SecureDoc v7.1 Release Notes

SES Version 6.5 SR2

Note: SecureDoc can NOT be upgraded from the SecureDoc 6.5 SR2 version. Currently, there are no upgrades available for SecureDoc 6.5 SR2 version.

SD Client version 6.5 SR2

Note: SecureDoc Client can NOT be upgraded from the SecureDoc 6.5 SR2 version. Currently, there are no upgrades available for SecureDoc Client 6.5 SR2 version.

SecureDoc Mac FileVault2

• 10.9.1
• 10.9.2
• 10.9.3
• 10.9.4

SecureDoc FileVault2 build from versions 6.5 SR1 to 6.5 SR3 with OS version 10.11.x (El Capitan)

Note: Mac OS 10.11. x (El Capitan) will be supported in the 7.1 SR1 release)

Now, SecureDoc supports PBLU (Linux-based pre-boot environment) authentication for both software and hardware encryption.

This option has several advantages including support for WPA -enterprise over Wireless / Wired connections, Touch/Pen inputs and all network protocols. Also, PBLU has the ability to use Linux-based third-party libraries and tools, which is crucial for Smart card support. SES Administrators may use this option with regular SecureDoc package for Windows. By selecting this option in Profiles--> Boot Configuration-->General in SES Console, the PBLU will be installed on the user's system and they will be able to authenticate / login.

For information on how to configure this option in SES, refer to the Enabling Linux-based on UEFI Devices section in the SecureDoc Quick Deployment Guide v7.1 .

SecureDoc smartcard users can now logon at pre-boot using their PIN or passphrase only (No need to enter User ID anymore)

This feature makes it easy for the SecurDoc smartcard users to logon at pre-boot using their PIN or passphrase only. They do not need to enter their user ID anymore.

For information on how to configure this option in SES, refer to the Enabling SmartCard and Password Authentication at Pre-boot (PIN Only login) section in the SeucreDoc Quick Deployment Guide v7 1 or in the SES user guide.

Pre-boot logon information can be collected in a USB drive

It is now possible to collect pre-boot logon information (pba.log) in a USB drive from the devices that use Pre-boot Linux (PBL) for authentication. The USB must have WmPba.ini file in the root folder. If not, the WmPba.ini file (empty) in the USB drive should be created.

OSA installer for Windows is available as a part of the OSA installation package

When creating OSA package files, the OSAInstaller application is created in the RemotePackage folder created by SES installation. This application (OSAInstaller) allows SES Administrators to deploy OSA package from within Windows environment.

For more information on how to install OSA packages using OSA installer, see the Install SecureDoc OSA from Windows OS using OSA Installer section in the SeucreDoc Quick Deployment Guide v7.1 or in the SES user guide.

SecureDoc users' keyfiles protection method (TPM, Token, Password, Fingerprint etc.) can be viewed in SES Console

This new feature enables the SES administrators to view how the users' keyfiles are protected (TPM, Token, Password, Fingerprint etc.). A new column "KeyFile Protection Type" has been added in User and Devices screen in SES Console that displays the keyfile status of the corresponding users/devices. The SES Administrators can also track the key file protection type change events in the Audit Log entry.

For more information, refer to the Viewing Users’ Keyfile Protection Method section in the SecureDoc Quick Deployment Guide v7.1 or in the SES user guide.

SecureDoc supports Intel Enterprise Digital Fence technology

Now, SecureDoc supports Intel Enterprise Digital Fence technology that puts a "digital fence" around the company or employee's home. This new functionality allows the SES administrators to unlock the Self-Encrypting Drives (SEDs) when Digital Fence option is enabled. This new option works with the devices that are equipped with the Intel Digital Fence technology. If Digital Fence functionality is not enabled, on a device, SecureDoc will not allow that to go into the sleep mode, but force it to hibernate and authenticate at pre-boot logon.

For information on how to configure this option in SES, refer to the Intel Enterprise Digital Fence section in the SecureDoc Quick Deployment Guide v7.1.

SecureDoc CloudSync (SDC) is available for Mac OS 10.10.x versions

Now, SecureDoc CloudSync (SDC) is available for Apple Mac devices to synchronize encrypted data to Cloud Service providers. Only cloud folders should be used with SDC. For information on how to install and configure SDC on Mac, refer to the SecureDoc CloudSync for Mac section in the SES Version 7.1 User Manual.

