From 69476d3a560a14925a2a8a29768c5d5f6d0f7066 Mon Sep 17 00:00:00 2001 From: krzysztofstaszalek Date: Wed, 8 Apr 2026 15:19:49 +0200 Subject: [PATCH 1/6] New changes to Endpoint Protector documentation, including updates to admin and supportability sections, and addition of a new image for server certificate validation. Changes to be committed: modified: docs/endpointprotector/admin/agent.md modified: docs/endpointprotector/admin/appliance.md new file: "docs/endpointprotector/admin/servercerti\357\254\201catevalidation.webp" modified: docs/endpointprotector/supportability/client-supportability.md modified: docs/endpointprotector/supportability/server-supportability.md --- docs/endpointprotector/admin/agent.md | 11 ++++ docs/endpointprotector/admin/appliance.md | 55 ++++++++++++------ ...ervercerti\357\254\201catevalidation.webp" | Bin 0 -> 4750 bytes .../supportability/client-supportability.md | 10 ++-- .../supportability/server-supportability.md | 2 +- 5 files changed, 56 insertions(+), 22 deletions(-) create mode 100644 "docs/endpointprotector/admin/servercerti\357\254\201catevalidation.webp" diff --git a/docs/endpointprotector/admin/agent.md b/docs/endpointprotector/admin/agent.md index ff75b35f5a..7ac2633cc7 100644 --- a/docs/endpointprotector/admin/agent.md +++ b/docs/endpointprotector/admin/agent.md 
@@ -170,6 +170,17 @@ Optional distributions will be provided on the product portal and are available ![The Agent enforces the Rights and Settings received from the Endpoint Protector Server on the protected endpoints (Windows, Mac, and Linux)](setupagenttwo.webp) +### Increased Communication Security + +During interactive installation, the installer wizard includes an **Increased Communication Security** checkbox. When enabled, the EPP Client will use certificate-based authentication during the registration process and for all subsequent communication with the EPP Server. +This option corresponds to the **Client Registration Certificate** feature configured on the server side. Before enabling it, ensure that a cryptographic identity signed by the EPP Root CA has been deployed to the endpoint and is present in **Certificate Manager** under *Local Computer → Certificates → Personal*. + + +:::note +This option requires the **Client Registration Certificate** feature to be enabled and configured on the EPP Server ([**Appliance → Server Maintenance → Client Registration Certificate**](/docs/endpointprotector/admin/appliance.md#server-certificate-validation)) before the client is installed. Enabling it without the corresponding server-side configuration will prevent the client from registering. +::: + + ### Installation on macOS with Deep Packet Inspection and VPN Traffic Intercept Active Follow the steps to install on macOS with Deep Packet Inspection and VPN Traffic Intercept active. diff --git a/docs/endpointprotector/admin/appliance.md b/docs/endpointprotector/admin/appliance.md index ac020db0cb..2352d24630 100644 --- a/docs/endpointprotector/admin/appliance.md +++ b/docs/endpointprotector/admin/appliance.md 
@@ -86,16 +86,23 @@ In this section you can modify or add a DNS server address and then Save your ch ![Modify or add a DNS server address and then Save your changes](dnsconfg.webp) -### Client Registration Certificate +### Communication Security + +By default, all communication between Endpoint Protector Clients and the Endpoint Protector Server is encrypted using mutual TLS (mTLS). Both sides present certificates during the TLS handshake, ensuring that data in transit is protected against interception. -From this section, you can register and then verify the Endpoint Protector Client certificate -signature. The client registration certificate is an additional security measure enabling -certificate-based authentication. +To further harden the registration and communication process, Endpoint Protector provides two additional, optional security features that build on this foundation: **Client Registration Certificate** and **Server Certificate Validation**. When enabled, these options introduce certificate pinning into the client lifecycle — verifying not just that communication is encrypted, but +that both endpoints are who they claim to be. :::warning The Client Registration Certificate feature is not available for Linux! ::: +### Client Registration Certificate + +The Client Registration Certificate feature enriches the client registration process by adding a certificate verification component: the Endpoint Protector Server validates the client's certificate during the registration phase, ensuring that only clients presenting a cryptographic identity signed by a trusted CA are allowed to register. +This provides an additional layer of protection in the enrollment flow — ensuring that only authorized, managed devices can register with the EPP Server, even when operating on shared or untrusted networks. + +**Configuration** **Step 1 –** Enable the custom certificate setting and then upload the certificate chain, Root CA and Intermediate; 
@@ -116,6 +123,8 @@ just for testing the signature (for example the Endpoint Protector Client certi **Step 3 –** Click **Save** and allow 2 minutes for the information to be validated. You will view a successful message confirming the custom certificate was added and the test certificate is valid. + **Requirements** + :::note The client registration authentication certificate and the Endpoint Protector server certificate must be issued by the same CA. 
@@ -133,30 +142,42 @@ the endpoints. ### Server Certificate Validation -From this section, you can configure Server Certificate Validation, which ensures that certificates -used for all communication requests on Endpoint Protector clients are validated. This feature is -crucial for maintaining secure communication between various Endpoint Protector products. +While Client Registration Certificate secures the registration phase, Server Certificate Validation extends certificate verification to all ongoing communication. When enabled, the Endpoint Protector Client validates the server's SSL certificate on every outbound request — ensuring that clients only communicate with a trusted, legitimate Endpoint Protector Server and cannot be redirected to a rogue or impersonated instance. +When enabled,the EPP Client validates the server's SSL certificate on every outbound request, verifying three key properties: +- **Certificate trust** — the server certificate must be issued by a trusted Certificate Authority recognized by the endpoint. +- **Expiration date** — the server certificate must be currently valid and not expired. +- **Hostname matching** — the server certificate's Common Name (CN) or Subject Alternative Name (SAN) must match the hostname the client is connecting to. + :::note -All certificate validation statuses will be reported to the Endpoint Protector Server and -stored for debugging purposes in Endpoint Protector Client logs. +Starting from the 5.9.0.0 or later, enabling this option activates Endpoint Protector Server Certificate Validation for all Endpoint Protector Client communication. This strengthens security by ensuring trusted and valid certificates are used. ::: +**Configuration** + +From this section, you can configure Server Certificate Validation, which ensures that certificates used for all communication requests on Endpoint Protector clients are validated. 
+ +![From this section, you can configure Server Certificate Validation.](servercertificatevalidation.webp) + +Before enabling, verify that: +- The EPP Server certificate is valid and not expired. +- The EPP Server certificate is issued by a CA trusted by all managed endpoints. +- The EPP Server hostname matches the certificate's CN or SAN exactly. + +**Client-Side Configuration** +The server-side configuration alone is not sufficient — the EPP Client must also be prepared to participate in certificate-based registration. This is done at installation time. +When installing the Endpoint Protector Client on Windows or macOS, the installer wizard includes an **Increased Communication Security** checkbox. Enabling this option instructs the EPP Client to use the certificate-based authentication flow during registration and all subsequent communication with the EPP Server. For detailed installation steps and a walkthrough of the installer wizard, refer to the [Agent Installation](/docs/endpointprotector/admin/agent.md#increased-communication-security) section. :::warning -Please use this feature responsibly, as improper certificate usage with certification -validation might disrupt Endpoint Protector Client to Endpoint Protector Server communication. For a -successful connection, both server and client certificate validation must be enabled. +Please use this feature responsibly. Improper certificate configuration combined with enabled certificate validation may disrupt Endpoint Protector Client to Endpoint Protector Server communication. +**For a successful connection, both server and client certificate validation must be enabled.** ::: - :::note -Starting from the 5.9.0 or later, enabling this option activates Endpoint Protector Server -Certificate Validation for all Endpoint Protector Client communication. This strengthens security by -ensuring trusted and valid certificates are used. 
+All certificate validation statuses will be reported to the Endpoint Protector Server and +stored for debugging purposes in Endpoint Protector Client logs. ::: - ### Appliance Operations In this section you can perform appliance operations such as Reboot or Shutdown. 
diff --git "a/docs/endpointprotector/admin/servercerti\357\254\201catevalidation.webp" "b/docs/endpointprotector/admin/servercerti\357\254\201catevalidation.webp" new file mode 100644 index 0000000000000000000000000000000000000000..57b246d59bbb7c04c43c58394c0f1f89339d087a GIT binary patch literal 4750 
diff --git a/docs/endpointprotector/supportability/client-supportability.md b/docs/endpointprotector/supportability/client-supportability.md index e915083566..0af2e16836 100644 --- a/docs/endpointprotector/supportability/client-supportability.md +++ b/docs/endpointprotector/supportability/client-supportability.md 
@@ -116,7 +116,7 @@ By following the official operating system vendor policies, we can: The following outlines our current OS support approach for Windows, macOS, and Linux environments, including version requirements, exceptions, and links to vendor documentation for up‑to‑date lifecycle information. -## Windows Client and Server OS Support +### Windows Client and Server OS Support Netwrix Endpoint Protector (EPP) Agent supports all **Microsoft Windows client and server operating systems** that remain within Microsoft’s **Mainstream Support** or **Extended Security Update (ESU)** phase. This includes: 
@@ -133,20 +133,22 @@ When a Windows OS transitions from **Mainstream** to **Extended Support**, Netwr However, customers should be aware that **legacy operating systems may lack compatibility with modern security components**—such as updated encryption libraries or secure communications mechanisms—which are increasingly required in current environments. These limitations are outside our control and may impact agent reliability or feature availability. -_Windows 10 End of Life Note_ +#### Windows 10 End of Life Note -Windows 10 is currently in the final stages of support, with official end-of-service dates approaching for various editions. Once these dates pass, Netwrix will treat Windows 10 the same as other Extended Support operating systems: +Windows 10 is end of support, with official end-of-service dates approaching for various editions. Netwrix will treat Windows 10 the same as other Extended Support operating systems: - No development fixes will be committed for OS-specific issues - Operation is “best effort” only - Any known incompatibilities will be noted in the Netwrix Community Release Notes +[Source: Microsoft announcement](https://support.microsoft.com/en-us/windows/windows-10-support-has-ended-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281#:~:text=Windows%2010%20support%20has%20ended%20on%20October%2014%2C%202025%20%2D%20Microsoft%20Support.) + _General Guidance_ Customers are strongly encouraged to plan migrations to supported operating systems ahead of published Microsoft EOL timelines. This ensures continued compatibility, access to full product capabilities, and ongoing support. **Important:** -Netwrix EPP is **not supported** on of Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008, Windows 7, Windows XP, or any earlier versions. The final EPP Agent build with “best effort” support for these operating systems is 5.9.4.0 (Windows version 6.2.3.1010). No future builds will be produced for them. 
+Netwrix EPP is **not supported** on of Early build of Windows 10 64bit, Windows 10 32bit, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008, Windows 7, Windows XP, or any earlier versions. The final EPP Agent build with “best effort” support for these operating systems is 5.9.4.0 (Windows version 6.2.3.1010). No future builds will be produced for them. ### macOS Clients diff --git a/docs/endpointprotector/supportability/server-supportability.md b/docs/endpointprotector/supportability/server-supportability.md index 6b02648dfd..d4d613a724 100644 --- a/docs/endpointprotector/supportability/server-supportability.md +++ b/docs/endpointprotector/supportability/server-supportability.md @@ -18,7 +18,7 @@ Here is the current state of all versions of Endpoint Protector Server. | **Discontinued Support** | **Limited Support** | **N-1 Track (Active Support)** | **N Track (Active Support)** | | --- | --- | --- | --- | -| All versions prior to 5.9.4.1 | 5.9.4.2 (5942)

In Limited Support from Oct 14, 2025 to Feb 11, 2026. (120 days)

No new feature development or critical fixes.

Support is limited to configuration guidance for 5942. | There is no N-1 track at this time. | 2509.0.1.0 (25.9)

Released Oct 14, 2025.
Full Active Support. [Link to release notes](https://community.netwrix.com/t/major-version-announcement-endpoint-protector-server-version-2509/114025) | +| All versions prior to 5.9.4.2
Limited support endend Feb 11, 2026. | | There is no N-1 track at this time. | 2602.0.1.0 (Base image 2509/2510)

Released Feb 5, 2026.
Full Active Support. [Link to release notes](https://community.netwrix.com/t/endpoint-protector-2602-0-1-0-server-patch-released/121912) | # Support Definitions Used In This Document From 9f54d0393ed8c93858069e0d828774b46209fc81 Mon Sep 17 00:00:00 2001 From: krzysztofstaszalek Date: Wed, 8 Apr 2026 17:19:13 +0200 Subject: [PATCH 2/6] Changes to be committed: modified: docs/endpointprotector/admin/agent.md modified: docs/endpointprotector/admin/appliance.md modified: docs/endpointprotector/supportability/client-supportability.md modified: docs/endpointprotector/supportability/server-supportability.md --- docs/endpointprotector/admin/agent.md | 2 +- docs/endpointprotector/admin/appliance.md | 10 +++++----- .../supportability/client-supportability.md | 4 ++-- .../supportability/server-supportability.md | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/endpointprotector/admin/agent.md b/docs/endpointprotector/admin/agent.md index 7ac2633cc7..cd9a12d67d 100644 --- a/docs/endpointprotector/admin/agent.md +++ b/docs/endpointprotector/admin/agent.md @@ -177,7 +177,7 @@ This option corresponds to the **Client Registration Certificate** feature confi :::note -This option requires the **Client Registration Certificate** feature to be enabled and configured on the EPP Server ([**Appliance → Server Maintenance → Client Registration Certificate**](/docs/endpointprotector/admin/appliance.md#server-certificate-validation)) before the client is installed. Enabling it without the corresponding server-side configuration will prevent the client from registering. +This option requires the **Client Registration Certificate** feature to be enabled and configured on the EPP Server ([**Appliance → Server Maintenance → Client Registration Certificate**](/docs/endpointprotector/admin/appliance.md#server-certificate-validation)) before the client is installed. Enabling it without the corresponding server-side configuration will prevent the client from registering. ::: 
diff --git a/docs/endpointprotector/admin/appliance.md b/docs/endpointprotector/admin/appliance.md index 484ec3416b..3c702a6432 100644 --- a/docs/endpointprotector/admin/appliance.md +++ b/docs/endpointprotector/admin/appliance.md @@ -101,7 +101,7 @@ The Client Registration Certificate feature is not available for Linux! ### Client Registration Certificate The Client Registration Certificate feature enriches the client registration process by adding a certificate verification component: the Endpoint Protector Server validates the client's certificate during the registration phase, ensuring that only clients presenting a cryptographic identity signed by a trusted CA are allowed to register. -This provides an additional layer of protection in the enrollment flow — ensuring that only authorized, managed devices can register with the EPP Server, even when operating on shared or untrusted networks. +This provides an additional layer of protection in the enrollment flow — ensuring that only authorized, managed devices can register with the EPP Server, even when operating on shared or untrusted networks. **Configuration** @@ -124,7 +124,7 @@ just for testing the signature (for example the Endpoint Protector Client certi **Step 3 –** Click **Save** and allow 2 minutes for the information to be validated. You will view a successful message confirming the custom certificate was added and the test certificate is valid. - **Requirements** +**Requirements** :::note The client registration authentication certificate and the Endpoint Protector server 
@@ -143,8 +143,8 @@ the endpoints. ### Server Certificate Validation -While Client Registration Certificate secures the registration phase, Server Certificate Validation extends certificate verification to all ongoing communication. When enabled, the Endpoint Protector Client validates the server's SSL certificate on every outbound request — ensuring that clients only communicate with a trusted, legitimate Endpoint Protector Server and cannot be redirected to a rogue or impersonated instance. -When enabled,the EPP Client validates the server's SSL certificate on every outbound request, verifying three key properties: +While Client Registration Certificate secures the registration phase, Server Certificate Validation extends certificate verification to all ongoing communication. When enabled, the Endpoint Protector Client validates the server's SSL certificate on every outbound request — ensuring that clients only communicate with a trusted, legitimate Endpoint Protector Server and cannot be redirected to a rogue or impersonated instance. +When enabled, the EPP Client validates the server's SSL certificate on every outbound request, verifying three key properties: - **Certificate trust** — the server certificate must be issued by a trusted Certificate Authority recognized by the endpoint. - **Expiration date** — the server certificate must be currently valid and not expired. - **Hostname matching** — the server certificate's Common Name (CN) or Subject Alternative Name (SAN) must match the hostname the client is connecting to. 
@@ -158,7 +158,7 @@ Starting from the 5.9.0.0 or later, enabling this option activates Endpoint Prot From this section, you can configure Server Certificate Validation, which ensures that certificates used for all communication requests on Endpoint Protector clients are validated. -![From this section, you can configure Server Certificate Validation.](servercertificatevalidation.webp) +![From this section, you can configure Server Certificate Validation.](servercertificatevalidation.webp) Before enabling, verify that: - The EPP Server certificate is valid and not expired. diff --git a/docs/endpointprotector/supportability/client-supportability.md b/docs/endpointprotector/supportability/client-supportability.md index 0af2e16836..fbc2d637a5 100644 --- a/docs/endpointprotector/supportability/client-supportability.md +++ b/docs/endpointprotector/supportability/client-supportability.md @@ -135,7 +135,7 @@ However, customers should be aware that **legacy operating systems may lack comp #### Windows 10 End of Life Note -Windows 10 is end of support, with official end-of-service dates approaching for various editions. Netwrix will treat Windows 10 the same as other Extended Support operating systems: +Windows 10 has reached end of support. Netwrix will treat Windows 10 the same as other Extended Support operating systems: - No development fixes will be committed for OS-specific issues - Operation is “best effort” only 
@@ -148,7 +148,7 @@ _General Guidance_ Customers are strongly encouraged to plan migrations to supported operating systems ahead of published Microsoft EOL timelines. This ensures continued compatibility, access to full product capabilities, and ongoing support. **Important:** -Netwrix EPP is **not supported** on of Early build of Windows 10 64bit, Windows 10 32bit, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008, Windows 7, Windows XP, or any earlier versions. The final EPP Agent build with “best effort” support for these operating systems is 5.9.4.0 (Windows version 6.2.3.1010). No future builds will be produced for them. +Netwrix EPP is **not supported** on Early build of Windows 10 64bit, Windows 10 32bit, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008, Windows 7, Windows XP, or any earlier versions. The final EPP Agent build with “best effort” support for these operating systems is 5.9.4.0 (Windows version 6.2.3.1010). No future builds will be produced for them. ### macOS Clients diff --git a/docs/endpointprotector/supportability/server-supportability.md b/docs/endpointprotector/supportability/server-supportability.md index 2d772e1b29..955d39bc4e 100644 --- a/docs/endpointprotector/supportability/server-supportability.md +++ b/docs/endpointprotector/supportability/server-supportability.md @@ -18,7 +18,7 @@ Here is the current state of all versions of Endpoint Protector Server. | **Discontinued Support** | **Limited Support** | **N-1 Track (Active Support)** | **N Track (Active Support)** | | --- | --- | --- | --- | -| All versions prior to 5.9.4.2
Limited support endend Feb 11, 2026. | | There is no N-1 track at this time. | 2602.0.1.0 (Base image 2509/2510)

Released Feb 5, 2026.
Full Active Support. [Link to release notes](https://community.netwrix.com/t/endpoint-protector-2602-0-1-0-server-patch-released/121912) | +| All versions prior to 5.9.4.2
Limited support ended Feb 11, 2026. | | There is no N-1 track at this time. | 2602.0.1.0 (Base image 2509/2510)

Released Feb 5, 2026.
Full Active Support. [Link to release notes](https://community.netwrix.com/t/endpoint-protector-2602-0-1-0-server-patch-released/121912) | # Support Definitions Used In This Document From 52de30eb7abda2daa571481d5af81fb5d6c056ce Mon Sep 17 00:00:00 2001 From: krzysztofstaszalek Date: Wed, 8 Apr 2026 17:45:32 +0200 Subject: [PATCH 3/6] renamed: "docs/endpointprotector/admin/servercerti\357\254\201catevalidation.webp" -> docs/endpointprotector/admin/servercertifiatevalidation.webp --- .../admin/servercertifiatevalidation.webp | Bin 1 file changed, 0 insertions(+), 0 deletions(-) rename "docs/endpointprotector/admin/servercerti\357\254\201catevalidation.webp" => docs/endpointprotector/admin/servercertifiatevalidation.webp (100%) diff --git "a/docs/endpointprotector/admin/servercerti\357\254\201catevalidation.webp" b/docs/endpointprotector/admin/servercertifiatevalidation.webp similarity index 100% rename from "docs/endpointprotector/admin/servercerti\357\254\201catevalidation.webp" rename to docs/endpointprotector/admin/servercertifiatevalidation.webp From bab0cf453b29fb1e1cb930300a4a59d27da500af Mon Sep 17 00:00:00 2001 From: krzysztofstaszalek Date: Wed, 8 Apr 2026 18:52:38 +0200 Subject: [PATCH 4/6] --- docs/endpointprotector/admin/denylistsallowlists/denylists.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/endpointprotector/admin/denylistsallowlists/denylists.md b/docs/endpointprotector/admin/denylistsallowlists/denylists.md index 38333ba1d3..1875b98e51 100644 --- a/docs/endpointprotector/admin/denylistsallowlists/denylists.md +++ b/docs/endpointprotector/admin/denylistsallowlists/denylists.md @@ -424,3 +424,7 @@ Label names can be obtained from the NDC administrator. Consider using the exact ::: ![Confguration for Netwrix Data Classification](NDCClassification.png) + +:::note +The NDC labeling feature is supported only on EPP Clients version 2605.x.x.x and later. +::: \ No newline at end of file 
From b10c77b85a80fb71cb74b9e7460163634ff0de1a Mon Sep 17 00:00:00 2001 From: krzysztofstaszalek Date: Wed, 8 Apr 2026 19:14:06 +0200 Subject: [PATCH 5/6] modified: docs/endpointprotector/admin/appliance.md renamed: docs/endpointprotector/admin/servercertifiatevalidation.webp -> docs/endpointprotector/admin/servercertalidation.webp --- docs/endpointprotector/admin/appliance.md | 2 +- ...iatevalidation.webp => servercertalidation.webp} | Bin 2 files changed, 1 insertion(+), 1 deletion(-) rename docs/endpointprotector/admin/{servercertifiatevalidation.webp => servercertalidation.webp} (100%) diff --git a/docs/endpointprotector/admin/appliance.md b/docs/endpointprotector/admin/appliance.md index 3c702a6432..fd94e34959 100644 --- a/docs/endpointprotector/admin/appliance.md +++ b/docs/endpointprotector/admin/appliance.md @@ -158,7 +158,7 @@ Starting from the 5.9.0.0 or later, enabling this option activates Endpoint Prot From this section, you can configure Server Certificate Validation, which ensures that certificates used for all communication requests on Endpoint Protector clients are validated. -![From this section, you can configure Server Certificate Validation.](servercertificatevalidation.webp) +![From this section, you can configure Server Certificate Validation.](servercertalidation.webp) Before enabling, verify that: - The EPP Server certificate is valid and not expired. diff --git a/docs/endpointprotector/admin/servercertifiatevalidation.webp b/docs/endpointprotector/admin/servercertalidation.webp similarity index 100% rename from docs/endpointprotector/admin/servercertifiatevalidation.webp rename to docs/endpointprotector/admin/servercertalidation.webp From 3ce1408671bff63eff1bbfa80f678e010199c888 Mon Sep 17 00:00:00 2001 From: krzysztofstaszalek Date: Wed, 8 Apr 2026 19:27:43 +0200 Subject: [PATCH 6/6] modified: docs/endpointprotector/admin/agent.md --- docs/endpointprotector/admin/agent.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/endpointprotector/admin/agent.md b/docs/endpointprotector/admin/agent.md index cd9a12d67d..4ee1eb7eb1 100644 --- a/docs/endpointprotector/admin/agent.md +++ b/docs/endpointprotector/admin/agent.md @@ -177,7 +177,7 @@ This option corresponds to the **Client Registration Certificate** feature confi :::note -This option requires the **Client Registration Certificate** feature to be enabled and configured on the EPP Server ([**Appliance → Server Maintenance → Client Registration Certificate**](/docs/endpointprotector/admin/appliance.md#server-certificate-validation)) before the client is installed. Enabling it without the corresponding server-side configuration will prevent the client from registering. +This option requires the **Client Registration Certificate** feature to be enabled and configured on the EPP Server ([**Appliance → Server Maintenance → Client Registration Certificate**](/docs/endpointprotector/admin/appliance.md)) before the client is installed. Enabling it without the corresponding server-side configuration will prevent the client from registering. :::
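
Review bot: In PATCH 1/6, docs/endpointprotector/admin/agent.md, the link labelled "Appliance → Server Maintenance → Client Registration Certificate" in the added `:::note` targets `appliance.md#server-certificate-validation`, which is a different section from the one the label names; point it at the Client Registration Certificate heading. The paragraph above it only tells the reader where to find the deployed identity on Windows (`Local Computer → Certificates → Personal`), while appliance.md in the same patch says the checkbox is offered on Windows or macOS, so either add the macOS location or state that this check is Windows-only.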
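
Review bot: In PATCH 1/6, appliance.md hunk `@@ -86,16 +86,23 @@`, the new Communication Security text says the two optional features "introduce certificate pinning", but the checks this patch documents (identity signed by the EPP Root CA, CA trust, expiry, hostname match) are chain and hostname validation, not pinning; use the accurate term or document what is actually pinned. The first paragraph also says default mTLS already protects against interception, while the Server Certificate Validation section states that the client validates the server certificate only once that option is enabled, so spell out what the default mode does and does not verify. The Linux `:::warning` now sits above the `### Client Registration Certificate` heading it refers to and should move below it, and the sentence ending "encrypted, but" is split across two lines.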
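
Review bot: In PATCH 1/6, appliance.md hunk `@@ -133,30 +142,42 @@`, the image reference `servercertificatevalidation.webp` does not match the file this patch adds, whose name is recorded as `servercerti\357\254\201catevalidation.webp` (the bytes of an "ﬁ" ligature instead of the letters "fi"), so the image will not resolve; rename the file to plain ASCII and keep the reference in step. In the same hunk the opening paragraph states "validates the server's SSL certificate on every outbound request" twice in consecutive sentences, the Client-Side Configuration paragraph talks about certificate-based registration although it sits under Server Certificate Validation, and the warning "both server and client certificate validation must be enabled" does not name which two settings it means. "Starting from the 5.9.0.0 or later" should read "Starting from version 5.9.0.0".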
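
Review bot: In PATCH 1/6, client-supportability.md hunk `@@ -133,20 +133,22 @@`, the Important paragraph adds "Early build of Windows 10 64bit, Windows 10 32bit" to the unsupported list without saying which builds count as early, so an administrator cannot tell whether a given endpoint is covered; name the build numbers or releases. The same sentence reads "not supported on of Early build", the Windows 10 note says the OS "is end of support" while still describing end-of-service dates as "approaching", and `_General Guidance_` stays italic although the sibling note was promoted to a `####` heading. The Microsoft link would be cleaner without the `#:~:text=...` fragment.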
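
Review bot: In PATCH 1/6, server-supportability.md, the rewritten table row leaves 5.9.4.2 itself unclassified: Discontinued Support now reads "All versions prior to 5.9.4.2" and the Limited Support cell is empty, whereas the removed row listed 5.9.4.2 under Limited Support until Feb 11, 2026. If that window has closed, the first cell should cover 5.9.4.2 as well (for example "5.9.4.2 and all earlier versions"). "endend" is a typo in this patch and is corrected only in PATCH 2/6; squashing the two would keep the history clean.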
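
Review bot: In PATCH 2/6, appliance.md hunk `@@ -143,8 +143,8 @@`, adding the space in "When enabled, the" fixes the typo but leaves two consecutive sentences that both begin "When enabled" and both say the client "validates the server's SSL certificate on every outbound request"; merge them so the second sentence only introduces the three properties. Several other -/+ pairs in this patch (the agent.md note, the enrollment-flow sentence, the image line) show no visible difference, so say in the commit message what changed there, and note that the agent.md link still targets `#server-certificate-validation` after this patch.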
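
Review bot: In PATCH 3/6, the rename target `servercertifiatevalidation.webp` is missing the "c" of "certificate", and appliance.md still references `servercertificatevalidation.webp`, so the image stays broken after this commit. Rename to the spelling the Markdown already uses, or update the reference in the same commit.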
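
Review bot: In PATCH 4/6, denylists.md, the added `:::note` closes the file without a trailing newline ("\ No newline at end of file"); add one. The version requirement (EPP Clients 2605.x.x.x and later) is placed after the screenshot at the very end of the section, where a reader will meet it only after configuring the feature, so consider moving it to the start of the NDC section. The commit also has an empty subject line.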
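
Review bot: In PATCH 5/6, the file and its reference now agree, but the new name `servercertalidation.webp` drops the "v" of "validation" (and "ifi" of "certificate"), which makes three different misspellings of one asset across PATCH 1, 3 and 5. Pick one readable ASCII name, for example `servercertvalidation.webp`, and squash the renames. The alt text repeats the preceding sentence verbatim; a short description of what the screenshot shows would serve screen-reader users better.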
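
Review bot: In PATCH 6/6, agent.md, dropping the `#server-certificate-validation` fragment removes the wrong anchor but now sends the reader to the top of appliance.md rather than to the section the link text names. PATCH 1/6 adds a `### Client Registration Certificate` heading in that file, so link to that heading's anchor (presumably `#client-registration-certificate`) instead.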