Product/Feature Deprecation Pre-Notice
Please note that WinMagic is deprecating SecureDoc V4 Pre-Boot Authentication (PBA) support for SEDs in favor of the fuller function, more capable, V5 Pre-Boot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.
Important Note
WinMagic has done extensive work to improve, streamline and augment the security surrounding the initial deployment of Key Files during the process of installing the SecureDoc Client software, bearing in mind that many customers have widely divergent requirements relating to how devices are used during and after initial installation. Some customers install SecureDoc while the primary device user is on or will be on the machine, while others may need to protect new devices before the end-users of those devices have been defined, as well as other scenarios.
Please refer to the “When SecureDoc server is upgraded to version 7.1SR2a from previous versions (6.5 or earlier)” and “Setting up Device Provisioning Rules” sections under the “Creating Installation Packages for Windows” chapter in the SES User Manual to understand how these new settings work and to inform your own use of these new features, particularly as they operate in a way that cannot be easily migrated from the previous methodology to the new methodology. Upon upgrading from an earlier version, you will need to adjust each of your existing Installation Packages to reflect the deployment methodology that will meet your security design.
System Requirements
System requirements and supported devices, including tokens and SmartCards, for SecureDoc v7.1 SR2a are listed here.
Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of Full-Text Indexing. This message does not allow the user to stop the installation of SES, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.
Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.
New Features and Improvements
Reference | Description |
---|---|
SD-17636 | Add and remove devices to Groups with SESCmd.exe. New functionality has been added to SESCmd.exe to permit the assignment or removal (de-assignment) of a (named) device to/from a (named) group. Using this functionality, SES administrators can (optionally) use SESCmd to manage group membership directly without using the SES GUI, permitting mass changes (one device per command line) by defining which (named) machine is to be added to or removed from a (named) Group. The options are defined as follows: |
SD-12262 | Now, SecureDoc supports Windows Portable Devices. Now, SecureDoc supports Windows Portable Devices (WPD) connected through USB cables. This functionality allows SES administrators to control the access privileges for Windows Portable Devices. SES administrators can configure these access rights for end-users in the Disc Access Control (DAC) settings under the new option called WPD Devices in the SES Profiles section. For information on how to configure WPD access controls, refer to the Disc Access Control section in the SES User Manual / Help file and the Setting up Disc Access Control section in the SecureDoc Client Enterprise User Manual / Help file. NOTE: This feature only supports devices that are connected through USB; it does not support other connections, i.e. Bluetooth or other wireless connections to WPDs. It supports the Media Transfer Protocol (MTP) mode only, thus devices that are not using this mode should be considered standard storage, and the Removable Media option within the Disc Access Control settings should be used for this case. |
SD-16836 | New Remote Media Encryption (RME) log management functionality. The Remote Media Encryption (RME) Log functionality allows SES and SESWeb administrators to free up storage space by managing the RME logs. These logs can be moved to another database within the same or a different database server. If desired, these logs can be disabled. For more information on how to configure the RME logs, refer to the Configuration -> Services -> RME Log Encryption section in the SESWeb Help file. NOTE: This functionality is only available on SESWeb. |
SD-16845 | Improved performance of Remote Media Encryption (RME) log transition / processing on SES/SDConnex. Now, the Remote Media Log handling on the client device side (Windows and Mac), as well as log transition and processing on the SecureDoc server side, has been significantly improved. The RME log records will be compressed all at once (not individually) on the client side. This will save space and increase the performance of RME log transition. |
SD-16837 | The Change Password option is available on the SES Web. Now, SES Web administrators have an option to change their password on the SES Web login page. This option is available on top of the SES Web login page beside the Help option. This option is only available if the SES Web administrators use the SES login credentials to log into the SES Web. If the administrators log into SES Web using their Active Directory (AD) credentials, then this option will be disabled and they will have to change their password in the Active Directory. |
SD-16731 | Support for the new Mac FileVault2 Operating Systems X 10.11.3 (El Capitan). Now, SecureDoc extends FileVault2 support for the new Mac OS X 10.11.3 (El Capitan) operating system version. You can create the SecureDoc client package in the SES console and deploy to the Mac FV2 devices that are running this latest operating system. |
SD-16909 | Support for Intel Skylake devices. Now, SecureDoc fully supports Native UEFI pre-boot (PBU) and Linux pre-boot for UEFI (PBLU) environments for Intel devices that are equipped with Skylake chipsets. |
Resolved Issues
Reference | Description |
---|---|
SD-17481 | Excessive CPU usage for SDPin.exe on the SecureDoc-protected (version 7.1 and above) Windows client devices. Issue: An issue arose that affected all SecureDoc-protected Windows 10 client devices that had been upgraded from version 6.5 SR3 to 7.1 or above, in which the SDPin.exe component of the SecureDoc client was consuming excessive CPU cycles. This issue also occurred on Windows 7 devices that went through an in-place upgrade to Windows 10, both before and after the OS upgrade. This issue has now been fixed and SDPin.exe will utilize CPU resources at its normal levels. Further, IT administrators can perform in-place upgrades to Windows 10 without experiencing excessive CPU utilization issues. |
