SecureDoc V7.1 SR5 Release Notes

Alles anzeigen

Product/Feature Deprecation Pre-Notice

Please note that WinMagic is deprecating SecureDoc V4 PreBoot Authentication (PBA) support for SEDs in favor of the fuller function, more capable, V5 PreBoot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.


Important Note

WinMagic has done extensive work to improve, streamline and augment the security surrounding the initial deployment of Key Files during the process of installing the SecureDoc Client software, bearing in mind that many customers have widely divergent requirements relating to how devices are used during and after initial installation. Some customers install SecureDoc while the primary device user is on or will be on the machine, while others may need to protect new devices before the end-users of those devices have been defined, as well as other scenarioss.

Please refer to the When SecureDoc server is upgraded to version 7.1 SR4 from previous versions (6.5 or earlier) and the Device Provisioning Rules sections under the Creating Installation Packages for Windows chapter in the SES User Manual to understand how these new settings work, in order to inform your own use of these new features, particularly as they operate in a way that cannot be easily migrated from the previous methodology to the new methodology. Upon upgrading from an earlier version, you will need to adjust each of your existing Installation Packages to reflect the deployment methodology that will meet your security design.


System Requirements

System requirements and supported devices, including tokens and SmartCards, for SecureDoc v7.1 SR5 are listed here.

Note: It is strongly recommended to initially install Full-Text Indexing feature (Full-Text Search) into the Database Engine, before performing an SES installation. More information can be found here:

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of the Full-Text Indexing. This message will not allow the user to stop the installation of SES which will require retrofitting Full-Text Indexing into an existing SQL Server.

Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.


New Features/Improvements

Note: SDOT for FileVault2 is now available for BETA. SecureDoc PreBoot is now supported on FileVault2 devices to support PreBoot network authentication as well as smartcard authentication. For more information, please see the SDOT FV2 beta guide found in this link


Simplifying the upgrade process of SecureDoc with Win 10 RS1 build 14352 and newer

New features in that were included in Windows 10 RS1 builds, starting with build 14347+ have improved things so that customers no longer need to run a manual script provided by encryption product developers to be able to inject encryption drivers in WinRE of the mounted image.

A new command line parameter in Setup has been added that specifies the folder location of any additional drivers that need to be pre-configured. This new flag is called “/ReflectDrivers”, and this parameter will need to be passed when setup.exe is being launched.


A new token type was added in SecureDoc Control Center (SDCC) for Gemalto MD830/840 smart cards

WinMagic has added the Gemalto IDPrime Smartcard as a new supported token type, SecureDoc is now compatible with the following Smart Card readers:

 Lenovo Systems (Alcor Built-in Card Readers)
 OmniKey 3121 USB Card Readers
 DataKey 730 USB Card Readers
 Panasonic CF-C2 Toughbook Card Readers


SecureDoc Client now has support for policy-driven encryption on BitLocker devices

We now support Policy-based encryption for both SecureDoc Software-based Encryption and now BitLocker-encrypted drives.


The SecureDoc client installation now seamlessly halts when ATA security is enabled on OPAL/SED systems

The SecureDoc Client software installation process now checks and gracefully stops the installation at an early stage if it detects that ATA Security has been enabled on OPAL/SED systems.

In earlier versions of the product it would only detect existing ATA Security after attempting to install the SecureDoc pre-boot, which would leave the computer in a state where SecureDoc is not fully installed.

Resolved Issues


The profile status under the Modified Profile column in the Devices tab can incorrectly show as “Out of date”

Issue: After installing SES and deploying the remote packages to client machines and encrypting them, when policy calculations for the policy engine are performed in the background and those profile changes are propagated to client machines, occasionally the Modified Profile column for SES console in the device tab may report that the device’s version of the profile is out of date (not congruent with the profile version on the server).

This issue has been resolved.


SecureDoc Interfering with LAN on HP ProBook 450 G3

Issue: After installing SecureDoc, its PBL (Pre-Boot Linux) and PBLU Pre-Boot Linux for UEFI) environments could interfere with the wired LAN connection in Windows, with the result that wired LAN connections under Windows could remain as Unidentified and would not receive an IP Address.

This issue has been resolved by updating the Realtek driver used by PBL and PBLU. LAN/WLAN switching works correctly.


Slow Performance on the SES Windows console under SES version 7.1SR4

Issue: Extreme lag-times could be encountered while trying to perform administrative task within the SES console. The console can then become unresponsive, showing a “not responding” status in the title bar.

This issue has been resolved.


Single Sign on fails when using UPN as the User ID to login offline at PreBoot

Issue: The environment allows for the end users to login at PBConnex using either and/or both User Principle Name (UPN) or Security Account Manger (SAM) accounts into the device successfully with password sync under Single Sign-On (SSO). At preboot the end user can sign in, but would not be able to complete access to Windows using Single Sign-on if SSO access had been defined.

