Product/Feature Deprecation Pre-Notice
Please note that WinMagic is deprecating SecureDoc V4 Pre-Boot Authentication (PBA) support for SEDs in favor of the fuller function, more capable, V5 Pre-Boot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.
Important Note
WinMagic has done extensive work to improve, streamline and augment the security surrounding the initial deployment of Key Files during the process of installing the SecureDoc Client software, bearing in mind that many customers have widely divergent requirements relating to how devices are used during and after initial installation. Some customers install SecureDoc while the primary device user is on or will be on the machine, while others may need to protect new devices before the end-users of those devices have been defined, as well as other scenarios.
Please refer to the "When SecureDoc server is upgraded to version 7.1 from previous versions (6.5 or earlier)" and "Setting up Device Provisioning Rules" sections under the "Creating Installation Packages for Windows" chapter in the SES User Manual to understand how these new settings work and to inform your own use of these new features, particularly as they operate in a way that cannot be easily migrated from the previous methodology to the new one. Upon upgrading from an earlier version, you will need to adjust each of your existing Installation Packages to reflect the deployment methodology that will meet your security design.
System Requirements
System requirements and supported devices, including tokens and SmartCards, for SecureDoc v7.1 are listed here.
Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating its absence. This message does not allow the user to stop the installation of SES, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.
Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.
Upgrade Path and Instructions
Product | From | Upgrade Instructions | To |
---|---|---|---|
SecureDoc Enterprise Server (SES) | SES versions from 5.3 to 6.5 SR1 & 6.5 SR3 | None | SES v7.1 |
SecureDoc Enterprise Server (SES) | SES version 6.5 SR2. Note: SecureDoc can NOT be upgraded from the SecureDoc 6.5 SR2 version. Currently, there are no upgrades available for SecureDoc 6.5 SR2 version. | None | NO |
SecureDoc Enterprise Client | SD Client versions from 5.3 to 6.5 SR1 & 6.5 SR3 | Disable File and Folder Encryption (FFE) prior to upgrading | SD Client v7.1 |
SecureDoc Enterprise Client | SD Client version 6.5 SR2. Note: SecureDoc Client can NOT be upgraded from the SecureDoc 6.5 SR2 version. Currently, there are no upgrades available for SecureDoc Client 6.5 SR2 version. | None | NO |
SecureDoc StandAlone | SecureDoc StandAlone version 5.3 to 6.5 SR1 & 6.5 SR3 | Disable File and Folder Encryption (FFE) prior to upgrading | SD StandAlone v7.1 |
SecureDoc For Servers | SecureDoc for server version 5.3 to 6.5 SR1 & 6.5 SR3 | Disable File and Folder Encryption (FFE) prior to upgrading | SD for Server v7.1 |
SecureDoc Mac FileVault2 | SecureDoc FileVault2 build older than 6.5 SR2 with OS version: | Upgrade the OS to 10.9.5 (build 13F1112) | SDFV2 v7.1 |
SecureDoc Mac FileVault2 | SecureDoc FileVault2 build version 6.5 SR3 with OS version 10.9.5 | None | SDFV2 v7.1 |
SecureDoc Mac FileVault2 | SecureDoc FileVault2 build from versions 6.5 SR1 to 6.5 SR3 with OS version 10.10.x up to 10.10.5 latest update | None | SDFV2 v7.1 |
SecureDoc Mac FileVault2 | SecureDoc FileVault2 build from versions 6.5 SR1 to 6.5 SR3 with OS version 10.11.x (El Capitan). Note: Mac OS 10.11.x (El Capitan) will be supported in the 7.1 SR1 release. | X | Not supported |
New Features and Improvements
Reference | Description |
---|---|
SD-10305 | SecureDoc now supports PBLU (Linux-based pre-boot environment) authentication for both software and hardware encryption. This option has several advantages, including support for WPA-Enterprise over Wireless / Wired connections, Touch/Pen inputs and all network protocols. PBLU can also use Linux-based third-party libraries and tools, which is crucial for Smart card support. SES Administrators may use this option with the regular SecureDoc package for Windows. When this option is selected under Profiles --> Boot Configuration --> General in the SES Console, PBLU will be installed on the user's system and they will be able to authenticate / log in. For information on how to configure this option in SES, refer to the Enabling Linux-based on UEFI Devices section in the SecureDoc Quick Deployment Guide v7.1. |
SD-10874 | SecureDoc smartcard users can now log on at pre-boot using their PIN or passphrase only (no need to enter User ID anymore). This feature makes it easy for SecureDoc smartcard users to log on at pre-boot using their PIN or passphrase only. They do not need to enter their user ID anymore. For information on how to configure this option in SES, refer to the Enabling SmartCard and Password Authentication at Pre-boot (PIN Only login) section in the SecureDoc Quick Deployment Guide v7.1 or in the SES user guide. |