Note: Only Dropbox will be supported in this version, and the support for other cloud providers will be implemented in future release.

SecureDoc Pre-Boot with network and two-factor authentication support is now available on the slate devices, such as Microsoft Surface Pro 1, 2, and 3

Now, SecureDoc uses password protector instead of Recovery Pin to support Microsoft Surface Pro, 1, 2, and 3 devices that have Windows 8/8.1 and above Operating Systems (OS) installed. Users will be able to pass the boot logon with their SecureDoc login credentials (when using SDOT) or the device password (when using SecureDoc BitLocker Management).

Support for LANDesk

Moving forward from version 7.1, SecureDoc supports the LANDesk integration with SES database. The LANDesk administrators will now be able to sync data with the SES database so that they can use one console to perform their reporting.

Now, SES Administrators can use SafeNet’s Luna Hardware Security Module (HSM) to protect SecureDoc Key File

This version of SecureDoc provides a new capability: a Hardware Security Module (HSM) can be (optionally) used to protect the SecureDoc Key File used to provide Administrator Access to the SES Database through the Console. When HSM is used, the SES database protection key file is securely stored inside a tamper-resistant HSM device, instead of on the local disks.

For more information on how to use Hardware Security Module (HSM), see Using Hardware Security Module (HSM) section in the SecureDoc Quick Deployment Guide v7.1 or the SES user guide v7.1.

SecureDoc File Encryption (SFE), previously called "File and Folder Encryption"(FFE) now has two important new capabilities for managing Persistent Encryption, as well as SES/User-defined Application Access Lists

SecureDoc File and Folder Encryption (FFE) has been renamed as SecureDoc File Encryption (SFE) with an added ability to support persistent encryption.

When the Persistent Encryption functionality is activated, the files/folders that are in SFE folder(s) will remain encrypted even when they are moved to other destinations or media.

SES administrators also have an option to collect a list of applications that access the encrypted files. The SES administrators can further allow the end-point device users to interactively decide which applications are permitted to access files in decrypted form by putting an application in either the Gray List, or the White List using the Global Application Access Lists application.

For more information on SecureDoc File Encryption (SFE), see the SecureDoc File Encryption section in the SecureDoc Quick Deployment Guide v7.1 or the SES user guide v7.1.

SecureDoc Key File deployment has been re-designed

SecureDoc Key File deployment has been re-designed to make SecureDoc Full Disk Encryption process less disruptive, yet seamless and more robust by eliminating certain complexities and challenges that were associated with the key file deployment in the previous versions of SecureDoc.

For more information in how to set up Key File deployment options, see the Setting up Device Provisioning Rules section in the SecureDoc Quick Deployment Guide v7.1 or the SES user guide v7.1.

Pre-boot Logon Error (0x7842) on Windows 7 devices with two hard drives (SSD and OPAL)

This issue occurs on the Windows 7 OS devices that have two hard drives, i.e., SSD and OPAL. After deploying SecureDoc installation package and when a user attempts to perform pre-boot logon after the reboot, an error message, "ox7842" is displayed.

This issue has been resolved and users can now successfully authenticate at pre-boot log on without having any issues.

Delay in Network file browsing when File and Folder Encryption option is enabled

This issue occurred on the previous SecureDoc-protected client devices when FFE option is enabled. The users experienced very slow network browsing after the FFE driver is enabled on their devices.

Now, this issue has been resolved and the user would not experience any slowdown in browsing network files.

Remote crypto-erase and crypto-erase key sequence functionalities were not working properly on the OSA client devices This issue has been reported on the OSA client devices

The SES administrators were unable to use the crypto-erase functionality from SES console as this option was greyed out in the context menu. Also, the crypto-erase key sequence functionality on the OSA client devices was not working properly.

This issue has now been fixed and the SecureDoc user can execute the crypto-erase functionality from SES console and also perform crypto-erase key sequence from the client devices successfully.

Support for HID OMNIKEY USB smartcard reader

In previous versions of SecureDoc, there were some issues using the HID OMNIKEY 3121 smartcard readers on the Linux-based pre-boot devices.

These issues have been resolved and now most smart cards will be working correctly with HID OMNIKEY in SecureDoc. The SecureDoc users can now successfully log in at pre-boot and/or SDCC using these smartcard readers.

