Important Note: This version will be available for SaaS deployments starting May 4th, 2026.
Endpoint Protector’s latest release focuses on stronger control, clearer visibility, and modern integrations. A new REST API enables easier automation and integration with external systems. New Exit Policies for ChatGPT and Claude help prevent sensitive data from leaving through generative AI tools. A dedicated Biometric Devices type improves device control on Windows endpoints.
Additional enhancements include richer SIEM exports, UTC-based reporting for better correlation, and clearer SMTP validation feedback. Policy coverage expands with new file types, browsers, and Netwrix Data Classification labels. Features like group duplication, OAuth for Exchange Online, and improved client logging further simplify administration while strengthening consistency, security, and overall data protection.
What’s New in Endpoint Protector 2604
Logs REST API for Integrations and Reporting (Preview)
Endpoint Protector now includes a Preview of the Logs REST API for customers who need programmatic, read-only access to selected Endpoint Protector log and audit data for integrations and reporting.
The API is intended to help reduce reliance on direct database access when building SIEM pull integrations, reporting dashboards, incident investigation workflows, and internal automation. When enabled, it returns JSON over HTTPS and supports common query patterns such as endpoint discovery, pagination, sorting, time-range filtering, and text search.
This capability is disabled by default and is not automatically exposed after upgrade or installation. Preview access is available by request through Netwrix Support. Support will review the intended use case, assist with enablement, and provide guidance for API key provisioning, network access controls, and operational validation.
Preview coverage includes selected log families such as:
- Device Control logs
- Content Aware Protection logs and alerts
- System Alert logs
- Enforced Encryption / EasyLock logs
- eDiscovery / Data-at-Rest logs
- Admin Actions
- Authentication logs
- SCIM Provisioning logs
Because this capability is in Preview, endpoint coverage, response fields, configuration steps, request limits, and security or operational controls may be refined before general availability. Customers should validate integrations in a controlled environment and should not rely on the Preview API as the sole business-critical log export path unless agreed with Netwrix Support.
New Device Type for Biometric Devices on Windows
This release introduces a dedicated Biometric Devices device type for Windows, making it possible to identify and manage supported biometric hardware separately within Endpoint Protector. By treating biometric devices as their own device category, administrators gain more granular control over how these devices are handled in Device Control policies.
This enhancement is especially useful in environments where built-in or external biometric readers need to be managed differently from other peripheral devices. With this new device type, administrators can apply more targeted access rules and improve policy accuracy for Windows endpoints that use biometric hardware.
Requires 2605 EPP Clients
ChatGPT and Claude Added as CAP Cloud Service Exit Points
This release expands Content Aware Protection (CAP) coverage by adding ChatGPT and Claude as supported Cloud Services exit points on Windows and macOS. This enhancement allows administrators to include these AI-based applications in CAP policy definitions and apply content inspection and control more consistently across supported endpoints.
By extending visibility to these applications, Endpoint Protector helps organizations strengthen oversight of data movement through emerging AI and large language model (LLM) tools. This improvement supports more complete browser and application coverage in environments where AI services are part of everyday workflows.
Important: If your CAP policy uses the “All Applications” option, newly added applications will appear as selected after upgrading but will not be enforced until the policy is manually re-saved. After updating to this version, open any affected CAP policies, verify the application selection, and save the policy to apply monitoring to the new applications.
Requires EPP Client version 2605 or higher
Expanded SIEM Event Details for Improved Investigation
This release enhances SIEM event exports by adding more contextual information to Device Control and Content Aware Protection events. Administrators can now view additional details such as department name, Endpoint Protector Client version, and certificate state, giving security and compliance teams better visibility into the endpoint, user context, and protection status associated with each event.
To support faster analysis and more accurate correlation in external SIEM platforms, SIEM logs now also indicate whether an event has an associated file shadow. When a shadow is available, the logs can also identify the shadow storage location, helping administrators understand where the related evidence is stored and simplifying follow-up investigations.
Together, these improvements provide richer event data for monitoring, alerting, and forensic review, while helping teams investigate incidents more efficiently and with greater confidence.