SD-10022 | Pre-boot logon information can be collected on a USB drive. It is now possible to collect pre-boot logon information (pba.log) on a USB drive from devices that use Pre-boot Linux (PBL) for authentication. The USB drive must have a WmPba.ini file in its root folder. If it does not, an empty WmPba.ini file should be created on the USB drive. |
SD-11762 | OSA installer for Windows is available as a part of the OSA installation package. When creating OSA package files, the OSAInstaller application is created in the RemotePackage folder created by the SES installation. This application (OSAInstaller) allows SES Administrators to deploy an OSA package from within the Windows environment. For more information on how to install OSA packages using the OSA installer, see the Install SecureDoc OSA from Windows OS using OSA Installer section in the SecureDoc Quick Deployment Guide v7.1 or in the SES user guide. |
SD-10742 | SecureDoc users' keyfile protection method (TPM, Token, Password, Fingerprint etc.) can be viewed in the SES Console. This new feature enables the SES administrators to view how the users' keyfiles are protected (TPM, Token, Password, Fingerprint etc.). A new column "KeyFile Protection Type" has been added in the User and Devices screen in the SES Console that displays the keyfile status of the corresponding users/devices. The SES Administrators can also track key file protection type change events in the Audit Log. For more information, refer to the Viewing Users’ Keyfile Protection Method section in the SecureDoc Quick Deployment Guide v7.1 or in the SES user guide. |
SD-11587 | SecureDoc supports Intel Enterprise Digital Fence technology. SecureDoc now supports Intel Enterprise Digital Fence technology that puts a "digital fence" around the company or employee's home. This new functionality allows the SES administrators to unlock the Self-Encrypting Drives (SEDs) when the Digital Fence option is enabled. This new option works with devices that are equipped with the Intel Digital Fence technology. If Digital Fence functionality is not enabled on a device, SecureDoc will not allow it to go into sleep mode, but will force it to hibernate and authenticate at pre-boot logon. For information on how to configure this option in SES, refer to the Intel Enterprise Digital Fence section in the SecureDoc Quick Deployment Guide v7.1. |
SD-11388 | SecureDoc CloudSync (SDC) is available for Mac OS 10.10.x versions. SecureDoc CloudSync (SDC) is now available for Apple Mac devices to synchronize encrypted data to Cloud Service providers. Only cloud folders should be used with SDC. For information on how to install and configure SDC on Mac, refer to the SecureDoc CloudSync for Mac section in the SES Version 7.1 User Manual. Note: Only Dropbox will be supported in this version, and the support for other cloud providers will be implemented in a future release. |
SD-11972 | SecureDoc Pre-Boot with network and two-factor authentication support is now available on slate devices, such as Microsoft Surface Pro 1, 2, and 3. SecureDoc now uses password protector instead of Recovery Pin to support Microsoft Surface Pro 1, 2, and 3 devices that have Windows 8/8.1 and above Operating Systems (OS) installed. Users will be able to pass the boot logon with their SecureDoc login credentials (when using SDOT) or the device password (when using SecureDoc BitLocker Management). |
SD-12023 | Support for LANDesk. Moving forward from version 7.1, SecureDoc supports LANDesk integration with the SES database. The LANDesk administrators will now be able to sync data with the SES database so that they can use one console to perform their reporting. |
SD-9879 | SES Administrators can now use SafeNet’s Luna Hardware Security Module (HSM) to protect the SecureDoc Key File. This version of SecureDoc provides a new capability: a Hardware Security Module (HSM) can (optionally) be used to protect the SecureDoc Key File used to provide Administrator Access to the SES Database through the Console. When an HSM is used, the SES database protection key file is securely stored inside a tamper-resistant HSM device, instead of on the local disks. For more information on how to use a Hardware Security Module (HSM), see the Using Hardware Security Module (HSM) section in the SecureDoc Quick Deployment Guide v7.1 or the SES user guide v7.1. |
