SecureDoc V8.2 Release Notes

SD-18445 SD-24799

Increase number of available User Key File "Slots" in kernel mode, to permit more users to concurrently access encrypted files through SecureDoc File Encryption when using RDP or Terminal Services

In order for SFE to run on servers, SecureDoc must support more user slots in Windows to allow for more concurrent users to access encrypted files at the same time. This means that users connecting into the server (via RDP, Terminal Service) will need access and must be able to authenticate to their individual Windows key files.

This improvement has been made, and the maximum number of User Slots is changed from 8 to 128.

Creating Emergency disk for BitLocker encrypted devices to assist with repairing UEFI boot variables for SDOT BitLocker Package

A solution to create Emergency Disk for SDOT & SDBM was developed for a system that is using SDOT and Native UEFI bios with UEFI Boot Order, in order to be able to recover the missing "SecureDoc Boot" option using the Emergency Disk and SDRecovery.

Provide backward/cross-platform-compatible support for long user names in key files

In newer versions of SecureDoc, the maximum length of a User ID was increased to 64 characters, but this caused problems where such User IDs were applied to or used on older-version devices.

This solution ensures that long User IDs can be used in version 8.2 and beyond.

WARNING: Long user names still cannot be used on older devices, so customers must be careful to not add users having long user names to devices whose SecureDoc version is prior to V8.2

NOTE: There are other Release note items relating to long user names/user IDs throughout this document. If your environment uses long user names, please review all of these items carefully.

Use Ubuntu kernel configuration as a base image for PBL

In an effort to reduce kernel development time, SecureDoc has moved to use an Ubuntu-based kernel configuration that can run on hardware without rebuilding the kernel each time a change is needed. Going forward, WinMagic will use the latest Ubuntu source, kernel, driver & firmware as a base for PBL.

Integrating Persistent Encryption into SFE to ensure files remain encrypted Persistent Encryption

(PE) is a new feature available for SFE that helps ensure files remain encrypted for unauthorized applications and processes. PE manages the applications that are allowed to decrypt files – by adding them into a White or Gray List.

Note: PE doesn’t block applications from accessing the contents of the file; PE only prevents applications from decrypting. If applications under the Gray List access an encrypted file, the data will be encrypted and appear as cipher text.

Limitation: SFE does not currently support encrypting SharePoint folders.

Improve support for SCCM deployments by providing Monitor for SDService/SDBat

Many customers that use scripted installation tools like SCCM have found that, due to the design of the SecureDoc installation process, it was very difficult to know when it was “safe” for SCCM or other deployment software to reboot the system. This is due to certain processes continuing to run in the background after the MSI installer has completed. In some cases, rebooting the device while these background processes are running may cause the task to fail with adverse effects on the deployment.

To correct this problem, WinMagic has added a new tool called “SDMon.exe”, which is designed to monitor SecureDoc deployment activities and hold itself open until no background processes are running. By monitoring for the completion status of SDMon.exe instead of the earlier steps, the SecureDoc client can now correctly indicate to SCCM or other scripted installation tools that the device can safely be rebooted.

Customers should include the execution of SDMon.exe and then monitor its completion code, to be either used as a trigger for rebooting the device, or to determine if the installation did not complete cleanly.

Improve SDOT for BitLocker to not display the BitLocker pre-boot screen

In SecureDoc “On Top” of BitLocker (SDOT), SecureDoc previously used a process to pass the BitLocker credentials to unlock the drive which could result in the BitLocker pre-boot screen appearing.

Due to the approach used in SecureDoc to pass the BitLocker unlock credentials to the drive, the BitLocker Pre-Boot Authentication screen would appear (albeit briefly), during which the unlock credentials would be passed.

This approach has been improved, and the drive is not unlocked successfully in all scenarios, without the BitLocker pre-boot screen displayed.

SecureDoc has added a new License Type: SecureDoc Essentials for Windows

In V8.2, WinMagic has implemented a new License Type called SecureDoc Essentials for Windows, for customers requiring basic Full Disk Encryption. The Essentials license uses only BitLocker encryption, and users can authenticate using a password (no Token or Smart Card support).

The primary objective of this initiative is to offer WinMagic customers a new lower-cost and lighterfunctionality option for secure device encryption, while maintaining all the benefits of Enterprise management of endpoint devices through a substantially simplified set of options compared to the regular license type for Windows clients.

Note: The “full” Windows client license has been renamed to SecureDoc Enterprise for Windows.

Allow user to expand partitions if they change the MBR access mode to 3 in cloud branch

CloudVM devices can expand their available disk space if a device Profile is first sent to the device that stipulates the use of MBR Access Mode 3.

