Important Update: Endpoint Protector Hosted Support Policy Change

Dear Valued Customer,

At Netwrix, we are committed to ensuring your Endpoint Protector environment remains secure, stable, and fully supported. As part of our ongoing efforts to deliver consistent performance and timely improvements, we are updating our support policy for all Hosted Endpoint Protector environments.

Note: This change transitions your Hosted Environment to SaaS (Software as a Service.)

Effective Aug 15, 2025, Netwrix will begin automatically applying all server-side upgrades and patches to Hosted Endpoint Protector instances.

Previously, Hosted customers could choose when (or if) to apply server updates. Going forward, all Hosted environments will be kept current by Netwrix—ensuring your server instance benefits from the latest features, security enhancements, and bug fixes without requiring manual intervention on your part.

This change applies only to the server-side. You will continue to be responsible for updating the client software on your endpoints.

About This Document: This is a living document and may be updated periodically. Before opening a support case, please ensure your question has not already been addressed here. Come back as needed for further updates.

FAQ

Q: What is changing?

Starting on or around Aug 15, 2025, Netwrix will automatically apply all server-side upgrades and patches to Endpoint Protector Hosted environments. Customers will no longer be able to delay or skip server updates.

Q: Why is this an improvement?

By having Netwrix automatically apply all server-side upgrades and patches, you will always be sure you’re up to date with both features and resolved security concerns.

Q: What stays the same?

Customers are still responsible for keeping client software up to date. This can be done manually (SCCM, Intune, etc.) or by using the existing Client Software Upgrade mechanism within the Endpoint Protector Server.

To update clients:

• Download the latest client installer.
• Upload the file into your Hosted server via Offline Patch Uploader, then use the Client Software Upgrade functionality if you wish to use the Endpoint Protector server to update the clients.

This process is unchanged and continues to give you full control over client deployment timing.

Q: Why are client installers no longer bundled with server updates?

To simplify update workflows and reduce coupling, client installers are now distributed separately. This allows server updates to proceed automatically while giving you flexibility to roll out clients as needed.

Q: Do I need to respond or take any action?

No action is required if you accept this policy change. Your Hosted server will begin receiving automatic updates as of Aug 15, 2025.

Q: What if I prefer not to have my Hosted server automatically updated?

If you prefer to control both server and client update timing, you must transition to the on-premises/self-hosted version of Endpoint Protector. When you transition to an on-prem/self-hosted version of Endpoint Protector, you can be in control of your server editions and patch levels. You will only be notified of new editions, patches and security updates via Netwrix Community announcements; and no automatic updates will be performed on your on-prem/self-hosted version of Endpoint Protector.

Q: What Virtual Appliance Formats may I transition to for On-Prem or Self-Hosted?

For On-Premise Deployment, we provide two image formats to suit different virtualization needs.

OVF Format - This versatile format works seamlessly with several platforms, including:

• VMware Player
• VMware Workstation
• Oracle VM VirtualBox
• VMware vSphere (ESXi)
• VMware Fusion Professional

VHDX Format - Specifically designed for compatibility with:

• Microsoft Servers
• Hyper-V

Simply install the Appliance in a Virtual Environment and request a license file from your Netwrix Account Manager.

Q: How do I opt out and begin the transition from Netwrix Hosted to On-Prem or Self-Hosted?

To opt out, you must open a support ticket before the new policy goes into effect. You can open a support ticket here.

Then initiate your transition to the on-premises/self-hosted version. If no ticket is opened by Aug 15, 2025, your Hosted server will be included in the automatic update program starting on or around Aug 15, 2025.

Q: What details do I provide support if I want to opt out and host my own on-prem/self-hosted version?

We need a few pieces of information. Please tell us:

• Your URL of your Endpoint Protector hosted instance. Example:dlr1234.hosted.endpointprotector.com
• Your Server ID
• License end date

Example screenshot of how to discover all three items can be found below:

[/wrap]

Q: How do I backup and restore my server? And what is lost in that process?

Support will create a backup for you that you can restore to your new on-prem/self-hosted server. This will maintain your configuration and policies.

Note that logs and File Shadows are lost in transition. Support can help you back these up for an archival reference; but they don’t survive a backup/restore.

Q: How do I re-point my existing endpoints from the Netwrix Hosted server to my on-prem / hosted server ?

Netwrix support can provide a script to enable you to run on your endpoints (using your own tool, like SCCM, Netwrix EPM Scripts & Triggers, etc) to point your machines at your new address.

Q: If I opt out and get my own on-premises/self-hosted version, how long until my Hosted Environment is disabled?

This could vary from customer to customer but we can discuss your specific case after you open a ticket.

Q: How much downtime should I expect per patch or update? ?

Sometimes there’s no downtime at all—we simply run a script or apply the patch in the background, and you won’t notice any disruption.

Other times, when downtime is required, we schedule it based on your local time zone. For example, patches for the USA are typically applied during the night, and similarly for the Europe and other regions. In general, expected downtime will be brief—usually within a 2–3 hour window in the middle of the night.

Q: Will I experience data loss during patching downtime?

