CtrlOne Reduced Unauthorized Software Installations by 90%
A company with more than 40 branch offices had a familiar problem: employees installing whatever they wanted on their work PCs. Toolbars, unlicensed apps, cracked software, and random utilities were creating security risk, license exposure, and support headaches. Here is how they brought it under control with CtrlOne.
- 90% - fewer unauthorized installs
- 40+ - branch offices standardized
- 0 - new malware incidents from bad installers
The problem
With local administrator rights common across branches, staff routinely downloaded and installed software the IT team never approved. Some of it carried malware; some created licensing liability; all of it made machines harder to support.
The team needed to stop unauthorized installs without filing a helpdesk ticket for every legitimate tool a branch actually needed.
- Employees installing unapproved, unlicensed, and cracked software
- Malware arriving through downloaded installers
- License and compliance exposure the team couldn't measure
- No consistent standard across 40+ branch offices
- A small central IT team stretched thin supporting drifting machines
The deployment
The company rolled out CtrlOne and switched from an open free-for-all to an allow-by-exception model enforced through native Windows policy.
- Application control allows approved software and blocks everything else by name or signature
- Installer and setup executables are blocked for standard users
- Command Prompt, PowerShell, and Registry Editor are locked down to prevent workarounds
- A single policy template is pushed to every branch for a consistent standard
- Tamper-resistant enforcement keeps the rules in place even offline
We used to find something new and sketchy on a machine every single week. After CtrlOne, unauthorized installs basically stopped - and the exceptions our teams genuinely need are just a policy update away.
The results
Once the allow-list was in place, unauthorized software effectively stopped appearing on managed machines.
- Unauthorized software installations fell by roughly 90% across the fleet
- No new malware incidents traced to downloaded installers
- Every branch now runs the same approved software baseline
- License exposure dropped as unlicensed apps disappeared
- Approved-tool requests are handled by updating one policy, not visiting machines
The benefits
The allow-by-exception model gave the enterprise lasting control that scales with the business.
- A consistent, auditable software baseline across every branch
- Lower security and licensing risk as unapproved and unlicensed apps disappear
- Faster onboarding - new machines inherit the approved baseline automatically
- IT spends time approving genuine tools, not cleaning up after shadow IT
- Enforcement holds offline and policies roll back cleanly when a rule is retired
Frequently asked questions
Does blocking installs frustrate employees who need real tools?
No. CtrlOne uses an allow-by-exception model - approved applications keep working, and adding a new legitimate tool is a single policy change rather than a per-machine visit.
How does CtrlOne stop users from bypassing the block?
Alongside application control, CtrlOne locks down Command Prompt, PowerShell, and Registry Editor, and the agent is tamper-resistant, so common workarounds are closed off.
Can the same rules apply everywhere automatically?
Yes. One policy template is assigned to every device group, so all 40+ branches enforce the same approved-software baseline without manual setup.
Stop shadow IT on your Windows fleet
See how CtrlOne application control blocks unauthorized software and installers while keeping approved tools one policy change away.
This is a representative deployment scenario that illustrates how CtrlOne is used in this industry. Figures are illustrative of typical outcomes, not a verified named-customer result.