Group Duplication for Faster Policy Setup
This release introduces a new Duplicate option in Device Control > Groups, making it easier to create new groups based on existing configurations. Administrators can now clone an existing group and reuse its rights, settings, and related configuration as a starting point, reducing the time required to build similar groups manually.
Duplicated groups remain fully editable, allowing administrators to adjust rights, settings, descriptions, department assignment, and other configuration details independently from the original group. This is especially useful when managing multiple groups that require only small variations in access rights, fallback policies, or transfer limit settings.
To support predictable administration, duplicated groups are created with the lowest priority by default and can be reordered later as needed. The duplication process is limited to the group configuration itself and does not automatically copy the group’s usage into other areas where the original group may already be referenced, helping prevent unintended policy assignments. Cloned groups are also created as regular groups, not smart groups.
Optional Notifications in Hidden Icon Mode
This release adds a new Show notification in Hidden Icon mode setting for environments using the Hidden Icon client mode. Administrators can now choose whether Endpoint Protector client notifications remain visible while the notifier icon stays hidden, providing more flexibility in how endpoint activity is presented to end users.
The new setting is available in the Endpoint Protector Client configuration section for Computers, Users, Groups, and Global Settings, and appears when Hidden Icon mode is selected. This allows administrators to preserve the discreet behavior of Hidden Icon mode while still displaying user-facing notifications when needed for policy awareness, guidance, or operational clarity.
With this enhancement, organizations can better balance a low-visibility client experience with the need to communicate relevant policy actions to users, while maintaining centralized control over how notifications are delivered across managed endpoints.
Improved SMTP Testing Feedback and Troubleshooting Visibility
This release improves the administrator experience when configuring and validating SMTP settings in Endpoint Protector. The WebUI now provides clearer feedback during test email operations, including a confirmation message when a test email is sent successfully, helping administrators verify their configuration more easily.
To support faster troubleshooting, SMTP-related failures now provide more meaningful error context for common connection and delivery issues. This includes clearer feedback for scenarios such as hostname resolution problems, timeouts, TLS or SSL negotiation failures, and SMTP server response errors. These improvements make it easier to identify configuration problems and reduce the effort required to diagnose email delivery issues.
Together, these changes improve visibility into SMTP test outcomes and help administrators validate email server settings with greater confidence.
UTC Timestamp Visibility in Content Aware Reports
This release adds a new Date/Time (Client UTC) field to Reports and Analysis > Content Aware Report, giving administrators direct access to the client-side event timestamp in Coordinated Universal Time (UTC). This enhancement helps teams that standardize investigations and incident analysis around UTC work more efficiently across distributed environments and time zones.
The new field is available in the Show/Hide Columns options, filters, exports, and audit records for Content Aware events. This makes it easier to review, search, and correlate Content Aware activity using a consistent time reference, especially when comparing Endpoint Protector events with SIEM data and other security logs.
OAuth Support for Microsoft Exchange Online SMTP Authentication
This release adds support for OAuth-based SMTP authentication for Microsoft Exchange Online, helping organizations align with Microsoft’s deprecation of Basic Authentication for SMTP AUTH. Administrators can now configure Endpoint Protector to use OAuth 2.0 for email delivery when integrating with supported Microsoft mail services.
To support this change, email configuration has been moved to a dedicated Mail Settings section under System Configuration, where administrators can choose between Basic and OAuth authentication methods. When OAuth is selected, Endpoint Protector provides the fields required for Microsoft-based SMTP authorization, including tenant and application details, client secret, and redirect URI.
This enhancement improves compatibility with modern Microsoft email security requirements while helping ensure continued delivery of alerts, notifications, and test emails in environments that rely on Microsoft Exchange Online.
Netwrix Data Classification Label Definitions for CAP and eDiscovery Policies
This release introduces support for defining Netwrix Data Classification (NDC) labels in the Denylists interface and using them in Content Aware Protection (CAP) and eDiscovery policies. This enhancement extends Endpoint Protector’s label-based policy capabilities and gives administrators a structured way to incorporate NDC classifications into content detection workflows. This functionality requires EPP Client version 2505 or later.