After that profile has been sent to the CloudVM device, the disk space can be expanded. Once the expansion is complete, and the device has been rebooted, customers are advised to send down the original profile as it had been before the MBR access mode 3 changes was made, if they wish to continue to protect changes to the partition layout.

Implement full support for pre-configured XML which overrides device configuration settings

In V8.2, WinMagic has introduced a new feature that will go far in ensuring that endpoint devices will receive tested and proven settings (normally those affecting Pre-Boot and how the device will transition from Pre-Boot to load the Operating System). This is accomplished through the automatic deployment of an XML file that contains the override values by device make and model.

The XML file will be automatically copied into each installation package from the "master" copy, which is stored in the same directory in SES (normally C:\Program Files\WinMagic\SDDB-NT\Binary Installation Files\WindowsPC) where the version's installation executable files are stored (and from which they are copied into individual installation packages).

If the customer should wish to not use the XML file for any reason, it can simply be deleted prior to running the installation.

Customers are recommended to NOT delete the master copy. WinMagic will make available updated versions of the XML file on an ongoing basis, which customers can download to update SES’s handling of devices even if they do not frequently update their version of SES. For an updated list of devices, customers are recommended to check the SES Knowledge Base.

Note: This file may also be customized by WinMagic engineers to specific environments.

Notification of Failed login attempts should disappear after a set time

Currently, if a user fails to login at Pre-Boot, once successfully logged in to Pre-Boot and Windows, a notification appears stating the number of failed login attempts. This message remains open until the user manually clicks to close the message. All other messages in the system messaging center are automatically closed after a specific time.

To allow for the same behavior as other messages, two new settings have been added that can be manually added to the SecureDoc Device Profile:

"AutoCloseWarningNotifySeconds" (for warning notifications); and
"AutoCloseErrorNotifySeconds" (for critical/error notifications)

When these strings are specified with an appropriate number of seconds, and manually added to the [General] section of a Profile, they will cause the automatic closure of any Warning or Error messages after the defined number of seconds.

Note: If not specified, the warning and error message behavior remains the same as in previous versions

Improve the User experience of SD File Decryptor by allowing users to double-click 'SDE' files to launch the password dialog and decrypt the file

In earlier versions, if a file was encrypted with the SD File Encrypt application, the file had an extension of ".SDE". To decrypt this file, the SecureDoc the user was required to right-click on the file, and then select "Decrypt file".

Several improvements have been made to the SD File Decryptor application that provides a better user experience when decrypting files. Users can now double-click on encrypted (.SDE) files to decrypt and access the contents.

Option "User must complete sending of MachineInfo file to the server" has been removed from Installation package settings

This option has been noted for deprecation for a number of years, and has now been removed from the SES Console and Device Profile settings.

Introduce an option for SD configuration protection against administrative users

A new option has been added to the Profile Advanced Options (SES Console and Windows profile only) panel which permits blocking Administrator-level users from manually altering the contents of Profile files on endpoint devices.
The objective of this option is to ensure that such devices will only have the settings that were configured for them by the SES Administrator, blocking local changes to the device profile settings.

Enable debug logging on SES console

WinMagic has added advanced logging from within the SES Console application (similar to what exists in the SecureDoc Client), which can be enabled through the manual setting of a value in the system registry.
As with the Windows Client, if the user adds the appropriate 32-bit DWord to the HKLM\Software\WinMagic key, the SES Console will now generate debug logs in the UserData folder.

The location in the Registry varies according to whether the SES Server is running on a 32-bit or a 64- bit version of Windows Server. The options are shown here

SES debugging on a 32-bit Windows platform:
[HKEY_LOCAL_MACHINE\SOFTWARE\WinMagic]
"DebugEnabled"=dword:00000005
(same as for Client, above)

SES debugging on a 64-bit Windows platform:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WinMagic]
"DebugEnabled"=dword:00000005

NOTE: A setting of dword:00000009 (instead of dword:00000005) provides the deepest level of debug logging, but should rarely be required.

SecureDoc now uses SHA-256 driver signing, which may cause incompatibilities with un-patched Windows 7, Windows Server 2008 R2 devices

Issue: Windows 7 and Windows Server 2008 R2 (unpatched) as well as previous versions of Windows do not trust code signed with any SHA-256 certificates, and also lack Support for multiple signatures, causing issues supporting kernel-mode code signed with a SHA-256 certificate.

Note: SHA-256 is now the industry-standard signature hash algorithm for code signing certificates. It also provides stronger security and is the recommended replacement algorithm to SHA-1. This migration is a natural progression to the more secure SHA-256 algorithm and not a response to any immediate security threat.

