SecureDoc v7.1 SR2a Release Notes

Add and remove devices to Groups with SESCmd.exe

A new functionality has been added to SESCmd.exe to permit the assignment or removal (de-assignment) of a (named) device to/from a (named) group. Using this functionality, SES administrators can (optionally) utilize SESCmd to manage group membership directly without using the SES GUI, permitting mass changes (one device per command line by defining which (named) machine is to be added or removed from a (named) Group. The options are defined as follows:

• Assign Device to Group:
• SESCMd AssignDevice (Device Name) (Group Name)
• Remove Device from Group:
• SESCmd RemoveDevice(Device Name) (Group Name)

Now, SecureDoc supports Windows Portable Devices

Now, SecureDoc supports the Windows Portable Devices (WPD) connected through the USB cables. This functionality allows the SES administrators to control the access privileges for the Windows Portable Devices. The SES administrators can configure these access rights to the end-users in the Disc Access Control (DAC) settings under the new option called WPD Devices in the SES Profiles section. For information on how to configure WPD access controls, refer to the Disc Access Control section in the SES User Manual / Help file and the Setting up Disc Access Control section in the SecureDoc Client Enterprise User Manual / Help file.

NOTE: This feature only supports the devices that are connected through USB; it does not support other connections, i.e. Bluetooth or other wireless connections to WPD’s. It supports the Media Transfer Protocol (MTP) mode only, thus devices that are not using this mode should be considered standard storage, and the Removable Media option within the Disc Access Control settings should be used for this case.

New Remote Media Encryption (RME) log management functionality

The Remote Media Encryption (RME) Log functionality allows the SES and SESWeb administrators to free up the storage space by managing the RME logs. These logs can be moved to another database within the same or a different database server. If desired, these logs can be disabled. For more information on how to configure the RME logs, click here or refer to the Configuration ->Services>RME Log Encryption section in the SESWeb Help file.

NOTE: This functionality is only available on SESWeb.

Improved performance of Remote Media Encryption (RME) log transition / procession on SES/SDConnex

Now, the Remote Media Log handling on the client devices side (Windows and Mac) as well as log transition and procession on the SecureDoc server side has been significantly improved. The RME log records will be compressed all at once (not individually) at the client side. This will save space and increase the performance of RME log transition.

The Change Password option is available on the SES Web

Now, SES Web administrators have an option to change their password on the SES Web login page. This option is available on top of the SES Web login page beside the Help option. This option is only available if the SES Web administrators use the SES login credentials to log into the SES Web. If the administrators log into SES Web using their Active Directory (AD) credentials, then this option will be disabled and they will have to change their password in the Active Directory.

Support for the new Mac FileVault2 Operating Systems X 10.11.3 (El Capitan)

Now, SecureDoc extends FileVault2 support for the new Mac OS X 10.11.3 (El Capitan) operating system version. You can create the SecureDoc client package in the SES console and deploy to the Mac FV2 devices that are running this latest operating system.

Support for Intel Skylake devices

Now, SecureDoc fully supports Native UEFI pre-boot (PBU) and Linux pre-boot for UEFI (PBLU) environments for Intel devices that are equipped with Skylake chipsets.

Excessive CPU usage for SDPin.exe on the SecureDoc-protected (version 7.1 and above) Windows client devices

Issue: An issue arose that affected all SecureDoc-protected Windows 10 client devices that had been upgraded from version 6.5 SR3 to 7.1 or above in which the SDPin.exe component of the SecureDoc client was consuming excessive CPU cycles. This issue also occurred on Windows 7 devices that went through an in-place upgrade to Windows 10, both before and after the OS upgrade.

This issue has now been fixed and SDPin.exe will utilize CPU resources at its normal levels. Further, IT administrators can perform in-place upgrades to Windows 10 without having experiencing excessive CPU utilization issues.

SecureDoc Credential Provider performs Single Sign On (SSO) on warm reboot with Self-Encryption Drives (SED)

Issue: This issue has been reported on the SecureDoc-protected (version 7.1 SR2) Windows client devices that have NVMe OPAL disks. The issue was that following a warm boot, these devices would automatically single-sign-on straight into the Windows Desktop instead of forcing users to authenticate at the Windows login with suitable Windows credentials.

This issue has been fixed. After the warm boot, users must now authenticate at the Windows log in before they are able to access the Windows Desktop.

