. When something matches, the product quarantines or kills it. This is reactive by design - it is very good at stopping malware that has been seen before, and increasingly good at spotting suspicious behavior.
But antivirus has almost nothing to say about a user who copies a customer database to a personal USB stick, installs an unapproved remote-access tool that is perfectly legitimate, or changes the system clock to bypass a licence check. None of those are malware. They are allowed actions performed by an allowed account.
- Detects and removes known malware and risky behavior.
- Blind to policy violations that use legitimate tools.
- Cannot stop a permitted user from an unwanted-but-legal action.
What lockdown software actually does
Lockdown software works the opposite way. Instead of hunting for bad things, it removes the ability to do unwanted things at all. It disables the surfaces you do not want touched - USB storage, the command prompt, Task Manager, unapproved installers, browser downloads, control-panel applets - using Windows Group Policy and registry enforcement rather than by scanning.
Because the control is enforced at the policy layer, there is nothing to detect and nothing to catch up to. A restriction that says 'this account cannot run an unapproved installer' simply never runs one, whether the installer is a year old or released this morning.
- Removes the ability to perform unwanted actions instead of detecting them.
- Enforced through Group Policy and registry, so there are no signatures to update.
- Works the same on brand-new software as on old software.
Why one without the other leaves a gap
Run only antivirus and a standard user can still exfiltrate data, disable protections through the UI, or install shadow-IT tools that AV happily allows. Run only lockdown and a determined piece of malware that slips through an allowed channel - say a malicious document macro - has no scanner watching for it.
The two are complementary. Lockdown shrinks the attack surface so there are far fewer channels for anything to come in or go out. Antivirus watches the channels you must keep open. Together they cover both 'what is allowed' and 'what is malicious.'
How to layer them in practice
Keep your antivirus or EDR exactly where it is. Add lockdown as a second, independent layer that defines the baseline of what each class of device is permitted to do. Kiosks get the tightest policy, staff laptops a looser one, lab machines something in between.
CtrlOne is built for that second layer. It applies hundreds of named restrictions through policy, keeps the agent tamper-resistant so users cannot switch it off, and fails closed when a device goes offline - all without replacing the antivirus you already trust.
Frequently asked questions
Does CtrlOne replace my antivirus?
No. CtrlOne is a lockdown and endpoint-control layer, not a malware scanner. Keep your existing antivirus or EDR and run CtrlOne alongside it for policy-level control.
Will lockdown and antivirus conflict with each other?
They operate at different layers - antivirus inspects files and behavior, CtrlOne enforces Windows policy - so they run side by side without competing for the same job.
Is lockdown only for kiosks?
No. Kiosks use the strictest policies, but staff laptops, lab machines, and call-center desks all benefit from a right-sized restriction baseline.
See the lockdown layer in action
Explore the full catalogue of named restrictions, or read why CtrlOne is built for control rather than scanning.