Conflict with Symantec workspace virtualization

A previously-encountered incompatibility existed between the SecureDoc filter driver and Symantec Workspace Virtualization software, causing an inability to load Windows (a "hang" condition) after successful user authentication at Pre-boot. This issue has been resolved.

SecureDoc-protected devices running Symantec Workspace Virtualization software will now boot successfully into Windows following successful Pre-boot Authentication.

Ability to capture recovery information and create emergency disk for the Mac FileVault2 enabled devices

In the previous versions of SecureDoc, an issue has been reported that while installing the SecureDoc on a FileVault2 enabled device, the recovery information (Recovery passphrase, LVGUUID, LVUUID, and PVUUID) was not being sent to the SecureDoc server . As a result of this, the SES administrators were not able to create an emergency disk.

This issue has been resolved by providing the Account Recovery Password. The SES administrators can use this Account Recovery Password displayed in the Edit Device Information -> Device FileVault Properties tab in the SES Console to create an emergency disk.

When the global password rules are changed and a key file is sent down from SES, the changed global password rules will overwrite the existing package password rules

When the SES administrators make changes to the global password rules, then the existing package(s) password rules will not change. However, when a key file is created and sent down from SES during online installations, the changed global password rules will be applied, not the old password rules of the existing package(s).

Maximum Failed Login feature is NOT working for the local key files

The issue occurred because the pre-boot login was not properly counting the number of failed logins for PBConnex. As a result of this, the user was never locked out after exceeding the failed login attempts threshold.

Now, this issue has been resolved and the user will be logged out after reaching the maximum number of failed login threshold.

Slow boot up on Lenovo X1 carbon devices (UEFI)

An issue has been reported about slow boot up on the SecureDoc-protected Lenovo Carbon X1 device.

Now, this issue has been resolved and the boot up time has been significantly improved.

SES Web users who have administrator privileges cannot be added in SES Console as Administrators

Limitation:
When an SES Administrator attempts to add a SES Web administrator group user an error message, "A user with this ID already has access to this database. Please choose a different user's key file" is displayed. This is because the user already has administrator privileges (because he/she is a member of an admin group). However, this user is not displayed in the SES console even though they exist.

Work-around:
First, delete the user from “dbo.Admins” in SQL and then immediately add this user from SES Console as an Administrator.

Note: If this user logs into SES Web after the deletion and before being added in SES Console, he/she will be re-added as SES Web administrator.

Lenovo Tablet 10 x64 Touch Screen does not work when Linux pre-boot for UEFI devices (PBLU) option is selected for boot loading

Limitation:
An issue that renders the Lenovo Tablet 10 pre-boot touchscreen nonfunctional has been reported when the Linux pre-boot for UEFI devices (PBLU) option is selected for boot loading in SES Console.

Work-around:
Use Native UEFI pre-boot environment for Lenovo tablets.

Windows 8 UEFI / Toshiba Tecra z40 (Self-encryption Drive) Client devices are unable to load Windows when PBLU boot loader option is selected in SES

Limitation:
When a SecureDoc installation package is created and deployed on to a Windows 8 UEFI and/or Toshiba Tecra z40 (Self-encryption Drive) client device with Pre-boot Linux based UFFI (PBLU) boot loader option enabled, the pre-boot logon screen is showing up repeatedly after login, instead of loading Windows. This issue may occur on other Toshiba devices as well.

Work-around:
N/A

Hidden files and folders in SecureDoc CloudSync encrypted folders cannot synchronize into alias (Linked) folder

Work-around:
N/A

FFE_DEVICE_KEY does not work for Mac SecureDoc CloudSync

Limitation:
The device key macros cannot be used from SES to send a SecureDoc CloudSync policy.

Note:  The device key macros will work for Windows devices, however, it is NOT recommended to use this macro for SecureDoc CloudSync policy.

Work-around:
N/A

If a file in the Alias folder is edited multiple times, a warning message, “The file has been changed by another application” is displayed

Limitation: This issue occurs in when a user opens a file in the Alias folder, edits, saves, (but does not close the file), and after a while, edits the file again, and then saves it. In such a scenario, a warning message, “The file has been changed by another application” is displayed.

Work-around: Save and close the file immediately after editing.