The unattended (SCCM/Remote Package/Silent Deployment) method of SecureDoc installation fails to initiate Boot Logon when a user is not logged into Windows

Issue: This issue has been reported on the SecureDoc-protected Windows server and client devices that are running SES version of 7.1. When a SES administrator performs an unattended installation of SecureDoc, the Windows client devices are unable to start the Boot Logon until a user logs into Windows.

This issue has been resolved by providing the Wait for the file distribution software to reboot the system option in the Installation Package settings in the SES console. Select this option to help resolve this issue.

The SES Web administrators who have restricted access to folders are able to view the newly created/imported folders

Issue: This issue has been reported on SES Web. When a SES Web administrator is set to have only limited access to a folder and when a new folder is added, they are able to view the newly added folders automatically.

This issue has now been resolved and the SES Web administrators can no longer view the newly added folders.

The Self-Help dialog box is not wide enough to display all the self-help questions

Issue: The default width of the Self-Help prompt window (for password recovery) is very small and not showing up all the questions/answers unless it is manually expanded.

This issue has been resolved by adjusting the width of the fields in the table. Now, SES users will be able to view all the questions/answers in this window.

When assigning a user to a device from SES Web, the user list does not display all the available users

Issue: This issue occurs while adding users to a device from SES Web. The Select Users list window does not show all the available users.

This issue has been fixed. Now, the SES administrators can view all the users in the users list.

The BitLocker Recovery Key is not displayed in the SES Web

Issue: This issue has been reported on SecureDoc servers that are running v 7.1 and above. After the device is encrypted and when the SES Web administrators are attempting to view the BitLocker Recovery Key, the SES Web crashes displaying “500 Error”. However, this key can be viewed from the SES console.

This issue has been resolved and now the SES Web administrators will be able to view the BitLocker Recovery Key from the SES Web.

A black screen appears after installing SecureDoc on top of the Window 8 BitLocker devices

Issue: This issue occurs after installing SecureDoc on Windows 8 devices that are encrypted with BitLocker. In such a scenario, after the pre-boot authentication, the device stops at the black screen.

This issue has been resolved. Now, the black screen does not appear after performing the authentication at the pre-boot.

The device encryption fails after canceling the Boot Logon installation

Issue: This issue occurs when the Boot Logon is being installed and when users cancel this by clicking the close (X) button in the upper right corner of the installation window. In this scenario, the device encryption fails as the boot logon is required for encryption to start.

This issue has been resolved by removing the close (X) button from the Boot Logon message header.

Changes made to the columns in the SES Console are NOT saved

This issue has been reported on the devices that have SecureDoc v6.5 and v6.5SR1 installed. When the columns are re-arranged and/or removed under the devices tab in the SES Console, these changes are not saved when the SES Console is closed or re-opened.

Now, this issue has been resolved and the changes made to the columns in the SES console will be saved.

The User ID is not displayed correctly in the SecureDoc Web after migration from SES V6.5 SR3 to V7.1

Limitation:
This issue occurs after SES migration from V6.5SR3 to V7.1. After launching the SES Web, the User information under the User ID column is not shown properly.

Work-around:

1. After the upgrade, clear the browser cache.
2. Log into SecureDoc Web.
3. Make sure that the time stamp for the file C:\Program Files (x86)\WinMagic\SDDB-NT\SDWeb\Scripts\grid_user.js has been updated after upgrade.

While upgrading SecureDoc Windows 10 client devices to version 7.1 SR1, the Desktop displays a blue screen

Limitation:
This issue occurs while upgrading the Windows 10 client devices to SecureDoc version 7.1 SR1. In such a scenario, the Windows Desktop is not displayed normally (user won’t be able to view the Desktop items) while SecureDoc is preparing to restart the device.

Work-around:
NA

The “Maximum number of permitted failed logins at Boot logon” feature does not work

Limitation:
This issue occurs when a SecureDoc profile is created and deployed to the client devices with the “Maximum number of permitted failed logins at Boot logon” and the “Enable SUSAM” options enabled in the Boot Configuration settings. In such a scenario, the user is not locked out even after reaching the maximum number of unsuccessful login attempts.

Work-around:
Disable the SUSAM option in the Boot Configuration Settings.

Read Only Access mode does not work with the third-party application (HTC Sync Manager)

Limitation:
This issue occurs when a SecureDoc package is deployed to a Windows client device with the “Read Only Access” option enabled for the Windows Portable Devices. In such a scenario, the device cannot connect to the HTC Sync Manager. During the connection, the HTC Sync Manager tries to write to the device, which is denied due to the Disk Access Control (DAC) policy.

