SecureDoc v7.3 Release Notes

Product/Feature Deprecation Pre-Notice

Please note that WinMagic is deprecating SecureDoc V4 PreBoot Authentication (PBA) support for SEDs in favor of the fuller function, more capable, V5 PreBoot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.

 

Important Note

WinMagic has done extensive work to improve, streamline and augment the security surrounding the initial deployment of Key Files during the process of installing the SecureDoc Client software, bearing in mind that many customers have widely divergent requirements relating to how devices are used during and after initial installation. Some customers install SecureDoc while the primary device user is on or will be on the machine, while others may need to protect new devices before the end-users of those devices have been defined, as well as other scenarios.

Please refer to the "When SecureDoc server is upgraded to version 7.3 from previous versions (6.5 or earlier)" and "Device Provisioning Rules" sections under the "Creating Installation Packages for Windows" chapter in the SES User Manual to understand how these new settings work and to inform your own use of these new features, particularly as they operate in a way that cannot be easily migrated from the previous methodology to the new one. Upon upgrading from an earlier version, you will need to adjust each of your existing Installation Packages to reflect the deployment methodology that will meet your security design.

 

System Requirements

System requirements and supported devices, including tokens and SmartCards, for SecureDoc v7.3 are listed here.

Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: http://msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of Full-Text Indexing. This message does not allow the user to stop the installation of SES, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.

Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.

 

Resolved Issues

Reference Description
SD-18446

SFE v7.3 Features, Improvements, and Limitations in 7.3

NEW FEATURES:

• SecureDoc File Encryption (SFE) now supports the latest version of DMK (FESF v1.1). This version addresses many application conflicts and incompatibilities that the older SFE version had.

• Encrypted files now display a lock overlay icon directly on the file – for better user experience to know the state of the encryption: Green icon shows that the file is encrypted (and the user has the correct key) and the Red icon shows that the file is encrypted (but the user does NOT have the correct encryption key).

• Network folder encryption policies now support built-in monitoring from SFE agents – to make sure that all files copied into the SFE protected network folder are automatically encrypted

• Improved (local) logging is available for SFE that helps determine why files are not being encrypted, i.e. due to file permissions, etc.

• Users must have full local SecureDoc privileges on the device in order to remove SFE folder policies that were deployed by SES

• Password rules are now applied within the SFE Context Menu

IMPROVEMENTS AND FIXES:

• SD-4354 - Network folders that have more than 800 GB of data can be successfully encrypted

• SD-18264 – Performance issues found when closing Excel files that are encrypted within a folder on a NAS

• SD-13418 – Fixed a crash issue in Windows 10 when a PDF file was opened by a Metro Application

• SD-14038 – Resolved an issue with File folder browsing being slow on Internet VPN connection when SFE is enabled on the client

• SD-15747 – Improvement to the time it took to copy large files (Mail Data) to an encrypted folder – compared to a non-encrypted folder

• SD-18345 – Resolved an issue with the environment variable for not working when the policy was deployed from SES

• SD-19569 – A symbolic link issue with non-Windows operating systems was resolved

• SD-20569 – SFE now supports encrypting folders on servers whose names start with a number

• SD-15628 – SFE now supports using IP addresses instead of the server name for network folder policies

LIMITATIONS FOR SFE IN THIS LIMITED 7.3 RELEASE:

IMPORTANT: There is no backwards compatible support with earlier SFE versions. All existing folders that have been encrypted with SFE using earlier versions MUST be decrypted – folders removed from policy.

IMPORTANT: There is no upgrade support for existing SFE clients. SFE on existing devices MUST be fully removed before upgrading the clients to 7.3 – that contains the new SFE agent.

• SFE in 7.3 only supports key-based policies – password support is not available

• No persistent encryption support in SFE v7.3. All existing persistent encryption GUI will be disabled in 7.3

• No control for double-encryption of files – Meaning, if an encrypted file is copied into a different SFE folder (that has a different key) – it will be reencrypted with the new key

• Encrypted SFE files are not compatible with SD CloudSync or the FileViewers

• SFE cannot encrypt files in folders that are read-only. The user must have proper access, i.e. read/write to the file in order for the SFE agent to be able to encrypt the contents

• SFE - Files do not decrypt after the process of “drag/drop” and/or “cut/paste” from SecureDoc File Encryption (SFE) folder

Limitation: The files are still encrypted.

• Microsoft Office (MS) installation fails when SecureDoc File Encryption is enabled

Limitation: It is required to have MS Office 2016 installed on systems prior to installing SFE. If SFE is installed on the system first, the MS Office 2016 installation process will report errors and fail.

SD-11261

Increased data security during the RMCE process

Improvement: During the RMCE creation process, RMCE will now create and copy files from the removable media into a local encrypted container on the local hard drive. Once the encrypted container has been successfully created on the removable media, the files from the local container will then be copied into the container on the removable device.

The new security benefits are to ensure the data being copied onto the local hard drive are protected, in case the RMCE process is interrupted and the local hard drive is not encrypted.