SD-9435 | SecureDoc File Encryption (SFE), previously called "File and Folder Encryption" (FFE), now has two important new capabilities for managing Persistent Encryption, as well as SES/User-defined Application Access Lists. SecureDoc File and Folder Encryption (FFE) has been renamed SecureDoc File Encryption (SFE), with an added ability to support persistent encryption. When the Persistent Encryption functionality is activated, the files/folders that are in SFE folder(s) will remain encrypted even when they are moved to other destinations or media. SES administrators also have an option to collect a list of applications that access the encrypted files. The SES administrators can further allow the end-point device users to interactively decide which applications are permitted to access files in decrypted form by putting an application in either the Gray List or the White List using the Global Application Access Lists application. For more information on SecureDoc File Encryption (SFE), see the SecureDoc File Encryption section in the SecureDoc Quick Deployment Guide v7.1 or the SES user guide v7.1. |
SD-11521 | SecureDoc Key File deployment has been re-designed. SecureDoc Key File deployment has been re-designed to make the SecureDoc Full Disk Encryption process less disruptive, yet seamless and more robust, by eliminating certain complexities and challenges that were associated with key file deployment in previous versions of SecureDoc. For more information on how to set up Key File deployment options, see the Setting up Device Provisioning Rules section in the SecureDoc Quick Deployment Guide v7.1 or the SES user guide v7.1. |
SD-11848 | Pre-boot Logon Error (0x7842) on Windows 7 devices with two hard drives (SSD and OPAL). This issue occurs on Windows 7 devices that have two hard drives, i.e., SSD and OPAL. After deploying the SecureDoc installation package, when a user attempts to perform pre-boot logon after the reboot, an error message, "0x7842", is displayed. This issue has been resolved and users can now successfully authenticate at pre-boot logon without any issues. |
Resolved Issues
Reference | Description |
---|---|
SD-12642 | Delay in network file browsing when the File and Folder Encryption option is enabled. This issue occurred on previous SecureDoc-protected client devices when the FFE option was enabled. The users experienced very slow network browsing after the FFE driver was enabled on their devices. This issue has now been resolved and the user will not experience any slowdown in browsing network files. |
SD-11444 | Remote crypto-erase and crypto-erase key sequence functionalities were not working properly on the OSA client devices. This issue has been reported on the OSA client devices. The SES administrators were unable to use the crypto-erase functionality from the SES console as this option was greyed out in the context menu. Also, the crypto-erase key sequence functionality on the OSA client devices was not working properly. This issue has now been fixed and the SecureDoc user can execute the crypto-erase functionality from the SES console and also perform the crypto-erase key sequence from the client devices successfully. |
SD-14421 | Support for HID OMNIKEY USB smartcard reader. In previous versions of SecureDoc, there were some issues using the HID OMNIKEY 3121 smartcard readers on the Linux-based pre-boot devices. These issues have been resolved and now most smart cards will work correctly with HID OMNIKEY in SecureDoc. The SecureDoc users can now successfully log in at pre-boot and/or SDCC using these smartcard readers. |
SD-9460 | Conflict with Symantec Workspace Virtualization. A previously-encountered incompatibility existed between the SecureDoc filter driver and Symantec Workspace Virtualization software, causing an inability to load Windows (a "hang" condition) after successful user authentication at Pre-boot. This issue has been resolved. SecureDoc-protected devices running Symantec Workspace Virtualization software will now boot successfully into Windows following successful Pre-boot Authentication. |
SD-12918 | Ability to capture recovery information and create an emergency disk for Mac FileVault2 enabled devices. In previous versions of SecureDoc, an issue was reported that while installing SecureDoc on a FileVault2 enabled device, the recovery information (Recovery passphrase, LVGUUID, LVUUID, and PVUUID) was not being sent to the SecureDoc server. As a result, the SES administrators were not able to create an emergency disk. This issue has been resolved by providing the Account Recovery Password. The SES administrators can use this Account Recovery Password, displayed in the Edit Device Information -> Device FileVault Properties tab in the SES Console, to create an emergency disk. |
