Please note that WinMagic is deprecating SecureDoc V4 Pre-Boot Authentication (PBA) support for SEDs in favor of the more fully featured and more capable V5 Pre-Boot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.
WinMagic has done extensive work to improve, streamline and augment the security surrounding the initial deployment of Key Files during the process of installing the SecureDoc Client software, bearing in mind that many customers have widely divergent requirements relating to how devices are used during and after initial installation. Some customers install SecureDoc while the primary device user is on or will be on the machine, while others may need to protect new devices before the end-users of those devices have been defined, as well as other scenarios.
Please refer to the "When SecureDoc server is upgraded to version 7.1 SR4 from previous versions (6.5 or earlier)" and "Device Provisioning Rules" sections under the "Creating Installation Packages for Windows" chapter in the SES User Manual to understand how these new settings work, in order to inform your own use of these new features, particularly as they operate in a way that cannot be easily migrated from the previous methodology to the new methodology. Upon upgrading from an earlier version, you will need to adjust each of your existing Installation Packages to reflect the deployment methodology that will meet your security design.
System requirements and supported devices, including tokens and SmartCards, for SecureDoc v7.1 SR4 are listed here.
Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating that Full-Text Indexing is absent. This message does not give the user the option to stop the installation of SES; continuing will require retrofitting Full-Text Indexing into the existing SQL Server afterwards.
Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.
Note: SDOT for FileVault2 is now available as a BETA. SecureDoc PreBoot is now supported on FileVault2 devices to provide PreBoot network authentication as well as smartcard authentication. For more information, please see the SDOT FV2 beta guide at this link: http://downloads.winmagic.info/SD7.1SR4/Build_136/SDOTFV2_Beta.pdf
CAVP Certificates for the ANSI X9.31 and FIPS 186-2 PRNGs support after December 31st 2015
Device’s SES folder can be defined in installation package
It is now possible to define, in the installation package, where a device should be stored in SES. The device can be placed in the registration folder, the owner’s folder or a specific other folder.
Windows login message now indicates if login failed because SmartCard/token is absent
This avoids user confusion. A new, more focused error message will appear in the case that the smart card is removed. This message will read: "No Smart Card or Token detected. Please insert a Smart Card or Token and re-try."
64-bit Linux-based Pre-Boot (PBL) is now available as an alternative Pre-Boot Authentication option (PBA) within the V5 Pre-Boot environment
This was deemed necessary for selected devices where the existing PBL 32-bit is not functional.
Note that this option should only be used on a very narrow range of devices for which 32-bit Pre-Boot does not work, and should NOT be considered a generic solution that will work on all 64-bit processors. In all other cases the 32-bit Pre-Boot is the most suitable and recommended Pre-Boot environment.
When automatic encryption is selected, Mac users will no longer be able to cancel RME (removable media encryption)
The ability to cancel RME when automatic encryption with countdown is selected has been removed as it was seen as inappropriate in the context of mandated encryption. If the user wishes to avoid encrypting a USB device during the countdown, he/she should simply remove the device from the USB port.
Add PBU/PBLU boot configuration profile option to permit force-booting directly into Windows
A new profile setting has been added to define the option of forcing direct boot to Windows – this applies to UEFI devices.
This new option can be found in the profile settings, on the Boot Configuration screen of the Advanced Options tab, under the name "UEFI - Force Direct Boot to Windows".
For SecureDoc FileVault, the recovery account is now transparent to OS X upgrades
The accounts previously used (".WinMagicPrimaryUserForFV", a one-time boot hidden admin account, and ".WinMagicRecoveryUser", the boot recovery admin account) have been replaced with a new "WinMagicProprietyUserForFV" account that is transparent to Mac OS X upgrades. The 44-character randomly generated password of this user, which is stored in SES, remains usable after a Mac OS X upgrade. Upgrading to this version of SecureDoc will cause the SecureDoc recovery/initial user's password to be re-generated and re-sent to SES before enabling FileVault2.
SecureDoc automatically updates following Mac OS X update
On startup, SecureDoc detects the OS X version in use and updates SecureDoc appropriately.