SD-13740

SD-73741

Conflicting copies of a file are created in the Cloud provider folder if two or more devices have the same SD Cloud policy and the same keys on Windows and Mac SecureDoc devices

Limitation:
When a SecureDoc CloudSync policy is deployed on to multiple devices with the same group key and when a file is uploaded to a Cloud provider folder (e.g. Dropbox) directly on the web, conflicting copies of this file are created in the cloud provider folder.

Work-around:
Do NOT add files to the cloud provider folders using their web browsers; instead, add files to the Alias/ Linked folder.

SecureDoc File Encryption (SFE) : If DllHost.exe is in the White List, users are able to view image files using Windows Phot Viewer

Limitation:
This issue occurs on SecureDoc File Encryption enabled devices. When dlhost.exe file is put in the White List, the users are able to view the image files in Windows Photo Viewer. This happens because the Windows Photo Viewer uses dllhost.exe for processing.

Work-around:
N/A

SecureDoc File Encryption (SFE): Google Drive and One Drive root folders (e.g. C:\Users\<user name>\Google Drive; C:\Users\<user name>\One Drive) cannot be encrypted

Limitation:
The root folders of the Google Drive and the One Drive cannot be encrypted.

Work-around:
For Google Drive, close the explorer before performing the encryption on the root folder
For One Drive, close both the explorer and the One Drive root folder before performing the encryption on the root folder.

The SESWeb does not launch on Window Server 2008 x32

Limitation:
This issue has been reported on Windows 2008 server 2008 x 32. Users are not able to launch SESWeb after installing SecureDoc. This issue occurs due to a binding issue to sites.

Work-around:

1. Run inetmgr from the Windows Start. The IIS Manager window appears.
2. Click to expand Sites from the left navigation menu.
3. Right-click SESWeb.
4. Click on the Edit Binding option. The Site Bindings window appears.
5. Click the ADD button. The Add Site Bindings window appears.
6. From the Type drop-down menu, select https.
7. Enter the port number in the Port field.
8. Select the SSL certificate from the SSL Certificate drop-down menu.
9. Click OK.

The Wireless option for Linux-based pre-boot for UEFI devices (PBLU) boot loader does not work on Lenovo Tablet 10

Limitation:
This issue occurs on Lenovo Tablets because this device is not supported by Linux Kernel.

Work-around:
N/A

PBConnex does not work on Surface Pro 3 devices

Limitation:
The Surface Pro 3 is failing to detect the network connectivity at pre-boot through a USB network adapter.

Work-around:
N/A

Users with administrator privileges are unable to see their administrator rights after performing Challenge-Response (C/R) or Self-Help on SecureDoc-protected client devices

Limitation:
This issue occurs on SecureDoc-protected Windows client devices. If a user with administrator rights performs Challenge-Response or Self-Help recovery, he/she is only able to log into the device with the user rights only (not the admin rights).

Work-around:
After performing Challenge - Response or Self-Help, log off and log in again into SecureDoc Control Center (SDCC) to gain full rights.

The touchpad for Microsoft Surface Pro 3 with Native UEFI Pre-boot (PBU) environment does not work properly

Limitation:
While performing a warm boot on Microsoft Surface Pro 3, the click functionality of the touchpad does not work properly at pre-boot; however, it works fine on cold boot.

Work-around:
Use the touchscreen at pre-boot instead.

If Dllhost.exe is in the Gray List, the "Send to Compressed (zipped) File" option in the Windows Explorer context menu will not work for SecureDoc File Encryption (SFE)

Limitation:
This issue occurs on the SecureDoc-protected end-point devices when the SecureDoc File Encryption (SFE) option is enabled. When a user is attempting to send a compressed a file and/or folder by right-clicking and selecting the Compressed (zipped) Folder option in the Windows context menu, the compression fails and an error message, The Compressed (zipped) Folder is invalid or corrupted, is displayed.

Work-around:
N/A

SecureDoc File Encryption (SFE): On Windows 8 and 10 Operating Systems (OS), the pre-existing files on the Google Drive will not be encrypted on the cloud

Limitation:
This issue occurs on the SecureDoc-protected devices that have Windows 8 and Windows 10 Operating Systems. When the Google Drive folder is added to the White List using SecureDoc Folder Encryption (SFE), the files that already existed in that folder will not be encrypted on the cloud. However, if these files are edited locally, then they get encrypted on the cloud.

