Skip to main

KasperskyEndpoint Security for Windows (for workstations)

Not all Windows workstation security solutions are equal – and that means a lot of products are letting more of the most dangerous malware and attacks slip through onto the corporate IT networks they’re meant to be protecting.

By combining class-leading security technologies, plus endpoint controls and data encryption – in one integrated solution – Kaspersky Endpoint Security for Windows (for workstations) does more to protect your laptops and desktops. With all functions accessible from one centralized management console, you can also save time on deployment and administration tasks.

  • Multi-layer security

    • Integrated Windows workstation security

      Whereas some other products require you to purchase multiple applications – each with a different management console – Kaspersky Endpoint Security for Windows is a single application that delivers a host of security technologies:

      • Anti-malware – plus firewall & Host-Based Intrusion Prevention System (HIPS)
      • Endpoint controls:
        • Application Control
        • Web Control
        • Device Control
      • Data encryption
    • Choose the security modules you need

      Kaspersky Endpoint Security for Windows (for workstations) is included within our range of integrated security solutions for business:

      • Kaspersky Total Security for Business includes all Kaspersky Endpoint Security for Windows (for workstations) functionality
      • Kaspersky Endpoint Security for Business | Advanced includes all Kaspersky Endpoint Security for Windows (for workstations) functionality
      • Kaspersky Endpoint Security for Business | Select excludes data encryption
      • For more information about Kaspersky Total Security for Business and Kaspersky Endpoint Security for Business, please click here.
    • Flexible upgrade path

      When your security requirements change, it’s easy to upgrade to the next tier of Kaspersky Endpoint Security for Business or to Kaspersky Total Security for Business. You simply use a new license key to access the additional functionality that your new tier provides.

    Anti-malware, firewall and HIPS

    • Multi-layer anti-malware

      Our latest anti-malware engine combines signature-based protection, heuristic and behavioral analysis plus cloud-assisted technologies – to protect your Windows workstations from known, unknown and advanced malware threats.

    • Superior security – plus efficiency

      Pattern-based detection technology improves detection rates and helps us to reduce the size of update files – so you benefit from superior security that consumes less of your communications bandwidth.

    • Cloud-assisted malware detection

      Millions of consenting customers and thousands of businesses let the cloud-based Kaspersky Security Network (KSN) receive data – about malware and suspicious behavior – from their computers. This real-time flow of data helps us to deliver an extremely rapid response to new malware – while also achieving a lower rate of 'false positives'.

    • System Watcher

      By detecting and analyzing suspicious behavior on your workstations, System Watcher technology helps to protect you against new threats that have not yet been added to our signature database. If a malware attack affects the operating system, the system registry or important file types, System Watcher’s activity tracking helps to roll back the changes caused by the attack.

    • Automatic Exploit Prevention

      Our innovative Automatic Exploit Prevention (AEP) technology helps to ensure malware can’t exploit vulnerabilities within the operating systems or applications that are running on your network. AEP specifically monitors the most frequently targeted applications – including Adobe Reader, Internet Explorer, Microsoft Office, Java and many more – to deliver an extra layer of security monitoring and protection against unknown threats.

    • Host-Based Intrusion Prevention System

      For some applications – even though the applications may not be classed as malicious – their activities may be regarded as high-risk. In many cases, it’s advisable that these activities are restricted. Our Host-Based Intrusion Prevention System (HIPS) restricts activities within the endpoint, according to the ‘trust level’ that has been assigned to the application. HIPS works together with our application-level Personal Firewall – which restricts applications’ network activity.

    • Network Attack Blocker

      Our Network Attack Blocker monitors suspicious activity on your network – and lets you pre-define how your systems will respond if any suspicious behavior is detected.

    Flexible endpoint controls

    • Application Control

      Our Application Control tools go much further than many other vendors’ offerings. We’re the only security vendor that has invested in establishing its own Allowlisting that checks applications for security risks. OOur database of allowlisted applications includes over 1.3 billion unique files – and it’s growing by a further 1 million files per day. Application Control and Dynamic Allowlisting makes it easier for you to run a Default Deny policy that blocks all applications, unless they’re on your allowlist. Furthermore, if you’re looking to introduce or update a Default Deny policy, our new test mode lets you set up the policy in a test environment – so you can check your policy is correctly configured, before you ‘go live’.