SecureDoc FileVault installation streamlined
Instead of requiring the user to choose the appropriate installation package, the installer itself now chooses the appropriate package, making installation easier.
Mac devices with SDOT FileVault2 installed can be identified under the Encryption Type column
The SES Console shows devices with SecureDoc installed that are currently using SDOT, which is the preferred combination of SecureDoc's powerful and flexible Pre-Boot Authentication on a device whose disk encryption is handled by FileVault. Information shown includes the typical client information (deployed state, OS version, encryption type, etc.).
SDOT FV2 supports PBN AutoBoot
SES can be used to enable PBN AutoBoot for machines using SDOT, allowing them to bypass pre-boot if they are connected to the network and are permitted to do so based on rules within the SES Server.
SDOT FV2 supports CryptoErase
SES can be used to send a crypto erase command to machines that have the combination of the SecureDoc Pre-Boot and FileVault2 Disk Encryption (SDOT), allowing them to be crypto-erased once Mac OS X has loaded.
User authentication to SecureDoc Pre-Boot on FileVault2-encrypted devices (SDOT) is now possible with locally-cached credentials
SecureDoc users can authenticate to the SecureDoc Pre-boot (SDOT) on devices that are encrypted using FileVault2, using locally-cached SecureDoc credentials and thereafter boot into OSX with FileVault2 enabled.
PBN Support for SDOT FV2 devices
This is possible when PBConnex rights are set up properly on the server and the profile allows PBConnex, with the "boot into OSX with FileVault2" option enabled.
The WinMagicProprietyUserForFV recovery account now survives OSX upgrades
In previous versions of SecureDoc for FileVault2, the special account(s) used to protect against disabling FileVault2 and for recovery would be removed or disabled during an upgrade of the OS X operating system.
This version corrects this: the new special account will survive an OS X upgrade.
All new installations of SecureDoc for FV2 clients on different OS X versions can be performed with one script
In order to guarantee successful installation (through the InstallMe script) the underlying PKG files are no longer visible, and therefore cannot be installed directly (e.g. bypassing the InstallMe script).
Upgrades to OSX on machines with FileVault 2/SDOT FileVault 2 installed will automatically upgrade the FileVault version
This applies only when using a version of SecureDoc that has the package for the new OSX version.
7.1 SR4 is compatible with OS X El Capitan version 10.11.6
This release is compatible with OS X El Capitan v10.11.6.
Additional smartcards are now supported for Two-Factor Authentication to devices protected with the SecureDoc Pre-Boot "on top" of FileVault2 (SDOT FV2)
The following smart cards are now supported:
Microsoft Windows 10 RedStone RS1 is now supported under SecureDoc 7.1 SR4
This 7.1SR4 release is compatible with the Windows 10 RedStone RS1 version.
Please note: For upgrading SecureDoc-encrypted devices to Windows 10 Redstone, please follow the procedure documented in our KB article 1518.
New ability to add new users to SDOT FV2 machines, so those new users can authenticate at Pre-Boot
SES can be used to add users to SDOT FV2 machines so those new users can authenticate at Pre-Boot.
Password for Mac FileVault now supports all allowed characters of OS X.
Previously, only upper case letters were supported. This new version opens this up to permit passwords to contain any characters that OS X can recognize.
PBLUx64 Message at boot screen
Profile setting added for forcing direct boot to Windows. The Advanced Options tab (Boot Configuration screen) of profile settings shows this new option: UEFI - Force Direct Boot to Windows.
New cryptographic engine
SecureDoc now utilizes a FIPS-approved Deterministic Random Bit Generator (DRBG) that is compliant with the NIST SP 800-90A specification. The new DRBG is delivered on the Windows and Mac OS X platforms, with the SecureDoc Cryptographic Engine 7.2 re-validated under the NIST CMVP.
Wireless connectivity does not work in PBConnex
Issue: On Lenovo M93p devices with SecureDoc installed, wireless networks are not detected. The devices are not attempting to obtain an IP address.
This has been resolved.
Surface Pro 3 does not connect to wireless via shared access point
Issue: This has been reported on Microsoft Surface Pro 3 devices where a SecureDoc installation package is deployed with the Linux pre-boot for UEFI (PBLU) boot loader option.
This has been resolved.
Sc Control command line command fails
Issue: The command appears to work, but does not. This issue has been reported on a Windows 8 machine in a SES 7.1 SR1 environment, where the client was configured with the "hide SecureDoc icon" option enabled.
This issue has been resolved.
Cannot authenticate at pre-boot with eToken Pro 4100 connected to a USB Alcor Micro Cardreader
Issue: The message "No smart card detected in card reader.(0x7751)" appeared when using this combination of token and cardreader.
This issue was reported in SES 6.3, SES 6.5 SR3, SES 7.1 SR1, and SES 6.4 SR3.
This issue has been resolved. This combination of token and card reader now works.
Cannot apply SecureDoc software encryption to OPAL E-drives, even if those drives have never been encrypted
Issue: Drives accidentally activated as OPAL E-drives could not have software encryption applied to them. The issue has been reported on SecureDoc machines in an SES 7.1 HF2 environment.
This issue has been resolved. SecureDoc Software encryption can be used on any plaintext/unlocked drive regardless of whether it is active or not, if "Force SWE on SED..." is enabled in the SD profile.
On configuring OSA on a device with 2 Opal disks, only one disk was unlocked after successful Pre-Boot Authentication under the Linux-based (V5) Pre-Boot environment
Issue: On a computer with OSA installed and two Opal disks, the second disk did not unlock after successful login at PBL. This issue has been reported on Dell Precision M4700 machines with the Ubuntu operating system on both disks, in SES 7.1 SR1 and SES 6.5 SR3 HF2 environments.
This issue has been resolved. Both disks are now bootable in a configuration of this type.
Windows does not load following V5 Pre-Boot on HP 840 G1 / HP 840 G2 devices
Issue: After logging on with the Linux-based V5 Pre-Boot (PBL) on these devices, a black screen with a blinking cursor appears and Windows does not load. Depending on whether or not PBConnex is enabled, a “Wireless Network Device Not Found” message may also appear.
This has been resolved.
Integrated card reader on Dell KB813 keyboard not detected at preboot
Issue: This issue was reported in SES 7.1 and SES 6.5 SR3 environments. The integrated card reader could not be read and an error message appeared.
The issue has been resolved and these integrated card readers now work successfully.
SES Web Console performs slowly
Issue: This issue affected Web Console usage, with occasional "Error 500" errors, long waits to log in, and slow navigation (and even timeout) when navigating around the console interface. It was reported in SES 7.1 SR2a.
The issue has been resolved.
Attempting to login to the V5 Linux-based Pre-Boot (PBL) with a PIV card freezes the device
Issue: This has been reported on a Dell e7470, which cannot proceed with checking the local keyfile.
This issue has been resolved: all PIDs for the new ControlVault2 have been added. Note that the eToken 4100 only works with readers supporting LIBCCID. A list of smart card readers supporting LIBCCID is available at: http://pcsclite.alioth.debian.org/ccid/supported.html
Unable to log on to device using eToken 4100 smart card and SafeNet eToken PRO Java smart card
Issue: Error code 0x100 or 0x7730 (No private key in token) appeared when using this combination of smart cards on a Windows 7 machine. It was reported for SES 6.5 SR1 and SES 6.5 SR3 HF2. Authenticating with PBConnex produced error code 0x100. Attempting to log in from the smart card produced the error "No private key in token(0x7730)".
This issue has been resolved. Logging on is now possible with this combination of smart cards.
Activating Autoboot automatically logs on to Windows desktop
Issue: Right-clicking on an Autoboot-enabled device in SES activates Autoboot, then logs the user onto the Windows desktop via SSO. It was reported for SES 7.1 SR2a.
This issue has been resolved. This function now presents the regular Windows login screen.
When the “Force user to input User ID at login” option is used in a profile, the device using that profile fails to auto-boot
Issue: Setting the “Force user to input User ID at login” option in a profile results in the device receiving that profile not being able to auto-boot.
The issue has been resolved. Autoboot now works correctly when this option is enabled.
Encrypted devices are shown as not encrypted in the Web Console.
Issue: Encrypted devices continue to be shown with an encryption status of unknown (white) in the SES console. It was reported in SES 7.1 SR2a with devices having FFE (File and Folder Encryption, since renamed to SecureDoc File Encryption or SFE) active.
The issue has been resolved. The status of devices is now correct in Web Console.
Touch screen does not work following installation of PBL and device encryption
Issue: This was reported on a Dell Venue 11 Pro 7000 Series Tablet running Windows 8, in a SES 7.1 environment.
The issue has been resolved.
Software Encrypted eDrive cannot be unlocked or recovered
Issue: Software-encrypted eDrives were not showing as “encrypted” in SDRecovery (they have a status of “Locked=No”), so could not be unlocked or recovered. This was reported on a Windows 7 OS device in a SecureDoc 7.1 SR1 environment.
SDRecovery did not recognize an Activated eDrive as having SW encryption: since the drive appears to not be locked, it could not be unlocked.
This issue has been resolved: the drives can be managed normally.
Generating an SES Web report for "All" entities causes SDConnex to crash
Issue: Generating a report for all users, all devices, all keys, etc. causes an out-of-memory condition in SDConnex.
This has been resolved.
Dell Latitude E7470 freezes after user enters logon credentials
Issue: Dell Latitude E7470 machines load the Pre-Boot for native UEFI devices (PBU) successfully, but after authentication, the machine freezes with the message “Error loading operating system”.
This has been resolved. Such devices require that the SUSAM option be set to ON (for Software-Encrypted devices only) or Ymode should be set to 4 (which will work with Software- or Hardware-encrypted devices).
Intermittent network connectivity at preboot while using Lenovo OneLink+ Dock
Issue: This was reported on a Lenovo Yoga 260 attached to a OneLink+ Dock, running Windows 7, in an SES 7.1 SR2a environment. Network connectivity was only intermittently available following pre-boot, impairing the user's ability to log in.
The issue has been resolved. Consistent network connectivity at pre-boot is maintained.
SDRecovery 32 Bit does not run in 32 Bit WinPE
Issue: When SDRecovery.exe (32-bit) was run on a WinPE (32-bit) machine, a "Side by Side" error appeared. This was reported in an SES 7.1 SR2a environment.
This issue has been resolved: SDRecovery.exe can be run on a WinPE machine in this environment.
Boot Logon installation failed on Samsung devices
Issue: This issue was reported in a SES 7.1 SR2 HF2 environment on devices running Win7 X64 Enterprise Edition, with both standalone and enterprise packages.
This issue has been resolved. Installation and encryption now occur as expected.
Lenovo P50 device with dual NVMe SSD cannot boot following encryption
Issue: After deploying an SES 7.1 SR2a installation package, encryption succeeds but the device does not boot.
This has been resolved.
Local Mac admins cannot add users to FV2 unlock list
Issue: The only user who can unlock FV2 is the internal WinMagicProprietyUserForFV user.
This issue has been resolved.
Computer does not wake up from sleep after SecureDoc Client Installed
Issue: A computer in sleep mode would not wake up after 10 - 15 minutes and had to be powered back up again, losing any unsaved work. This issue was reported for a Lenovo M900 / M93 device in an SES 7.1 SR1, SES 7.1 SR2a environment.
The issue has been resolved: computers with this issue can now be successfully woken up from sleep mode.
User credentials cannot be validated for an encrypted device
Issue: This issue had been reported in SES 7.1 HF1 and SES 7.1 HF2 environments. The client device was encrypted but the applicable AD users had not been imported into the SES database, causing a "Please Contact Support" message when the user attempted to log on.
This issue has been resolved.
Clicking on a node in the Users or Devices tab folder tree of SES Web Console collapses the tree
Issue: This is not the normal behaviour for a folder tree.
This issue has been resolved: clicking on a node no longer collapses the folder tree.
Unable to create machine key file in SES Web
Issue: Creating and saving a machine key file in SES Web Version 7.1 SR2A HF2 was not possible without the Manage Folders permission.
This issue has been resolved: the permission is no longer necessary for this function.
Slow Performance on the SES console (Windows)
Issue: The 7.1 SR4 SES console on Windows operates very slowly when performing administrative tasks such as looking for users and devices.
This has been resolved.
CCID card readers are incorrectly detected in PBL
This has been resolved. Please follow these steps:
1. Install SecureDoc v7.1 SR4
2. Install the latest Broadcom Firmware from Dell’s website:
It is possible to deploy a 64 bit package to a 32 bit machine, causing Boot Logon to fail on that machine
Caution: Care must be taken not to enable the 64-bit pre-boot option (it is disabled by default) for new deployments. In the future, a warning message will be displayed when this option is selected.
Dell XPS machine fails to start successfully following encryption
Issue: After the machine reboots following successful deployment and encryption, the machine fails to start. This was reported on a Dell XPS machine in UEFI (rather than BIOS) mode, running Windows 10.
This has been resolved.
On Dell Precision 7710 machines, PBU and PBLU cannot load
Issue: After the machine reboots following successful deployment and encryption, the logon screen of the Pre-Boot for native UEFI devices (PBU), as well as that of the Linux-based Pre-Boot for UEFI devices (PBLU), does not appear. (The Recovery screen, however, does appear.) This was reported on a Windows 10 Pro X64 machine, with SecureDoc 22.214.171.124 installed.
This issue has been resolved.
Note: For Known Limitations other than the ones mentioned below, refer to the "Known Limitations" section in the SecureDoc Release Notes v7.1 and 7.1 SR1.
Preboot Logon cannot be installed on Lenovo P500 devices with an NVMe (Non-Volatile Memory express) drive
Limitation: After package deployment, these devices continue to present the Windows login, bypassing Preboot Logon.
Work-around: NA – At this time, SecureDoc is not able to secure NVMe Drives on the Lenovo P500 device.
Client should not be installed on devices where UEFI is enabled and specific FBO variables are present
Limitation: This applies to devices where the BIOS is set to native UEFI and where the "FilterBootOrder" and "FilterBootOrderSupport" variables are not present or accessible. The SDClient installation will be performed but will render the device unbootable (instead of the installer failing).
Error message appears if the Windows drivers necessary for SD installation are missing or out of date
Limitation: If the Windows drivers necessary for SD installation are missing or out of date, the user sees an error message rather than an informative message suggesting that they update their drivers.
Dell Latitude E7250 and E7450 devices do not boot in UEFI mode for OSA
Limitation: This issue occurs because the internal drive is power-cycled during system reboot.
Work-around: None available. Until this is resolved in a future version, do not install SecureDoc OSA on Dell Latitude E7250 or E7450 models.
Touch screen does not work following pre-installation changes
Limitation: Following successful deployment of SecureDoc, changing the UEFI Boot Loader value to PBLU (in the SecureDoc Control Center), updating Boot Logon and then rebooting results in the touch screen not working. This was reported in an environment using SES 7.1 build 457, with a Windows 8 client on a Dell Venue 11 Pro 7000 Series Tablet (7140).
Deploying an installation package (with tablet support auto detect, auto provisioning and auto SM enabled) successfully installs SecureDoc and encrypts the disk, but the touchscreen does not respond at the Linux-based Pre-Boot (PBL). (The touchscreen does work in PBU). This was reported in an environment using SES 7.1 build 457, with a Windows 8 client on a Dell Venue 11 Pro 7000 Series Tablet (7140).
Work-around: NA – Until this is resolved, owners of such devices will need to attach an external keyboard/mouse in order to be able to enter their Pre-Boot Logon credentials.
SecureDoc does not support SafeNet middleware SAC 10
Limitation: Currently, SecureDoc supports only SafeNet 8.2 and SafeNet 9.0.
Work-around: Until this can be resolved in a forthcoming service release, please continue to use an earlier version of the SafeNet middleware.
An obsolete option, DVD Mode, appears in the SD and SES interfaces
Limitation: In SES, the profile boot configuration Advanced Options screen includes this option. In the SD Client, it appears in the Advanced Settings screen.
Dell Tablet touchscreen does not work at PBL
Limitation: Deploying an installation package (with tablet support auto detect enabled) successfully installs SecureDoc and encrypts the disk, but the touchscreen does not respond at the Linux-based PreBoot (PBL). This was reported in an environment using SES 7.1 SR4 Build 36, on a Dell 5179 series tablet.