Work-around:
N/A

SecureDoc client devices do not prompt users to change their initial passwords after deploying a package with a default user and the Change Initial password option enabled

Limitation:
This issue has been reported on the client devices that have SecureDoc version 6.5 and when SES is upgraded to 7.1 version. When a SecureDoc package is created and deployed with a default user ID and the change initial password option enabled, and when the change initial password prompt appears after the first reboot, the users cannot change the password from the default user.

Work-around:
Reboot the device to change the initial password.

The Default User ID key file that provides users with one time login to Boot Logon does not get removed when 6.5 and lower installation packages are installed against an SES 7.1 version

Limitation:
This issue occurs ONLY when older SecureDoc installation packages (version 6.5 and lower) are installed against a 7.1 SES environment. This issue only affects installation packages that are setup with a Default User ID account. Note that the Default User ID feature is used once to log into the boot logon and then when the next Windows user logs into the system, the user will receive their own key file.

In a scenario where the new SecureDoc version 7.1 is installed against the client devices with older installation packages, the default user ID key file is not deleted.

Work-around:
Use the new SecureDoc version 7.1 client package or manually remove the Default User ID from SecureDoc Control Center (SDCC).

Emergency Disk cannot be created on a device that has more than 50 users

Limitation:
If an SES administrator attempts to create an emergency disk on a machine with 50+ users an error message "7824 Incorrect data length" is displayed.

Work-around:
N/A

The convert from password to token/UPEK (FingerPrint Reader) functionality does not work if the Always include personal key in key files option is enabled in the Key Files tab in SES

Limitation:
When a SecureDoc installation package is created and deployed with the “Always include personal key in key files” option enabled, the client device does not prompt the user(s) to convert to UPEK (FingerPrint) and/or token protection.

Work-around:
Create and assign a personal key to the user(s) before deploying the package.

Removable Media Container-based Encryption (RMCE) error : Failed to format Container

Limitation:
This issue has been reported in VM environment only. It occurs when the container-based removable media encryption option is enabled in SecureDoc Control Center (SDCC). When a user attempts to encrypt a USB, sometimes an error message "Failed to format container" may be displayed.

Work-around:
Format the USB and try again

Crypto-erase functionality is NOT supported in native UEFI pre-boot environment (PBU) for Windows 8/8.1/10

Limitation:
The remote crypto-erase command does not work in PBU on Windows 8/8.1/10 devices.

Work-around:
Use Linux pre-boot for UEFI (PBLU) option.

Unable to de-register the Hardware Protection Manager (Lenovo) client devices from SES console after upgrading SecureDoc server to v7.1

Limitation:
This issue occurs when the SES administrators attempt to deregister the HPM client devices from SES console after upgrading the SecureDoc server to version 7.1.

Work-around:
Manually, de-register the HPM device. For information on how to force-deregister the HPM device, refer https://knowledgebase.winmagic.com/article.php?id=240

Windows password sync is not happening immediately after upgrading SecureDoc client from 6.4 SR1 to 7.1

Limitation:
This issue occurs after upgrading the SecureDoc client from 6.4 SR1 to 7.1 version, with the "Synchronize with matching Windows account" option enabled in the package settings. In such a scenario, the pop-up message, "The password has synchronized with Windows password" is not displayed and the users cannot log into Windows with their SecureDoc password.

Work-around:

1. Open SDCC and Log in with SecureDoc password.
2. Log out from SDCC.
3. Log in to SDCC using Windows password.

Unable to detect network card on Windows 8.1 client devices when SecureDoc package is installed with PBU option

This issue has been reported on the Windows 8.1 client devices with AMD CPU's. When a SecureDoc package is deployed to the client devices with Native UEFI Pre-boot (PBU) option, a message "Configuring TCP/IP protocols. Please wait...". is displayed after the reboot of the device. This message is never timed out.

Work-around:
Use the Linux pre-boot for UEFI devices (PBLU) option.

The Distribution File System (DFS) share is not accessible while using the SecureDoc File Encryption (SFE) feature

Limitation:
This issue occurs while using the SecureDoc File Encryption (SFE) feature on a device that is connecting to the DFS shares. In such a scenario, the users receive permission/network errors and are unable to copy, modify, create or save any files on that device.

