aidarrow-end-inversearrow-endarrow-left-angulararrow-left-angularWhy choose AvectoAchieve complianceOperational efficiencycompliancedefendpoint-coloureddefendpoint-thin-2DesktopScaleResources.iconsAsset 21insider-threatsavecto-logo-smallquotation-marksransomwareArticleUse caseWebinarResources.iconssafePrevent attacksAsset 19social-engineeringTrustedtriangleStop insider attacksAsset 20Resources.iconsResources.iconszero-days

Secure and compliant endpoints

Prevent breaches without hindering productivity. Defendpoint deploys in hours - not months - and combines privilege management and application control technology in a single agent, making admin rights removal simple and scalable across desktop and servers.

Combining privilege management and application control technology

  • Eliminate admin rights, achieve least privilege

  • Whitelist trusted apps and block malware

  • Insight and analysis to make informed decisions

Eliminate admin rights

Defendpoint allows you to grant privileges to individual applications, tasks and scripts, never to users. Ensure a positive user experience with customized messaging, seamless elevation and flexible prompts.

  • All users run as standard users
  • Delegation of privileged actions
  • On-demand elevation of privileges
  • Customized messages and prompts
  • Trusted applications are whitelisted
  • Detailed reports and analysis

Why Defendpoint?

Defendpoint's seamless integration between privilege management and application control makes it easy to achieve compliance, prevent attacks, and operate efficiently.

We’ll keep you on track with compliance requirements

Defendpoint meets least privilege and access management guidelines by removing privileges and whitelisting trusted applications across all endpoints - even in the data center - while trend reporting and analysis demonstrates compliance with NIST, DFARS, HIPAA, PCI DSS, GDPR and many more.


Free your users from security barricades

The turn-key Quick Start policy makes security achievable overnight, while a single lightweight agent makes maintenance simple. Users operate from the safety of standard user accounts while enjoying the flexibility of admin accounts - all without burdening IT.


Remove the keys to the kingdom

Remove admin rights from all users - even sysadmins in the data center - and assign privileges to the applications, tasks and scripts they need, rather than to the individuals.

By ensuring all employees have just the right level of access to perform in their daily job functions, you create a highly secure environment to mitigate accidental or deliberate insider threats.


Don't leave cyber security to chance

80% of security breaches involve privileged credentials*. Proactively prevent attackers from gaining access to data by removing local admin rights, and prevent malware from executing by controlling the applications allowed to run in your environment.



Available for desktops and servers

Defendpoint for desktops

Defendpoint protects your Windows and macOS desktops, enabling least privilege across even the largest enterprises and most highly regulated environments.

  • Windows migrations

    Moving from an older OS such as Microsoft XP to Windows 10 provides the ideal opportunity to review your best practice security measures. Defendpoint makes your migration easier, providing auditing and reporting capabilities and increased user flexibility.

  • Visibility of privileges

    Defendpoint ensures that you have control and visibility over activities within your business. You see which applications are being used and installed, which tasks and applications require privileges and how many users are running with local admin rights.

  • Legacy systems / applications

    Old software and outdated applications create vulnerabilities and are used as a target for hackers, particularly where admin rights are needed for them to run. Defendpoint allows you to create pragmatic whitelists to manage trusted applications and block unauthorized or old versions of software.

  • Targeted malware

    Up to 90% of malware is unique to your organization, with hackers drawing on social engineering tactics to gain entry to systems and data. Detection-based antivirus solutions are unable to prevent unknown strains of malware. Defendpoint’s proactive approach prevents malware from executing and spreading.

  • Remote workers

    Home or mobile users typically require flexibility to change settings, install software and update applications regardless of their location. Defendpoint’s policy approach based on Workstyles allows you to grant the privileges needed based on job role, ensuring productivity and security.

  • Mac users

    A common misconception is that macOS endpoints are more secure than Windows equivalents. With a rise in malware targeting Mac users, the same security principles apply regardless of platform. Defendpoint allows you to achieve least privilege for all Windows and macOS users.