Solution: In order to support SHA-256, Windows 7 clients should be update via the recommended operating system software update, which is available from Microsoft TechNet: Microsoft Security Advisory 3033929.

The following link points to an article that provides further information:

https://charismathics.zendesk.com/hc/en-us/articles/231993568-How-to-enable-SHA2-Support-onWindows-7

SDFileDecryptor/SDFileEncryptor - Prompt to overwrite the file if the file already exists at the destination

The previous behavior of the SDFileDecryptor/SDFileEncryptor was to create multiple copies of the same filename upon decryption, e.g. file.doc, file(1).doc, file(2).doc if the file already existed in the destination.

The product behavior has been improved to now prompt the user, indicating that the destination file already exists, and then asks the user if he/she wishes to overwrite the existing file.

An option has been added to SDBAT to suppress Reboot and/or Shutdown when removing Boot Logon.

When removing the Pre-Boot authentication (BootLogon) on a device, there had been no way to defer the device restart after removal is complete, and customers needed a way to defer that restart.

This has been improved, and a /Silent option has been added to prevent the client from automatically restarting Windows.

Similarly, when removing the Pre-Boot authentication from the SecureDoc Control Center (SDCC), the user will be presented with an option to either reboot now or defer until later.

Keyboard detection failure corrected; PBConnex autoboot issues resolved on Surface Book 2 when using Windows 10 RS3 and 7.5SR1 PBLU – stronger Surface Boot 2 support added in SES V8.2

PBConnex autoboot was found to not work on the Surface Book 2 with Windows 10 RS3 and 7.5SR1 PBLU, and customers reported that their keyboards were not being detected.

These issues have been corrected and other general improvements have been made in SES V8.2 to add stronger support for Microsoft Surface Book 2 devices.

OPAL information was not sent to SES after initial Activation and a device reboot had been required before this information could be transmitted.

In previous versions, OPAL drive recovery information was not being sent to SES until after the devices first post-management/encryption reboot.

This improvement allows the SecureDoc client to send recovery information to SES directly after Boot Logon has been installed, thus allowing for more rapid completion of this essential step.

Remove support for Mobile Device Management (MDM) from SES Web & SDConnex

Issue: MDM has been deprecated, and Mobile Devices such as IOS or Android Smart Phone/Tablet devices are no longer supported on SES 8.2.

Solution: All management panels, lists and configuration options relating to Mobile Device Management, communication settings and device setup have been removed from the console and services configuration.

Change ADSync to configure the ADDistName setting to use the short domain form (domainname vs domainname.local)

Importing User Name information from Active Directory with the Global Setting engaged that adds the Domain name to the User name would result in the full domain name being appended (e.g. JohnD@ABC.LOCAL), yet the user name would utilize the “short” domain version (e.g. JohnD@ABC), causing issues in resolving the correct user name.

This has been improved so that when this Global setting is enabled, the short domain identifier will be applied.

A Crypto-erase command will no longer expire

Issue: It was discovered in previous versions of SecureDoc that Crypto-erase commands were expiring under certain circumstances (e.g. where the SES Server could not receive confirmation of receipt from the endpoint device).

Solution: In V8.2, Crypto-erase commands have been improved so that they cannot expire like regular commands. They will now remain active until either confirmed received at the client device or cancelled by the SES Administrator.

Implement full 64-bit pre-boot loader processor architecture

In previous versions of SecureDoc, an option was present to use a 64-bit preboot kernel. This was only advised to be used on specific devices. In version 8.2, additional improvements have been made to allow wider compatibility for the 64-bit kernel. However, as development and testing are ongoing, the default setting remains as 32-bit.

Incorrect time stamp when using the RMCE Viewer

Issue: The RMCE Viewer did not show the updated system time when copying or moving any file to the RMCE container. This was caused by the RMCE Container Viewer app being unable to reliably detect time zone when files were being added to container.

Resolution: The SecureDoc RMCE Viewer now successfully detects the time zone independently when files are added to an encrypted container, even when added on different systems.

Pre-Boot Freezing when external Video device attached at Pre-Boot Logon

Issue: In some cases, the Pre-Boot logon process would “freeze” when an external monitor was attached.

This has been resolved.

SecureDoc fails to install SecureDoc OSA on Lenovo X270 and X1 Carbon device types

Issue: SecureDoc OSA for SED’s would fail to install on X270 and X1Carbon devices.

This has been resolved.

