SecureDoc v6.4 Release Notes

View All

System Requirements

Note: It is strongly recommended to initially install Full-Text Indexing feature (Full-Text Search) into the Database Engine, before performing an SES installation. More information can be found here:

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of the Full-Text Indexing. This message will not allow the user to stop the installation of SES which will require retrofitting Full-Text Indexing into an existing SQL Server.

Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.

New Features


SD-5191 SecureDoc Enterprise Server can now manage BitLocker-protected devices.

The v6.4 SES User Guide and the v6.4 SecureDoc Stand-alone/Enterprise User Guide offer extensive information on BitLocker Management.

The list below articulates some of the functionality and feataures of SecureDoc's support for BitLocker management.

Sub items:

(SD-4985) - A new "Encrpyt drives" option has been added to the profile for BitLocker management, which permits the Administrator to specify granular encryption: e.g. "OS Drive only", or "OS & Data drives". This option also permits the Administrator to define a volume/partition exclusion list, shown as: "Do not encrypt partitions:" followed by a list of partitions to be excluded.

(SD-6323) - Upon managing a BitLocker protected Windows device, SecureDoc will articulate the type of protection for the Key (e.g. "BitLocker TPM" or "BitLocker Passphrase", etc). There are ten variants detected and displayed to inform the Administrator how a given device is protected.

(SD-6324) - Supports encryption and decryption of discrete drive Volumes using BitLocker.

(SD-7117) - Audit log information regarding BitLocker-based encryption and decryption events are available within the Client device logs, as well as being centralized to the SES Server for Admin/Auditor inspection.

(SD-7985) - "Encrypt Drives" option has been added to the profile.

SD-6455 Support added for Mac OS X 10.9, 10.9.1, and 10.9.2 Mavericks.

(SD-6454, SD-6762) - Kernel support for Mac OS X 10.9 has been added. Kernel drivers will also be installed to /library/Extensions for Mac OS X 10.9, 10.9.1, 10.9.2 Mavericks.

(SD-6460, SD-6620) - User mode processes have been improved.

SD-6971 Additional Windows 8 UEFI Refresh/Reset support has been added.

Windows 8 has two factory reset options, named Refresh and Reset. Both reset a computer to a fresh, factory default state.

Refresh preserves user files and installed programs, while Reset removes everything on the system. SecureDoc now offers additional support for Refresh/Reset, permitting the device to remain protected/encrypted by SecureDoc when refreshed.

(SD-6973) Additionally, profile settings have been added to configure Refresh/Reset mode of operation.


The process of enabling and managing FileVault 2 can be finished with one restart.

This feature will allow the currently logged-in user user to perform the setup, and that admin user will appear in the boot list. When using this option, it will ensure that the WinMagicPrimaryUserforFV account will not be accessible with any known/defined password.

SD-7332 An option has been added to SES to allow for installation of FileVault 2 - based encryption using the account of the Admin that is currently logged in.

This will allow the user to do the setup and the admin user will appear in the boot list. Using this option will make the WinMagicPrimaryUserforFV to not be accessible with any known/defined password.

SD-7333 Encryption/Decryption can be forced during an upgrade or as a result of the Import Profile and SES remote command.

For FileVault2-capable Mac devices, Encryption/Decryption can be forced during an upgrade of the SES Client software, or as a result of the Import Profile and SES remote command. This can help ensure that devices that are not compliant will be encrypted through an upgrade, when the Administrator sends a refreshed Profile specifying encryption to the device, or through a remote command.


A configurable computer restart countdown has been added for Mac Devices, with a default value set at 120 seconds.

This new option permits the Administrator to define a more reasonable period before the device will reboot during SecureDoc Installation, to permit the user to perform an orderly close of any open applications or documents. This option, if selected allows for Administrators to set his/her own time for when the device will restart after the installation.



Subtask for SD-7331: An installation package can be created with the option to prevent a restart following a package install/update.
SD-7428 Subtask for SD-7333: The following settings have been implemented for the SecureDoc package.
  • If FileVault is enabled, then RME/RMCE must be disabled (as incompatible)
  • If RMO is enabled, then FileVault should be disabled
  • If Idle mode is selected/enabled, then FileVault & RME/RMCE should be disabled
SD-7549 Additional support has been added to OSA for Server.
  • G Enterprise drive support has been added for OSA

  • Support has been added for Serial Attached SCSI (SAS) drives

  • OSA will consume one "Windows Server" license instead of an "OSA Client" license count, if during installation one or more TCG Enterprise drives are detected on the device on which it is being installed.

