Getting Started with CtrlOne
CtrlOne locks down and monitors Windows PCs from a single console. This guide orients you to the moving parts and the shape of a typical rollout so the rest of the documentation makes sense.
What CtrlOne does
CtrlOne is a multi-tenant platform for locking down and managing Windows devices. Operators sign in to a web console, group devices under a tenant, and apply policies that enforce restrictions on each endpoint - from USB and application controls to browser and desktop lockdown.
Enforcement is policy-only. CtrlOne applies restrictions through Windows Group Policy and registry policy, then service control. The agent never renames executables, deletes application files, changes install paths, or patches binaries - so changes are clean, reversible, and cleanly undone when the product is removed.
The pieces you will work with
- Admin console - the web app where operators manage tenants, devices, policies, reports, and integrations. Runs from the hosted cloud at ctrlone.online or on-premises with the LAN server for air-gapped networks.
- Windows agent - the software installed on each managed PC. It runs as a service with a companion watchdog, checks in to the console, and enforces the assigned policy.
- Agent Console (desktop) - an optional local app for the managed PC itself. It talks to the agent over a loopback bridge so a technician standing at the machine can review and apply policy locally.
- Installer - the NSIS-based setup (and an MSI build) that deploys the agent, registers the service, and claims the device into your tenant.
How a rollout flows
Most teams follow the same path: create a tenant and an operator account, download the installer with your claim key, deploy it to one pilot PC, confirm the device checks in, then apply a policy template. Once the pilot looks right, you repeat the deployment across the fleet and refine policies per group.
The console's onboarding wizard walks a new tenant through exactly these four steps - claim key, installer download, first device check-in, and applying a starter policy template.
Cloud or on-premises
You can run CtrlOne two ways with the same console and controls. The hosted cloud console needs no infrastructure of your own. The on-premises LAN server runs the console and enrollment inside your network for air-gapped or data-residency-constrained environments.
Frequently asked questions
Do I need to install anything to use the console?
No. The admin console is a web app - open it in a browser and sign in. Only the managed Windows PCs get the agent installed.
Which Windows versions are supported?
CtrlOne targets Windows 10, Windows 11, and Windows Server. See the Compliance & Compatibility page for the current compatibility matrix and known limitations.
Is CtrlOne an antivirus?
No. CtrlOne is built for lockdown and control, not signature scanning. It complements AV/EDR rather than replacing it, and can report on Defender and BitLocker posture.
Ready to install?
Follow the installation guide to deploy the agent on your first Windows PC, then wire up policies from the console.