A user reported a network performance issue at one of their offices where a single computer had downloaded and uploaded several gigabytes of data within approximately the last four hours. They sought a way to determine exactly what data was downloaded and where it was uploaded to after the fact.
ControlUp experts clarified that while ControlUp for Desktops can provide detailed network usage volume information retrospectively, it does not store historical data about the specific destination addresses or detailed process-level network activity. The device’s Performance tab includes historical charts such as Network Usage (MB/s) and Hourly Network Usage (MB), which show the volume of data sent and received over time. This helps confirm the timing and magnitude of a network spike but only at the overall device level, not by specific process or destination.
For live, real-time network connection details—including which process is communicating with which remote IP address—the Network tab and TCP Connections Map can be used. This tab shows detailed, process-to-destination connections but does not retain historical data, so it only helps monitor ongoing network activity. Consequently, if the large data transfer activity occurred several hours ago and is no longer ongoing, ControlUp itself cannot provide retrospective insights into the process or endpoints involved.
To investigate historical transfers of this nature, network security and monitoring should be supplemented with firewall logs, proxy logs, or netflow data, which retain detailed connection records over time. This approach is recommended for network administrators with access to those tools.
For prevention and proactive detection, users can configure static threshold alerts in ControlUp to notify them immediately if network usage exceeds a predefined value in the future. This allows administrators to catch high-volume transfers as they happen and investigate using real-time detail from ControlUp. The documentation for setting static threshold alerts can be found here: https://support.controlup.com/docs/devices-static-threshold-alerts.
Additional guidance on real-time network analysis is available at https://support.controlup.com/docs/live-network-analysis.
Read the entire article here...
Security Related Training & Support Archives
Security training and support-related archives from inside the ControlUp Community on Slack.
Troubleshooting PowerShell Script Execution Failures in User Context with Ivanti Application Control and ControlUp
A user encountered an issue when attempting to run PowerShell scripts on endpoint machines using ControlUp (CU) in the user context. While executing scripts in the system context was successful, running them as the user failed with an error code -1. The environment included Ivanti Application Control, a security solution similar to Windows Defender Application Control (WDAC) or AppLocker, which enforces application execution policies. The user had configured a process rule allowing SipAgent.exe to launch PowerShell.exe, which was confirmed to function correctly via Process Monitor and Process Explorer, as PowerShell.exe briefly appeared. However, the actual PowerShell script never executed, even a simple command like ‘Start-Sleep 1000’ failed to run.
Disabling the Ivanti Application Control service restored the ability to run scripts, indicating a conflict with the security controls. Interestingly, no block events were logged by Ivanti, suggesting the issue was not a straightforward deny event at the application control layer. The user inquired about which processes and system files ControlUp uses during script execution to better understand the interaction.
The root cause was identified as an Ivanti configuration rule that elevated PowerShell processes for the test user account. This elevation interfered with the ControlUp execution mechanism, preventing the script from running properly in user context. The resolution involved creating an exception within the Ivanti elevation rule: PowerShell processes launched with the ‘-file’ parameter were excluded from elevation. This adjustment allowed the scripts to run successfully while maintaining the intended elevation policy for other PowerShell instances.
This case highlights the importance of carefully managing application control and elevation policies in security products like Ivanti when deploying user-context scripts via ControlUp. Explicitly excluding ControlUp-launched PowerShell processes that run script files from elevation can prevent execution failures without compromising security. Users facing similar issues should review their application control and elevation configurations, particularly any rules that modify or elevate PowerShell, and test exclusions for script execution parameters. For more details on ControlUp’s script execution methods and related settings, users can consult the official ControlUp documentation at https://docs.controlup.com.
Read the entire article here...
Read the entire article here...
How to Implement Native macOS and Windows Self-Service Disk Cleanup via ControlUp Edge DX Without External Tools
A ControlUp community member developed a native self-service disk cleanup solution for macOS and Windows users, designed to be triggered via ControlUp Edge DX without requiring IT intervention or external tools. The goal was to allow users to safely free disk space through a simple, native dialog that displays current disk usage and offers a checklist of safe-to-clean areas such as Trash, application caches, container caches, logs, Xcode build cache, and old temporary files. Each item is described in plain language and sorted by the space it occupies, allowing users to select and confirm the cleanup themselves.