Panasonic Devices were failing to upgrade from 7.1SR6 to 7.5SR1

Customers with Panasonic devices were encountering problems when attempting to upgrade from SecureDoc V7.1SR6 to V7.5 SR1. This has been corrected, and either version can be upgraded successfully to V8.2

Added Support for Wireless communication in SecureDoc Linux-based 64-bit Pre-Boot for UEFI (PBLU) environment.

Issue: The 64-bit version of PBLU was missing wireless communication support, and it has been a limitation noted regarding the 64bit pre-boot environment in previous SecureDoc versions. In previous versions, pressing the “Scan” button at pre-boot to search for wireless networks would produce error message: “Wireless error 2”

Resolution: SecureDoc now uses a common configuration file location for both 32 and 64 bit preboot environments.

Excel Column headers offset and various other data export issues when Exporting report from SDWeb

Issue: When exporting Device and User reports using Microsoft Excel (97-2003) option, the column headers were offset and also in a different order than the data.

This has been corrected in V8.2

SecureDoc PBLU cannot unlock Micron 1100 drive on HP 1040 G3

Issue: The PBLU system works fine at first on the HP 1040 G3, with a Micron 1100 SED (that is on our compatibility list). PBLU will load for a few days and then they are stuck in a boot loop. Once it is in this loop, the only way to get back into the system is to press 'a' to load PBU, and PBLU no longer is able to be used.

This issue has been resolved.

In SESWeb, if an Administrator failed to login, the failure would trigger 5 unsuccessful attempts to log in through AD, locking the user’s AD account

Issue: The SESWeb authentication method was found to produce an excessive number of AD authentication attempts on failed logins.

This issue has been resolved.

When Caps Lock is enabled, the special characters are not interpreted correctly at pre-boot (German Keyboard)

Issue: When "Caps Lock" key is active the special characters on keys like "1", "2", "0","ß", " are not interpreted correctly at pre-boot (PBU, PBLU, PBL).

Resolution: CAPS LOCK on German Keyboard layout now works same as Shift key when pressing number characters (PBU, PBL/U).

SecureDoc Encrypt (SDFileCL.exe) - existing .sde file is automatically overwritten without notice or warnings

Issue: When an existing .sde file (encrypted via Context menu with SDFileCL.exe) is re-encrypted, it is replaced by a new .sde file instead of asking the user whether he wishes to overwrite the file or create it under a new name.

This has now been resolved. A 'Confirm File Replace' dialog will appear on file encryption. The caption of the encryption window now contains the file name and extension (the file extension was missing in previous versions). If no key is logged-in, the input focus of the encryption window is set to the 'Password' field. After decryption is complete, the decrypted file is opened in the default viewer for that file type (e.g.: .txt files will open in Notepad).

SESWeb Page Numbers Disappear

Issue: When a user has more than 50 installation packages and the list extends beyond the 1st page, if client attempts to go to the next page, then a new internal frame is generated within the Installation package area and the user is unable to scroll listing of remaining packages once it goes to the second page listing. Additionally, in the Windows 10 Edge browser, the pagination links at the bottom disappear when the page automatically refreshes.

In IE/Chrome/Firefox, the pagination links remain. In all cases, even though the URL shows?page=2, only the beginning of the package list is displayed.

This issue is now resolved.

[SDFV2] macOS 10.13.x support: Handle recovering with emergency disk

Issue: Due to changes in the Apple File System under macOS High Sierra, there are changes to how the Emergency disk will work. The old version of the Emergency Disk worked for Sierra and earlier macOS versions, not after High-Sierra.

This issue is now resolved.

IMPORTANT NOTE: DO NOT REBOOT THE MACHINE until 100% decryption is complete, and only then reboot the machine. This is because while still decrypting, FileVault is still active and needs a user password to unlock the FileVault 2 preboot.

[SD CloudSync] Failed to encrypt OneDrive for Business folders

Issue: SecureDoc CloudSync does not work with OneDrive Business but does work with OneDrive Personal edition.

This issue is now resolved.

USB CD drive categorized as unknown after RS2 upgrade

Issue: Client is upgrading devices from Windows 10 version 1607 to 1703. Everything works but some USB devices like the Dell USB CD drive are placed into the unknown category.

This issue is now resolved.

RCME_viewer.exe German display incorrect (both Text and AES Key name)

Issue: When an RCME encrypted USB flash drive is inserted into a system that does not have SecureDoc installed, after selecting "Forgot password" in the window for Challenge & Response, the message text is overlapped by the next line. A few keys in the encryption key displayed are truncated. In addition to the key text overlapping by other text.

This issue is now resolved.