This issue has now been resolved.


SecureDoc version 7.1SR4 does not boot to Windows desktop after encryption Lenovo M900 Tiny

Issue: After encrypting the platform with SecureDoc version 7.1SR4 (build 94), the machine is unable to boot to Windows desktop after authenticating at Pre-Boot for UEFI (PBU) or Pre-Boot Linux for UEFI (PBLU).

This issue has been resolved. After authenticating at PBU/PBLU you’ll successfully boot to the Windows Desktop.


Server is not booting after partition encryption process (Full Disk Encryption is not affected).

Issue: Once the package is installed and the device encrypted, when authenticating to Pre-Boot the error “Please contact WinMagic Technical Support” pops up and the user is unable to login.

This issue has been resolved. After the device has been encrypted and then has been rebooted, users will be able to successfully login and have full access to OS and all drives.


SecureDoc clients running SecureDoc 6.5 were having problems with on-screen keyboard support for Helix 2 devices, when using Pre-Boot Linux for UEFI (PBLU)

Issue: Helix 2 devices running the Version 6.5 SecureDoc Client software had problems with the on-screen keyboard, affecting their ability to authenticate at pre-boot.

This issue has been resolved. Such devices should be upgrade to this version.


Devices running the SecureDoc client version are unable to authenticate past PBL/PBA if authenticating with Ikey 2032 tokens that are configured to use the key file on token definition.

Issue: If the device is configured to use the V5 boot logon with V4 as an alternate and if using “key file on token” authentication mode with Ikey 2032 tokens and when there is a local key file in the SecureDoc Space… then when the user tries authenticating, the key file from the SecureDoc Space is improperly enumerated, and corrupts the key file from the token. This issue prevented the user from being able to authenticate correctly.

This issue is now resolved. Users will again be able to authenticate with Ikey 2032 tokens that use the “key file on token” authentication mode.


User is unable to authenticate against Windows Active Directory (AD) after Microsoft patch MS16-101

Issue: After updating Microsoft patch MS16-101 on Windows Server containing SES Server, if the administrator then created a new user account in AD with the flag “Password must be changed at next login” an error would occur at SecureDoc’s PBConnex network-brokered Pre-Boot that indicated that the user cannot authenticate against Windows AD.

This issue has been resolved. Users are now able to authenticate at preboot with PBConnex enabled.


SecureDoc’s File Encryption (SFE) functionality had an issue: It was unable to encrypt network shares on servers where the server name either began with a number, or where the server was identified by an IP address rather than a DNS name.

Issue: When configuring an FFE policy, if the Server where the share exists to be encrypted either: a) had a share name having that started with a number (e.g. 1ShareServer\ShareName) or b) the server was defined using its IP address (e.g.\ShareName), then the data sent to the share from a given device would not be encrypted once the profile/policy had been applied to that device.

This issue has been resolved.


Initial User is not registered when the Hosting Solution function is enabled

Issue: When setting “Hosting Solutions” parameter in version 7.1 SR4, the SecureDoc clients were not registering their initial users, so Pre-Boot Authentication was not working as a result. The windows logon screen would appear, without having required SecureDoc Pre-Boot authentication before getting to Windows.

This issue has been resolved. After encrypting the client’s storage, the initial user is successfully registered and PBA requires users to authenticate at PreBoot.


Users were not being prompted to set a new password after SES had sent a new/updated Key File that had the “Change Initial Password” setting defined.

Issue: After enabling “Change Initial Password”, users were able to logon at pre-boot and then to login to Windows, but did not receive a prompt requiring them to create a new password.

This issue has been resolved.


Version 7.1 SR4 SES Management Console fails to open when the system has “FIPS compliant algorithms for encryption, hashing, and signing” enabled

Issue: Upgrading to version 7.1 SR4 from a prior version of SES on which the “FIPS compliant algorithms for encryption, hashing, and signing” option was enabled would be unsuccessful. After the failed upgrade, the SES Management Console could not be opened.

This issue has been resolved.


The SecureDoc Client software was not being successfully installed on DELL 5270 devices

Issue: The Preboot GUI would not appear as it should after installing the SecureDoc Client software on DELL 5270 model devices.

This issue has been resolved.


SES and SecureDoc v7.1 SR4 HF3 and newer versions now support having FIPS Mode functionality enabled as policy on Windows Server and client operating systems. The specific option is entitled “FIPS compliant algorithms for encryption, hashing and signing”.


Disk access control is not resetting to its default settings (no restrictions) when Profiles were being sent to endpoint devices

Issue: If a given device that had restrictive Disk Access Control settings (anything other than “No restrictions”) was subsequently sent an updated profile that returned the Disk Access Control setting to “No restrictions” (the default), the change would not be applied and the device would continue to have the more restrictive setting, so the “no restriction” settings were not being applied.