On macOS, the dialog is implemented using only built-in osascript capabilities—no additional tools like swiftDialog or extra installations are necessary. For both macOS and Windows, the solution emphasizes safety by running a dry-run by default, excluding critical system folders and personal directories such as Documents, Downloads, Keychains, and SSH keys from cleanup. The cleanup operates within the context of the logged-in user, not root, ensuring user-specific data protection. After cleanup, the system verifies the amount of space reclaimed against the actual free volume.
Triggering this cleanup from an Edge DX alert, either automatically due to disk usage thresholds or on-demand, enables a small dashboard that reports on reclaimable and freed disk space, all without requiring elevated permissions, Intune writes, or admin consent. One of the more challenging technical aspects was delivering the cleanup dialog from a root-level agent into the user’s session, given the restrictions of macOS and Windows environments.
The community member shared that while the script could likely be optimized or shortened by more experienced developers, this version works reliably and safely. Detailed setup documentation is available by request. Additionally, to complement the cleanup tool, the developer created an analytics dashboard to track the cumulative space saved by the script. This solution offers a practical way for organizations using ControlUp Edge DX to empower their end users with safe, controlled disk cleanup capabilities, minimizing helpdesk workload without compromising disk security or user privacy.
For more on creating and managing custom alerts and actions within ControlUp Edge DX, consult the official documentation at https://docs.controlup.com/edge and explore ControlUp Academy at https://cuacademy.controlup.com for training on extending ControlUp functionality.
Read the entire article here...
Read the entire article here...
Managing Access to Microsoft Teams Meeting Recordings: Insights and Permissions
ControlUp does not currently offer direct insights into Microsoft Teams meeting recordings or their access logs. Meeting recordings in Teams are stored in the organizer's OneDrive or SharePoint, depending on the meeting type. For private meetings, recordings are saved to the organizer's OneDrive, while channel meetings store recordings in the SharePoint site associated with the channel. ([learn.microsoft.com](https://learn.microsoft.com/en-us/MicrosoftTeams/tmr-meeting-recording-change?utm_source=openai))
To monitor access to these recordings, organizations can utilize Microsoft Purview, which provides auditing capabilities for Teams content. Purview allows administrators to track activities related to meeting recordings, such as who accessed or shared the recordings. This functionality is particularly useful for compliance and security purposes. ([learn.microsoft.com](https://learn.microsoft.com/en-us/purview/edisc-search-teams?utm_source=openai))
Additionally, meeting organizers can manage access permissions for their recordings directly within Teams. By default, access is set to "Everyone," but organizers can customize this setting to restrict access to specific individuals or groups. This control ensures that only authorized users can view or download the recordings. ([support.microsoft.com](https://support.microsoft.com/en-us/teams/meetings/customize-who-can-access-a-recording-or-transcript-in-microsoft-teams?utm_source=openai))
In summary, while ControlUp does not provide direct insights into Teams meeting recordings, organizations can leverage Microsoft Purview for auditing access and utilize Teams' built-in features to manage recording permissions effectively.
Read the entire article here...
Read the entire article here...
How to Alert on Added Storage Devices by Drive Letter in ControlUp Using os_disk_configuration Filters
A community member sought assistance with creating a ControlUp trigger or alert to detect when storage devices are added to a physical endpoint and assigned a drive letter or mounted. The data relevant to this event is visible in the ControlUp 4D (CU4D) Performance tab under the Operating System location and stored in the *_devices* index. Specifically, the data is found in the os_disk_configuration field, which contains a JSON array showing details about mounted drives, including drive letters. The user’s challenge was to configure an alert that could detect any newly mounted drive except the system drive C:\ without having to set multiple alerts for every potential drive letter (e.g., D:\, E:\, etc.). They noted the lack of regex support in the filter queries limited their options.