SD-14867 | When the global password rules are changed and a key file is sent down from SES, the changed global password rules will overwrite the existing package password rules. When the SES administrators make changes to the global password rules, the existing package(s) password rules will not change. However, when a key file is created and sent down from SES during online installations, the changed global password rules will be applied, not the old password rules of the existing package(s). |
SD-15871 | Maximum Failed Login feature is NOT working for the local key files. The issue occurred because the pre-boot login was not properly counting the number of failed logins for PBConnex. As a result, the user was never locked out after exceeding the failed login attempts threshold. This issue has now been resolved and the user will be logged out after reaching the maximum failed login threshold. |
SD-8994 | Slow boot up on Lenovo X1 Carbon devices (UEFI). An issue has been reported about slow boot up on the SecureDoc-protected Lenovo Carbon X1 device. This issue has now been resolved and the boot up time has been significantly improved. |
Known Limitations
Reference | Description |
---|---|
SD-11795 | SES Web users who have administrator privileges cannot be added in SES Console as Administrators. Limitation: Work-around: |
SD-13215 | Lenovo Tablet 10 x64 Touch Screen does not work when the Linux pre-boot for UEFI devices (PBLU) option is selected for boot loading. Limitation: Work-around: |
SD-13827 | Windows 8 UEFI / Toshiba Tecra z40 (Self-encryption Drive) client devices are unable to load Windows when the PBLU boot loader option is selected in SES. Limitation: Work-around: |
SD-12614 | Hidden files and folders in SecureDoc CloudSync encrypted folders cannot synchronize into the alias (Linked) folder. Work-around: |
SD-14010 | FFE_DEVICE_KEY does not work for Mac SecureDoc CloudSync. Limitation: Work-around: |
SD-13525 | If a file in the Alias folder is edited multiple times, a warning message, “The file has been changed by another application”, is displayed. Limitation: This issue occurs when a user opens a file in the Alias folder, edits, saves (but does not close the file), and after a while, edits the file again, and then saves it. In such a scenario, a warning message, “The file has been changed by another application”, is displayed. Work-around: Save and close the file immediately after editing. |
SD-13740 SD-73741 | Conflicting copies of a file are created in the Cloud provider folder if two or more devices have the same SD Cloud policy and the same keys on Windows and Mac SecureDoc devices. Limitation: Work-around: |
SD-12460 | SecureDoc File Encryption (SFE): If DllHost.exe is in the White List, users are able to view image files using Windows Photo Viewer. Limitation: Work-around: |
SD-13947 | SecureDoc File Encryption (SFE): Google Drive and One Drive root folders (e.g. C:\Users\<user name>\Google Drive; C:\Users\<user name>\One Drive) cannot be encrypted. Limitation: Work-around: |
SD-10198 | The SESWeb does not launch on Windows Server 2008 x32. Limitation: Work-around: |
SD-13216 | The Wireless option for the Linux-based pre-boot for UEFI devices (PBLU) boot loader does not work on Lenovo Tablet 10. Limitation: Work-around: |
SD-13437 | PBConnex does not work on Surface Pro 3 devices. Limitation: Work-around: |
SD-13832 | Users with administrator privileges are unable to see their administrator rights after performing Challenge-Response (C/R) or Self-Help on SecureDoc-protected client devices. Limitation: Work-around: |
SD-12832 | The touchpad for Microsoft Surface Pro 3 with the Native UEFI Pre-boot (PBU) environment does not work properly. Limitation: Work-around: |
SD-12119 | If Dllhost.exe is in the Gray List, the "Send to Compressed (zipped) File" option in the Windows Explorer context menu will not work for SecureDoc File Encryption (SFE). Limitation: Work-around: |
SD-12465 | SecureDoc File Encryption (SFE): On Windows 8 and 10 Operating Systems (OS), the pre-existing files on the Google Drive will not be encrypted on the cloud. Limitation: Work-around: |
SD-11067 | SecureDoc client devices do not prompt users to change their initial passwords after deploying a package with a default user and the Change Initial password option enabled. Limitation: Work-around: |
SD-13852 | The Default User ID key file that provides users with one time login to Boot Logon does not get removed when 6.5 and lower installation packages are installed against an SES 7.1 version. Limitation: In a scenario where the new SecureDoc version 7.1 is installed against the client devices with older installation packages, the default user ID key file is not deleted. Work-around: |
SD-14502 | Emergency Disk cannot be created on a device that has more than 50 users. Limitation: Work-around: |
SD-14122 | The convert from password to token/UPEK (FingerPrint Reader) functionality does not work if the Always include personal key in key files option is enabled in the Key Files tab in SES. Limitation: Work-around: |