SDPin.exe/SD icon doesn't display information correctly in German

Issue: The SD icon/SDPin.exe doesn't show encryption information after encryption is finished at tray icon in active language "German". But after switching SD language to English the tray icon shows the encryption information. This error seems to be a language specific error. The error comes up on different devices with manufacturer/models and also in VM.

This issue is now resolved.

VerMaj (Caps lock) key does not work for digits at preboot (French Keyboard)

Issue: At UEFI pre-boot (PBU, PBLU), the French keyboard doesn’t allow the use of digits with caps lock. Shift tab works and allows user to type numbers at preboot.

This issue is now resolved.

SD executes removing the Bootloader but Windows Registry doesn't update the DWORD

Issue: After removing pre-boot and restarting Windows, the pre-boot was confirmed as being removed. However, after checking the Windows registry to confirm status had changed for the Boot logon registry key, in some cases it was found that the registry key had not updated. As a result, the client is unable to continue with the remaining steps for uninstalling SecureDoc.

This issue is now resolved.

A wrong AD password entered Pre-Boot using PBConnex will increment the AD failed password count twice

Issue: The entry of a single incorrect AD password using PBConnex AD-validated logon at preboot will increment the "Bad password count" in Active Directory up to two, while SecureDoc’s own "Bad password count" is incremented only by one.

Reason: SDConnex would ask every Domain controller at the location to validate the password where the configured AD Sync Service has been configured such that the whole Domain was synchronized to SES.

This issue is now resolved.

'Encrypt Media' context menu option available with no Media Encryption options configured

Issue: The Encrypt Media option remained available to the user, even when not configured in the Device profile.

This issue is now resolved.

Error message "Not Authorized to perform this operation. (0xa204)" was appearing when customers attempted to use SDUtil to script decryption of hard drives, and drives were not being decrypted.

Issue: Customers were receiving the error "Not Authorized to perform this operation. (0xa204)" when using SDUtil scripting tool to decrypt disk and the drives were not being decrypted.

This issue is now resolved.

Various Dell Latitude devices would not start the Operating System if they had an Inserted SD card in their onboard SD card slot

Issue: With an SD card (encrypted or not) inserted at start up, after authenticating at preboot, Windows fails to load with a Window Boot Manager Error. But after removing the SD card and restarting device, the OS boots normally. The error exists with different SD card manufacturer and SD card models.

This issue is now resolved.

Communicate with Random SDConnex within Priority Group not working as intended at Preboot

Issue: Customer is using multiple SD connex servers (3 servers) with option to "Randomize" the connections instead of using a load balancer. Pre-Boot is randomizing the servers from the entire list, and not respecting the priority group while Server 1 and Server 2 is a part of priority group 1 (Enabled PBN Autoboot). Server 3 is a part of priority group 2 (Disabled PBN AutoBoot).

This issue is now resolved and pre-boot now correctly respects the priority group as configured.

Password with Space prevents the saving of user properties in SES

Issue: AD accounts for Administrator-level users whose Password contains one or more spaces will be permitted to log in to SES Console or SESWeb, but will be prevented from being able to save any changes to the user information.

This issue is now resolved.

The appearance of the right-click context menu is delayed 1-2 seconds when right-clicking on an object in Windows Explorer

On devices running SecureDoc encryption, when right clicking on an object in Windows Explorer the loading circle shows for 1-2 seconds, and then the context menu shows up.

This issue has been corrected

Unable to export reports in the proper format through SES web console

Issue: When reports were being exported into Excel, the exported data was not being reflected in the correct row and column. Customers wish to produce a spreadsheet that has the same structure as is shown in the SDWeb report. However, the exported data did not match the header when exporting in CSV format.

This issue is now resolved.

SecureDoc V7.5 client using HP Wireless Keyboard connected to Docking Station would not receive the first 4 keystrokes from keyboard; Worked fine without docking station and with docking station in previous versions.

This issue has been corrected. This keyboard type will work correctly whether connected to a docking station or not.

Challenge Response with RMCE Viewer doesn’t work when SD is installed on same device

Issue: Challenge Response doesn't work on RMCE viewer on the machine with SD installed but a non-SD device can recover the container password with C/R.

This issue is now resolved.

7.1SR5 and 7.5 RMCE Viewer fails to copy a large number of files

Issue: When copying large numbers of files into a SecureDoc-encrypted container on Removable Media protected with SecureDoc RMCE, not all files would be copied into the destination container.

This issue is now resolved.