Work-around:
Users will only be able to access data using Windows Explorer or other MTP compatible applications.

When the “No Access” option is selected for Windows Portable Devices (WPD), users are still able to access the HTC data

Limitation:
This issue occurs on Windows 7 client devices. The HTC Sync Manager driver package doesn't allow the kernel mode client over the Windows Portable Devices (WPD) Media Transfer Protocol (MTP) user mode driver. SecureDoc WPD filter driver is a KMDF driver which is installed as an upper filter over WPD MTP UMDF driver. This causes the device to not be recognized after it is plugged into the system. This is an issue with the HTC driver package.

Work-around:
Uninstall the driver and delete the default driver files. To resolve, modify the HTC driver INF file and add the following line under [MTPHW.NT.Wdf]section.

UmdfKernelModeClientPolicy=AllowKernelModeClients

This change will allow kernel mode client over the WPD MTP user mode driver. After this change, re-connect the device. Then device driver will be installed successfully. The new INF file, WPDMTPHW.INF, has been attached to this ticket.

iTunes reports error when connecting iPhone when Windows Portable Devices (WPD) for Disk Access Control (DAC) is set to "Read Only" mode

Limitation:
This issue occurs when users set Disk Control Access (DAC) to “Read Only” option and then connect iPhone to the SecureDoc client device that has iTunes installed on it. In such a scenario, iTunes reports an error because iTunes cannot be used when WPD for DAC is set to “Read Only”. During the connection, iTunes attempts to write to the device which is denied due to the “Read Only” DAC policy.

Work-around:
Users will only be able to access data using Windows Explorer or other Media Transfer Protocol (MTP) compatible applications.

HP 850G2/450G2/Folio 1040 client devices fail to reboot into Windows after deploying SecureDoc package

Limitation:
This issue occurs on the HP 850G2/450G2/Folio 1040 client devices. When a SecureDoc installation package is deployed to these devices with the “use hardware encryption, if available” option, the devices fail to boot into Windows after the boot logon authentication.

Work-around:
NA

Microsoft Surface Pro 3 UEFI devices are unable to connect to Enterprise Wi-Fi Protect Access(WPA2)

Limitation:
This issue occurs on Microsoft Surface Pro 3 devices when SecureDoc installation package is deployed with the Linux pre-boot for UEFI (PBLU) boot loader option. In such a scenario, users are unable to log into WPA2 (Enterprise).

Work-around:
NA

AzureWave BrodCom 802.11ac wireless PCI-E cards are not supported at Linux pre-boot for UEFI (PBLU) on Lenovo T-460 laptops

Limitation:
A network error message “wireless error: 7” is displayed at pre-boot when users click on the Wireless Settings icon and attempt to scan the available wireless settings on Lenovo T-460 laptops that have AzureWave BrodCom 802.11ac wireless PCI-E cards.

Work-around:
NA

The Remote Media Encryption (RME) does not support full user separation

Limitation:
This issue occurs when a SecureDoc package is deployed with the “boot key file for AD users” and “Personal key files for Windows users” options enabled to a Windows client device that has multiple users already logged in before the deployment. In such a scenario, when one user encrypts a remote media device (e.g. USB) using his/her personal key, the other logged in users are also able to open and view the contents of this encrypted remote media device.
As per the current Remote Media Encryption design, the full user separation for RME is NOT supported.

Work-around:
N/A

Mac FileVault2 devices automatically reboot after panic when the Remote Media Encryption (RME) settings are enabled

Limitation:
This issue has been reported on the Mac FileVault2 devices that are running 10.11.2 OS. However, this issue may occur on other Mac FileVault2 OS as well. This issue occurs when updating a device profile with “Enable Removable Media and Removable Media Container Encryption management” option enabled. In such a scenario, when a USB is attached to the device for configuring the container, the device automatically reboots after panic.

Work-around:
NA

Lenovo M900 devices with Windows Server 2012 R2 and SQL 2014 or Windows 10 x64 UEFI are unable to load up pre-boot

Limitation:
This issue has been reported on Lenovo M900 devices in UEFI mode. When a SecureDoc package is created and deployed, these devices are not able to load up pre-boot after the encryption.

Work-around:
NA