Work-around:
Disable the offline file access feature for DFS shares.

The import functionality of SecureDoc CloudSync cannot be used for Box cloud provider service application

Limitation:
When the SecureDoc cloud policy is successfully applied to one of folders from Box cloud provider, the hidden configuration file (.SDCloud.spf) in the original Box folder is not synced to the cloud on the internet.

Work-around:
N/A

SecureDoc password is NOT auto-synchronized when upgrading HPDE to SecureDoc with the Password Sync option enabled

Limitation:
The SecureDoc password fails to synchronize with Windows password while upgrading the machines with HPDE to SecureDoc version 7.1. After the successful upgrade, when a user attempts to perform the pre-boot authentication using Windows login credentials; the SecureDoc Password Synchronization dialog box is displayed.

Work-around:

1. Click the Cancel button on the SecureDoc Password Synchronization dialog box.
2. Reboot the machine and perform the boot logon.
3. Log into Windows. The SecureDoc password will now be synchronized automatically with Windows password.

SDConnex and ADSync are not registered automatically after upgrading from old version

Limitation:
When upgrading SES from the earlier versions to 7.1, the configuration settings of SDConnex and ADSync are not applied automatically.

Work-around:
Register and set up the configuration settings for SD services again.

Hardware Encryption: The message “Boot logon is being installed, after which this device will automatically reboot. Do not manually reboot this device during this process” is displayed while installing the boot logon

After deploying an installation with hardware encryption, the system will automatically shut down (not reboot). There is an error in the message (reboot instead of shut down) which will be corrected in future version.

Offline installation for non-provisioning packages is not supported

Limitation:
When a SecureDoc installation package is created and deployed with the "No Provisioning" and "In case of communication error, continue installation offline" options checked in the SES console, an error message, “Error 0x782e Please contact Technical Support” is displayed.

Work-around:
N/A

Computers with Symantec Endpoint Protection (SEP) with USB device connected crash while installing SecureDoc

Limitation:
This issue occurs when installing SecureDoc on the machines that have Symantec End Protection installed and USB device(s) connected to them.

Work-around:
Remove all USB before installing SecureDoc.

The Password Hint feature does NOT work with V5 or V4 boot logon for SecureDoc Enterprise client devices

Limitation:
The Password Hint feature does not work for SecureDoc Enterprise client devices with V4 or V5 boot logon options.

Work-around: N/A

Changes made to the columns in the SES Console are NOT saved

Limitation:
This issues has been reported on the devices that have SecureDoc v6.5 and v6.5SR1 installed. When the columns are re-arranged and/or removed under the devices tab in the SES Console, these changes are not saved when the SES Console is closed or re-opened.

Work-around: N/A

The devices that are in auto-boot mode are being taken out of auto-boot when a profile is modified and a new profile is added

Limitation:
When the devices are in permanent auto-boot mode with V4 boot loader and the profile is modified and a new profile is sent to the client devices, the auto-boot feature is not working on those devices anymore. Instead of auto-booting, the devices reboot after the profile update. Some devices may get stuck at the pre-boot authentication as well.

Work-around:
Send another profile to these devices in order to activate the auto-boot.

Windows users are not able to perform pre-boot logon and/or log into SDCC when system time is changed

Limitation:
This issue occurs on Windows 8.1 OS devices with native UEFI pre-boot (PBU) environment. An error message, "system time incorrect. Not authorized to login" is displayed in a scenario Where a Windows/ System administrator changes the system time from BIOS to a future date, and when a non-administrative user attempts to change the system time back to the current date from the Operating System (OS). The user is not able to perform a pre-boot logon, or unable to log into SDCC after performing Challenge- Response.

Work-around:
To resolve this issue, the Windows / System administrator should log in and log off at the pre-boot first and then the non-administrative users will be able to authenticate at pre-boot without any issue.

The Unlock feature on Android devices running Android Operating System 5.1 is NOT working properly

Limitation:
This issue has been reported on the Android devices that are running the operating system 5.1.

Work-around:

Perform the following steps:

1. After sending the unlock command from SES to the Android device, press the Power button
2. Swipe the screen on the Android device to unlock the device. A blank screen may appear. Do any one of the following:
   • Press the power button off and swipe the blank screen to unlock the device. (OR)
   • Press the "go back" button (the triangle icon) located at the bottom left corner and swipe the screen to unlock the device.