  • OSA Profile now has Linux kernel "Boot Parameters" configuration options, to permit setting of boot parameters if needed.

  • OSA profile now has a new "Require to communicate with SDConnex at pre-boot" option.

  • Offline authentication is not possible if this option is enabled

Subtask for SD-7333: Idle Mode has been implemented.

In reference to SD-7667, if neither "Enable FileVault2" nor "Enable RME/RMCE Handling" is checked, it means that only SES communication will be active.



SD-7333: Ability to configure FileVault2, RME or both and to see the resulting status in the SES console.

The settings for FileVault2 and RME will be shown in the SES console.

FVAdvanced 337x339

Added the options: Enable FV2 Mode and Enable RME/RMCE Handling.



Subtask for SD-7333: KeyChain data updated in SES database.

Ensures that KeyChain and Master password are accessible, and can be applied for Mac recovery partition.



OSA - Some BootConfig options have been enabled, including Boot Parameters and Boot Configuration settings.

Profile Option for BitLocker > Advanced Settings to manage OPAL drives.


Bug Fixes and Improvements


SD-3939 SecureDoc will now support keyboard layout for Microsoft Office 2010 IME Language Packs for Japanese.

Currently there is no support for other IME Lanuage Pack double-byte languages (ie. Chinese and Korean).


SESCmd logic improved to ignore users that have been placed in the Recycle Bin.

This allows new user accounts to be created, without reinstating or attaching to accounts in the Recycle Bin.


A new user is not created when updating a password for a user that does not exist when using SEScmd.

When using SESCmd to update a user password, if the specified user does not exist, SecureDoc will ignore it instead of creating a new user account.

SD-6554 The font size in the boot message text has been fixed.



Redesigned the existing scripts to upgrade functionality.

Improvement to handle build pkg version, SES resources and to change Xcode project.

Added 3 resource files (cert, ini, and spf) to the /SES-Resources folder.

SD-7347 The "warning days" alert will now display to notify the user that the password must be changed within the number of days shown/specified in the message.
SD-7526 SDconnex will notify Administrators on failed PBConnex user logons.

Emails will be sent on failed PBConnex user logons, Audit Log will also record this information.


Prompt for password change is shown after doing challenge response at pre-boot (OSA).


When users login to access KeyChain the password is hashed.
SD-7606 "Password is incorrect" error no longer occurs with logging into key file on token.
SD-7689 The word "Contacter" is now spelled correctly without the space in the French message.

Based off of the error message under:

Profile > Boot Text and Color > Lock Prompt

SD-7704 The user can enable FileVault manually while SecureDoc is already installed.

This can be detected by the SecureDoc monitor and reported to SES.

SD-7758 When installing a SDMacFV package it will ask the user to reboot before starting the FileVault encryption.
SD-7779 ADSync will pull in new users to AD.

Issue with duplicate users and adding new users with the same information may have caused issues when trying to sync new users.



The uninstall procedure has been improved.

Fixed the issues relating to FileVault being enabled/disabled manually, causing the uninstall procedure to fail.

SD-7956 Wireless PBConnex is now compatible with Broadcom Adapters.
SD-8000 "Hardware Encryption" column has been renamed to "Encryption Type".


Known Limitations





Disk Access Control (DAC) does not work with two partitions.

When DAC has been setup to: "Read only, unless encrypted", on internal drives, currently the user can still write to a drive, even though it is plain text.

SD-6979 SecureDoc Login screen will display when performing self-help recovery for the user.

When performing password recovery on a machine with Fast Startup enabled in Windows 8 or later operatingsystems; Single Sign On will not work if the user performing the password recovery is different than the user that originally shutdown the machine.


SecureDoc Container Encryption doesn't support volumes larger than 2 TB.

SD-7531 Selecting Automatic login to Windows will cause it to time out.

After creating a profile in SES server -> Credential Provider. Check "Automatically log in to Windows with Credentials entered at boot logon", ensure that "Automatic login to Windows will time out after X minutes" is NOT checked. After clicking OK and clicking on General options again, the "Automatic login to Windows will time out after X minutes" has been selected.


PBConnex has a limitation with a Lenovo USB 3.0 Adapter PN 4X90E51405.