Preboot Authentication application cannot be found -HP Z440 and HP Z840

This issue, and a number of other device-specific issues, are readily corrected through the use of the KnownConfigs.XML file functionality available in V8.2

Problem to migrate suspend mode /sleep mode/shutdown

This issue, and a number of other device-specific issues, are readily corrected through the use of the KnownConfigs.XML file functionality available in V8.2

Upgrading 7.1 SR6 client to 7.5SR1 - Inaccessible boot device error message

Issue: When attempting to upgrade the SES V7.1SR6 client to version 7.5SR1, a BSOD “Inaccessible Boot Device” would be displayed after attempting to start Windows. Investigation indicated that certain SecureDoc drivers were becoming marked as disabled in the Registry.

This issue has been corrected in both 7.5SR1 HF6 and V8.2

Database failed to upgrade from 7.1SR5 to 7.5SR1

Customers having very large databases and large numbers of SES Administrators had encountered issues when attempting to upgrade SES from 7.1SR5 to 7.5SR1. The problem occurred at the point after the SES Upgrade process upgrades the database. Upon first attempt to log in at the SES console, the console application would crash.

This issue has been resolved.

SFE policy does NOT work when configured using and the deploying package specifies that Users are identified with "Append domain name" option enabled.

Issue: SecureDoc File Encryption would not correctly resolve user Personal Key names where User IDs have the Domain ID appended to them (e.g. JohnDoe@domain).

In previous versions, where the "Append domain name" option had been applied to add the Domain ID to the User name automatically at the time that the user is identified, the resulting personal key name (which uses only the first portion of the domain ID) would not be correctly tied to the user if the user logged on with the full domain-qualified user id (e.g. JohnDoe@domain.com)

This issue has been resolved.

PBL32/PBLU32 WiFi doesn’t work on Lattitude 7280 device at preboot

Issue: Users of Dell Latitude 7280 devices found the devices were unable to scan for any wireless networks at pre-boot, so the WiFi was undetectable.

This issue is now resolved.

Devices do not start encrypting after Boot Logon is installed if SDConnex is configured with: "Allow re-use of existing user IDs" option enabled ONLY (the option "Use password from user record for existing users" is DISABLED), making it appear that SecureDoc does not allow the user of the re-use of existing User IDs option.

This issue also occurs when both the following options are enabled:
• "Allow re-use of existing user IDs" and
• "Allow update of information for existing users"

Effect: The device does not start encrypting

Work-around: This issue does NOT occur when SDConnex is configured and started with these options both enabled:
• "Allow re-use of existing user IDs" option enabled AND
• "Use password from user record for existing users"

This issue does NOT occur when these options are all enabled:
• Allow re-use of existing user IDs,
• Allow update of information for existing users,
• Use password from user record for existing users,
• Move devices into Recycle Bin in case of re installation of SD

Installation of SDLinux package on default/standard Ubuntu Linux 14.04.3 LTS environment (based on default Google Cloud) image will fail with an error message: "_ ERROR: Install preboot hook failed, exiting..._"

Note that this does NOT occur:

• with a default/custom Ubuntu 16.04 LTS image on Google Cloud. or
• with a custom Ubuntu 14.04.3 LTS image on Google Cloud.

Old client devices (e.g. V7.5SR1) cannot communicate with an SES v8.2 server when the user is attempting to logon to SecureDoc Control Center (SDCC) using a truncated long User ID after such a long User ID (up to 64 characters) has been assigned to the device

SecureDoc V8.2 clients and SES v8.2 now support up to 64 character-long User IDs, whereas clients on previous versions did not.

If a Long-ID user account is added from SES 8.2 to an existing 7.5 SR1 or earlier client, communication will fail. If this occurs, the customer will need to update that client version to 8.2, after which communication will be successful.

Work-Around: If the use of long User IDs is a factor in your SES Environment, it is recommended that all Client devices for such users should be upgraded to SecureDoc V8.2.

There is no support for long User IDs under the V4 Pre-Boot environment

Work-Around:
Ensure the device has been upgraded to SecureDoc V8.2 or utilize V5 Pre-Boot

[Dell XPS 9350] PBLUx64/PBLUx32 - The virtual keyboard shows incorrectly at preboot

Dell XPS 9350 Devices will encounter a problem in which the on-screen keyboard appears smaller than standard size.

This issue was detected when a Device profile (with Auto detect enabled) was deployed to a device. The installation proceeded successfully, the device was rebooted, the user performed the tablet screen calibration step, and successfully saved the configured tablet calibration values.

Upon requesting the onscreen keyboard, the virtual keyboard appeared at Boot Logon in a small size.

This issue might apply to other devices, though at this point WinMagic has only encountered it on Dell XPS 9350 model devices.