SD-17635 | SecureDoc Credential Provider performs Single Sign On (SSO) on warm reboot with Self-Encrypting Drives (SED). Issue: This issue has been reported on the SecureDoc-protected (version 7.1 SR2) Windows client devices that have NVMe OPAL disks. The issue was that following a warm boot, these devices would automatically single-sign-on straight into the Windows Desktop instead of forcing users to authenticate at the Windows login with suitable Windows credentials. This issue has been fixed. After the warm boot, users must now authenticate at the Windows login before they are able to access the Windows Desktop. |
SD-16538 | The unattended (SCCM/Remote Package/Silent Deployment) method of SecureDoc installation fails to initiate Boot Logon when a user is not logged into Windows. Issue: This issue has been reported on the SecureDoc-protected Windows server and client devices that are running SES version 7.1. When an SES administrator performs an unattended installation of SecureDoc, the Windows client devices are unable to start the Boot Logon until a user logs into Windows. This issue has been resolved by providing the “Wait for the file distribution software to reboot the system” option in the Installation Package settings in the SES console. Select this option to help resolve this issue. |
SD-16142 | The SES Web administrators who have restricted access to folders are able to view the newly created/imported folders. Issue: This issue has been reported on SES Web. When an SES Web administrator is set to have only limited access to a folder and a new folder is added, they are able to view the newly added folders automatically. This issue has now been resolved and the SES Web administrators can no longer view the newly added folders. |
SD-16279 | The Self-Help dialog box is not wide enough to display all the self-help questions. Issue: The default width of the Self-Help prompt window (for password recovery) is very small and does not show all the questions/answers unless it is manually expanded. This issue has been resolved by adjusting the width of the fields in the table. Now, SES users will be able to view all the questions/answers in this window. |
SD-16592 | When assigning a user to a device from SES Web, the user list does not display all the available users. Issue: This issue occurs while adding users to a device from SES Web. The Select Users list window does not show all the available users. This issue has been fixed. Now, the SES administrators can view all the users in the users list. |
SD-16889 | The BitLocker Recovery Key is not displayed in the SES Web. Issue: This issue has been reported on SecureDoc servers that are running v 7.1 and above. After the device is encrypted, when the SES Web administrators attempt to view the BitLocker Recovery Key, the SES Web crashes, displaying “500 Error”. However, this key can be viewed from the SES console. This issue has been resolved and now the SES Web administrators will be able to view the BitLocker Recovery Key from the SES Web. |
SD-16948 | A black screen appears after installing SecureDoc on top of the Windows 8 BitLocker devices. Issue: This issue occurs after installing SecureDoc on Windows 8 devices that are encrypted with BitLocker. In such a scenario, after the pre-boot authentication, the device stops at a black screen. This issue has been resolved. Now, the black screen does not appear after performing the authentication at pre-boot. |
SD-16989 | The device encryption fails after canceling the Boot Logon installation. Issue: This issue occurs when the Boot Logon is being installed and users cancel this by clicking the close (X) button in the upper right corner of the installation window. In this scenario, the device encryption fails as the boot logon is required for encryption to start. This issue has been resolved by removing the close (X) button from the Boot Logon message header. |
SD-12552 | Changes made to the columns in the SES Console are NOT saved. This issue has been reported on the devices that have SecureDoc v6.5 and v6.5SR1 installed. When the columns are re-arranged and/or removed under the devices tab in the SES Console, these changes are not saved when the SES Console is closed or re-opened. Now, this issue has been resolved and the changes made to the columns in the SES console will be saved. |
Known Limitations
Note: For the Known Limitations other than the ones mentioned below, refer to the “Known Limitations” section in the SecureDoc Release Notes v 7.1 SR1.
Reference | Description |
---|---|
SD-16274 | The User ID is not displayed correctly in the SecureDoc Web after migration from SES V6.5 SR3 to V7.1. Limitation: Work-around: |
SD-16321 | While upgrading SecureDoc Windows 10 client devices to version 7.1 SR1, the Desktop displays a blue screen. Limitation: Work-around: |
SD-17073 | The “Maximum number of permitted failed logins at Boot logon” feature does not work. Limitation: Work-around: |
SD-16903 | Read Only Access mode does not work with the third-party application (HTC Sync Manager). Limitation: Work-around: |
SD-16907 | When the “No Access” option is selected for Windows Portable Devices (WPD), users are still able to access the HTC data. Limitation: Work-around: This change will allow kernel mode client over the WPD MTP user mode driver. After this change, re-connect the device. The device driver will then be installed successfully. The new INF file, WPDMTPHW.INF, has been attached to this ticket. |
SD-13235 | iTunes reports error when connecting iPhone when Windows Portable Devices (WPD) for Disk Access Control (DAC) is set to "Read Only" mode. Limitation: Work-around: |
SD-16841 | HP 850G2/450G2/Folio 1040 client devices fail to reboot into Windows after deploying SecureDoc package. Limitation: Work-around: |
SD-16704 | Microsoft Surface Pro 3 UEFI devices are unable to connect to Enterprise Wi-Fi Protected Access (WPA2). Limitation: Work-around: |
SD-17248 | AzureWave Broadcom 802.11ac wireless PCI-E cards are not supported at Linux pre-boot for UEFI (PBLU) on Lenovo T-460 laptops. Limitation: Work-around: |
SD-16902 | The Remote Media Encryption (RME) does not support full user separation. Limitation: Work-around: |
SD-17229 | Mac FileVault2 devices automatically reboot after panic when the Remote Media Encryption (RME) settings are enabled. Limitation: Work-around: |
SD-17212 | Lenovo M900 devices with Windows Server 2012 R2 and SQL 2014 or Windows 10 x64 UEFI are unable to load up pre-boot. Limitation: Work-around: |