The upgrade from SecureDoc StandAlone to SecureDoc client failed when only the boot logon is installed but the disk is NOT encrypted

Limitation:
This issue occurs when a SecureDoc StandAlone Windows client device (with only the boot logon installed and the disk is not encrypted) is being brought into SES management. In such a scenario, the client device fails to establish communication with the SecureDoc server.

Work-around:
Install the boot log on and make sure the device is encrypted prior to deploying the installation package created from SES.

File and Folder Encryption feature (in SecureDoc version 6.5 and earlier versions of SecureDoc) and SecureDoc Folder Encryption feature (in 7.1) does NOT support Windows 10

Limitation:
The Windows 10 installation on the SecureDoc-protected Windows 8 machines fails if File and Folder Encryption (FFE) or SecureDoc File Encryption (SFE) feature is enabled.

Work-around:
Disable SFE feature before upgrading to Windows 10.

Single Sign-On (sso) feature does not work properly On Windows 8.1 64-bit UEFI machines with Software Encryption after the device resumes from hibernation when fast-start option is turned on

Limitation:
This issue has been reported on Windows 8.1 64-bit UEFI HP HP750G1 devices. This issue occurs only when the fast startup option is enabled. When a SecureDoc installation package is created with a SSO option enabled and deployed this package to a client device with fast-start option turned on. In such a scenario, the primary user is able to perform single sign on into Windows, however, when another user is added to this machine and when that machine goes into hibernation, he/she is not ble to perform SSO into Windows after the machine resumes from hibernation.

Work-around:
Disable the fast-start option

The Windows Desktop on the client devices is NOT displayed normally while upgrading them from SecureDoc version 6.5 SR3 to 7.1

Limitation:
This issue occurs while upgrading the SecureDoc Windows client devices from version 6.5 SR3 to 7.1 with the Remote Media ONLY (RMO) option enabled. In such a scenario, Windows explorer is not available, and the desktop is blanked out with the countdown time. After the countdown time is complete, the client device will reboot and upgrade successfully.
It is recommended that users save their work and close all open programs prior to upgrade.

Work-around: N/A

Migration error after upgrading SES and SecureDoc client devices from 6.5 SR3 version to 7.1 with SecureDoc File Encryption (SFE) enabled

Limitation:
An error "SDD-CheckTorunCC" is shown after migrating the SecureDoc client devices with the SecureDoc File Encryption (SFE) option enabled from SecureDoc version 6.5 SR3 to 7.1

Work-around:
Disable SFE option on the client devices before upgrading to SES version 7.1

Files encrypted with SecureDoc version 6.4 File and Folder Encryption (FFE) feature cannot be decrypted using the new 7.1 SecureDoc File Encryption (SFE) feature

Limitation:
This issue occurs after upgrading the SecureDoc client devices from the version 6.4 to 7.1 with the SecureDoc File Encryption (SFE) option enabled. In such a scenario, the previously encrypted files cannot be decrypted using the new 7.1 SecureDoc File Encryption option.

Work-around:
Decrypt all the encrypted files before upgrading to 7.1.

When the SecureBoot option is enabled on HP G2 Models, Windows fails to load and the "Start PXE over IPv4" message is displayed after the boot logon

Limitation:
This issue has been reported on all the HP G2 Model computers (e.g. HP Elite Book 850 G2, HP Probook 450 G2, etc.). This issue happens when a SecureDoc package is deployed to these client devices with SecureBoot option enabled. In such a scenario, after installing the boot logon, the device fails to load the Windows Account screen and a message "Start PXE over IPv4" is displayed. This issue occurs on both software and hardware encryption.

Work-around:
Disable the SecureBoot option in the BIOS.

When SecureDoc package is deployed to a client device with Windows SmartCard users, the device gets stuck in the Provisioning state and cannot move to Secured state

Limitation:
This issue occurs with the Windows users that have Smartcard authentication. When a SecureDoc package is created and deployed to a Windows client device, and when a user with Smartcard performs authentication, this Windows user ID does not match with the user ID in SecureDoc submit form. In such a scenario, the device gets stuck in the Provisioning state and cannot achieve Secure Moment.

Work-around: N/A