This issue has been resolved. Client devices will now have no Disk Access Control restrictions after a “no restrictions” profile had been applied.


OneDrive for Business folders template not supported in Windows

Issue: SecureDoc CloudSync is unable to detect the correct folder variable name for a OneDrive for Business folder.

This issue has been resolved.


The RME Audit Log was not created after copying/modifying/deleting folders

Issue: After successfully deploying package on partition that is encrypted, any form of editing, creating, modifying, deleting, copying of files or folders should be logged.

This issue has been resolved. In this version the log files were correctly written to the RME log after these forms of changes had been made on RMEprotected devices.


German Keyboard Layout Problems

Issue: At PBL a few keys were not working, such as the backslash with AltGR key did not respond.

This issue has been resolved.




Upgrading to version 7.1 (SR1 or SR2) from (version 6.4 or 6.5) ignores previous SDConnex Data Cache settings

Limitation: This issue applied if customers had disabled the Data Cache Layer in their current (version 6.4 or 6.5) SDConnex installation, and then upgraded to SES V7.1 SR1 or SR2. In this situation, the Data Cache Layer option is being reset to its default settings instead of continuing to be disabled as it had been in the earlier version.

Work-around: Manually disable Data Cache Layer in your SDConnex installation immediately after upgrading from V6.4 or V6.5 to V7.1 SR1 or SR2


SecureDoc Pre-Boot for FileVault2 (aka SecureDoc On Top of FileVault 2 or SDOT FV2) Pre-Boot Networking (PBN) does not work with “Server’s network name”

Limitation: Unable to login PBN user at boot logon for SDOT FV2.

Work-around: Until this has been corrected, please define your SDConnex server(s) by IP address rather than by DNS name.


Boot Logon Device info overwritten, cannot register devices due to object length too long

Limitation: When installing the client, error 0x8031 “Object Length Too Long” pops up, and the SDConnex logs there are multiple errors occurring.

Work-around: Please follow these steps.

1. Upgrade client to V7.1SR5
2. Delete the device from the SES Devices tab.
3. Force the client device to Communicate with SES to re-register itself as a legitimate device. a. Please note an error will pop up at the client, and the device user will need to force the device to communicate one more time (step 4)
4. Force the client device to communicate with SES to re-register a second time


SecureDoc Pre-Boot for FileVault2 (SDOT FV2) encryption does not fully complete on devices that have more than 3 partitions

Limitation: Encryption is unsuccessful with devices that have 3 or more partitions, errors occur.

Work-around: N/A. This will be fixed in the next release.


SecureDoc File Encryption (SFE) Status is displayed as “Not Activated” for SFE-enabled clients

Limitation: After installation, the status shows as “Not Activated”.

Work-around: N/A.


Recovery Key ID on the device is different from the Key ID on SES console

Limitation: It can occur that the BitLocker protector (used for recovering access to a BitLocker protected device) that appears on a Windows 7 device will differ from the one stored inside the SES database for that device.

Work-around: By design, Windows 7 prompts for the protector that is first on its list of configured protectors, but all its protectors can be used.


SecureDoc Pre-Boot for FileVault2 (SDOT FV2) does not support Removable Media Container Encryption (RMCE) when a USB memory stick is formatted with “Mac OS Extended (Journaled)” filesystem with specific free space percentage

Limitation: Container created with media formatted by Mac OS Extended (Journaled or not Journaled) can’t be used in Windows environment, but in MacOS only.

Work-around: N/A. WinMagic recommends that USB memory sticks be formatted using FAT32 (if 4GB in size or less) or xFAT if >4GB in size.


Activate Autoboot automatically logs on to Windows desktop

Limitation: After successfully deploying and installing the package, client devices will bypass SecureDoc’s Pre-Boot Authentication (Boot Logon) and will launch into the Windows Desktop without requiring the user to enter a Windows password.

Work-around: N/A. .


Bitlocker recovery screen appears after installations of RMO package on Windows 7 X64

Limitation: If a device is encrypted with Bitlocker and there is subsequently installed a RMO (Removable Media Only) SecureDoc Installation Package on it, the Bitlocker recovery screen appears after installation.

1) On a Bitlocker enabled Win7 machine, if a new partition is created on the boot disk, it has to be authorized with the BitLocker recovery key on the next reboot. However, it does not require any such authentication on Win10 machine (it probably takes the new config on its own).
2) After the new partition is authorized using the Recovery Key (in Windows7) and the device boots to Windows, the new boot config can be fed to BitLocker just by using the "Suspend" and "Resume" functionality in the SecureDoc Control Center’s BitLocker configuration panel; this needs to be done just once. No recovery key will be requested thereafter (it is a one-time process).

The same workaround can be used after installing SecureDoc:
1) Feed the recovery pin ONCE after Secure Doc installation has completed (when requested).
2) Suspend & Resume BitLocker once after booting to Windows.

 Alles anzeigen Release Notes