Administrators can now create NDC label definitions directly in the WebUI by specifying label details and choosing how Endpoint Protector should identify them. Detection can be configured using the NDC name property value, the NDC label value, both values together, or the Keywords document property. This provides greater flexibility when aligning Endpoint Protector policies with how NDC labels are defined and stored in documents.
For customers who previously used custom dictionaries to manage these labels, the new interface also provides a clearer and more centralized way to onboard and maintain NDC label definitions going forward. This helps simplify ongoing administration and makes label management easier and more consistent across environments.
Requires EPP Client version 2605 or higher
HEIC File Type Support in CAP and eDiscovery Policies
This release adds HEIC image support to Content Aware Protection (CAP) and eDiscovery file type definitions, allowing administrators to include HEIC files in policy configuration and detection workflows across supported platforms. This enhancement improves coverage for environments where HEIC is used as a standard image format, helping ensure these files are evaluated consistently alongside other monitored content types.
To support more accurate identification, Endpoint Protector now recognizes the relevant HEIC file type and associated MIME types used for this format. With this addition, administrators can define CAP and eDiscovery policies that account for HEIC-based content more effectively, improving policy completeness and reducing the risk of image files being overlooked during content inspection.
Requires EPP Client version 2605 or higher
Extended Yandex Browser Coverage in CAP Policies
This release extends Yandex Browser support in Content Aware Protection (CAP) policies to Windows and Linux, expanding coverage beyond the existing macOS implementation. Administrators can now use Yandex Browser as a policy exit point across all supported operating systems, improving consistency in browser-based content monitoring.
With this enhancement, organizations that use Yandex Browser in mixed-platform environments can apply CAP policies more uniformly and reduce gaps in coverage across endpoints. This helps ensure that browser-based data movement through Yandex Browser can be monitored and controlled more effectively as part of a broader data protection strategy.
Requires EPP Client version 2605 or higher
Updated Default Client Logging Settings for New Deployments
This release updates the default Client Debug Logging configuration for new Endpoint Protector deployments. The default logging level is now set to Error instead of None, helping ensure that important client-side issues are captured more consistently from the start.
In addition, Obfuscate Sensitive Data is now enabled by default. This helps improve privacy and reduce exposure of sensitive information in client debug logs while still preserving useful troubleshooting data.
These updated defaults apply to new deployments only and do not modify existing customer configurations, helping preserve backward compatibility while improving the out-of-box logging behavior.
Upcoming Deprecations
| Component | Description | Case # | Targeted Release |
|---|---|---|---|
| General | Contextual Detection under SYSTEM PARAMETERS will be discontinued in future updates and replaced by ‘Context Detection Rules’ in the ‘Content Detection Summary’ section of CAP Policies. | EPP-8941 | Upcoming release |
| General | The File Shadow Maintenance feature, which provides functionality for listing and managing File Shadows stored locally on the EPP Server, will be discontinued in the future. | | Upcoming release |
| Log Interval / Shadow Interval | The Log Interval and Shadow Interval settings are scheduled for deprecation in an upcoming release. As client upload behavior moves toward immediate log and shadow delivery, these settings will become obsolete and are planned for removal in version 5.9.6.0. | 426325 | Upcoming release |
Bug fixes
| Module | Description | ADO Number | Salesforce Number |
|---|---|---|---|
| Alerts | Content Aware Alert Email Delivery - Fixed an issue where Content Aware alert emails were not generated in certain configurations that included both computers and users. In these cases, incorrect policy association in backend processing could prevent the alert from matching the expected policy and stop the email from being sent. Alert evaluation now works correctly, and email notifications are generated as expected. | 320002 | 00029809 |
| SIEM Integration | Administrator Username in SIEM Logs for SSO Authenticated Users - Fixed an issue where SIEM exports displayed the Azure UUID instead of the administrator username for users authenticated through Single Sign-On (SSO) with Azure AD. Endpoint Protector now sends the correct username in SIEM logs, improving event readability and audit traceability. | 377615 | 00437325 |