SecureDoc File Encryption causes an error to be displayed if a user attempts to send a selection of SFE-encrypted files to a Compressed (Zip) file

This will occur under the following conditions:

1. SFE has been deployed with "Persistent encryption” enabled
2. The SD client device has an Encrypted folder (e.g. Desktop\SFE)
3. In the SFE application access list manager, dllHost.exe is in the white list

If the user selects several files from inside the SFE-protected folder, then right-clicks on the selection and chooses "Send to" --> "Compressed File" from the pop-up menu that appears, the user will get an error message: "The Compressed (zipped) Folder is invalid or corrupted."

Note:
This issue also occurs when dllHost.exe is in the gray list.
This issue does not occur when compressing an entire Encrypted folder, only when trying to compress selected files within an encrypted folder.

Lenovo X1 Yoga and PBL32: The Pre-Boot logon screen layout (placement of prompts and text on the Pre-Boot Screen) is jumbled when the onscreen keyboard is shown on the screen.

Work-Around:
Consider plugging in an external Key Board and avoiding the use of the On-Screen pre-boot keyboard for this model when using the V5 32-bit Linux-based Pre-Boot.

RMCE – BSOD when Driver Verifier is enabled

Issue: On the client device after enabling the Driver Verifier, BSOD displays.

Work-around: After a 10 minute wait the device boots to Windows normally.

PBLU32/HWE – PBA crashes when logging in with a key file protected by 2048bit certificate on token

Issue: PBA crashes when a User logs in with a key file protected by 2048bit certificate on token.

Work-around: Switching device to PBU or PBLU64 and using the same certificate on token will allow the User to successful login.

The DataKey 330 does not work with Omnikey CardMan 3121 card reader in the 64-bit Linux-based Pre-Boot for UEFI (PBLU64)

Work-Around:
Consider using the 32-bit PBLU preboot, which does not exhibit this issue, until WinMagic is able to develop a correction for this problem.

PBU – Safenet eToken 410 unable to login at preboot with User protected by certificate on token

Issue: User cannot login preboot using Safenet eToken 410.

This is currently a limitation, this issue does not occur with a different token using the same private key certificate.

In the SecureDoc V5 Pre-boot for Native UEFI, when using an IDCore 30B eToken the user is Unable to login at preboot where the user’s Key File is protected by cert on token. Error 0x7727 is displayed.

Issue: IDCore 30B tokens are not supported by PBU.

Work-Around:
Consider changing the Pre-Boot environment for affected devices to utilize either the Linux-based V5 Pre-Boot (PBL) or Linux-based Pre-Boot for UEFI devices (PBLU).

PBL32 – Latitude 7280 Device – Ethernet network isn’t properly detected in preboot

Issue: After preboot and the device connect to Ethernet cable the light indicator didn’t turn green to indicate that the network is connected.

This is currently a limitation.

PBL32 – Latitude 7280 – USB is not detected at preboot

Issue: After preboot connects USB port is not detected.

This is currently a limitation

HP EliteOne 800 G3 – Fails to load Windows after PBU

Issue: Device fails to load to Windows after PBU on HP EliteOne 800 G3 device.

The FileVault 2 recovery account is shown while deploying a SDOTFV2 installation package on a fresh SecureDoc installation on devices that have macOS Sierra PLUS the latest security update

Issue: The installation of the latest security update on top of macOS Sierra has shown to have the effect that the resulting upgraded macOS Sierra environment exhibits many of the issues that have required special handling for macOS High Sierra discussed elsewhere in these release notes.

Work-Around:

Either: Customers are asked to:
• Install SecureDoc on macOS Sierra devices first. After SecureDoc has been successfully installed, they can then
• Deploy the latest Security update.

Or
If the device has been upgraded, the user can can simply:
• Reboot the device and hold while rebooting and then
• Manually choose WinmagicBootPartition to login, then
• Go to System Preference Startup Disks to manually choose WinMagicBootPartition and lastly restart the device.

Users of SDOTFV2-protected devices that have AD-based Passwords fill find that changes to their AD password on the client device will not cause synchronization with their FileVault 2 password, so they must still use their old password at FileVault preboot. This affects primarily macOS 10.13.4 client devices

Where customers are using AD-validated passwords on macOS 10.13.4 devices, due to limitations in macOS AD password changes made on the device will not synchronize to change their FileVault 2 password, with the result that they would have to use their old/previous password to unlock FileVault 2 using the recovery process.

Work-around:

To avoid this macOS limitation and to force synchronization, such users should make their password changes in AD on another (e.g. Windows) device, then log in to their macOS device at the SDOTDFV2 login using these new credentials.

