SecureDoc v7.1 SR2a Release Notes


Product/Feature Deprecation Pre-Notice

Please note that WinMagic is deprecating SecureDoc V4 Pre-Boot Authentication (PBA) support for SEDs in favor of the fuller function, more capable, V5 Pre-Boot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.

 

Important Note

WinMagic has done extensive work to improve, streamline and augment the security surrounding the initial deployment of Key Files during the process of installing the SecureDoc Client software, bearing in mind that many customers have widely divergent requirements relating to how devices are used during and after initial installation. Some customers install SecureDoc while the primary device user is on or will be on the machine, while others may need to protect new devices before the end-users of those devices have been defined, as well as other scenarios.

Please refer to the "When SecureDoc server is upgraded to version 7.1SR2a from previous versions (6.5 or earlier)" and the "Setting up Device Provisioning Rules" sections under the "Creating Installation Packages for Windows" chapter in the SES User Manual to understand how these new settings work and to inform your own use of these new features, particularly as the previous methodology cannot be easily migrated to the new one. Upon upgrading from an earlier version, you will need to adjust each of your existing Installation Packages to reflect the deployment methodology that will meet your security design.

 

System Requirements

System requirements and supported devices, including tokens and SmartCards, for SecureDoc v7.1 SR2a are listed here.

Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating that it is absent. The message does not let the user stop the SES installation, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.

Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.


 

New Features and Improvements

Reference | Description
SD-17636

Add and remove devices to Groups with SESCmd.exe

New functionality has been added to SESCmd.exe to permit the assignment or removal (de-assignment) of a (named) device to/from a (named) group. Using this functionality, SES administrators can (optionally) use SESCmd to manage group membership directly without using the SES GUI, permitting mass changes (one device per command line) by defining which (named) machine is to be added to or removed from a (named) Group. The options are defined as follows:

  • Assign Device to Group: SESCmd AssignDevice (Device Name) (Group Name)
  • Remove Device from Group: SESCmd RemoveDevice (Device Name) (Group Name)
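
The following is an added example, not WinMagic code, showing how the one-device-per-command-line syntax above can be driven from a reviewed CSV with a dry run by default. It assumes SESCmd.exe is on PATH, accepts names as ordinary quoted arguments and exits non-zero on failure; the function name, CSV columns and name allow-list are hypothetical.

```powershell
# Added example, not WinMagic code. Assumptions: SESCmd.exe is on PATH, takes
# the device and group names as ordinary arguments, and exits non-zero on
# failure. Function name, CSV columns and the allow-list are hypothetical.
function Invoke-SesGroupChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Rows,   # objects with Action, Device, Group
        [string] $SesCmd = 'SESCmd.exe',
        [switch] $Execute                          # without this switch nothing is run
    )
    # Sub-commands as given in the release notes.
    $verbs = @{ add = 'AssignDevice'; remove = 'RemoveDevice' }
    # Allow-list for names: letters, digits, space, dot, underscore, hyphen.
    $nameOk = '^[A-Za-z0-9][A-Za-z0-9 ._-]*$'

    foreach ($row in $Rows) {
        $verb   = $verbs[[string]$row.Action]
        $status = 'planned'
        if (-not $verb) {
            $status = "skipped: unknown action '$($row.Action)'"
        }
        elseif ($row.Device -notmatch $nameOk -or $row.Group -notmatch $nameOk) {
            $status = 'skipped: name fails allow-list'
        }
        elseif ($Execute) {
            # One device per command line. Arguments are passed separately,
            # never concatenated into a string, so a name cannot alter the command.
            & $SesCmd $verb $row.Device $row.Group | Out-Null
            $status = if ($LASTEXITCODE -eq 0) { 'ok' } else { "failed: exit $LASTEXITCODE" }
        }
        # One result object per row, suitable for Export-Csv as a change record.
        [pscustomobject]@{
            Verb   = $verb
            Device = $row.Device
            Group  = $row.Group
            Status = $status
        }
    }
}

# Constructed sample input; device and group names are invented.
$sample = @'
Action,Device,Group
add,LAB-PC-001,Finance Laptops
remove,LAB-PC-002,Staging
add,LAB/PC/003,Finance Laptops
purge,LAB-PC-004,Staging
'@ | ConvertFrom-Csv

# Dry run: rows 1-2 are reported as planned, rows 3-4 are skipped.
Invoke-SesGroupChange -Rows $sample | Format-Table -AutoSize
```

Review the dry-run output before repeating the call with `-Execute`, and keep the resulting objects as a record of which group memberships were changed.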
SD-12262

Now, SecureDoc supports Windows Portable Devices

Now, SecureDoc supports the Windows Portable Devices (WPD) connected through the USB cables. This functionality allows the SES administrators to control the access privileges for the Windows Portable Devices. The SES administrators can configure these access rights to the end-users in the Disc Access Control (DAC) settings under the new option called WPD Devices in the SES Profiles section. For information on how to configure WPD access controls, refer to the Disc Access Control section in the SES User Manual / Help file and the Setting up Disc Access Control section in the SecureDoc Client Enterprise User Manual / Help file.

NOTE: This feature only supports the devices that are connected through USB; it does not support other connections, i.e. Bluetooth or other wireless connections to WPD’s. It supports the Media Transfer Protocol (MTP) mode only, thus devices that are not using this mode should be considered standard storage, and the Removable Media option within the Disc Access Control settings should be used for this case.

SD-16836

New Remote Media Encryption (RME) log management functionality

The Remote Media Encryption (RME) Log functionality allows the SES and SESWeb administrators to free up the storage space by managing the RME logs. These logs can be moved to another database within the same or a different database server. If desired, these logs can be disabled. For more information on how to configure the RME logs, click here or refer to the Configuration -> Services -> RME Log Encryption section in the SESWeb Help file.

NOTE: This functionality is only available on SESWeb.

SD-16845

Improved performance of Remote Media Encryption (RME) log transfer / processing on SES/SDConnex

Now, the Remote Media Log handling on the client device side (Windows and Mac), as well as log transfer and processing on the SecureDoc server side, has been significantly improved. The RME log records will be compressed all at once (not individually) at the client side. This will save space and increase the performance of RME log transfer.

SD-16837

The Change Password option is available on the SES Web

Now, SES Web administrators have an option to change their password on the SES Web login page. This option is available on top of the SES Web login page beside the Help option. This option is only available if the SES Web administrators use the SES login credentials to log into the SES Web. If the administrators log into SES Web using their Active Directory (AD) credentials, then this option will be disabled and they will have to change their password in the Active Directory.

SD-16731

Support for the new Mac FileVault2 Operating Systems X 10.11.3 (El Capitan)

Now, SecureDoc extends FileVault2 support for the new Mac OS X 10.11.3 (El Capitan) operating system version. You can create the SecureDoc client package in the SES console and deploy to the Mac FV2 devices that are running this latest operating system.

SD-16909

Support for Intel Skylake devices

Now, SecureDoc fully supports Native UEFI pre-boot (PBU) and Linux pre-boot for UEFI (PBLU) environments for Intel devices that are equipped with Skylake chipsets.

 

Resolved Issues

Reference | Description
SD-17481

Excessive CPU usage for SDPin.exe on the SecureDoc-protected (version 7.1 and above) Windows client devices

Issue: An issue arose that affected all SecureDoc-protected Windows 10 client devices that had been upgraded from version 6.5 SR3 to 7.1 or above in which the SDPin.exe component of the SecureDoc client was consuming excessive CPU cycles. This issue also occurred on Windows 7 devices that went through an in-place upgrade to Windows 10, both before and after the OS upgrade.

This issue has now been fixed and SDPin.exe will utilize CPU resources at its normal levels. Further, IT administrators can perform in-place upgrades to Windows 10 without experiencing excessive CPU utilization issues.

SD-17635

SecureDoc Credential Provider performs Single Sign On (SSO) on warm reboot with Self-Encrypting Drives (SED)

Issue: This issue has been reported on the SecureDoc-protected (version 7.1 SR2) Windows client devices that have NVMe OPAL disks. The issue was that following a warm boot, these devices would automatically single-sign-on straight into the Windows Desktop instead of forcing users to authenticate at the Windows login with suitable Windows credentials.

This issue has been fixed. After the warm boot, users must now authenticate at the Windows login before they are able to access the Windows Desktop.

SD-16538

The unattended (SCCM/Remote Package/Silent Deployment) method of SecureDoc installation fails to initiate Boot Logon when a user is not logged into Windows

Issue: This issue has been reported on the SecureDoc-protected Windows server and client devices that are running SES version 7.1. When an SES administrator performs an unattended installation of SecureDoc, the Windows client devices are unable to start the Boot Logon until a user logs into Windows.

This issue has been resolved by providing the Wait for the file distribution software to reboot the system option in the Installation Package settings in the SES console. Select this option to help resolve this issue.

SD-16142

The SES Web administrators who have restricted access to folders are able to view the newly created/imported folders

Issue: This issue has been reported on SES Web. When a SES Web administrator is set to have only limited access to a folder and when a new folder is added, they are able to view the newly added folders automatically.

This issue has now been resolved and the SES Web administrators can no longer view the newly added folders.

SD-16279

The Self-Help dialog box is not wide enough to display all the self-help questions

Issue: The default width of the Self-Help prompt window (for password recovery) is very small and does not show all the questions/answers unless it is manually expanded.

This issue has been resolved by adjusting the width of the fields in the table. Now, SES users will be able to view all the questions/answers in this window.

SD-16592

When assigning a user to a device from SES Web, the user list does not display all the available users

Issue: This issue occurs while adding users to a device from SES Web. The Select Users list window does not show all the available users.

This issue has been fixed. Now, the SES administrators can view all the users in the users list.

SD-16889

The BitLocker Recovery Key is not displayed in the SES Web

Issue: This issue has been reported on SecureDoc servers that are running v 7.1 and above. After the device is encrypted and when the SES Web administrators are attempting to view the BitLocker Recovery Key, the SES Web crashes displaying “500 Error”. However, this key can be viewed from the SES console.

This issue has been resolved and now the SES Web administrators will be able to view the BitLocker Recovery Key from the SES Web.

SD-16948

A black screen appears after installing SecureDoc on top of the Windows 8 BitLocker devices

Issue: This issue occurs after installing SecureDoc on Windows 8 devices that are encrypted with BitLocker. In such a scenario, after the pre-boot authentication, the device stops at the black screen.

This issue has been resolved. Now, the black screen does not appear after performing the authentication at the pre-boot.

SD-16989

The device encryption fails after canceling the Boot Logon installation

Issue: This issue occurs when the Boot Logon is being installed and when users cancel this by clicking the close (X) button in the upper right corner of the installation window. In this scenario, the device encryption fails as the boot logon is required for encryption to start.

This issue has been resolved by removing the close (X) button from the Boot Logon message header.

SD-12552

Changes made to the columns in the SES Console are NOT saved

This issue has been reported on the devices that have SecureDoc v6.5 and v6.5SR1 installed. When the columns are re-arranged and/or removed under the devices tab in the SES Console, these changes are not saved when the SES Console is closed or re-opened.

Now, this issue has been resolved and the changes made to the columns in the SES console will be saved.

 

Known Limitations

Note: For the Known Limitations other than the ones mentioned below, refer to the “Known Limitations” section in the SecureDoc Release Notes v 7.1 SR1.

Reference | Description
SD-16274

The User ID is not displayed correctly in the SecureDoc Web after migration from SES V6.5 SR3 to V7.1

Limitation:
This issue occurs after SES migration from V6.5SR3 to V7.1. After launching the SES Web, the User information under the User ID column is not shown properly.

Work-around:

  1. After the upgrade, clear the browser cache.
  2. Log into SecureDoc Web.
  3. Make sure that the time stamp for the file C:\Program Files (x86)\WinMagic\SDDB-NT\SDWeb\Scripts\grid_user.js has been updated after upgrade.
SD-16321

While upgrading SecureDoc Windows 10 client devices to version 7.1 SR1, the Desktop displays a blue screen

Limitation:
This issue occurs while upgrading the Windows 10 client devices to SecureDoc version 7.1 SR1. In such a scenario, the Windows Desktop is not displayed normally (user won’t be able to view the Desktop items) while SecureDoc is preparing to restart the device.

Work-around:
NA

SD-17073

The “Maximum number of permitted failed logins at Boot logon” feature does not work

Limitation:
This issue occurs when a SecureDoc profile is created and deployed to the client devices with the “Maximum number of permitted failed logins at Boot logon” and the “Enable SUSAM” options enabled in the Boot Configuration settings. In such a scenario, the user is not locked out even after reaching the maximum number of unsuccessful login attempts.

Work-around:
Disable the SUSAM option in the Boot Configuration Settings.

SD-16903

Read Only Access mode does not work with the third-party application (HTC Sync Manager)

Limitation:
This issue occurs when a SecureDoc package is deployed to a Windows client device with the “Read Only Access” option enabled for the Windows Portable Devices. In such a scenario, the device cannot connect to the HTC Sync Manager. During the connection, the HTC Sync Manager tries to write to the device, which is denied due to the Disk Access Control (DAC) policy.

Work-around:
Users will only be able to access data using Windows Explorer or other MTP compatible applications.

SD-16907

When the “No Access” option is selected for Windows Portable Devices (WPD), users are still able to access the HTC data

Limitation:
This issue occurs on Windows 7 client devices. The HTC Sync Manager driver package doesn't allow the kernel mode client over the Windows Portable Devices (WPD) Media Transfer Protocol (MTP) user mode driver. SecureDoc WPD filter driver is a KMDF driver which is installed as an upper filter over WPD MTP UMDF driver. This causes the device to not be recognized after it is plugged into the system. This is an issue with the HTC driver package.

Work-around:
Uninstall the driver and delete the default driver files. To resolve, modify the HTC driver INF file and add the following line under the [MTPHW.NT.Wdf] section.

UmdfKernelModeClientPolicy=AllowKernelModeClients

This change will allow kernel mode clients over the WPD MTP user mode driver. After this change, re-connect the device. The device driver will then be installed successfully. The new INF file, WPDMTPHW.INF, has been attached to this ticket.
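
The INF edit described in this work-around can be applied idempotently with a small helper; this is an added example, not WinMagic or HTC code. The function name is hypothetical and the sample INF text is a constructed stand-in, not the real contents of the HTC file.

```powershell
# Added example, not WinMagic or HTC code. Adds (or corrects) one directive in
# one INF section and leaves every other line untouched.
function Add-InfDirective {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Lines,
        [string] $Section   = 'MTPHW.NT.Wdf',
        [string] $Directive = 'UmdfKernelModeClientPolicy',
        [string] $Value     = 'AllowKernelModeClients'
    )
    # Locate the section header (-match is case-insensitive, like INF names).
    $header = '^\s*\[' + [regex]::Escape($Section) + '\]\s*(;.*)?$'
    $start = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $header) { $start = $i; break }
    }
    if ($start -lt 0) { throw "Section [$Section] not found; INF left unchanged." }

    # The section runs until the next [header] or the end of the file.
    $end = $Lines.Count
    for ($i = $start + 1; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^\s*\[') { $end = $i; break }
    }

    $out = [System.Collections.Generic.List[string]]::new()
    $out.AddRange($Lines)
    # If the directive already exists in the section, set its value in place.
    $key = '^\s*' + [regex]::Escape($Directive) + '\s*='
    for ($i = $start + 1; $i -lt $end; $i++) {
        if ($Lines[$i] -match $key) {
            $out[$i] = "$Directive=$Value"
            return $out.ToArray()
        }
    }
    # Otherwise insert it after the last non-blank line of the section.
    $insertAt = $end
    while ($insertAt -gt $start + 1 -and $Lines[$insertAt - 1] -match '^\s*$') { $insertAt-- }
    $out.Insert($insertAt, "$Directive=$Value")
    return $out.ToArray()
}

# Constructed stand-in for part of an INF; not the HTC file's real content.
$inf = @'
[Version]
Signature="$Windows NT$"

[MTPHW.NT.Wdf]
UmdfService=WpdMtp, WpdMtp_Install
UmdfServiceOrder=WpdMtp

[Strings]
Vendor="Example"
'@ -split "`r?`n"

# The directive appears once, directly after UmdfServiceOrder; a second run
# over the patched lines changes nothing.
$patched = Add-InfDirective -Lines $inf
$patched -join "`n"
```

Editing an INF changes its hash, so the catalog of a signed driver package no longer matches it and Windows will treat the package as altered until it is re-signed. Keep the original file so the change can be rolled back.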

SD-13235

iTunes reports error when connecting iPhone when Windows Portable Devices (WPD) for Disk Access Control (DAC) is set to "Read Only" mode

Limitation:
This issue occurs when users set Disk Access Control (DAC) to the “Read Only” option and then connect an iPhone to the SecureDoc client device that has iTunes installed on it. In such a scenario, iTunes reports an error because iTunes cannot be used when WPD for DAC is set to “Read Only”. During the connection, iTunes attempts to write to the device, which is denied due to the “Read Only” DAC policy.

Work-around:
Users will only be able to access data using Windows Explorer or other Media Transfer Protocol (MTP) compatible applications.

SD-16841

HP 850G2/450G2/Folio 1040 client devices fail to reboot into Windows after deploying SecureDoc package

Limitation:
This issue occurs on the HP 850G2/450G2/Folio 1040 client devices. When a SecureDoc installation package is deployed to these devices with the “use hardware encryption, if available” option, the devices fail to boot into Windows after the boot logon authentication.

Work-around:
NA

SD-16704

Microsoft Surface Pro 3 UEFI devices are unable to connect to Enterprise Wi-Fi Protected Access (WPA2)

Limitation:
This issue occurs on Microsoft Surface Pro 3 devices when a SecureDoc installation package is deployed with the Linux pre-boot for UEFI (PBLU) boot loader option. In such a scenario, users are unable to log into WPA2 (Enterprise).

Work-around:
NA

SD-17248

AzureWave Broadcom 802.11ac wireless PCI-E cards are not supported at Linux pre-boot for UEFI (PBLU) on Lenovo T-460 laptops

Limitation:
A network error message “wireless error: 7” is displayed at pre-boot when users click on the Wireless Settings icon and attempt to scan the available wireless settings on Lenovo T-460 laptops that have AzureWave Broadcom 802.11ac wireless PCI-E cards.

Work-around:
NA

SD-16902

The Remote Media Encryption (RME) does not support full user separation

Limitation:
This issue occurs when a SecureDoc package is deployed with the “boot key file for AD users” and “Personal key files for Windows users” options enabled to a Windows client device that has multiple users already logged in before the deployment. In such a scenario, when one user encrypts a remote media device (e.g. USB) using his/her personal key, the other logged in users are also able to open and view the contents of this encrypted remote media device.
As per the current Remote Media Encryption design, the full user separation for RME is NOT supported.

Work-around:
N/A

SD-17229

Mac FileVault2 devices automatically reboot after panic when the Remote Media Encryption (RME) settings are enabled

Limitation:
This issue has been reported on the Mac FileVault2 devices that are running 10.11.2 OS. However, this issue may occur on other Mac FileVault2 OS as well. This issue occurs when updating a device profile with “Enable Removable Media and Removable Media Container Encryption management” option enabled. In such a scenario, when a USB is attached to the device for configuring the container, the device automatically reboots after panic.

Work-around:
NA

SD-17212

Lenovo M900 devices with Windows Server 2012 R2 and SQL 2014 or Windows 10 x64 UEFI are unable to load up pre-boot

Limitation:
This issue has been reported on Lenovo M900 devices in UEFI mode. When a SecureDoc package is created and deployed, these devices are not able to load up pre-boot after the encryption.

Work-around:
NA
