SecureDoc v6.5 SR3 Release Notes


Product/Feature Deprecation Pre-Notice

Please note that WinMagic is deprecating SecureDoc V4 Pre-Boot Authentication (PBA) support for SEDs in favor of the fuller function, more capable, V5 Pre-Boot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.

This version of SecureDoc can NOT be upgraded from the SecureDoc 6.5 SR2 version. Currently, there are no upgrades available for SecureDoc 6.5 SR2 version.


System Requirements

System requirements and supported devices, including tokens and SmartCards, for SecureDoc v6.5 SR3 are listed here.

Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of Full-Text Indexing. The message does not let the user stop the SES installation, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.

Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.


 

Improvements and Resolved Issues

Reference Description
SD-12559

Ability to customize the font color for text fields in boot logon screens:

Improvement: Now, the SES administrators can customize the font color for text fields (e.g. UserID, Password) in all the boot logon screens. This feature is particularly useful in a scenario where black is selected for the background image at pre-boot and white for the font color. In such a scenario, the text in the text field is not visible. This new option helps resolve such issues.

SD-12842

SecureDoc is now capable of activating FileVault2 automatically on Apple devices that are configured with corestorage and non-revertible corestorage

Improvement: Now, SecureDoc has the capability to enable the FileVault2 automatically. The users do not have to manually enable FileVault on their new Apple devices that are configured with the Core storage volume any more.

SD-13019

Now, the SecureDoc users can bind their Pre-boot credentials to an alternate domain and/or local account

Improvement: This option is particularly useful for Single-Sign-On users in a scenario when SecureDoc Credential Provider fails to validate their user credentials at Pre-boot. The users can now select a different domain from the Domain drop-down menu. The selected domain will be bound to the user's pre-boot credentials. When the user logs into that machine, the selected domain will be displayed in the SecureDoc Credential Provider window. If the user desires to rebind, he/she can do so by deleting the "ENC" file located in the User Data (C:\Program Files\WinMagic\SecureDoc-NT\UserData) after which he/she will be prompted again to bind to a new user/domain on next logon.

SD-13384

A new option that allows SES administrators to enable/disable writing Remote Media Encryption Logs to the database or Windows Event Log or to both

Improvement: In previous versions of SecureDoc, the RME logs could either be written to both the database and the Windows Event Log or to none. Now, the SES administrators can configure any of the following options by inserting the "IDNLW_RME_DISABLED" string into the "dbo.settings" table in the SES database and entering the desired value in the ValNum column:

Option                                                      Value
Write to both the database and the Windows Event Log        0
Writes neither to database nor to the Windows Event Log     1
Write to the database ONLY                                  2
Write to the Windows Event Log ONLY                         3

Note: By default the ValNum field is empty, which means that the RME logs are written to both the database and the Windows Event Log.

SD-13471 /

SD-13473

Now, SecureDoc supports Lenovo ThinkPad OneLink Pro Dock and Lenovo USB3.0 Ethernet Adapter

Improvement: Now, SecureDoc extends support for the Lenovo ThinkPad OneLink Pro Dock and for Lenovo USB3.0 Ethernet Adapter hardware for Linux-based pre-boot (PBL) devices.

The SecureDoc-protected machines with Linux-based pre-boot can now be connected to this device.

SD-11411

Smartcard users with user names longer than 20 characters are unable to perform boot logon

This issue occurs when smart card users whose user names/user IDs are longer than twenty characters attempt to perform boot logon; an error "No private key in token" is displayed.

This issue has been fixed and now the smartcard users with long user names can successfully log on at pre-boot.

SD-11412

SES Administrators are not able to perform Challenge/Response on expired user accounts

In previous versions of SecureDoc, the SES administrators were not able to perform a Challenge - Response on a temporary password that has expired.

This issue has now been resolved and SES administrators can now perform a Challenge-Response on the expired user accounts.

SD-11413

Token-protected users cannot log on at pre-boot on UEFI devices using their temporary password after the device reboot

This issue affects the smartcard-protected accounts on Windows client devices. When a Challenge-Response is performed on token-protected accounts on UEFI devices, users were able to log on at pre-boot using the temporary password the first time. However, when the device reboots/restarts, they were unable to log on with the same password.

This issue has now been resolved and the smart card users can successfully log into the pre-boot using their temporary credentials even after the device reboot.

SD-11646

Display of two confusing messages while a user with temporary password performing a Challenge-Response for a second time at Pre-boot on UEFI devices

This issue has been reported in Windows 8 DATAEV environment. If a user forgets his/her temporary password and attempts to perform a Challenge-Response for a second time at pre-boot on a UEFI (PBU) client device, two separate dialog boxes with the messages "The password must be changed whenever password recovery is performed" and "Disk encryption password will expire in x day(s) ..." are displayed simultaneously, causing some confusion.

This issue has been resolved and now these messages will appear in a proper sequence.

SD-12010

The encrypted CDs from SecureDoc v5.3 SR2 cannot be accessed from SecureDoc v6.4 SR1 devices

An issue was reported where SecureDoc V 6.4 SR1 client devices were not able to read CD ROM disks that were encrypted by using SecureDoc V 5.3 SR1.

This issue has been fixed and the encrypted CDs from SecureDoc v5.3 SR2 can be accessed from SecureDoc V6.4 SR1 devices.

SD-12129

SecureDoc token-protected users cannot log into SecureDoc Control Center (SDCC) with their temporary password after performing Challenge-Response on SecureDoc Control Center

This issue occurs on the Windows client devices. After performing a token recovery through Challenge-Response (CR) on SDCC, the users are unable to log into SecureDoc Control Center (SDCC) using their temporary login credentials.

Now, this issue has been resolved and the users can successfully log into the SDCC with the temporary password.

SD-12237

SDConnex consuming very high CPU usage

A new setting to SDConnex service has been added to resolve this issue. This setting will allow the SES administrators to disable logging to application log and saving to a database for Remote Media Encryption (RME) logs.

To add this setting:

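  1. Run INSERT [dbo].[Settings] ([Name], [ValNum]) VALUES (N'IDNLW_RME_DISABLED', <value>) in the SES database from SQL Manager, where <value> is the ValNum setting from the table under SD-13384 (1 writes to neither the database nor the Windows Event Log)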
  2. Restart the SDConnex service
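
An idempotent way to apply the IDNLW_RME_DISABLED setting described under SD-13384 and in the steps above, as an added example that is not part of WinMagic's release notes. It assumes that [ValNum] is a numeric column, that [Name] and [ValNum] are the only columns the INSERT needs (as in the statement above), and that the script runs in the SES database; @mode and RmeLogDestination are names chosen for the example.

```sql
-- Added example (T-SQL), run against the SES database; not WinMagic's own script.
-- Mode values are the ValNum values from the table under SD-13384:
--   0 = database and Windows Event Log   1 = neither
--   2 = database only                    3 = Windows Event Log only
DECLARE @mode int = 2;  -- constructed sample choice: keep RME logs in the database only

-- Reject anything outside the documented range before touching the table.
IF @mode NOT IN (0, 1, 2, 3)
BEGIN
    RAISERROR(N'IDNLW_RME_DISABLED accepts only 0, 1, 2 or 3.', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

-- Update the row if it already exists, so re-running never creates duplicates.
UPDATE [dbo].[Settings] WITH (UPDLOCK, HOLDLOCK)
   SET [ValNum] = @mode
 WHERE [Name] = N'IDNLW_RME_DISABLED';

-- Otherwise insert it, using only the two columns the release note names.
IF @@ROWCOUNT = 0
    INSERT [dbo].[Settings] ([Name], [ValNum])
    VALUES (N'IDNLW_RME_DISABLED', @mode);

COMMIT TRANSACTION;

-- Read the setting back and spell out where RME logs now go.
-- An empty ValNum is the default and behaves like 0.
SELECT [Name],
       [ValNum],
       CASE ISNULL([ValNum], 0)
            WHEN 0 THEN N'database and Windows Event Log'
            WHEN 1 THEN N'neither: no RME log is written'
            WHEN 2 THEN N'database only'
            WHEN 3 THEN N'Windows Event Log only'
            ELSE N'value not listed in the release notes'
       END AS [RmeLogDestination]
  FROM [dbo].[Settings]
 WHERE [Name] = N'IDNLW_RME_DISABLED';
```

The final SELECT on its own is a quick audit of whether RME activity is still being recorded anywhere; the SDConnex service must still be restarted for a change to take effect.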

SD-12302

Computers freeze randomly after deploying SecureDoc

This issue has been reported on SecureDoc protected devices. The computers may freeze randomly after deploying SecureDoc to the client devices. This issue occurred due to some problems in handling paging I/O in SDISK2K.sys driver.

This issue has now been fixed by updating the driver and now the users will no longer have this freezing issue.

SD-12318

Vulnerability scanner detecting “e2.bin” file as vulnerable

In the previous versions of SES, the Pre-boot Linux used the old Linux kernel that contains "glibc" library in the root file system. This was detected as a vulnerable file when running anti-virus scan.

This issue has been fixed in the current version by updating the Linux kernel to the latest version.

SD-12322

Polish (programmers) keyboard layout can now be configured in SES Profiles

In previous versions of SES, the keyboard layout option had to be manually set to Polish on each device.

This issue has now been resolved by allowing the SES administrators to configure this option in SES Profiles (Boot Configuration Settings -> Keyboard Layout).

SD-12397

With the "Hide pre-boot until user's credentials are synchronized" option enabled in SES Profiles, Windows users cannot log into Windows with their Windows login credentials after the Boot Logon installation

This issue has been reported in SES 6.5 and 6.5 SR1 versions. In a scenario where a package is created and deployed onto the client device with the "Hide pre-boot until user's credentials are synchronized" option in SES Console enabled, Windows users were unable to log into Windows with their Windows credentials after the Boot Logon installation.

This issue has been resolved and SecureDoc users can successfully log into Windows using their Windows login credentials.

SD-12450

Device certificates (802.1x) are not updated upon renewal

In the previous versions of SES, the device certificate could not be updated upon renewal on SD client devices that are configured to authenticate for 802.1x with EAP-TLS (device-based authentication).

This issue has been resolved and now the device certificates get updated upon renewal.

SD-12508

Adding a key to ‘All User Group’ is not updating the keyfile for all the users in that group

An issue was reported where adding a key file to All User Group in SES console was failing to update key file for the users belonging to that group.

This issue has been fixed and now adding the key to All User Group updates the keyfile for all the users in that group.

Note: Make sure the "Automatically update keyfile on device when group keys modified" option is enabled in the global options in SES console.

SD-12563

Adding Boot keyfile for a Windows user is creating all encryption keys available to the user rather than just the disk encryption key

This issue occurs in a scenario where the "create boot key for Windows users" and "Windows KeyFile" options are enabled in SES Console. The boot keyfile is being created with all encryption keys available to the user rather than just the disk encryption key.

This issue has now been resolved and now only the boot keyfile for the user is created.

SD-12643

Delay in initialization of USB drives

An issue has been reported regarding a delay in the initialization of USB flash drives on both 2.0 and 3.0 ports on SecureDoc v6.5 protected machines. It takes longer than usual to detect the USB flash drives.

This issue has been resolved and USB drives will now be recognized without much delay.

SD-12481

Group keys are not distributed successfully to the end-user keyfiles on their local machines

An issue has been reported where, when group keys are created and the option "When key file is created for the device, automatically send it to device" is enabled in SES console (Global Options -> Keyfile Options), these group keys are not delivered to the end users' keyfiles on their local machines.

This issue has now been resolved and the group keys will be successfully distributed to the end users.

SD-12817

Hardware Password Manager (HPM) registration error

When a SecureDoc client installation package is deployed with “Hardware Password Manager” setting on the client devices and when a user attempts to enroll the HPM, an error message "Hardware Password Manager experienced an internal error. Please retry your request" is displayed.

This issue has been fixed and now the SecureDoc users will be able to enroll Hardware Password Manager using their login credentials.

SD-12908

Self-help links are not shown when the “Forgot Password” button is clicked on pre-boot Linux based devices (PBL)

This issue occurs on Pre-boot Linux based devices (PBL). In previous SES versions, when the "Forgot Password" button is clicked on the pre-boot logon screen, the Self-Help links are shown only to the default users.

This issue has now been fixed. If the user's key file contains self-help answers, then the "Self-Help" as well as "Challenge - Response" buttons are displayed, otherwise, only the "Challenge-Response" button is displayed.

SD-12927

SecureDoc cannot be installed on the Mac devices that do not contain any host name

An issue has been reported that SecureDoc installation is failing on Mac devices when the device does not contain any host name.

This issue has now been resolved. The SecureDoc can now be installed on such devices. Such device names will be shown as "nohostname" in the SES Web Devices tab.

SD-13193

Mac FileVault2 cannot be manually de-activated from the SecureDoc installed Mac 10.8.x devices

This issue has been reported on Mac 10.8.x devices: when a user manually de-activates FileVault2 on Mac OS (while SecureDoc is still installed), an error "0x7885" is received.

This issue has been fixed and users can now manually de-activate FileVault2.

SD-13462

ADSync Errors after upgrading SecureDoc version from 6.4 SR1 to 6.5

This issue occurs while upgrading the SecureDoc from version 6.4 SR1 to 6.5. After the upgrade, the ADSync is displaying a few "exception" errors in the Event Log.

This issue now has been resolved by disabling the computer object sync (adsync.ldap.filter.computer) in the parameter settings in ADSync.

Note (applicable only if you are using the Compliance Reporting Tool): This change might affect Compliance Reporting. Some duplicate devices may show up in the reports because the information from ADSync is used to identify the devices in compliance reporting. If any such duplicate device shows up in Compliance Reporting, SES administrators can enable the computer sync option by editing the value string in Parameter Settings for the adsync.ldap.filter.computer parameter, i.e. changing "objectClass=Komputer" to "objectClass=Computer".

SD-13480

When a user is disabled from Active Directory (AD), SecureDoc generates multiple remove user commands for the same user

When a user has been deleted from AD, the SecureDoc server generates multiple remove user commands. These commands show up in the SecureDoc Commands window (Devices tab (Right-click on the selected device) -> Show commands).

This issue has now been fixed and SES will generate only one command for the deleted user in the Active Directory.

SD-13789

A warning message "Error number: b0 Session Closed" is displayed after the SD client device resumes from hibernation

After the installation of SecureDoc version 6.5 SR3 (Build 23), a warning message "Error number: b0 Session Closed" appears when a SED drive resumes from hibernation. However, this does not impact the functionality, performance or security of the device. When this issue occurs, just restart the client device.

 

Known Limitations

Reference

Description

SD-13361

An error message "Object reference not set to an instance of an object" is displayed after performing Challenge/Response for Remote Media Container Encryption in SecureDoc Web

Limitation: An error message "Object reference not set to an instance of an object" is displayed when a SES Administrator enters the challenge string in SecureDoc Web (User -> Folder-> Challenge Response). This occurs in a scenario when a user is attempting to perform challenge response for Remote Media Container Encryption through RMCE viewer. This issue will be resolved in the next version.

Work-around: N/A

SD-13600

An error "SQLException retry exceeded" is displayed in SDConnex when two SDForms (registration) from different client devices are submitted at the same time

Limitation: This issue occurs when SDConnex receives registration requests at the same time from two different client devices. The first client device will be able to submit the request successfully, while the other client will receive “0x7885” error message.

Work-around: Re-run the registration on the failed machine.

SD-13363

SDConnex stops automatically, displaying an "Unhandled exception" error message, while performing "Remote Kill Pill" and then "Recovery from Stolen" on Intel-AT

Limitation: This issue occurs on devices that use the Intel AT feature, when a device is marked as stolen (send kill pill) and the recovery from the stolen device is then performed by the boot logon challenge-response method. In this scenario, SDConnex stops automatically and an "Unhandled exception" error message is displayed in the View Event Log screen.

Work-around: N/A

SD-13790

Some basic features are not working on Mac FileVault2 (MacFV2) devices after upgrading them to SecureDoc version 6.5 SR3 and then upgrading their Operating System to 10.10.4

Limitation: This issue occurs when SecureDoc is upgraded to version 6.5 SR3 on Mac FileVault 2 (MacFV2) devices and subsequently that MacFV2 device Operating System (OS) is upgraded to 10.10.4. In such a scenario, certain basic functionalities are not working such as Remote Media Encryption (RME), Remote Media Container Encryption (RMCE), adding a user to a device, and device locking.

Work-around: First upgrade the Mac FV2 Operating System to 10.10.4 and then upgrade SecureDoc.

SD-13637

When a new user is assigned manually by right clicking on a device and assigning a user to that device the “All User Group keys” are NOT added to this user

Limitation: When a new user is manually added to All User Group through SES, the All User Group key is not sent down to this newly added user.

Work-around:

  • If a user logs on through PBConnex, the group keys are assigned correctly.
  • SES administrators can add keys to “Real Groups” from Active Directory (AD) to ensure that the keys are pulled through manual process.

SD-13788

When a new group is linked to All User Group and when All User Group is modified, only some or none of the accounts are updated

Limitation: This issue occurs when a new group(s) is linked to the All User group and when the All User Group is modified (add/remove keys), only some or none of the user accounts get updated.

Work-around: Unlink any user group from the All User Group.


 