These new credentials will be validated against AD, the user will be given access to the device, and SecureDoc on the device will see that the user's credentials are different and will synchronize to these new credentials.

HP850 G2 + Win10 Legacy and UEFI modes supports PBLx32/x64 pre-boot with certain settings required. These are shown below:

LEGACY:

32-bit PBL combined with a Hardware-Encrypted Drive (SED):
Requires Profile be set with Ymode=c

32-bit PBL combined with Software-Encryption:
Requires Profile be set with Ymode=4

64-bit PBL with Hardware-Encrypted Drive (SED)
No specific settings required, use defaults

64-bit PBL combined with Software-Encryption
Failed with Ymode=4. Customers are recommended to either use 64-bit PBLU or 32-bit PBL

UEFI:

Pre-boot for Native UEFI
No specific settings required, use defaults

Linux-based Pre-Boot for UEFI - 32-bit
No specific settings required, use defaults

Linux-based Pre-Boot for UEFI - 64-bit
No specific settings required, use defaults

Single Sign-on (SSO) does NOT work (on devices having Self-Encrypting Drives, e.g. Opal) after the device OS has been upgraded from Windows 10 RS3 to Windows 10 RS4

Work-Around:

a) Create a copy of the existing device profiles in use on such devices (only those that enable Single Sign-on) e.g. if profile is called ABC, copy could be called ABC_NoSSO
b) Disable the Single Sign-on feature in these new _NoSSO copies of the existing profiles
c) Send the new _NoSSO profiles to all devices that have an existing profile that enables SSO
d) Upgrade the devices to Windows 10RS4 while SSO has been thus disabled
e) Reinstate SSO by sending down to the devices the original device Profiles
f) Once there are no devices still running the _NoSSO versions of the Device Profiles (indicating that all have been returned to their original versions of the Device Profiles that enable Single Sign-on), then the _NoSSO versions of the device profiles can be Deleted from the Console and the SES environment.

NOTE: Alternatively, simply deleting the .enc file on such devices will permit them to reset their Single Sign-on behavior (e.g. if for example they had been upgraded to Windows 10 RS4 without performing the above steps)

The Windows 10 upgrade from RS3 to RS4 will fail if SecureDoc File Encryption is enabled on the client device at the time of the upgrade.

WinMagic has determined that if an existing SecureDoc-protected Client device that has SecureDoc File Encryption ENABLED is permitted to be upgraded from Windows 10 RS3 to Windows 10 RS4, that Windows upgrade will fail.

Work-Around:

For Devices that have SecureDoc File Encryption ENABLED, customers should:

g) Create a copy of the existing device profiles in use on such devices (only those that enable the SecureDoc File Encryption feature) e.g. if profile is called ABC, copy could be called ABC_NoSFE
h) Disable the SecureDoc File Encryption feature in these new _NoSFE copies of the existing profiles
i) Send the new _NoSFE profiles to all devices that have an existing profile that enables SFE
j) Upgrade the devices to Windows 10RS4 while SFE has been thus disabled
k) Reinstate SFE by sending down to the devices the original device Profiles
l) Once there are no devices still running the _NoSFE versions of the Device Profiles (indicating that all have been returned to their original versions of the Device Profiles that enable SFE), then the _NoSFE versions of the device profiles can be Deleted from the Console and the SES environment.

NOTE: The above considerations do NOT apply for fresh installations of the SecureDoc client on a Windows 10 RS4 device (with or without SecureDoc File Encryption enabled). Such installations will work fine, with no issues.

SecureDoc Enterprise Server support for Virtualized Desktops extends only to VDI devices under XenDesktop Citrix Studio or VMWare Horizon 7

There is no support at present for any other VDI Management Solutions, but more will be added as WinMagic has the opportunity to validate this solution against other VDI management solutions.

Virtualized Desktops under SecureDoc Enterprise Server’s support for VDI allows for only 64-bit Windows 7, 8, 8.1 and 10 Operating Systems

There is no support at present for any other operating systems

SecureDoc Enterprise Server support for VDI has no support for RME, but supports FDE (for Persistent VDI implementations) and SFE

SecureDoc Enterprise Server support for VDI has no support for Removable Media Encryption, but supports Full Disk Encryption (for Persistent VDI implementations) and SecureDoc File Encryption to protect information written to Network Shares accessible to VDI devices.

SecureDoc Enterprise Server support for VDI has no support for Port Control

SecureDoc Enterprise Server support for VDI has no support for defining access rules relating to USBaccessible device types through the Port Control settings.