| CAP | Paste Restriction Enforcement for KakaoTalk on macOS - Fixed an issue where Content Aware Protection paste restrictions were not enforced for KakaoTalk on macOS when the option to apply paste restrictions to all monitored applications was enabled. This occurred because the localized KakaoTalk process name was not recognized correctly. KakaoTalk is now identified properly and paste restriction policies are enforced as expected. | 412474 | 00463597 |
| Reports and Analysis | Log Export for Administrators Assigned to Multiple Departments - Fixed an issue where log exports could fail when initiated by an administrator assigned to multiple departments. This affected export generation from reports such as Device Control, Content Aware Protection, and File Tracing. Log exports now complete successfully regardless of the number of departments associated with the administrator. | 415113 | 00468236 |
| Reports and Analysis | Historical CAP Policy Type Display After 2602 Upgrade - Fixed an issue where historical Content Aware Protection logs created before the 2602 update could be displayed incorrectly as Outside Network instead of Standard in Reports and Analysis after the patch was applied. Historical log entries now retain the correct policy type in reports. | 416392 | 00469556 |
| Single Sign-On | SSO Redirect Handling After Login - Fixed an issue introduced after the 2601 upgrade where Single Sign-On (SSO) authentication could complete successfully, but the console did not redirect users correctly and displayed a failure message instead. This issue affected environments using PingID. Users are now redirected to the Endpoint Protector dashboard as expected after successful authentication. | 417621 | 00468481 |
| System Maintenance | System Backup Import with Legacy Database Schemas - Fixed an issue where System Backup import could fail when the backup was created from an older database schema and restored on a newer Endpoint Protector server version. System Backup imports now complete successfully in legacy schema migration scenarios. | 417735 | 00466840 |
| Reports and Analysis | CAP Log Details for Delegated Administrators - Fixed an issue where administrators with access to the Reports and Analysis section, but without Super Administrator privileges, could not expand and view Content Aware Protection log details. CAP event details now load correctly for delegated administrators with the appropriate permissions. | 419361 | 00470747 |
| General | QuickLogs Recovery and Ingestion Handling - Improved handling for scenarios where oversized QuickLogs directories could interrupt log ingestion. However, such cases should still be flagged by customers and go through Netwrix Support for a quicker fix. | 423709 | 00472377 |
| Directory Services | Active Directory Sync for Organizational Units with Special Characters - Fixed an issue where Active Directory sync could fail to display Organizational Units and related objects in the Directory Browser when Organizational Unit names contained special characters, such as %, , parentheses, braces, or brackets. Associated objects, including groups, computers, and users, are now displayed and synchronized correctly. | 425953 | 00474344 |
| Reports and Analysis | Okta not able to create groups through SCIM - Fixed an issue where group provisioning from Okta through SCIM could fail because the Department attribute was required during group creation. Endpoint Protector now supports Okta SCIM group creation without requiring this attribute, improving compatibility with Okta group provisioning workflows. | 418944 | 00470914 |
Known limitations
| Component | Description | Case # |
|---|---|---|
| Content Aware Protection | An error is returned when enabling CAP and eDiscovery modules on a new server: “An error occurred. Please ensure the Endpoint Protector Server has a functional Internet connection or that the required domain and ports have been whitelisted for outgoing traffic.” This is not a blocking limitation, as the modules can be enabled by clicking “Save” and trying to enable them a second time. | |
| Content Aware Protection / Reports and Analysis | For Content Aware Protection logs generated before version 2602, the Policy Type shown in Reports and Analysis may display incorrectly after applying the 2602 patch. This affects historical logs only. Logs generated in later versions display the policy type correctly, but previously stored records cannot be corrected retroactively. | 416392 |
Need help with this update?
There are many different ways to get help with our products!
| Situation | Action |
|---|---|
| There are many different ways to get help with our products! | Contact Support |
| If you have a question you’d like to ask other experts… | Create a discussion in the community: Endpoint Protector Discussions & Questions |
| If you have a feature request… | Let our product team know directly: Endpoint Protector Ideas |
| If you have something cool to show… | Show everyone what you built: Endpoint Protector Show & Tell |
What are your thoughts?
We are always happy to hear from our users on what you like, and what you hope to see in the future. Please, share your thoughts below!









