About This Release

Endpoint Data Protection 26.1 provides new and improved features. During the development of this version, we focused on valued feedback from our customers and partners to provide an ideal feature selection. For a quick overview of the most important enhancements in this release, take a look at our Release Highlights video on the Matrix42 YouTube channel (coming soon).

Build Information

  • Current Status: Technical Release
  • Download: Marketplace
  • Initial Build Version: 26.1.0.0

Important Announcements

Before you start the update, please review the following information. 

Full Disk Encryption 26.1 Release

At the beginning of April, we officially released Matrix42 Full Disk Encryption 26.1, marking the first public major release of the new Full Disk Encryption generation. This release concludes a long and carefully validated development journey that started with Full Disk Encryption 25.0 Update 1, which was previously provided through a Controlled Rollout. Since then, extensive architectural improvements, security‑critical updates, as well as numerous bug fixes and stability enhancements have been implemented based on internal development efforts and direct feedback from Controlled Rollout participants. Full Disk Encryption 26.1 consolidates this work into a stable, production‑ready release and represents a significant milestone for customers using Matrix42 Full Disk Encryption in enterprise environments. For additional information, please refer to Release Notes Full Disk Encryption 26.1 and UEFI CA 2023 Compliance.

Code Signing Certificate Provider Change

We have changed the code signing certificate provider used to sign our product binaries. Previously, our software packages were signed using certificates issued by DigiCert. Starting with Endpoint Data Protection 25.4.0.5, the software is signed with certificates issued by GlobalSign. To avoid issues when updating to the new release version, first verify that your server already trusts the GlobalSign root and intermediate certificates. Right-click the executable, select Properties and navigate to Digital Signatures. Select Matrix42, press Details, press View Certificate and navigate to Certification Path to check the chain. If the certificate chain is not fully trusted, please review the following article: Code Signing Certificate Provider Change – GlobalSign Root Certificate Requirement.
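The same chain check can be scripted so it can run on every server before the update. The following PowerShell script is an added example, not Matrix42 code; the installer path is a placeholder to be adjusted.

```powershell
# Added example (not part of the Matrix42 release notes or product): check that
# the Authenticode signature on a downloaded package chains to a trusted root.
# Assumption: $InstallerPath is a placeholder; point it at the EDP setup executable.
param(
    [string]$InstallerPath = "C:\Temp\EDP-Setup.exe"
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
"Signature status : $($sig.Status)"

if ($null -eq $sig.SignerCertificate) {
    "File is not signed; do not install it."
    exit 1
}
"Signer           : $($sig.SignerCertificate.Subject)"

# Build the certification path the way the Properties > Digital Signatures
# dialog does, checking revocation online while doing so.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$trusted = $chain.Build($sig.SignerCertificate)

"Certification path (leaf first):"
foreach ($element in $chain.ChainElements) {
    "  " + $element.Certificate.Subject
}

if (-not $trusted) {
    "Chain is NOT fully trusted:"
    foreach ($status in $chain.ChainStatus) {
        "  $($status.Status): $($status.StatusInformation.Trim())"
    }
    "Import the GlobalSign root and intermediate certificates (see the linked article) and re-run."
    exit 1
}

# The last chain element is the root; after 25.4.0.5 it should be a GlobalSign CA.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root             : $($root.Subject)"
if ($root.Subject -notmatch 'GlobalSign') {
    "Warning: root is not a GlobalSign CA; verify the package source before installing."
}
"Chain is trusted; the server can validate the new signature."
```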

System Requirements and Deprecations

Over time, there have been changes to system requirements as well as deprecations of certain features. To ensure a smooth update process and avoid unexpected issues, we strongly recommend reviewing the Update Guide: Endpoint Data Protection beforehand. It provides an overview of both recent and historical changes that may impact your environment.

Overview

New Features

New Improvements and Changes 

New Features

Please find all new features and major improvements in Endpoint Data Protection 26.1 below.

Comprehensive Search Results for Users and Devices

In large directory environments, searching for users or computers within a hierarchical directory structure can be time‑consuming—especially when names occur frequently or are shared across multiple organizational units. Previously, entering a search term would automatically navigate through the directory tree to the next matching object, which could make it difficult to get a comprehensive overview of all matching results.

To simplify and improve the search experience, the directory view has been enhanced with a dedicated Search tab in addition to the existing Directory view.
The Directory tab retains the existing behavior: entering a search term and pressing Enter navigates through the directory structure as before. This ensures backward compatibility for users who rely on the navigation‑based search.

When switching to the new Search tab and performing a search, the results are displayed as a list of all matching objects. This applies to both users and computers and includes additional context such as the associated domain or organizational unit (OU), making it significantly easier to identify the correct object.

This improved search experience is available wherever the directory service structure view is used, providing a more efficient and user‑friendly way to locate directory objects—especially in large or complex environments.

Exclude M365 Groups from Directory Synchronization

In large Entra ID (formerly Azure AD) environments, the number of Microsoft 365 (M365) groups often grows continuously. While these groups are essential for collaboration and cloud workloads, they typically do not provide value for administration within Endpoint Data Protection (EDP). As a result, synchronizing all M365 groups can significantly clutter the management console, increase database size, and negatively impact performance, especially in large enterprise environments.

To address this, Endpoint Data Protection now provides an option to exclude Microsoft 365 groups from the “All Domains” synchronization. When this option is enabled, M365 groups from Entra ID are no longer synchronized into the EDP database. Existing M365 groups are marked as deleted and removed according to the configured “Delete objects removed from the directory” retention timeframe, ensuring they no longer appear in the management console. This reduces noise in the directory view, improves usability, and helps administrators focus on security‑relevant objects, such as users, computers, and security groups, that are required for EDP administration.

The exclusion setting is applied globally to ensure consistent synchronization behavior and to avoid configuration complexity. All changes to synchronization settings are fully audited and visible in the revision and reporting views. This feature is particularly valuable for organizations with large Entra ID tenants, helping to improve performance, clarity, and overall administrative efficiency.

Encryption State Diagnostics and Recovery Improvements

In real‑world environments, encryption or decryption processes can be interrupted, for example due to system restarts, connectivity issues, or user interference. This can leave files in an inconsistent state, making troubleshooting, auditing, and recovery difficult and often requiring manual intervention. This release introduces enhanced diagnostic and remediation capabilities for NSE‑encrypted folders, covering both managed systems with an EgoSecure Agent and unmanaged systems without one.

With the Cryption Informer, administrators and support engineers can now analyze NSE‑encrypted folders and determine the encryption state of individual files. When the EgoSecure Agent and the required encryption keys are present, the Cryption Informer can also repair interrupted encryption or decryption processes, restoring a consistent and operational state without reconfiguration.

For systems without an EgoSecure Agent, a new standalone analysis script is provided. The script allows administrators to inspect NSE‑encrypted folders and export the encryption state of files (for example, encrypted vs. unencrypted) without requiring agent installation or access to encryption keys. This is particularly useful for audits, investigations, and environments where remediation is not required. 

Together, these additions significantly improve transparency, reduce manual effort, and support common troubleshooting scenarios observed in production environments. For additional information, please refer to Checking and Repairing NSE Encryption States on Managed and Unmanaged Systems.

Figure: Encryption state via Cryption Informer

Figure: Executed scan with the standalone script

Scalable Network Share Encryption Management 

In large environments with thousands of network shares, managing Network Share Encryption can become challenging. We received feedback about significant usability and performance issues when navigating or searching through extensive lists of shares, leading to delayed responses and a frustrating administration experience. To address this, the Network Share Encryption view has been redesigned with a strong focus on scalability, responsiveness, and efficient navigation.

The console now renders only the rows currently visible on screen, which dramatically improves scrolling performance and overall responsiveness, even when working with very large datasets. In addition, the header and top bar can be collapsed, reducing visual clutter and allowing administrators to focus on the relevant information. 

Search behavior has also been refined to optimize responsiveness in large environments. Filtering is now executed only when the search field loses focus or when the Enter key is pressed, rather than re‑evaluating the result set on every keystroke. This significantly reduces unnecessary processing and prevents delays when working with large numbers of network shares, while preserving the existing search logic. To further improve navigation and discovery, network shares can now be grouped by host or domain, making it easier to locate and manage specific shares in complex environments. 

Figure: Default view with expanded top bar

Figure: List grouped by host name and collapsed top bar

Together, these improvements reduce the time administrators spend locating network shares, improve usability at scale, and ensure that the Network Share Encryption view remains responsive and manageable for enterprise customers.

New Improvements

Please find all new fixes and improvements in Endpoint Data Protection 26.1 below.

Fixes and Improvements included in this Release

Resolved Problems

  • Fixed an issue where access restrictions for USB floppy drives were not enforced correctly. In affected configurations, where floppy drive access was disabled and no individual device permissions were defined, users could still access USB floppy drives even though No Access was configured and correctly displayed in the Agent and logs. With this fix, USB floppy devices are no longer treated as system disks, ensuring that configured access restrictions are now properly enforced without requiring individual device permissions. (PRB38466)
  • Fixed an issue where comments could not be saved for users, computers, or groups that exist in both on‑premises Active Directory and Entra ID in hybrid environments. In affected versions, attempting to add a comment resulted in an error indicating a duplicate SID, and the comment was not stored. With this fix, the domain relationship of directory objects is now correctly taken into account when editing such entries, ensuring that comments can be saved reliably regardless of whether the object exists in one or multiple directory sources. (PRB39116)
  • Fixed an issue where groups were not synchronized into the directory service structure when synchronizing an Entra ID domain with the “Include groups” option enabled. Due to the flat structure of Entra ID (without organizational units), the Groups container remained empty, even though group synchronization was requested. With this fix, groups are now correctly retrieved and populated when synchronizing the directory structure from Entra ID, while the existing “Include groups” option continues to apply only to on‑premises Active Directory environments. (PRB39343)
  • Fixed an issue where non‑ASCII characters from Microsoft Entra ID were displayed incorrectly in the EgoSecure Console. In affected versions, user and group names containing special characters—such as German umlauts or other extended Latin characters—were shown with corrupted or invalid symbols when synchronized from Entra ID, while the same data appeared correctly when sourced from on‑premises Active Directory. With this fix, Unicode handling has been corrected to ensure all special characters are displayed properly and consistently for Entra ID–synchronized objects. (PRB39169)
  • Fixed an issue where temporarily granted access rights for device classes were not displayed correctly after expiration when the original access right was inherited. In affected versions, once a temporary full access grant expired, the Console briefly showed no access (not inherited) instead of restoring the previously inherited access right, although the correct permission was still enforced on the Agent. With this fix, the Console now correctly restores and displays the inherited access state immediately after the temporary access period ends, and the revision history accurately reflects the restored permission without requiring a manual refresh. (PRB38540)
  • Fixed an issue where Audit report exports generated incorrectly formatted CSV files when file names contained special characters. With this fix, all values are now properly enclosed in quotation marks to ensure that embedded delimiters are correctly escaped and the CSV structure remains intact. (PRB39121)
  • Fixed an issue where the EgoSecure Management Console crashed when assigning users to computers or computers to users via the management interface. Although the assignment itself was successfully saved in the backend, the console terminated unexpectedly during the post-save processing, likely due to an issue in UI handling. This has been resolved by correcting the array handling logic, preventing the inclusion of invalid elements and ensuring stable operation of the console. (PRB39490)

Additional Improvements

  • Updated terminology across the Management Console to reflect Microsoft’s current naming by replacing references to Azure AD with Entra ID. This ensures consistent terminology throughout the product and aligns the user interface with Microsoft’s latest platform branding and documentation.
  • Updated all hardcoded links in the Management Console to reference the new Matrix42 Help Center at docs.matrix42.com.
  • Improved domain synchronization logging by adding wide‑character (Unicode) support. Special characters are now written and displayed correctly in domain synchronization logs.
  • Updated the access handling of the GetMSIParams method to align it with the intended execution context. The method is now limited to requests originating from the Management Console and the Admin Tool, ensuring consistent behavior and preventing unintended usage scenarios.

Fixes and Improvements already distributed as Hotfixes

  • Endpoint Data Protection 25.4.0.6
    • Fixed an issue where the Presence approved files filter did not correctly enforce access restrictions. In affected versions, files added to external storage after a successful Presense scan could still be accessed by the EgoSecure Agent, although access should be restricted to scanned and approved content only. With this fix, the Agent now correctly validates external media content against the Presense scan report and only allows access to files that are marked clean and whose hash matches the report. Any unscanned or modified files are properly blocked as intended. (PRB39197)
  • Endpoint Data Protection 25.4.0.5
    • Fixed an issue with AD synchronization where the tenantId variable was not reset after the main sync loop, causing a stale value to be used when creating parent OUs for moved entities in the deletion check loop. This resulted in OUs being assigned an incorrect tenantId (from the last processed entity in the main loop). (PRB39332)
  • Endpoint Data Protection 25.4.0.4
    • Fixed a performance degradation issue that occurred when the EDP Application Control module was used together with certain third‑party security solutions, such as Trend Micro Worry‑Free Business Security Agent. (PRB38413)
    • Fixed an issue that occurred in environments where AD objects from the same domain were distributed across multiple tenants. Deleting a parent AD object in one tenant could previously cause device permissions associated with child AD objects in other tenants to be processed incorrectly. This sometimes led to allowed devices being treated as blocked, forcing users into an unnecessary challenge‑response workflow to regain access. With this fix, device permissions for child AD objects are now handled correctly across all tenants when a parent AD object is deleted, ensuring that allowed devices remain accessible as intended. (PRB38786)
    • Fixed an issue where the email or expiredAccount attributes of on‑premises AD user objects were not correctly synchronized when a full synchronization was executed with “Synchronize only objects changed within the last X days” disabled. This issue affected all versions from 25.0.0.2 through 25.4.0.3. (PRB39211)
  • Endpoint Data Protection 25.4.0.3
    • Fixed an issue where Active Directory group synchronization could result in missing group members by improving how direct group memberships are resolved.
    • Updated the embedded 7-Zip library (7z.dll) to version 25.0.1.
  • Endpoint Data Protection 25.4.0.2
    • Resolved an issue causing port exhaustion during device inventory uploads from agents. (PRB39026)
    • Optimized server handling of maxClients to ensure connections stay within configured limits. (PRB39026)
    • Database optimization: Added indexes to key device-related tables to improve performance and scalability in large environments. (PRB39026)
    • Fixed an issue where the device-computer mapping was not displayed in the Management Console. (PRB39056)
    • Added an option in the Admin Command-Line Tool to enable or disable the Login As feature quickly for all or specific tenants. To enable or disable the "Login As" feature via command line, use the following command and set 1 for enabled and 0 for disabled. After /tenant, specify a tenant name or use all to apply the setting to all tenants: 
AdminTool.exe /loginAsOnAgent 0 /tenant all
  • Endpoint Data Protection 25.4.0.1
    • Added missing Agent translations for the recently introduced option to keep the Cryption Informer open.
    • Added a new registry key to explicitly allow Logins with Active Directory Credentials. If you want to activate or keep the Logins with Active Directory credentials within your Endpoint Data Protection environment, perform the following after the update: 
      • Open the Registry on your Endpoint Data Protection server
      • Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EgoSecureServer\Parameters
      • Create a new DWORD (32-bit) value named WindowsAuthenticationOn and set 1 as value.
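The registry step above can be audited and applied from PowerShell, which is useful when several EDP servers must be checked after the update. The following script is an added example, not Matrix42 tooling; the -Enable switch is introduced here and must be run elevated on the server.

```powershell
# Added example (not Matrix42's own tooling): report, and optionally set, the
# WindowsAuthenticationOn value that allows logins with Active Directory
# credentials on an Endpoint Data Protection server.
# Assumption: run in an elevated session on the EDP server; -Enable is a switch
# defined by this script, not a product option.
param(
    [switch]$Enable
)

# Same key as in the manual procedure, expressed as a PowerShell drive path.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EgoSecureServer\Parameters'
$ValueName = 'WindowsAuthenticationOn'

if (-not (Test-Path $KeyPath)) {
    "Key $KeyPath not found; is the EgoSecure server installed on this machine?"
    exit 1
}

# Read the current value; a missing value means AD-credential logins are not
# explicitly allowed after the update.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    "$ValueName is absent: logins with Active Directory credentials are not explicitly allowed."
} else {
    $state = if ($current -eq 1) { 'enabled' } else { 'disabled' }
    "$ValueName = $current ($state)"
}

if ($Enable) {
    # Create or overwrite the DWORD (32-bit) value with 1, as the procedure describes.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    "$ValueName set to 1 under $KeyPath."
}
```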

Knowledgebase  

The following new Knowledge Base articles have been added: