Product/Feature Deprecation Pre-Notice
Please note that WinMagic is deprecating SecureDoc V4 PreBoot Authentication (PBA) support for SEDs in favor of the fuller-function, more capable V5 PreBoot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.
Important Note
WinMagic has done extensive work to improve, streamline and augment the security surrounding the initial deployment of Key Files during installation of the SecureDoc Client software, bearing in mind that customers have widely divergent requirements relating to how devices are used during and after initial installation. Some customers install SecureDoc while the primary device user is, or will be, on the machine; others need to protect new devices before the end users of those devices have been defined; and there are other scenarios besides.
Please refer to the sections "When SecureDoc server is upgraded to version 7.1SR5 HF4 from previous versions (6.5 or earlier)" and "Device Provisioning Rules" under the "Creating Installation Packages for Windows" chapter in the SES User Manual to understand how these new settings work, in order to inform your own use of these new features, particularly as they operate in a way that cannot be easily migrated from the previous methodology to the new one. Upon upgrading from an earlier version, you will need to adjust each of your existing Installation Packages to reflect the deployment methodology that meets your security design.
System Requirements
System requirements and supported devices, including tokens and SmartCards, for SecureDoc v7.5 SR1 are listed here.
Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: http://msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating its absence. This message does not give the user the option to stop the installation of SES, and Full-Text Indexing will then need to be retrofitted into the existing SQL Server.
Note: Use of the SES Console requires the user to have at least local admin rights on the server or client device (e.g. an admin desktop) on which it runs, in order for the console to function properly.
New Features and Improvements
Reference | Description |
---|---|
SD-18891 | WinMagic has responded to a customer requirement to ensure that no key files are available locally after the installation of SecureDoc. |
SD-23239 | Key File deployment has been changed to support distinct use cases, including no Key File at all, even in non-provisioning mode. This addresses the requirements of customers whose main objective is that end users do not have key files on their workstations or servers; these systems simply use PBN Auto-Boot to authenticate (much as SecureDoc's CloudVM does not store local key files on the device). The solution does not stage key files locally, but continues with the product installation and initial encryption. Since the customer whose request triggered this change does not use password synchronization, they cannot use SecureDoc's existing "automatic provisioning" feature, and this solution provides a smooth installation path even for such customers. |
SD-23267 | The new FESF library version 1.2.3 has been integrated into SecureDoc File Encryption (SFE). Limitation: FESF 1.2.3 does not support Windows 10 RS3 Build 16281, so SecureDoc SFE also does not support Windows 10 RS3 Build 16281. Limitation: SFE also does not support encrypting SharePoint folders (SD-23982). |
SD-24240 | SD CloudSync now supports running on top of SecureDoc v7.5 and later versions. |
SD-23407 | Key Files are now automatically converted to TPM protection (if so configured) without requiring the user to log into SecureDoc Control Center (SDCC) first. In earlier versions of SecureDoc, where TPM protection was configured, the user was required to log into SDCC in order to have their key file converted to be TPM-protected. In 7.5 SR1 the user's key file is converted to TPM protection automatically upon logging into Windows. |
SD-23614 | Issue corrected: error type 0x7885 logged during SecureDoc client software installation. |
SD-23674 | USB media: the Removable Media Container Encryption (RMCE) media size warning message has been improved. Under the FAT32 file system, USB sticks support files of at most 4GB. Since the SecureDoc RMCE container is itself a file, an RMCE container using 100% of the available space cannot be created on FAT32 USB media larger than 4GB in total size. This 4GB file size limitation does not apply to exFAT- or NTFS-formatted USB sticks. In that case: (a) cancel the container creation and (b) reformat the media as exFAT. |
SD-23733 | New ability to suppress incremental (delta) ADSync. |
SD-23737 | Touch controls at pre-boot (PBLU) have limitations on the Microsoft Surface Pro 4 and Surface Pro 2017. The touch controls do not work on these devices when pre-boot is configured to use 64-bit PBLU. As a workaround, it is recommended to use the native UEFI pre-boot (PBU) for these devices until a solution is available. |
SD-23532 | The PreBoot Logon GUI supports any screen resolution. |
SD-23773 | SDFileDecryptor: improvements to the decryption workflow for better usability. |
SD-23909 | SecureDoc File Encryption (SFE) now supports Windows 10 RS3. |
SD-24277 | SecureDoc compatibility with Windows 10 RS3 added. SecureDoc V7.5 SR1 is compatible with Windows 10 RS3, including upgrades from Windows 10 RS2 to RS3. |
SD-24506 | Visual improvements for masked password fields in the SES Web and SES Consoles. Issue: in previous versions of SES and SESWeb, the SES Console and the SESWeb console represented the non-existence of a user's password inconsistently. |
Enhancements and Resolved Issues
Reference | Description |
---|---|
SD-13813 | The SecureDoc OS-Agnostic (OSA) Windows installer and OSA USB do not boot when Secure Boot is enabled. |
SD-15330 | The SecureDoc Utility (SDUTIL) did not correctly support the RemoveBL option under PreBoot Logon/V5 profile settings. Issue: customers running V6.5 were unable to remove Boot Logon when executing the command to remove SecureDoc's Boot Logon from a V5 boot logon device; once the command was executed, the device rebooted but the V5 Boot Logon had not been removed. This issue is now resolved. Note: the feature only works on already-decrypted Software Encryption devices (all disks have previously been decrypted but Boot Logon remained in effect). Pre-boot checks whether the disk is a plain-text regular drive; if not, it returns without removing Boot Logon. |
SD-20687 | Errors occurred when client devices with a large number of local Windows user accounts registered with SecureDoc Enterprise Server, causing a high volume of key files to be transmitted from SDConnex for the local Windows accounts. Issue: this occurs when the profile option "Windows Account Feature - Create Boot Users + Personal keys" is enabled. This option allows SES to create new key files for all Windows users that have logged onto the computer. However, if many users have logged into the computer, an unusually high volume of key file requests is generated, and SDConnex may not be able to handle the request set (i.e. 40 users or more). In this scenario the installation fails during device registration and error 0x7885 is generated. This issue has now been resolved. Note: the total of AdminUser + WinUser accounts should not exceed 32. |
SD-21034 | Microsoft Office installation failed when SecureDoc File Encryption (SFE) was enabled. In a previous version, WinMagic had documented a limitation requiring customers to install Microsoft Office before installing SecureDoc (or to disable SFE temporarily in order to install Microsoft Office) if the SFE feature was to be enabled on the devices, since in that version the third-party encryption library on which SFE depends conflicted with the Microsoft Office installer. |
SD-21995 | Under certain circumstances relating to high numbers of local user accounts on devices, those devices were being duplicated in the SES database upon installation, with a failure to submit the SDForm prompt panel. |
SD-22175 | In Key File deployment, excluded users' key files were still being created even though the rules defined that they should not be. Issue: user Key Files were being created for users defined in the Exclude List feature. |
SD-23155 | Timing improvements were made to permit the SecureDoc Client to update information in the SED Shadow MBR more dependably. The Shadow MBR synchronization sequence on SEDs during the user's initial login to the operating system was improved, ensuring that SecureDoc can update information in the Shadow MBR during boot-up. These improvements resolve several rare cases seen during the Secure Moment stage of deployment where the temporary user account was not being removed from the system and the device remained in provisioning mode. |
SD-23171 | Profile status column displayed incorrect information. Issue: in an earlier version, SES took the "optimistic" path and prematurely marked profile changes as successfully applied to devices based only on having transmitted the new profile to the device, showing the profile on the device as Up-to-Date. Under this older method the status column could, in rare circumstances, be inaccurate, since the server did not positively know the status of the profile change at the device: the device had not had a chance to confirm that it had successfully processed the profile change, so any issue on the device in applying the new profile would not be visible at the server. With this improvement, client devices now positively confirm back to the server that they have successfully applied the changed profile, and the server then updates their profile setting to "up-to-date" upon the next communication. |
SD-23470 | Microsoft Surface Pro 3 and 4 devices were unable to access dongle-connected or dock-connected network interface devices at SecureDoc's Pre-Boot for UEFI devices. |
SD-23557 | SDPin crashed on resume from sleep mode. Issue: in version 7.1 SR6 HF1, SecureDoc's WinPin (SDPin) service crashed under SecureDoc's BitLocker Management (SDBM) after resuming from sleep mode. Note: the issue was caused by security software that managed Windows rights, which has now been removed. Changing that software's security settings from High to Medium when monitoring the SecureDoc application resolved the crash. |
SD-23396 | Error recognizing a smart card with an internal reader. Issue: logging in with the incorrect key file using an internal smart card reader did not work correctly. The issue does not occur with an external smart card reader and the same smart card; the end user can successfully log into the system. |
SD-23469 | Microsoft Surface Pro 3 and 4 devices were unable to access dongle-connected or dock-connected network interface devices at SecureDoc's Pre-Boot for UEFI devices. SecureDoc now enables the UEFI network stack programmatically so that PBConnex-brokered authentication can be used at pre-boot on these devices. |
SD-23543 | Added support for the Solarflare SFC9240 Network Interface Card (NIC) at pre-boot. Customers must replace the native Linux driver with the one downloaded from the manufacturer's download page. |
SD-23563 | Use of the web-based Online Help feature of SESWeb in V7.5 pointed to a non-existent web page. This has been corrected, and the correct online help documentation is now displayed. |
SD-23568 | User accounts listed in the Installation Package settings in SES were being removed when saving the Installation Package after a 7.5 upgrade. |
SD-23762 | Surface 2017 issue: uninstalling through Control Panel did not work. Issue: when testing the uninstallation of the SecureDoc Client software on Microsoft Surface Pro 2017 devices with the latest firmware, uninstalling SecureDoc through the Windows Control Panel failed to complete successfully, and thereafter the SecureDoc software could not be uninstalled. |
SD-23797 | User permissions on devices were inconsistent with server settings and were overwritten incorrectly. The SES Console now displays calculated effective permissions alongside the permissions directly assigned to a user or a user-device, so the administrator can see in real time what effective permissions the user will get on the device whenever a key file is updated. |
SD-23812 | Unable to set TPM 2.0 protection on Panasonic CF-SZ6 devices. Issue: on Panasonic CF-SZ6 devices with the TPM profile option enabled, the PC user account (key file) did not change to TPM protection after login to SecureDoc's Control Center (SDCC), and the 'Keyfile Protection Type' for the device in the SES Console did not change the user's authentication type to "Password + TPM". |
SD-23845 | SecureDoc's Pre-Boot management for BitLocker (SDOT) Boot Logon did not prevent users from running BitLocker. An issue was detected in SecureDoc Version 7.5 where installation of SDOT no longer blocked user access to the BitLocker Management user interface. This access had been blocked in the earlier 7.1 SR5 and SR6 versions. |
SD-23869 | Unable to update user passwords from the SES Server where the same user existed on more than 100 devices. Issue: updates to users present on 100 or more devices, such as updating the password on the SES Server, were not propagated accordingly and clients were not able to log on. This issue is now resolved. |
SD-24189 | Tablet touch-screen calibration during SecureDoc installation caused issues. Issue: during installation the touch screen was not detected at the calibration step, preventing the user from completing the installation successfully. |
Limitations
Reference | Description |
---|---|
SD-21492 | Unable to change a user's password with SESCMD when the user has an '@' symbol in their username. |
SD-21639 | Removable Media Container Encryption (RMCE) and Disk Access Control (DAC) issues occur if an encrypted device is opened in Windows Safe Mode. |
SD-22171 | SharePoint's "View in File Explorer" option does not work with SecureDoc File Encryption (SFE) enabled. |
SD-23577 | WinPin (SDPin) crashes after resuming from sleep mode. Issue: this is caused by security software that managed Windows rights and removed them. |
SD-23702 | Atos CardOS DI 5.3: "No private key in token" (0x7730) with 2048-bit certificate length. Issue: customers testing the Atos CardOS DI 5.3 card found that it does not work with 2048-bit certificates, but does work with 1024-bit certificates (which are no longer used). With a 2048-bit certificate length, error 0x7730 (No private key in token) occurs at pre-boot. The security standard is now 2048 or 4096 bits. Work-around: the smart card requires longer APDUs; when an APDU is longer than 255 bytes the smart card requires an APDU length field one byte longer. Limitation: 4096-bit (4k) certificate length is not supported at the moment. |
SD-23982 | The SecureDoc File Encryption feature (SFE) will NOT encrypt files located in a SharePoint folder when the SFE policy was created on the client device. Limitation: SecureDoc File Encryption does not currently support the encryption of WebDAV paths, which is what SharePoint shares are. |
SD-23988 | Under SecureDoc File Encryption (SFE), the overlay icon does not appear when mapping a network connection to DFS (Windows Distributed File System). |
SD-24027 | Black screen with SecureDoc's Linux-based Boot Logon on certain device types. Issue: after installing SecureDoc's Linux-based Boot Logon (PBLU) on an HP X2 210 G2, the system remains at a black screen. |
SD-24202 | Hewlett Packard HP Pro x2 612: the touch screen does not work under SecureDoc's Linux-based Pre-Boot for UEFI devices (PBLU). |
SD-24318 | Pre-boot authentication screen delay on the Dell E7250. Limitation: cases have been reported in which the pre-boot authentication screen took 10-15 minutes to appear on the Dell E7250. |
SD-24339 | The external mouse does not work on the Lenovo T570 with PBU. |
SD-24343 | Pointer functions at pre-boot (PBLU) do not work using the touch pad. |
SD-24419 | HP ProBook 645 G3 (HWE): Windows error 0xC0000411 appears after returning from hibernation. |
SD-24420 | Additional protection against the WPA2 KRACK vulnerability in PB Linux. After assessing the risk to SecureDoc customers, WinMagic advises that while KRACK does impact pre-boot wireless support, because SecureDoc uses standard Linux Wi-Fi drivers, the risk is mitigated by the fact that PBConnex runs an encrypted protocol on top. Nevertheless, WinMagic has provided additional protections in SecureDoc 7.5 Service Release 1 (SR1). |
SD-24429 | HP Folio 1040 G2 touch screen unavailable. Issue: the touch screen at pre-boot (PBU) does not work on this device. Limitation: the on-screen keyboard controls do not work on the HP Folio 1040 G2 using PBU. It is recommended to use PBLU on these systems or an external mouse. |
SD-24503 | Pointer functions at pre-boot (PBLU) do not work using the touch pad. Limitation: the mouse controls do not work on the X260 using the built-in touch pad. It is recommended to use PBU on these systems or an external mouse. |
SD-24541 | Tablet features do not work correctly with SecureDoc's Linux-based Pre-Boot for UEFI devices (PBLU). Issue: the touch pad, mouse track, and on-screen keyboard do not work with PBLU on the ThinkPad X1 Tablet 2. Workaround: on the ThinkPad X1 Tablet 2, an external keyboard can be used when pre-boot is configured to use PBLU. |
SD-24542 | Lenovo ThinkPad X1 Carbon 5 devices encounter a SecureDoc Linux-based Pre-Boot "Bad Address" error when using Windows 7 and Hardware Encryption (e.g. SED drives). Issue: SecureDoc's pre-boot authentication screen does not appear after powering on the device; instead the system remains at a black screen with the error "bad address" shown in the top left corner of the monitor. This issue only occurs on the ThinkPad X1 Carbon 5 with Windows 7 and Hardware Encryption (HWE) such as OPAL self-encrypting drives. Workarounds: use a newer Windows operating system on this device (i.e. Windows 10), or, if Windows 7 is required, use Software Encryption. |
SD-24543 | Lenovo ThinkPad X1 Tablet 2: the touchpad, mouse track, and external mouse do not work at SecureDoc's native UEFI Pre-Boot (PBU). Issue: the touch pad, mouse track, and external mouse do not work on the ThinkPad X1 Tablet 2 in SecureDoc's PBU (native pre-boot environment for UEFI devices) during pre-boot authentication. |
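The length-field limitation behind SD-23702 is a property of the ISO/IEC 7816-4 command APDU format rather than of SecureDoc: a one-byte Lc field tops out at 255 data bytes, so an RSA operation on a 2048-bit (256-byte) block must use the extended-length form, which not every card implements, whereas a 1024-bit (128-byte) block fits the short form. The following Python is added here as an illustration and is not WinMagic's code; the PSO:DECIPHER command bytes and the RSA block contents are constructed placeholders, and the only claim is how the length fields are encoded on the wire.

```python
"""Short vs extended APDU length encoding (ISO/IEC 7816-4).

Added illustration, not WinMagic code. The PSO:DECIPHER command bytes and
the 'ciphertext' are constructed placeholders; the point is how the Lc field
changes once the data field exceeds 255 bytes, which a 2048-bit RSA block
forces and a 1024-bit block does not.
"""
from typing import Optional

MAX_SHORT_LC = 255    # a one-byte Lc encodes 1..255 data bytes
MAX_SHORT_LE = 256    # a one-byte Le encodes 1..256 (0x00 means 256)
MAX_EXT_LE = 65536    # a two-byte Le encodes 1..65536 (0x0000 means 65536)


def needs_extended_length(data_len: int, le: Optional[int] = None) -> bool:
    """True when the command cannot be expressed with one-byte Lc/Le fields."""
    if data_len > MAX_SHORT_LC:
        return True
    return le is not None and le > MAX_SHORT_LE


def encode_apdu(cla: int, ins: int, p1: int, p2: int,
                data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Build a command APDU, picking the short form whenever it fits.

    Short form:     CLA INS P1 P2 [Lc(1) data] [Le(1)]
    Extended form:  CLA INS P1 P2  00 Lc(2) data [Le(2)]   (case 3E / 4E)
                    CLA INS P1 P2  00 Le(2)                (case 2E)
    A card that implements only the short form cannot accept a 256-byte
    data field in a single command at all.
    """
    if len(data) > 0xFFFF:
        raise ValueError("data field exceeds the extended-length maximum")
    if le is not None and not 1 <= le <= MAX_EXT_LE:
        raise ValueError("Le out of range")
    apdu = bytearray([cla, ins, p1, p2])
    if not needs_extended_length(len(data), le):
        if data:
            apdu.append(len(data))
            apdu += data
        if le is not None:
            apdu.append(0x00 if le == MAX_SHORT_LE else le)
        return bytes(apdu)
    # Extended form: a single 0x00 marker precedes the first two-byte field.
    apdu.append(0x00)
    if data:
        apdu += len(data).to_bytes(2, "big")
        apdu += data
    if le is not None:
        apdu += (0 if le == MAX_EXT_LE else le).to_bytes(2, "big")
    return bytes(apdu)


def decipher_apdu(ciphertext: bytes) -> bytes:
    """PSO:DECIPHER (INS 2A, P1 80, P2 86) carrying one full RSA block.

    The card is asked for a plaintext of the same length, so Le equals the
    modulus length. Command values are illustrative, not SecureDoc's.
    """
    return encode_apdu(0x00, 0x2A, 0x80, 0x86, ciphertext, le=len(ciphertext))


def describe(modulus_bits: int) -> dict:
    """Summarise what an RSA operation of this key size forces on the wire."""
    block = bytes([0x11]) * (modulus_bits // 8)   # constructed, not real ciphertext
    apdu = decipher_apdu(block)
    ext = needs_extended_length(len(block), len(block))
    return {
        "modulus_bits": modulus_bits,
        "data_bytes": len(block),
        "extended_length": ext,
        "lc_field_bytes": 3 if ext else 1,   # 00 + two-byte Lc vs one byte
        "apdu_length": len(apdu),
    }


if __name__ == "__main__":
    for bits in (1024, 2048):
        info = describe(bits)
        form = "extended" if info["extended_length"] else "short"
        print(f"{bits}-bit RSA: {info['data_bytes']} data bytes -> "
              f"{form} form, {info['apdu_length']}-byte APDU")
```

Running the block prints the 1024-bit case as a 134-byte short-form APDU and the 2048-bit case as a 265-byte extended-form APDU; the extra bytes are the 0x00 marker, the second Lc byte and the second Le byte. A 4096-bit block (512 bytes) also lands in the extended form, which is consistent with the page noting that 4k certificates are likewise unsupported on this card.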