Work-around: NA - For such devices, until this is resolved it will be necessary to connect an external keyboard/mouse to enable the user to logon.
The incorrect user ID is shown at SDCP when machine is resumed from sleep
Limitation: When a machine where both the default user and a PBN user have logged on to Boot Logon successfully has been resumed from sleep, the SDCP shows the default user, not the PBN user, and the PBN user cannot log on.
Work-around: NA. Close the SecureDoc Control Panel, reboot the device and log in again before attempting to log into the SecureDoc Control Panel again when Windows resumes.
Performance in SES Windows console sub-optimal
Limitation: Some administrators have found the SES Windows console sluggish when trying to perform administrative tasks such as adding or searching for users/devices. This has been reported in an environment running SES 7.1 SR2a.
PBLU does not work on devices equipped with LiteOn CV3 Solid State Drives
Limitation: PBLU does not work on devices equipped with LiteOn CV3 Solid State Drives (SSDs), including Lenovo Yoga 260 and Dell E7470 devices, preventing access to Windows on such devices. This limitation has been reported in 7.1 SR4 environments. A UEFI bootable USB stick cannot be used to avoid this issue, since it also cannot load PBU or accept correct passwords to load Windows.
Workaround: Attach the SED to a SATA adapter and use SD Recovery to unlock, and then de-activate, which allows Windows to load.
Login/Logout suspended for SES Web after 850+ sessions
Limitation: Automated stress testing reveals that system performance begins to degrade when many users are using the system concurrently. Our test framework simulated 850 login/logout sessions and found that approximately 2%-4% of these logins would time out. Simply reloading the login page and logging in again resolves this problem.
Workaround: Multiple SDConnex/SES Web installations behind a load balancer would help.
Wireless card not functional from PBL
Limitation: Deploying an installation package successfully installs SecureDoc and encrypts the disk, but wireless networks cannot be detected from the Linux-based Pre-Boot (PBL). This was reported in an environment using SES 7.1 SR4 Build 90, on an HP Zbook 17 G2 with an Intel N-7260 wireless card.
Work-around: NA – For such devices, until this is resolved, if the user needs to authenticate using the network (e.g. network-brokered PBConnex-based authentication), the device will need to be connected to a wired network.
Unable to use card reader at Boot Logon
Limitation: The user cannot log in at Boot Logon using the Smart card’s password, instead seeing a card reader error. This was reported in an environment using SES 7.1 SR4 with a smart card built-in reader and using a DataKey 330 smart card.
Work-around: NA – Until this is resolved, the SES Administrator will need to either switch such users to another Smart Card, use an external Card Reader or change the affected users over to authentication using a User ID + Strong Password, temporarily.
Power settings on devices with SED drive are not affected after upgrading SecureDoc to 7.1SR4
Limitation: Updating a protected device with a package that defines system behaviour on resumption from sleep and hybrid sleep modes does not cause the device’s power settings to change. This has been reported in an environment using SES_7.1_SR4_build_102, on a variety of client devices.
SecureDoc File Encryption (SFE) is not supported on Windows 10 RS1 systems
Limitation: SFE policies are not deployed to Windows 10 RS1, as the SFE drivers are not compatible with Windows 10 RS1.
The PBLU boot code cannot be updated on SED systems during a SecureDoc client upgrade process
Limitation: Only PBLU and SED systems are affected. After a SecureDoc client has been successfully upgraded to 7.1 SR4 107, the PBLU boot code remains at the existing version, i.e. 126.96.36.199.
Work-around: To update the PBLU boot code on SED systems, the SED drive must be unmanaged first, and then re-managed with the new 7.1 SR4 107 version.
PBN user unable to login at Boot Logon for SDOTFV2
Limitation: Logging in with PBN user at boot logon with an inserted USB drive is unsuccessful. An error message is displayed at the time.
Unable to login a new user after device upgrade from Windows 10x64 TH2 to Windows 10x64 RS1
Limitation: Only applies to devices that are upgraded from Windows 10x64 TH2 to Windows 10x64 RS1. After adding a new user in the SecureDoc Control Center, that user is unable to log in.