The issue arises because the os_disk_configuration field holds a JSON array with multiple drive entries, and filtering out drive_letter "C:\" naively removes all entries due to the structure of the array. Attempts to use a “does not contain” filter eliminated all Windows devices, only showing macOS devices, complicating detection on Windows endpoints. The user also tried to narrow the focus to removable media but learned that their security team's use case requires alerting on any disk, mounted by drive letter, which remains the best indicator available.
Advice provided during the discussion included adding filters for platform or OS to ensure the alert targets only Windows devices (e.g., platform set to 1 or OS equals Windows). This helped reduce irrelevant results but did not completely solve the filtering problem. Suggestions included playing with additional filters such as combining conditions to exclude drive_letter "C:\" while explicitly including removable devices, though this required trial and error. A recommendation was to test filter configurations in the CU4D index view, including setting the platform to 1 to target Windows devices specifically.
Ultimately, the thread highlights the challenge in using ControlUp’s current filtering capabilities on complex JSON arrays like os_disk_configuration for dynamic drive letters without regex support. The workaround involves narrowing the scope by platform/OS filters and experimenting with composite negation filters, although a straightforward out-of-the-box solution for this specific alert scenario is limited. Users needing comprehensive coverage for any drive letter other than C:\ must create a series of alerts or await enhanced filter features. For now, leveraging the detailed disk configuration data in the *_devices* index with strategic filter layering is the best approach.
For further reading on creating and troubleshooting alerts and filters in ControlUp, users can consult official documentation at https://docs.controlup.com and explore ControlUp Academy resources at https://cuacademy.controlup.com.
Read the entire article here...
Read the entire article here...
How to Diagnose Microsoft Teams SlimCore Optimization in Citrix and Other VDI Environments Using PowerShell Scripts
This discussion highlights two PowerShell scripts developed to aid tracking and diagnosing Microsoft Teams SlimCore Optimization specifically within Citrix environments, with potential applicability to Azure Virtual Desktop (AVD), Windows 365 (W365), and VMware Horizon sessions. SlimCore is an optimized media stack used in virtual desktop infrastructure (VDI) scenarios to enhance Teams call performance by offloading audio and video processing to the client side.
Read the entire article here...
Read the entire article here...
Widget Wednesday #24: Managing Dashboard Access with Roles and Tags
Widget Wednesday #24 explores new dashboard roles, tags, and sharing capabilities in ControlUp Dashboards, helping administrators organize dashboards and control user access more effectively.
Read the entire article here...
Read the entire article here...
Creating a Public Link for Custom NOC Display Dashboards in ControlUp
A user is interested in creating a public link for their customized NOC display dashboard using ControlUp's built-in Big Screen Dashboard feature. Other users have also expressed a need for this feature and it seems to be gaining momentum. ControlUp knows about the request but has not found a secure way to implement it yet, as each widget on the dashboard is a live query requiring a token from the user. The suggestion is to create a service account and properly set up permissions for the dashboard to display it on digital signage.
Read the entire article here...
Read the entire article here...
How to Export Audit Logs for Dex Platform Using ControlUp APIs and Workflows
The topic of exporting Audit Logs for the Dex platform arose in Slack, and several members provided possible solutions using ControlUp APIs and workflows. The API article can be found at https://api.controlup.io/reference/orgauditlogpubliccontroller_getall and events overview can be found at https://support.controlup.com/docs/incidents-and-events-overview?highlight=Vdi%20event. The user was looking to export the logs to a different location, specifically Azure Sentinel.
Read the entire article here...
Read the entire article here...
Troubleshooting Access to VDI Console in ControlUp Academy
A user was having trouble accessing the VDI console and reached out for help. Another member asked for the support ticket number and suggested checking the organization member group settings. Eventually, the issue was resolved by temporarily setting the permission to "Deny" and then back to "Allow". It was noted that this issue had been ongoing for a year in another tenant manager.
Read the entire article here...
Read the entire article here...