When a server is down, communication stops and is held locally at each endpoint. When the server is started again after the maintenance window, clients simply push up their known logging data.

Q: How will I know my proposed downtime & update timeframe?

All updates regarding what is being patched and what approximate day will be posted to Community. However the exact timeframe will be based upon your customer instance time-zone and be performed outside of office hours.

Q: What if something goes wrong with my update?

We take system snapshots twice a day. If needed, we can roll back to a previous state quickly and safely.

Q: I am a paid Pre-Production (STAGING) customer. What is the “Preview Program” (Paid SaaS Customers Only)

Who this is for
Customers with a paid Endpoint Protector STAGING instance who want early access to a SaaS release before general rollout.

What you’re opting into
By enrolling your STAGING instance for a preview window (scheduled with Support), you accept that we may deliver builds as full-appliance images (e.g., VMX/OVF/VHDX/AMI), not incremental patches. We may replace the entire appliance more than once during the preview as issues are found and addressed.

Translation: during the preview, STAGING is ephemeral. Treat it as disposable.

Data & State Implications (Read This)

During full-appliance replacements and certain corrective actions, the following may be lost on your STAGING instance:

• Operational data collected after the last snapshot: logs, alerts, audit trails, and File Shadows

• Runtime state: queued server-side events, job history, cached reports

• Local uploads: client installers you uploaded to the STAGING server (you may need to re-upload)

• Ad-hoc config changes made after the captured baseline (see “Baselines & Snapshots”)

What we preserve/restore when feasible

• We take snapshots periodically (typically twice daily) during the window and maintain a configuration baseline (policies, rules, users, roles, settings) we aim to re-apply to each new image.

• Endpoint behavior: when the server is down, endpoints buffer communications and resume when the server returns.

• Certificates/SSO/integrations: we attempt to carry these forward; if the new image requires a different trust chain or connector version, you may need to re-establish them.

Do not treat STAGING as a system of record. If you need testing evidence or audit history, export it before and after each validation run.

Customer Responsibilities (Before You Opt In)

1. Acknowledge data volatility: You accept potential loss of logs/File Shadows and other runtime state on STAGING during the preview.

2. Back up what you care about: Export policies, reports, and any artifacts you’ll want to compare across builds.

3. Harden your test plan: Keep a short, repeatable validation script (e.g., CAP rules, Device Control, Smart Groups, EE workflows).

4. Have installers handy: Keep your client packages ready to re-upload if needed.

5. Name a contact & window: Provide an instance time zone, a preferred maintenance window (local night hours), and an on-call contact for fast decisions.

6. Use non-production data where possible: STAGING is for validation, not long-term retention of sensitive data.

Baselines & Snapshots

• We capture a configuration baseline before the first cut-over. Subsequent replacements aim to start from that baseline.

• Snapshots are point-in-time; if we replace the appliance, we may roll forward from the baseline rather than merge all interim changes.

• If a rollback is required, we roll back to the last good snapshot of that image, not to intermediate states you created later.

Support & Rollback

• If a preview build misbehaves, we may (a) hotfix, or (b) replace the appliance again.

• If neither is acceptable, we can roll STAGING back to the pre-preview state (with the same data-loss caveats above).

How to Request Your STAGING Preview (Not Automatic)

Open a support ticket with the following:

Subject: REQUEST: EPP STAGING Pre-Release (Preview Window)
Fields to include:

• Company name

• STAGING URL (e.g., dlr1234.hosted.endpointprotector.com)

• Server ID and License end date

• Instance time zone and preferred maintenance window

• Primary on-call contact (name, email, phone/Teams)

• Integrations in STAGING (SSO/IdP, SMTP, SIEM, Webhooks)

• I acknowledge the STAGING data/state terms (checkbox text below)

• Optional: specific fixes/features you intend to validate

Required Acknowledgement (paste into your ticket)

I am an authorized representative of . I request enrollment of our paid STAGING Endpoint Protector instance in a pre-release preview window. I acknowledge that during this preview Netwrix may replace the entire appliance (e.g., VMX/OVF/VHDX/AMI) and that operational data and runtime state on STAGING may be lost, including logs and File Shadows captured during the window. I will export any data I need to retain. I understand that integrations and uploads may require re-configuration or re-upload. I accept the associated downtime, data-volatility, and rollback model described in this notice.

After Each Cut-Over — Your Quick Checklist

• Re-run smoke tests (auth, dashboards, CAP/Device Control enforcement, Smart Groups resolution, reporting)

• Verify integrations (SSO login, SMTP test, SIEM delivery)

• Re-upload client installers if using server-side client upgrades in STAGING

• Capture a brief validation summary and share issues via the ticket

Bottom line: STAGING is where we move fast. Expect whole-image cut-overs, brief night-time downtime, and possible loss of STAGING-only data. If you need full control and data stability, don’t enroll—or run your tests after GA on a pinned image.

Final Thoughts…

We believe this change will deliver a more reliable and secure Hosted experience, while continuing to provide flexibility where it matters most. If you have any questions, please don’t hesitate to reach out.

Thank you for your continued partnership.

Sincerely,
The Netwrix Endpoint Protector Team