SD-16632

The server address can now be hidden from the PBU screen

Improvement: We have added a new option in the Boot Configuration settings that allows the server to be hidden from Boot Logon in PBU mode.

SD-19099

The Boot Logon installation prompt now correctly shows the message based on the options selected in the installation package

“Wait for the file distribution software to reboot the system”

Improvement: If the above option is enabled, the BL message prompt will clarify that a restart is required to complete the process. If the option is disabled, the message will explain that an automatic reboot will occur after the completion of Boot Logon being installed.

SD-20180

Linux Kernel updated to the latest version 4.7.5

Improvement: The PBA Linux kernel has now been updated to the latest version 4.7.5 that provides SecureDoc’s PBA with the latest updates to existing drivers, new drivers, and updates.

Limitations: Although the new kernel will provide beneficial updates, and we can expect to see improvements with newer hardware/firmware on systems, there may be unknown issues found during the PBA installation that may require specific boot configuration settings to be modified.

SD-21034

Removable Media Container Encryption (RMCE): User experience has been improved if the user cancels the container creation process

Improvement: There is now a “Cleanup” stage when the user clicks Cancel during the container creation phase. The cleanup will now delete the viewer and other container files from the removable device, and will not cause the main window to become unresponsive. The “Abort” button should remain disabled during the cleanup.

SD-21239

Unable to decrypt with SecureDoc File Encryption (SFE) when using context menu and password encryption

This issue has now been resolved. SecureDoc File Encryption successfully decrypts without error.

SD-21261

Increased data security during the RMCE process

Improvement: During the RMCE creation process, RMCE will now create and copy files from the removable media into a local encrypted container on the local hard drive. Once the encrypted container has been successfully created on the removable media, the files from the local container will then be copied into the container on the removable device.

The new security benefits are to ensure the data being copied onto the local hard drive are protected, in case the RMCE process is interrupted and the local hard drive is not encrypted.

 

Limitations

Limitations for SFE in this limited v7.3 release

• No backwards compatible support with earlier SFE versions. Existing folders encrypted with SFE will need to be decrypted and re-encrypted from SFE policies in 7.3.
• No upgrade support for existing SFE clients. SFE will need to be disabled fully on the client before upgrading with SFE v7.3.
• No persistent encryption support – all existing GUI options will be disabled.
• No password protection on files deployed from SES.
• Possible double-encryption of files – If an encrypted file is copied into a different SFE folder (that has a different key), it will be re-encrypted with the new key.
• Files will remain encrypted when a user uses Drag/Drop and Cut/Paste when moving files out of SFE protected folders.
• Encrypted files are not compatible with SecureDoc CloudSync or the FileViewers.

Reference Description
SD-14762

RMCE Viewer does not display files and folders from Western Digital Element 3TB HDD on machines without SecureDoc installed

Limitation: The RMCE Viewer does not properly display folders and files on the Western Digital Element 3TB portable HDD when attached to a non-SecureDoc device. It is recommended that RMCE only be used on this HDD when sharing encrypted files among SecureDoc devices.

SD-19000

PBL/PBLU – Pre-boot network doesn’t work with the e1000e network card adapter

Limitation: SecureDoc may experience pre-boot network issues with the e1000e network adapter card using PBL and PBLU modes. WinMagic is currently investigating these issues, but if PBConnex is a requirement on devices having these cards, please use PBU.

SD-21034

Microsoft Office installation fails if SecureDoc File Encryption (SFE) is already installed on the client

This issue affects MS Office 2010 and 2016.

Workaround: It is required to have MS Office 2010 and 2016 installed on systems prior to installing SFE.

SD-20370

Boot Logon hangs and is unresponsive after pressing “enter” multiple times when authenticating to PBN

Limitation: If a user presses the “enter” key multiple times at Boot-logon prompt to authenticate, the system may enter a hang state as the device is continuously trying to communicate with SecureDoc server.

SD-20757

64-bit PBA does not support PBL mode for Boot Logon

Limitation: Currently, the 64-bit pre-boot does not support PBL mode for Boot Logon. 64-bit pre-boot should only be used with PBLU and PBU modes.

SD-20758

PBL/PBLU: Wireless network currently does not work for 64-bit preboot

Limitation: Wireless network is not supported in 64-bit preboot using PBL and PBLU. Please note that this will be added into future versions.

SD-20785

In cases of Hardware Encryption (HWE) packages, SecureDoc PBA is not created in the Lenovo UEFI BIOS (32bit PBLU)

Limitation: SecureDoc boot order is not properly loaded on a Lenovo X260 having an SED disk and UEFI BIOS. The root cause was found to be related to the older Lenovo BIOS not handling UEFI boot order properly.

Work-around: To resolve this issue, please update the Lenovo BIOS to R02ET50W (1.23), 9/20/2016.

SD-21034

Microsoft Office (MS) installation fails when SecureDoc File Encryption is enabled

Limitation: It is required to have MS Office 2016 installed on systems prior to installing SFE. If SFE is installed on the system first, the MS Office 2016 installation process will report errors and fail.