Defendpoint for servers

Extend protection to the data center and remove admin rights from your most powerful users. You benefit from the same management console and experience as with Defendpoint for desktops.

  • On-demand privilege elevation

    Through integration into the Windows shell menu, Defendpoint can be configured to replace the “Run as Administrator” option, providing specific users with the ability to elevate their privileges using an appropriate approval method. This ensures users can gain the access they need for one-off requests, without ever exposing the administrator account or password.

  • Anti-tamper security

    With in-built security, Avecto’s patented anti-tamper feature prevents any changes to local privilege groups (including the administrator account/group) to prevent any user elevating their privileges. Users are also prevented from changing or altering the Defendpoint technology, ensuring the deployment is protected.

  • Service control

    One of the most common administrative tasks performed on servers is the stopping and starting of Windows services. The Windows Service type allows individual service operations to be whitelisted, so standard users are able to start, stop and configure services without the need to elevate tools such as the Service Control Manager.

  • Remote PowerShell management

    Remote PowerShell authorizes targeted sysadmins to connect remotely to a computer via WinRM with standard user credentials, which would normally require local administrator rights. Once connected, the sysadmin is then able to execute PowerShell scripts or cmdlets that Defendpoint can elevate, block or audit using a flexible rules engine.

  • Advanced policy filtering

    Defendpoint policies can be filtered to accommodate for advanced use cases associated specifically with servers. Filters can be based on Security Group membership, machine or host name, time of day/week, and can be set with a date/time to expire.

  • Third party access

    Granting admin rights to external users is a security risk. Defendpoint ensures third parties are able to just do the job they need to, on only the servers required, using only approved applications and processes and during a specific timeframe from an approved location.

Ready to learn more?

Eliminating privileges is one of the most essential risk mitigation strategies for any organization. Learn what makes Avecto a leader in privilege management and how Defendpoint helps organizations achieve secure and compliant endpoints.

Why choose Avecto?

  • Leader in privilege management since 2008

  • Trusted by over 1100 global brands

  • Over 8 million users work productively without admin rights

  • Proven to scale from 100 to 500,000 desktops

  • Integrated desktop and server technology from a single vendor


Choice of management platforms to suit your existing infrastructure

Unlike traditional privilege management products that can take months to properly configure, Avecto Defendpoint’s innovative Quick Start policy gets you up and running in mere hours. We’ve leveraged years of deployment scenarios to create out-of-the-box workstyles meant to cover the vast majority of enterprises and significantly reduce implementation efforts. No other product can offer this level of convenience, flexibility, and speed during deployment.


ePO edition

Avecto is an accredited McAfee SIA partner for certified integration with McAfee ePolicy Orchestrator. This option provides easy deployment into your existing ePO infrastructure, delivering Defendpoint policy with ePO's precise targeting features. Extensive auditing and reporting is accessed directly in the ePO console.

You also benefit from informed policy changes with McAfee Threat Intelligence Exchange (TIE/DXL) integration.


Group Policy edition

Defendpoint for Windows deploys into your existing Microsoft enterprise technology, with minimal new hardware requirements. It aligns with your existing enterprise change control processes for endpoint configuration.

Deliver policy based on Active Directory groups and organizational units with extensive auditing and reporting on endpoint activities.


Cloud or on-premises

Avecto's own management platform provides scalable cloud-based or on-premises management for Defendpoint for Windows and Mac. Built to capitalize on Microsoft Azure and Amazon Web Services (AWS), iC3 may be used as the primary Defendpoint management platform. You can dynamically scale to adjust capacity as needed and maintain contact with your endpoints wherever they are deployed.

With iC3, decisions to allow unknown activity and applications to run become smarter, faster and more dynamic.

140,000 endpoints protected at an American aerospace & defense organization

What Avecto did

"Avecto initially replaced a competitor product thanks to our simplicity and ease of use. We have worked collaboratively with the customer over the last seven years, developing product functionality to support the expanding needs of this global organization."

Mark Austin, Co-CEO, Avecto

Where would you like to go next?