    • Device Control

      Device Control tools make it easy to manage which devices are allowed to access your corporate IT network. You can set up controls that are based on the time of day, geographic location or the type of device. You can also align the controls with Active Directory – for granular administration and policy assignment. Administrators can also use masks in the creation of Device Control rules – so multiple devices can easily be allowlisted for use.

    • Web Control

      Our Web Control tools let you set up Internet access policies and monitor Internet usage. Geographic and time-of-day controls may be aligned with Active Directory – to help in administration and setting policies.

    Data encryption

    • Strong encryption

      By using an AES encryption algorithm that has 256 bits of key length and is NIST approved (#2980), we deliver strong encryption for your confidential information. If files or systems are lost or stolen, unauthorized users will not be able to access your encrypted data. Our encryption has also been designed to be FIPS 140-2 compliant (validation pending).

    • Full Disk Encryption

      For encryption that's 'close to the hardware' – and to make it easy for you to run an 'encrypt everything at once' strategy – Full Disk Encryption (FDE) operates on the physical sectors of the disk. Before a hard disk encryption task is allowed to proceed, the boot hard drive is automatically checked to ensure it is compatible with Kaspersky Endpoint Security for Windows.

    • File-Level Encryption

      File-Level Encryption (FLE) helps you to enable secure sharing of data across your network. For additional security – when a file is encrypted – the original, unencrypted file can be wiped from the hard drive.

    • Encryption of removable media

      To protect data that also needs to be transferred on removable devices, Removable Media Encryption can perform Full Disk Encryption and File-Level Encryption.

    • ‘Portable mode’ encryption

      If you need to transfer sensitive data via email, the Internet or a removable device, you can easily set up password-protected, encrypted, self-extracting packages of files and folders. A special 'portable mode', for File-Level Encryption on removable media, helps enable the secure transfer of data – even onto computers that are not running Kaspersky Endpoint Security for Windows.

    • Simplified sign-on

      When a user switches on their PC and enters their username and password, our Single Sign-On feature will give the user immediate access to the encrypted data on their PC's hard drive. This helps to ensure the encryption & decryption processes are virtually transparent to the user – and that helps to boost efficiency and productivity.

    • Smartcard / token sign-on

      Users can also log on by using a smartcard or token – instead of a username and password. Many popular types of smartcards and tokens are supported.

    • Recovery tools

      In the event of a system fault – even if the operating system cannot boot up – our special recovery tools can be used to decrypt the data.

    • Support for Intel AES-NI and more

      By supporting Intel AES-NI, we enable more rapid encryption and decryption of data – for many Intel processor-based and AMD processor-based systems*. Our Full Disk Encryption technology also supports UEFI-based platforms. There’s also support for non-QWERTY keyboards.

      *Not all processors are supported.

    Centralized management

    • Centralized management console

      Every feature within Kaspersky Endpoint Security for Windows – plus other Kaspersky Lab endpoint security technologies that you’re running – can be managed via one centralized management console. Kaspersky Security Center provides a single easy-to-use console – so you won’t have to waste time getting to grips with a different management interface for every different security technology you need to run. Instead, this one console gives you ‘single pane of glass’ visibility and control of your endpoint security – including:

      • Deploying and managing Kaspersky Endpoint Security for Windows – plus other Kaspersky Lab endpoint security applications – across your corporate network
      • Defining specific anti-malware, endpoint controls & data encryption parameters – within a single policy
      • Generating – and customizing – a wide range of detailed security reports
    • Role-Based Access Control

      In addition, the new Role-Based Access Control* (RBAC) feature makes it easier to divide security management responsibilities between multiple administrators. With RBAC, the Kaspersky Security Center console can easily be customized so that each administrator only has access to the tools and information that are relevant to their responsibilities.

      *Role-Based Access Control is only included in Kaspersky Endpoint Security for Business | Advanced and Kaspersky Total Security for Business.

      For more information on Kaspersky Security Center, please click here.

A part of


Kaspersky's unique combination of big data threat intelligence, machine learning and human expertise enables agile, responsive protection against any kind of threat — with minimal management overheads.

Why Choose Kaspersky Protection Against Ransomware?

Every 40 seconds, a business is attacked by ransomware. Here's how Kaspersky products can help ensure your business isn't held to ransom.