SD-14114 | Removable Media Container-based Encryption (RMCE) error: Failed to format Container. Limitation: Work-around: |
SD-14698 | Crypto-erase functionality is NOT supported in the native UEFI pre-boot environment (PBU) for Windows 8/8.1/10. Limitation: Work-around: |
SD-14812 | Unable to de-register the Hardware Protection Manager (Lenovo) client devices from the SES console after upgrading SecureDoc server to v7.1. Limitation: Work-around: |
 | SecureDoc File Encryption (SFE) functionality does not support Windows 10 |
SD-15287 | Windows password sync is not happening immediately after upgrading SecureDoc client from 6.4 SR1 to 7.1. Limitation: Work-around: |
SD-15453 | Unable to detect network card on Windows 8.1 client devices when the SecureDoc package is installed with the PBU option. This issue has been reported on Windows 8.1 client devices with AMD CPUs. When a SecureDoc package is deployed to the client devices with the Native UEFI Pre-boot (PBU) option, a message "Configuring TCP/IP protocols. Please wait..." is displayed after the reboot of the device. This message never times out. Work-around: |
SD-15168 | The Distribution File System (DFS) share is not accessible while using the SecureDoc File Encryption (SFE) feature. Limitation: Work-around: |
SD-15589 | The import functionality of SecureDoc CloudSync cannot be used for the Box cloud provider service application. Limitation: Work-around: |
SD-15743 | SecureDoc password is NOT auto-synchronized when upgrading HPDE to SecureDoc with the Password Sync option enabled. Limitation: Work-around: |
SD-12809 | SDConnex and ADSync are not registered automatically after upgrading from an old version. Limitation: Work-around: |
SD-15639 | Hardware Encryption: The message “Boot logon is being installed, after which this device will automatically reboot. Do not manually reboot this device during this process” is displayed while installing the boot logon. After deploying an installation with hardware encryption, the system will automatically shut down (not reboot). There is an error in the message (reboot instead of shut down) which will be corrected in a future version. |
SD-15851 | Offline installation for non-provisioning packages is not supported. Limitation: Work-around: |
SD-15873 | Computers with Symantec Endpoint Protection (SEP) with a USB device connected crash while installing SecureDoc. Limitation: Work-around: |
SD-8604 | The Password Hint feature does NOT work with V5 or V4 boot logon for SecureDoc Enterprise client devices. Limitation: Work-around: N/A |
SD-12552 | Changes made to the columns in the SES Console are NOT saved. Limitation: Work-around: N/A |
SD-12966 | The devices that are in auto-boot mode are being taken out of auto-boot when a profile is modified and a new profile is added. Limitation: Work-around: |
SD-13069 | Windows users are not able to perform pre-boot logon and/or log into SDCC when system time is changed. Limitation: Work-around: |
SD-14674 | The Unlock feature on Android devices running Android Operating System 5.1 is NOT working properly. Limitation: Work-around: Perform the following steps: |
SD-14577 | The upgrade from SecureDoc StandAlone to SecureDoc client failed when only the boot logon is installed but the disk is NOT encrypted. Limitation: Work-around: |
SD-14957 | The File and Folder Encryption feature (in SecureDoc version 6.5 and earlier versions of SecureDoc) and the SecureDoc Folder Encryption feature (in 7.1) do NOT support Windows 10. Limitation: Work-around: |
SD-15662 | The Single Sign-On (SSO) feature does not work properly on Windows 8.1 64-bit UEFI machines with Software Encryption after the device resumes from hibernation when the fast-start option is turned on. Limitation: Work-around: |
SD-16015 | The Windows Desktop on the client devices is NOT displayed normally while upgrading them from SecureDoc version 6.5 SR3 to 7.1. Limitation: Work-around: N/A |
SD-15841 | Migration error after upgrading SES and SecureDoc client devices from 6.5 SR3 version to 7.1 with SecureDoc File Encryption (SFE) enabled. Limitation: Work-around: |
SD-16093 | Files encrypted with the SecureDoc version 6.4 File and Folder Encryption (FFE) feature cannot be decrypted using the new 7.1 SecureDoc File Encryption (SFE) feature. Limitation: Work-around: |
SD-16005 | When the SecureBoot option is enabled on HP G2 Models, Windows fails to load and the "Start PXE over IPv4" message is displayed after the boot logon. Limitation: Work-around: |
SD-16172 | When a SecureDoc package is deployed to a client device with Windows SmartCard users, the device gets stuck in the Provisioning state and cannot move to the Secured state. Limitation: Work-around: N/A |