diff --git a/docs/endpointprotector/admin/agent.md b/docs/endpointprotector/admin/agent.md index ff75b35f5a..4ee1eb7eb1 100644 --- a/docs/endpointprotector/admin/agent.md +++ b/docs/endpointprotector/admin/agent.md @@ -170,6 +170,17 @@ Optional distributions will be provided on the product portal and are available ![The Agent enforces the Rights and Settings received from the Endpoint Protector Server on the protected endpoints (Windows, Mac, and Linux)](setupagenttwo.webp) +### Increased Communication Security + +During interactive installation, the installer wizard includes an **Increased Communication Security** checkbox. When enabled, the EPP Client will use certificate-based authentication during the registration process and for all subsequent communication with the EPP Server. +This option corresponds to the **Client Registration Certificate** feature configured on the server side. Before enabling it, ensure that a cryptographic identity signed by the EPP Root CA has been deployed to the endpoint and is present in **Certificate Manager** under *Local Computer → Certificates → Personal*. + + +:::note +This option requires the **Client Registration Certificate** feature to be enabled and configured on the EPP Server ([**Appliance → Server Maintenance → Client Registration Certificate**](/docs/endpointprotector/admin/appliance.md)) before the client is installed. Enabling it without the corresponding server-side configuration will prevent the client from registering. +::: + + ### Installation on macOS with Deep Packet Inspection and VPN Traffic Intercept Active Follow the steps to install on macOS with Deep Packet Inspection and VPN Traffic Intercept active. diff --git a/docs/endpointprotector/admin/appliance.md b/docs/endpointprotector/admin/appliance.md index 66228288bf..fd94e34959 100644 --- a/docs/endpointprotector/admin/appliance.md +++ b/docs/endpointprotector/admin/appliance.md 
@@ -87,16 +87,23 @@ In this section you can modify or add a DNS server address and then Save your ch ![Modify or add a DNS server address and then Save your changes](dnsconfg.webp) -### Client Registration Certificate +### Communication Security + +By default, all communication between Endpoint Protector Clients and the Endpoint Protector Server is encrypted using mutual TLS (mTLS). Both sides present certificates during the TLS handshake, ensuring that data in transit is protected against interception. -From this section, you can register and then verify the Endpoint Protector Client certificate -signature. The client registration certificate is an additional security measure enabling -certificate-based authentication. +To further harden the registration and communication process, Endpoint Protector provides two additional, optional security features that build on this foundation: **Client Registration Certificate** and **Server Certificate Validation**. When enabled, these options introduce certificate pinning into the client lifecycle — verifying not just that communication is encrypted, but +that both endpoints are who they claim to be. :::warning The Client Registration Certificate feature is not available for Linux! ::: +### Client Registration Certificate + +The Client Registration Certificate feature enriches the client registration process by adding a certificate verification component: the Endpoint Protector Server validates the client's certificate during the registration phase, ensuring that only clients presenting a cryptographic identity signed by a trusted CA are allowed to register. +This provides an additional layer of protection in the enrollment flow — ensuring that only authorized, managed devices can register with the EPP Server, even when operating on shared or untrusted networks. + +**Configuration** **Step 1 –** Enable the custom certificate setting and then upload the certificate chain, Root CA and Intermediate; 
@@ -117,6 +124,8 @@ just for testing the signature (for example the Endpoint Protector Client certi **Step 3 –** Click **Save** and allow 2 minutes for the information to be validated. You will view a successful message confirming the custom certificate was added and the test certificate is valid. +**Requirements** + :::note The client registration authentication certificate and the Endpoint Protector server certificate must be issued by the same CA. 
@@ -134,30 +143,42 @@ the endpoints. ### Server Certificate Validation -From this section, you can configure Server Certificate Validation, which ensures that certificates -used for all communication requests on Endpoint Protector clients are validated. This feature is -crucial for maintaining secure communication between various Endpoint Protector products. +While Client Registration Certificate secures the registration phase, Server Certificate Validation extends certificate verification to all ongoing communication. When enabled, the Endpoint Protector Client validates the server's SSL certificate on every outbound request — ensuring that clients only communicate with a trusted, legitimate Endpoint Protector Server and cannot be redirected to a rogue or impersonated instance. +When enabled, the EPP Client validates the server's SSL certificate on every outbound request, verifying three key properties: +- **Certificate trust** — the server certificate must be issued by a trusted Certificate Authority recognized by the endpoint. +- **Expiration date** — the server certificate must be currently valid and not expired. +- **Hostname matching** — the server certificate's Common Name (CN) or Subject Alternative Name (SAN) must match the hostname the client is connecting to. + :::note -All certificate validation statuses will be reported to the Endpoint Protector Server and -stored for debugging purposes in Endpoint Protector Client logs. +Starting from the 5.9.0.0 or later, enabling this option activates Endpoint Protector Server Certificate Validation for all Endpoint Protector Client communication. This strengthens security by ensuring trusted and valid certificates are used. ::: +**Configuration** + +From this section, you can configure Server Certificate Validation, which ensures that certificates used for all communication requests on Endpoint Protector clients are validated. 
+ +![From this section, you can configure Server Certificate Validation.](servercertalidation.webp) + +Before enabling, verify that: +- The EPP Server certificate is valid and not expired. +- The EPP Server certificate is issued by a CA trusted by all managed endpoints. +- The EPP Server hostname matches the certificate's CN or SAN exactly. + +**Client-Side Configuration** +The server-side configuration alone is not sufficient — the EPP Client must also be prepared to participate in certificate-based registration. This is done at installation time. +When installing the Endpoint Protector Client on Windows or macOS, the installer wizard includes an **Increased Communication Security** checkbox. Enabling this option instructs the EPP Client to use the certificate-based authentication flow during registration and all subsequent communication with the EPP Server. For detailed installation steps and a walkthrough of the installer wizard, refer to the [Agent Installation](/docs/endpointprotector/admin/agent.md#increased-communication-security) section. :::warning -Please use this feature responsibly, as improper certificate usage with certification -validation might disrupt Endpoint Protector Client to Endpoint Protector Server communication. For a -successful connection, both server and client certificate validation must be enabled. +Please use this feature responsibly. Improper certificate configuration combined with enabled certificate validation may disrupt Endpoint Protector Client to Endpoint Protector Server communication. +**For a successful connection, both server and client certificate validation must be enabled.** ::: - :::note -Starting from the 5.9.0 or later, enabling this option activates Endpoint Protector Server -Certificate Validation for all Endpoint Protector Client communication. This strengthens security by -ensuring trusted and valid certificates are used. 
+All certificate validation statuses will be reported to the Endpoint Protector Server and +stored for debugging purposes in Endpoint Protector Client logs. ::: - ### Appliance Operations In this section you can perform appliance operations such as Reboot or Shutdown. diff --git a/docs/endpointprotector/admin/denylistsallowlists/denylists.md b/docs/endpointprotector/admin/denylistsallowlists/denylists.md index 38333ba1d3..1875b98e51 100644 --- a/docs/endpointprotector/admin/denylistsallowlists/denylists.md +++ b/docs/endpointprotector/admin/denylistsallowlists/denylists.md @@ -424,3 +424,7 @@ Label names can be obtained from the NDC administrator. Consider using the exact ::: ![Confguration for Netwrix Data Classification](NDCClassification.png) + +:::note +The NDC labeling feature is supported only on EPP Clients version 2605.x.x.x and later. +::: \ No newline at end of file diff --git a/docs/endpointprotector/admin/servercertalidation.webp b/docs/endpointprotector/admin/servercertalidation.webp new file mode 100644 index 0000000000..57b246d59b Binary files /dev/null and b/docs/endpointprotector/admin/servercertalidation.webp differ diff --git a/docs/endpointprotector/supportability/client-supportability.md b/docs/endpointprotector/supportability/client-supportability.md index e915083566..fbc2d637a5 100644 --- a/docs/endpointprotector/supportability/client-supportability.md +++ b/docs/endpointprotector/supportability/client-supportability.md 
@@ -116,7 +116,7 @@ By following the official operating system vendor policies, we can: The following outlines our current OS support approach for Windows, macOS, and Linux environments, including version requirements, exceptions, and links to vendor documentation for up‑to‑date lifecycle information. -## Windows Client and Server OS Support +### Windows Client and Server OS Support Netwrix Endpoint Protector (EPP) Agent supports all **Microsoft Windows client and server operating systems** that remain within Microsoft’s **Mainstream Support** or **Extended Security Update (ESU)** phase. This includes: 
@@ -133,20 +133,22 @@ When a Windows OS transitions from **Mainstream** to **Extended Support**, Netwr However, customers should be aware that **legacy operating systems may lack compatibility with modern security components**—such as updated encryption libraries or secure communications mechanisms—which are increasingly required in current environments. These limitations are outside our control and may impact agent reliability or feature availability. -_Windows 10 End of Life Note_ +#### Windows 10 End of Life Note -Windows 10 is currently in the final stages of support, with official end-of-service dates approaching for various editions. Once these dates pass, Netwrix will treat Windows 10 the same as other Extended Support operating systems: +Windows 10 has reached end of support. Netwrix will treat Windows 10 the same as other Extended Support operating systems: - No development fixes will be committed for OS-specific issues - Operation is “best effort” only - Any known incompatibilities will be noted in the Netwrix Community Release Notes +[Source: Microsoft announcement](https://support.microsoft.com/en-us/windows/windows-10-support-has-ended-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281#:~:text=Windows%2010%20support%20has%20ended%20on%20October%2014%2C%202025%20%2D%20Microsoft%20Support.) + _General Guidance_ Customers are strongly encouraged to plan migrations to supported operating systems ahead of published Microsoft EOL timelines. This ensures continued compatibility, access to full product capabilities, and ongoing support. **Important:** -Netwrix EPP is **not supported** on of Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008, Windows 7, Windows XP, or any earlier versions. The final EPP Agent build with “best effort” support for these operating systems is 5.9.4.0 (Windows version 6.2.3.1010). No future builds will be produced for them. 
+Netwrix EPP is **not supported** on Early build of Windows 10 64bit, Windows 10 32bit, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008, Windows 7, Windows XP, or any earlier versions. The final EPP Agent build with “best effort” support for these operating systems is 5.9.4.0 (Windows version 6.2.3.1010). No future builds will be produced for them. ### macOS Clients diff --git a/docs/endpointprotector/supportability/server-supportability.md b/docs/endpointprotector/supportability/server-supportability.md index 1a49cc2f7d..955d39bc4e 100644 --- a/docs/endpointprotector/supportability/server-supportability.md +++ b/docs/endpointprotector/supportability/server-supportability.md @@ -18,7 +18,7 @@ Here is the current state of all versions of Endpoint Protector Server. | **Discontinued Support** | **Limited Support** | **N-1 Track (Active Support)** | **N Track (Active Support)** | | --- | --- | --- | --- | -| All versions prior to 5.9.4.1 | 5.9.4.2 (5942)

In Limited Support from Oct 14, 2025 to Feb 11, 2026. (120 days)

No new feature development or critical fixes.

Support is limited to configuration guidance for 5942. | There is no N-1 track at this time. | 2509.0.1.0 (25.9)

Released Oct 14, 2025.
Full Active Support. [Link to release notes](https://community.netwrix.com/t/major-version-announcement-endpoint-protector-server-version-2509/114025) | +| All versions prior to 5.9.4.2
Limited support ended Feb 11, 2026. | | There is no N-1 track at this time. | 2602.0.1.0 (Base image 2509/2510)

Released Feb 5, 2026.
Full Active Support. [Link to release notes](https://community.netwrix.com/t/endpoint-protector-2602-0-1-0-server-patch-released/121912) | # Support Definitions Used In This Document
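Review bot: In the agent.md hunk, the prerequisite "present in Certificate Manager under Local Computer → Certificates → Personal" is Windows-only, but the companion appliance.md hunk says the Increased Communication Security checkbox is offered on Windows and macOS; either document the macOS keychain location as well or scope that sentence to Windows. The section also covers only the server-side failure mode ("will prevent the client from registering") and says nothing about what the client does when the checkbox is enabled but no certificate signed by the EPP Root CA is present on the endpoint; one sentence on that would help operators. Minor: the two consecutive blank lines before `:::note` and after `:::` should be collapsed to one.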
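Review bot: In the appliance.md `Communication Security` hunk, "introduce certificate pinning" does not match what the rest of the change describes: Server Certificate Validation checks CA trust, expiry and CN/SAN hostname match, which is ordinary chain validation, and Client Registration Certificate checks that the client certificate chains to the uploaded Root and Intermediate CA; neither pins a specific certificate or key. Suggest "introduce certificate verification" or name the CA check explicitly. The same paragraph states that mTLS with both sides presenting certificates is already the default, so readers will ask what certificate the client presents by default and how the Client Registration Certificate differs from it; a sentence on that is missing. Finally, the `:::warning` about Linux now sits under the new `Communication Security` heading but concerns only Client Registration Certificate; move it below the `### Client Registration Certificate` heading added in the same hunk.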
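Review bot: In the appliance.md `Server Certificate Validation` hunk, the sentence "When enabled, the ... Client validates the server's SSL certificate on every outbound request" appears twice in consecutive paragraphs; keep the second, which introduces the three-property list, and drop it from the first. The `Client-Side Configuration` subsection says the Increased Communication Security checkbox prepares the client for "certificate-based registration", which per the agent.md hunk is the Client Registration Certificate feature, yet the subsection is placed under Server Certificate Validation; state plainly which of the two features (or both) the checkbox enables, because the warning's "both server and client certificate validation must be enabled" depends on that mapping. Minor: "Starting from the 5.9.0.0 or later" should read "Starting from version 5.9.0.0", and the `**Configuration**` paragraph restates the introduction without naming the control to toggle; name the setting shown in the screenshot.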
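Review bot: The new image file `servercertalidation.webp` is misspelled (the "v" of "validation" is missing); rename it to `servercertvalidation.webp` and update the reference in the appliance.md hunk in the same change so the two stay consistent.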
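Review bot: In the denylists.md hunk, the file loses its trailing newline (`\ No newline at end of file`); add it back. While touching this file, the alt text on the context line above the new note reads "Confguration" and should be "Configuration".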
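Review bot: In the client-supportability.md hunk, "Windows 10 has reached end of support" followed by best-effort treatment conflicts with the unchanged statement earlier in the same file that the Agent supports all Windows OS within Microsoft's Mainstream Support or Extended Security Update (ESU) phase; say explicitly whether Windows 10 devices enrolled in ESU remain supported or are best effort. In the `Important` paragraph, "Early build of Windows 10 64bit" is too vague to act on; give the minimum supported Windows 10 build or version number. The source link carries a `#:~:text=...` text-fragment suffix that should be trimmed to the plain URL, and `_General Guidance_` stays italic while the sibling label became a `####` heading; make both headings.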
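Review bot: In the server-supportability.md table, "All versions prior to 5.9.4.2" in the Discontinued Support column excludes 5.9.4.2 itself, which is the build whose limited support ended Feb 11, 2026 according to the same cell; write "5.9.4.2 and all earlier versions". The now-empty Limited Support cell should state "None at this time" as the N-1 cell does, and if the line breaks inside the cells are literal newlines rather than `<br>` tags the row will not render as a Markdown table.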