SD-21257

T410, W510, HP 750G1 – The system fails to load the operating system when returning from hibernation – if hibernation interrupts the conversion process

Limitation: If the initial conversion process is interrupted by the system entering hibernation, the device will not successfully log back into the OS when logging back into Boot Logon (from hibernation). This issue does NOT occur if the encryption process has completed successfully. This is a limitation that was found with the new kernel 4.7.5.

Work-around: This issue is not seen when Y-Mode = 40

SD-21261

Unable to decrypt with SFE Utility when using context menu and password decryption

Limitation: The machine is unable to decrypt files that are protected with passwords

SD-21299

SDOTFV2/SDFV2: SecureDoc application crashes on first login opening and closing the “About” windows pane for macOS 10.12.2

Limitation: Currently, the “About” window pane closes, and the SecureDoc icon disappears and can’t be accessed through the menu bar. The activity monitor for SecureDoc processes is also not visible.

SD-21314

Boot Logon remains at the loading screen - “please wait this might take several seconds… “ for several minutes

Limitation: There is a delay in how long it takes for the boot-logon to load into the operating system after authenticating at Boot Logon.

Workaround: Configure pci=noacpi in the boot configuration settings

SD-21325

SFE - Users are able to delete the encrypted File and/or Folders on client machines without the required key

Limitation: SecureDoc users who have access to SFE folders and files, but do not have ownership to the corresponding encryption keys, are still able to rename and delete the files and folders.

SD-21329

Unable to decrypt with SFE Utility when using context menu and password decryption

Limitation: The machine is unable to decrypt files that are protected with passwords

SD-21331, SD-21341,

Issues with Dell E7450 and E6530 devices

Wi-Fi scan does not work on the Dell E7450 and E6530 models
Limitation: After installation and deployment completes, at pre-boot selecting the Wi-Fi icon to scan doesn’t work.

SD-21332,

USB device is not detected at pre-boot on Dell E7450
Limitation: USB device is not recognizable with the Dell E7450 device.

Workaround: Configure pci=noacpi in the boot configuration settings

SD-21419

RAID Controller on Dell 6540/7470 - No bootable device appears after installing Boot Logon and restarting on Dell E6540

Limitation: SecureDoc may not support the RAID controller card on the system.

Workaround: Change SATA controller to use AHCI

SD-21344

Bootable device not found when PBA loads with RAID on for Dell E6540 device

Limitation: After deploying the package and restarting, at pre-boot the device has a “black screen” and the error message “no bootable device found”.

Note: When selecting the boot order there is “WinMagic SecureDoc Logon” presented and you can manually select to reproduce the issue twice on the device.

SD-21356

Dell Venue 11 Pro 7139 device issues

PBL 64bit – BSOD has occurred after successful authentication to Boot Logon

Limitation: PBL 64-bit has exhibited random BSOD after successfully authenticating to Boot Logon

Workaround: Use 32-bit PBA on the Venue 11 Pro7139

SD-21460

When the Tablet PC Support option is set to AutoDetect in the profile, the device is stuck in the calibration screen
Limitation: Calibration screen is frozen and unable to see the pre-boot screen.

Workaround: Use PBU

SD-21468

The Venue 11 Pro 7130 has issues bypassing Boot Logon
Limitation: After successfully authenticating to Boot Logon, the device is unresponsive, unable to detect the keyboard and mouse, and remains at a black screen.

Workaround: Use PBU

SD-21356

SecureDoc client crashes when attempting to map a folder with more than 124 characters in the full path

Limitation: The SecureDoc SDPin process may experience issues if trying to map a network drive with a folder containing more than 123 characters.

Dell Tablet 5179 model

SD-21385

PBL32/PBLU32 - Black screen appears after successfully authenticating to Boot Logon

Limitation: Device is stuck at a black screen after authenticating to Boot Logon.

Workaround: Configure to use ACPI=OFF. Enable Legacy in the BIOS configuration before installing Boot Logon

SD-21435

Touch screen and keyboard are not working or showing at pre-boot

Limitation: The touch screen isn’t responding and the on-screen keyboard does not appear for this device

Workaround: Use PBU

SD-21425

The encryption status on the SecureDoc icon incorrectly shows “no encryption” when a local Windows administrator account is logged into the computer with SFE enabled – on Windows 10

Limitation: SDPin's status displays as “no encrypted drive” (red icon) when it should be fully encrypted (full yellow). This issue does not occur on Windows 7. This issue ONLY occurs with a local admin Windows account.

SD-21441

SecureDoc SDOT for Bitlocker is unable to start conversion for offline installation

Limitation: SDOT for Bitlocker is currently not supported for offline installation.

SD-21465

Custom background image for Boot Logon is not supported in 7.3

Limitation: The custom background image is not supported for Boot Logon. This will be corrected in the next release.

SD-21461

VMware compatibility changes with SecureDoc

Limitation: When using EFI firmware with Windows 10, the hard drive must be set to SCSI mode – due to EFI BIOS.

Legacy BIOS for Windows 7 should still use SATA.
