Device Control Overview
CtrlOne groups its lockdown capabilities into a set of restriction surfaces. This overview explains how they relate so you can navigate to the specific control you need.
How restrictions are organised
Restrictions are grouped by the part of Windows they control - removable storage, application launch, browsers, the desktop and shell, and more. You compose the ones you need into a policy, and the agent enforces them on the endpoint through Group Policy and registry policy.
The main surfaces
- USB and device-class control - allow or deny classes of removable devices for data-loss prevention.
- Application blocking - stop specific apps from launching without touching their files.
- Browser restrictions - apply managed browser policy such as URL blocklists.
- Desktop and shell lockdown - restrict Control Panel, settings surfaces, context menus, and other shell entry points.
Everything is reversible
Every surface follows the same policy-only rule: enforcement is applied through Windows policy mechanisms, so lifting a restriction returns the setting to normal. That makes it safe to tighten and relax controls as your needs change.
Frequently asked questions
Can I turn on just one restriction?
Yes. Restrictions are granular - compose exactly the toggles you need into a policy rather than an all-or-nothing lockdown.
Will locking down break normal Windows use?
Restrictions target specific surfaces. Start from a template, pilot it, and tune - the reversible model makes it easy to relax anything that's too strict.
Dive into a surface
Start with USB control for data-loss prevention, or jump to application blocking and browser restrictions.