When an adapter is inserted during the SecureDoc pre-boot, PBConnex will not be able to communicate with the server.

Workaround: If the adapter is left in the device and a warm-boot or cold-boot is initiated, during the next power cycle the device will be able to connect to SES at PBL.

SD-7651 The option "Automatically reboot machine after active force permanent auto boot by remote command" does not work.


On SES, try to assign that profile to the device. The device will automatically be rebooted after communicating with SES successfully.


SecureDoc encryption does not continue when deploying an installation package with BitLocker management on an unsupported OS system.

An installation package which supports BitLocker will have "SecureDoc Pre-boot for BitLocker" mode enabled. After trying to install the package, the system will notify the user that the "OS doesn't support BitLocker encryption” and the SD client will discontinue the installation.


Currently BitLocker is only available as an extra for Windows Vista, so the following steps will need to be completed to resolve the issue:

  • Install BitLocker the Windows Vista Ultimate Extras app.
  • Run the BitLocker Drive Preparation tool. This is done automatically in Win 7 and Win 8 systems, but the tool is different for Windows Vista.
  • Install the package with "SecureDoc Pre-boot for BitLocker mode" enabled.
SD-7909 An error message occurs when installing BitLocker package with PassPhrase enabled.

When a BitLocker package with "PassPhrase" and "User-Configurable" checked, deploying it on a Slate device will cause an error.


A Group Policy Setting must be enabled

  • Navigate to the Local Group Policy Editor
  • Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

  • Click on "Enable use of BitLocker authentication requiring keyboard input on slates"
  • Click on the "Enabled" radio button
SD-8024 When creating an extra SecureDoc user and enabling the option "Append domain name to default User ID", there will be a Local Windows user and AD Windows user with the same name.

The additional user will have to be removed manually.

SD-8050 The dialog box for "Change key file Password" will show after successfully changing the password.

This message will appear again after the password is changed successfully and the machine is rebooted.


Instead of restarting the machine, a shut-down and power start will prevent this message from occurring.




Windows Personal Devices (WPD) cannot be blocked using DAC and Port Control.

While connecting to smartphone devices through MTP, the user is still able to get full access to internal & external storage.

SD-8069 The option "Encrypted CD/DVD can be accessed with password" does not work properly

The setting does not save the password that has been set in the field after a reboot. The setting will also be unchecked and the password field is disabled.

SD-8189 SES encounters an improper argument and crashes when trying to add a key to user in SES.


Open registry and clear all contents in the View Folder:


SD-8197 BitLocker: Unable to re-encrypt hard disk after decrypting it

When a drive is encrypted and then decrypted, trying to re-encrypt the drive will cause an error with a message "No key found".


SecureDoc would have to be uninstalled and reinstalled to re-enable BitLocker encryption.

SD-8254 An error is shown after deploying a remote package to a machine encrypted by BitLocker PIN.


  • SecureDoc BitLocker Management package with TPM and Fixed-PIN configuration
  • Device encrypted with BitLocker TPM and Fixed-PIN
  • Existing PIN is a simple PIN
  • Fixed PIN is an enhanced PIN

Trying to deploy on this device with those settings will cause an error 0x8031009a, and will prompt the user to configure a simple PIN.

This issue does not affect deployments on unencrypted devices or deployments already using enhanced PIN functionality.

SD-8345 Machine freezes when switching from v5 to v4.

When switching from v5 bootloader to v4, the machine freezes. This only occurs on German HP machines.

SD-8422 Cancelling a SecureDoc Standalone install and rebooting the machine will cause a BSOD.
SD-8526 SecureDoc Preboot for BitLocker: Crypto-erase does not work on a client when using a key sequence.
SD-8608 Unable to login at boot logon after successfully deploying UPEK fingerprint.

After deploying on a machine with a UPEK FingerPrint reader, the user will not be able to login.

SD-8642 If the maximum failed login attempts has been reached, a successful login with another administrator will not unlock the locked user.


In order to unlock the locked user, a challenge response will have to be completed.

  The Disk Access Control feature does not prevent data from being burned onto CD/DVD discs.


Known Limitations (HPDE Only)


SD-6484 Machine does not encrypt when upgrading HPDE to BitLocker.

If Drive encryption is enabled without the HDD encrypted and a package is deployed with TPM only, the HDD does not start the encryption process.

 View All Release Notes