Note: If you do not use FFE currently, skip this advisory.
IF you are planning to upgrade your existing SES implementation to V6.5 AND your organization uses FFE to protect data on the Network or Locally on user computers, read the following prior to attempting the SES upgrade.
Background: Files that are encrypted using FFE in 6.5 cannot be viewed by SecureDoc clients using FFE v6.4 SR1 or earlier. However, v6.5 FFE clients are able to view FFE-encrypted files from earlier versions, i.e. 6.4 SR1 and earlier.
This one-way limitation is due to improvements in the V6.5 file encryption header, which now supports multiple keys and passwords.
Please review the following KB article to understand the upgrade considerations relating to use of FFE and upgrading to V6.5’s improved FFE. This article will instruct you in how to remove existing FFE policies and transition existing FFE-protected data to the new FFE protection schema in preparation to implement the V6.5 upgrade: winmagic.com/knowledgebase/article.php?id=399
Please note that WinMagic is deprecating SecureDoc V4 Pre-Boot Authentication (PBA) support for SEDs in favor of the fuller function, more capable, V5 Pre-Boot Linux (PBL). The existing V4 support for SEDs will remain in the product for the time being but will not be maintained or enhanced. We recommend that customers migrate to V5 PBL over the course of the next year.
System requirements and supported devices, including tokens and SmartCards, for SecureDoc v6.5 are listed here.
Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation. More information can be found here: http://msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of Full-Text Indexing. This message does not allow the user to stop the SES installation, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.
Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.
SecureDoc Cloud Lite (SDCL) – a new tool to synchronize encrypted data to Cloud Service providers
A new set of tools, SecureDoc Cloud Lite (SDCL), is now available to synchronize encrypted data to Cloud Service providers, as well as providing the ability for end users to access and decrypt such files on Windows and iOS devices using a new set of decryption tools collectively called SecureDoc FileViewer.
This same reader technology, SecureDoc FileViewer, can also be used to decrypt files that can be sent securely as email attachments, on USB media, CD/DVD, or through any other transfer method. To learn more about this exciting new offering, refer to the SDCL and FileViewer user manuals.
Change from password protection to token protection at Windows and Pre-boot, based on certificates in AD
SES Administrators can automate the mass-transition from password protection to the use of smart card or token protection at Windows and pre-boot by adding the following clause in the ADSync Settings section of the WinMagic.SecureDoc.ADSync.Service.exe configuration file located in Program Files\WinMagic\SDDT-NT\SDConnex. Once this switch is performed, the users must use the token to log in. The clause to be added is:
This feature is particularly useful for large enterprises that wish to perform a mass transition to token protection. For details on how to change from password protection to token protection, refer to the Changing from password protection to token protection at Windows and Pre-boot section in the SES User manual.
Ability to configure proxy settings in SES console in order to connect client devices to SDConnex
SecureDoc Enterprise Server now offers a means through which the SES Administrator can define that Client Devices can connect to SDConnex (and thereby the SES Server) through network data communication proxy servers.
Ability to disrupt / degrade normal service to enforce licensing compliance for endpoints
SecureDoc Enterprise Server now offers a new account-in-good-standing compliance feature for those customers offering SecureDoc management as a hosted service. When activated, this permits the SecureDoc client itself to present reminder messages and a countdown before the device can be accessed to users whose service payments are delinquent, prompting them to pay and make their accounts current.
New Compliance Reporting Management Tool (CRMT) to report accurate drive list back to SES Console
SES now offers a new Compliance Reporting Management Tool (CRMT) through which both devices protected by SecureDoc, as well as other devices imported from Active Directory can be included into reports for purposes of tracking and analyzing organizational compliance.
New broadened support for Smart Cards and Tokens, offering generalized support for Smart Cards that will work with Open SC as well as a new “Generic Card Type” that uses Microsoft CSP
SecureDoc now supports even more Token and Smart Card types. Where there is no specific driver for the card type to be used, Administrators can now select "OpenSC" card type, or can take advantage of improvements in the handling of various cards under the “Generic Card Type” option, which uses Microsoft CSP rather than requiring specific Token middleware.
Note that where SecureDoc does have specific existing support for a given "known" Card or Token, for best results Administrators are cautioned to select that card/token type when configuring the authentication settings for users/devices on which the known card/token type will be used.
Refer to the SecureDoc User Manual “Key File Settings for Installation Packages” section for detailed information.
Policy-driven automatic encryption of additional disks as they are added to a system
In this version, a new functionality has been added that allows SDClient to automatically encrypt newly added disks. The SES administrators can enable this option while defining Profiles in SES console.
Ability to define a customized pre-boot background for client users in Pre-Boot for UEFI (PBU)
The SES Administrator can now apply a customized pre-boot background image on all Windows platforms.
The SES functionality that permits an Administrator to define a customized background image at pre-boot had not been working for devices using UEFI under Windows 8.x. This has been corrected and a means of defining and correctly scaling such an image has been developed for use in the SecureDoc pre-boot environment for UEFI devices. (Environment acronym is PBU).
Added ability to run Pre-Boot Linux for UEFI native (hardware encryption only) - OSA installations only
With this version, the SecureDoc OS-Agnostic (OSA) client for native UEFI devices can now run the SecureDoc hardened Linux-based Pre-Boot authentication platform (PBL).
This improvement opens up OSA UEFI-native devices to the many benefits of the PBL-based Pre-Boot, such as support for: wireless networking; various USB device classes and high end QT-based graphics at pre-boot. Also, it offers the ability to incorporate additional drivers. These benefits had not been a possibility under the limitations inherent in the native UEFI boot platform.
A new command line tool “SDRecoveryCmd” is now available to script decryption of endpoint devices
A new Command-line tool is now available that can be used to script decryption of endpoint devices. For more information on how to use this command-line tool, refer to “SDRecoveryCmd” section in the SES User Manual.
A new tool allows for the automatic collection of logs on SecureDoc Client
A file ClientSupportInfo.bat in folder C:\Program Files\WinMagic\SecureDoc-NT\Support has been created through which end-users can (upon SES Administrator request) automatically aggregate device-level detail logs. These logs may be required by WinMagic Support to troubleshoot issues on that device. Refer to the “Collecting Support Information and Logs” section in SecureDoc User Manual for detailed information.
When decrypting media, always use fast decryption
In order to improve the user experience when decrypting media, SecureDoc now uses the "fast decryption" option: all sectors that contain data are decrypted back into clear-text, but any sectors that are marked as not containing data remain encrypted, since those sectors are considered not to hold data. This substantially shortens the time required to decrypt sparsely used media, because sectors that do not contain "live" data are never decrypted.
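The following is an added example, not code from WinMagic or SecureDoc, that models the fast-decryption behaviour described above at the sector level. It assumes a constructed per-sector XOR mask derived from a hash (a stand-in, not SecureDoc's cipher), a 512-byte sector, a constructed 64-sector medium and a constructed allocation map; the point it makes is which sectors end up in clear-text and which still hold ciphertext after a fast decrypt.

```python
import hashlib
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
KEY = b"constructed-demo-key-not-real"  # assumption: stand-in for the media key


def sector_mask(key: bytes, sector_no: int) -> bytes:
    """Constructed stand-in for a per-sector cipher: a keystream built from a hash
    of key and sector number, applied by XOR. Not SecureDoc's algorithm and not a
    real disk cipher; it only makes each sector independently reversible."""
    mask = b""
    counter = 0
    while len(mask) < SECTOR_SIZE:
        mask += hashlib.sha256(
            key + sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return mask[:SECTOR_SIZE]


def xor_sector(data: bytes, mask: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, mask))


def make_encrypted_media(plain: List[bytes], key: bytes = KEY) -> List[bytes]:
    """Encrypt every sector, as a fully encrypted volume would be."""
    return [xor_sector(p, sector_mask(key, i)) for i, p in enumerate(plain)]


def fast_decrypt(media: List[bytes], allocated: List[bool], key: bytes = KEY) -> Tuple[List[bytes], int]:
    """Decrypt only the sectors the allocation map marks as in use and leave the
    rest untouched. Returns the resulting media and the number of sectors processed."""
    out: List[bytes] = []
    touched = 0
    for i, sector in enumerate(media):
        if allocated[i]:
            out.append(xor_sector(sector, sector_mask(key, i)))
            touched += 1
        else:
            out.append(sector)  # still ciphertext
    return out, touched


def full_decrypt(media: List[bytes], key: bytes = KEY) -> Tuple[List[bytes], int]:
    """Conventional decryption: every sector is processed regardless of allocation."""
    return [xor_sector(s, sector_mask(key, i)) for i, s in enumerate(media)], len(media)


def demo() -> Dict[str, int]:
    # Constructed medium: 64 sectors. Sectors 0-7 and 40 hold live data; sector 41
    # once held a file that was later deleted (unallocated but non-zero); the rest
    # is zero-filled free space.
    plain = [bytes(SECTOR_SIZE) for _ in range(64)]
    for i in range(8):
        plain[i] = bytes([0x41 + i]) * SECTOR_SIZE
    plain[40] = b"LIVE" * (SECTOR_SIZE // 4)
    plain[41] = b"GONE" * (SECTOR_SIZE // 4)
    allocated = [i < 8 or i == 40 for i in range(64)]

    media = make_encrypted_media(plain)
    fast, fast_touched = fast_decrypt(media, allocated)
    _, full_touched = full_decrypt(media)
    return {
        "fast_sectors_touched": fast_touched,
        "full_sectors_touched": full_touched,
        "live_sectors_in_clear": sum(fast[i] == plain[i] for i in range(64) if allocated[i]),
        "unallocated_still_ciphertext": sum(fast[i] == media[i] for i in range(64) if not allocated[i]),
        "deleted_sector_in_clear": int(fast[41] == plain[41]),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the fast path processes 9 of 64 sectors instead of all 64, which is where the time saving comes from. The consequence worth noting is that every unallocated sector, including one that once held data since deleted, is left exactly as it was on the encrypted medium: a fast-decrypted device is a clear-text copy of its live data, not a clear-text copy of the whole medium.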
Installer will auto-adapt to device specifics / technology - The SecureDoc Pre-Boot installer will now make several automated attempts to determine which settings will provide a successful transition from Pre-Boot to allow booting into the Windows OS
This offers a major improvement over previous versions, and will result in reduced need for troubleshooting during installation, as well as more successful installations, even in the face of widely divergent hardware, BIOS/UEFI types/settings and other factors.
Decrypt ALL disks from the SecureDoc Console with a single click of a button
The “Decrypt All Disks” feature enables a user (with Administrator Rights ONLY) to decrypt all the disks of the device in a single process.
Automatic collection of required logs from Mac FV2 client
A new command can be run on SecureDoc-protected Mac computers that will aggregate SecureDoc logs stored locally on the Mac device into a single zip file, suitable for attaching to an email to WinMagic support, where required. This is equivalent to a feature available for SecureDoc-protected Windows devices, and is now available for SecureDoc-protected Apple Mac devices. To use this option, run a new command script named collect-sd-logs, located in the /Applications/WinMagic/SecureDoc folder. This script will create an archive named "collectedSDLogs.zip", which will be placed on the current user's desktop.
New Profile Boot Configuration option permits enabling/disabling UEFI driver binding
This functionality lets an SES Administrator implement SecureDoc on non-UEFI-compliant hardware. This option has been added to the Profile Boot Configuration screen. This new option permits the disabling of the driver binding implementation, allowing the SecureDoc implementation to work on non-compliant hardware.
Note: This option is disabled by default
Refer to the “Boot Configuration Advanced Options” section in SES User Manual for detailed information.
SES validated to work with any version of Microsoft SQL 2014
SecureDoc Enterprise Server has been tested and verified against all versions of Microsoft SQL Server 2014.
A new feature now enables Smartcard-based Single Sign-on (SSO) into endpoint devices. This is defined in the SecureDoc Profile in SES, as well as offering extended SES/SDCC Credential Provider options
SecureDoc Enterprise Server adds functionality to permit and manage Single Sign-on (SSO) when using Smart-Cards or Tokens. Having authenticated with a Smart Card or Token, the user's underlying credentials will be accessed and utilized to complete the single sign-on process, transitioning the user into the Windows desktop directly without requiring further authentication.
A warning message will be displayed when configuring ADSync service without selecting a Master Keyfile
A new warning message will appear if an SES Administrator configures the ADSync service but has selected a Keyfile that does not contain the AES key.
Improved SDRecovery utility to work with UEFI based encrypted systems
The SDRecovery utility has been improved to work with UEFI devices, to analyze and perform data recovery automatically. Previously, this utility did not work with UEFI devices, but this limitation has been removed.
Enable debug log: Simplified procedure in enabling/disabling logging
A new “Diagnostics” screen has been added in SecureDoc Control Center that provides a regular (non-admin) user with the ability to enable detailed logging in the SecureDoc Client environment. This will normally only be needed when requested by WinMagic SecureDoc technical support, to provide detailed log information for analysis.
Once enabled, because of the load that detailed logging places on the computer, this feature is designed to disable itself automatically after 48 hours, on the assumption that two days of log information should normally provide the detail to aid in troubleshooting.
Ability to disable UDP packets to the client devices to avoid “flooding” SDConnex server
In this version of SES, the affected devices will be provided with a new Group Key only when the device connects to the server during its normal scheduled "check in", or at OS start-up (e.g. when Windows starts and the SecureDoc client communication service is loaded into memory).
In the previous versions of SES, when keys were added to a Group, UDP packets would be sent to all affected client devices in order to get them to “call in” to the server to receive a new key file containing the key(s) added to the Group. In very large SES implementations, the resulting flurry of inbound client connection requests and resulting key file distributions could “flood” the SDConnex server.
This is being implemented to eliminate the possibility of clients "flooding" the SDConnex server and should dramatically even out the responsiveness of the SDConnex server, particularly in very large SES implementations.
A new option for SES Administrators to generate “Random key name”
An option has been added that permits the SES Administrator to ensure that any device key names auto-generated by SES do not contain the endpoint device name within the actual key name.
Instead, when this option is enabled, random key names will be generated for device keys, and a reference to the device to which it belongs will be incorporated into the Key Description field. Though this feature is not expected to be broadly used, it may be an important element in overall security design for certain categories of SecureDoc-using customers.
SES Administrators can now ensure that only locally attached storage is encrypted
A new functionality is available that permits the SES Administrator to define precisely which Disk Types are going to be permitted to be encrypted, and which are not to be encrypted.
This permits the definition of disks to be encrypted or remain in clear-text by bus-type: e.g. SCSI, ATAPI, ATA, 1394 (FireWire), SSA, Fibre, USB, RAID, iSCSI, SAS, SATA, SD (Secure Digital), MMC.
For further information on this, refer to the "Disk type-specific encryption option (available from V6.5) permits EXCLUSION of disk bus types for encryption. If not used, all disk types will be encrypted" article (#393) in the Knowledge Base.
Prevent BitLocker recovery key screen from appearing when in Windows 7 legacy mode
This improvement ensures that the BitLocker Recovery Key no longer appears unless the user has specifically entered recovery mode.
In previous versions that support BitLocker, the BitLocker Recovery Key would appear briefly during pre-boot on Windows 7 devices configured to use the BIOS (instead of UEFI).
Ability to delete temporary Encryption files (PH1/PH2) option added to SecureDoc Control Center encryption panel
This new option allows users to delete the temporary files (PH1/PH2) that are generated during encryption process. If the encryption process is disrupted for any reason (e.g. computer shutdown), these PH1/PH2 files will be stored in the respective disks / USBs and may prevent them from being encrypted.
Now, users have an option to delete these files by clicking the PH1/PH2 button in SecureDoc Control Center.
In Installation Packages for SDFV2, add the same UserID creation options available to Windows installation packages
In the previous versions, SES user ID customization was not supported when SD FileVault2 is installed on a Mac device.
For version 6.5, Mac FileVault2 clients will support SES user ID customization similar to the existing Windows client feature, for example allowing the normal user ID to be used (the default behavior), or permitting the appending of information such as @+domain name, @+device name, or an administrator-defined string of custom characters. This functionality has existed for Windows clients for a long time, and is now available for FileVault2 client devices.
FileVault2 fails to install if the Mac recovery partition is missing
The SecureDoc for FileVault2 installer now checks for the existence of the FileVault2 Recovery Partition (a native requirement for FileVault2), and if this partition cannot be found on the Mac computer's drive, the SecureDoc installation will be halted and an alert message will be shown. The message articulates the specifics of the problem, and provides recommended steps to remedy the situation before installation of the SecureDoc client software can be re-attempted.
SecureDoc does not log the login when resuming from hibernation
When signing into Boot Logon while the system is hibernated, SecureDoc did not log the login attempts. This issue has been fixed by now storing the following information in SecureDoc:
When using “RemoveUser" command with SESCmd.exe, “Error code =-11” is displayed
In a previous version of SecureDoc, the use of the "RemoveUser" command could yield an error code -11, which indicated that though the user had been dissociated from the device in the SES database, the user Key File had not been removed from the device.
This has now been corrected, and the use of the "RemoveUser" command will now successfully remove the user's Key File from the device as well.
SDConnex: "User existence is required" doesn't work with Hosting Solution
This is a configuration issue. For the "User existence is required" feature to work in the Hosted Solution, the folder in which the installing user exists, and for which the device is destined, must be specified in the installation package. If the folder is not specified, SDConnex will not be able to find the user and will fail the installation.
Port Control and USB 3.0 support
In a previous version, the Port Control functionality available in the SecureDoc Client (and manageable through the Device Profile for SES2 clients) was able to enforce rules that can allow access to USB1.2- and USB 2.0-connected devices, but was not able to enforce access rules for devices via a USB 3.0 port.
This issue has been resolved, and SecureDoc Port Control rules now fully work with and support access limitations on USB 3.0 ports.
Review SDVCE kernel driver for issue of LARGE volume bigger than 2TB (including sector size of 512 and 2048)
In this version, very large USB-connected drives can be supported through SecureDoc's new support for 4KB logical sector size, and can now be successfully encrypted using Removable Media Container Encryption (RMCE). Similarly, Magneto-Optical (MO) drives that use 2KB logical sector sizes are now also supported.
RMCE: Creating container for 3 TB HDD is failed with error: "file size 0x0 too small..."
SecureDoc client devices can now create encrypted containers in excess of 2TB in size using the Removable Media Container Encryption (RMCE) facility built into the SecureDoc Client. For such huge-capacity devices, SecureDoc can now work with sector sizes of between 512 bytes and 2048 Bytes.
This removes a previous issue that would occur in which error "C0002" would be displayed when attempting to create a container on media of 2TB or greater size.
SES Admin Role: Prevent deletion of encryption keys
SecureDoc Enterprise Server now offers a means of limiting (to specific Administrators) the capability of deleting Encryption Keys from the SES Database, such that only those Administrators defined as having that right will be able to delete Encryption Keys from the database.
A new option checkbox defines this capability, and the rules implicit in this new functionality apply both to the SES client-server console and to the SESWeb web-based console. For all administrators that lack the Delete Encryption Key right, the Delete menu option will be disabled in all Key-related context menus, and pressing the Del (Delete) keyboard key on a selected Encryption Key will not delete it.
Option to Hide UserID: Lock and Log Off
SecureDoc Enterprise Server now permits the SES Administrator to define that the User ID should no longer appear on the screen lock log-in screen. This option allows for strengthened security, since a potential attacker no longer has any visual cues as to which user had locked his screen that could be used to aid in attacking the device.
Users Mac account being deleted from the device while removing their SecureDoc account
In a previous version of the SecureDoc client for Mac FileVault2, the deletion of a user's SecureDoc account (through which the user would authenticate to a FileVault2-protected device) would erroneously also delete/remove that user's Mac account from the device.
In this version, this issue has been resolved, and only the user's SecureDoc account information will be removed. The user's Mac account, all files and settings will remain on the computer following removal of the SecureDoc account.
Need a progress indicator when creating/upgrading SES database
When upgrading the SES database, there was a long delay between the “Successful Database Backup” and “The database updated successfully” messages. This would confuse users, who would think the upgrade had stopped/frozen. This issue has been resolved by displaying a live indicator (progress bar) with the message “Please wait while database is upgraded” while the database is being upgraded.
Extend the period of time the crypto-erase command is active before it expires
A new option “Command Expiry in Days” has been added in SES console Tools -> Options -> General. This lets you specify the length of time for the remote control commands (except crypto-erase command) to be retained for the client device. After the lapse of specified number of days, the command will expire. The default value is 30 days.
Note: For crypto-erase command, the expiry date is set to 10000 days. Users cannot configure this duration. If a pending Crypto-erase command is no longer needed, the Administrator should cancel it.
When deploying SecureDoc Version 5.2 SR4 clients in a SES Version 6.4 SR1-managed environment, keys would inadvertently be routed to the recycle bin
The bug has been fixed. The new keys will now appear in the correct folder.
PBL V5: Can NOT launch the Boot Configuration page
An issue was reported that affects users of the V6.4 and V6.4 SR1 versions of the SES-managed SecureDoc client, in which a user (even with a full Admin-rights Key File) cannot access the Configuration options from the V5 Pre-boot environment, forcing the user to use the V4 Pre-boot environment (where this functionality is available using function key F8).
This problem has been fixed and the users having an Admin-rights Key File can now access the configuration options from within the V5 Pre-boot environment.
In certain tablets, the calibration screen is displayed occasionally even though SecureDoc is not configured
On certain tablets, the calibration screen was occasionally shown during boot-up even though SecureDoc was not configured for that tablet.
Now, this issue has been resolved.
“Maximum PBA failed logins (Intel AT)” does not work every time when device is rebooted
Intel AT (4.0 & 5.0) systems had an issue where, during a system warm-boot only, the device was not marked as stolen after the failed-attempt limit was exceeded.
The issue is addressed so that once user exceeds the limit, the system will now be marked as stolen.
Enabling beep sound in V5
In this version, SecureDoc implements beep codes into the Version 5 pre-boot environment. Beep codes may be (optionally) used during Pre-Boot as an audible prompt system for visually-challenged users, providing them with guidance regarding when they are to enter User ID, a Password or other credentials, or when errors have occurred during the Pre-Boot Authentication process.
Since typical assistance technologies for visually impaired users rely upon the availability of a full Operating System (e.g. Windows, Mac OS X), these beep codes offer specific prompts for visually-impaired users to complete successful Pre-Boot Authentication, so that the Operating System can load, and their high-functionality visual assistance technologies can inter-operate with the OS.
The setting of keyboard language of PBA is different from EFI and MBR
As with other pre-boot environments, SecureDoc's UEFI-based Pre-Boot is now able to store the user's Keyboard type (useful for non-US keyboards) and will subsequently prompt the user at Pre-Boot using the correct Keyboard Mapping for his/her specific language requirements.
Increase the number of Network Interface Cards (NICs) that are initialized at pre-boot
Now, SecureDoc supports up to 10 network cards at pre-boot (previously it was 5).
Disk Access Control (DAC) cannot control external CD / DVD drive
Previous versions of SecureDoc client did not enforce DAC on external CD/DVD drives. The issue is addressed and SecureDoc will enforce DAC on external CD/DVD drives.
SecureDoc OS-Agnostic (OSA) pre-boot fails to load on crypto-erased drive (HP Zbook and HP EliteBook 840G1)
There was a bug in the OSA installation process that caused the system not to boot after activating encryption through OSA. This issue prevented certain device types (HP & Dell) with Self-Encrypting Drives from booting.
This issue has been resolved, and these device types will now boot cleanly.
NTFS-formatted USB Media would not format with option to format and move existing files back into container: Error message was “Failed to format the removable drive. Error code 0xd0000000”
Under some circumstances NTFS-formatted removable media/volumes were failing to format during the “media migration to encrypted container” process when the option “Encrypt entire space and move files into container” had been selected within the RMCE settings in SecureDoc Control Center.
This issue has been resolved.
SecureDoc crashes when attempting to encrypt a 3 TB External WD GPT drive
SecureDoc is now capable of encrypting external WD GPT drives with up to 3 TB capacity.
Ability to login at pre-boot with a smartcard whose password contains certain accented characters (e.g. öäüß§)
The ability for the SecureDoc V5 Pre-boot to handle Unicode characters has been improved, particularly where authenticating to a Token.
The original issue had been identified as the SecureDoc V5 Pre-boot environment's inability to handle certain accented characters, such as these found commonly in German: öäüß§
In "All Folder" tab – very large customers could experience truncation of the list of registered users and devices in the SES console’s Users or Devices views
This issue affected only very large customers having in excess of 65,000 folders in the SES Folder view. Due to the size of the resulting data selection, the “ALL Folder” tab in the SES console was unable to select and display all Users/Devices. This issue occurred because the MS SQL database cannot handle a SELECT statement that exceeds 340 kb in size.
This issue has been fixed. This folder will now be able to show any number of users and/or devices.
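The following is an added example, not WinMagic's code and not a description of how SES itself was fixed. It shows, with a constructed sqlite3 in-memory schema (a users table keyed by folder_id standing in for the SES folder/user relationship, 70,000 constructed folder IDs), why a single SELECT whose WHERE clause inlines every folder ID grows past the 340 kb figure quoted above, and one general way to keep statement size bounded regardless of folder count: issuing parameterised SELECTs over fixed-size chunks of the ID list.

```python
import sqlite3
from typing import Dict, Iterable, List

FOLDER_COUNT = 70_000   # constructed: above the 65,000-folder threshold in the note
CHUNK_SIZE = 500        # assumption: keeps each statement small and well under any parameter limit
NOTE_LIMIT_BYTES = 340 * 1024  # the 340 kb statement-size figure quoted in the note


def build_sample_db() -> sqlite3.Connection:
    """Constructed schema: one row per user, each user in exactly one folder.
    Every folder has one user; every 10th folder has a second one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, folder_id INTEGER NOT NULL)")
    rows = [(fid,) for fid in range(1, FOLDER_COUNT + 1)]
    rows += [(fid,) for fid in range(10, FOLDER_COUNT + 1, 10)]
    conn.executemany("INSERT INTO users (folder_id) VALUES (?)", rows)
    conn.execute("CREATE INDEX ix_users_folder ON users (folder_id)")
    conn.commit()
    return conn


def naive_query_size(folder_ids: Iterable[int]) -> int:
    """Byte length of one SELECT that inlines every folder ID. This is the
    shape of statement that grows without bound as the folder list grows."""
    sql = "SELECT user_id FROM users WHERE folder_id IN (" + ",".join(str(f) for f in folder_ids) + ")"
    return len(sql.encode())


def select_users_in_folders(conn: sqlite3.Connection, folder_ids: List[int],
                            chunk_size: int = CHUNK_SIZE) -> List[int]:
    """Fetch users for an arbitrarily long folder list by issuing bounded,
    parameterised SELECTs over fixed-size chunks. Each statement has at most
    chunk_size placeholders, so its size no longer depends on the folder count."""
    found: List[int] = []
    for start in range(0, len(folder_ids), chunk_size):
        chunk = folder_ids[start:start + chunk_size]
        placeholders = ",".join("?" * len(chunk))
        cur = conn.execute(f"SELECT user_id FROM users WHERE folder_id IN ({placeholders})", chunk)
        found.extend(row[0] for row in cur)
    return found


def demo() -> Dict[str, int]:
    conn = build_sample_db()
    all_folders = list(range(1, FOLDER_COUNT + 1))
    users = select_users_in_folders(conn, all_folders)
    return {
        "naive_statement_bytes": naive_query_size(all_folders),
        "naive_exceeds_note_limit": int(naive_query_size(all_folders) > NOTE_LIMIT_BYTES),
        "users_returned": len(users),
        "statements_issued": -(-len(all_folders) // CHUNK_SIZE),
    }


if __name__ == "__main__":
    print(demo())
```

With 70,000 folders the inlined statement is roughly 400 kb, past the quoted limit, while the chunked version issues 140 statements of a few kilobytes each and returns every one of the 77,000 constructed users. Chunking is one of several general remedies (a temporary table or table-valued parameter joined against is another); the note does not say which approach SES adopted.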
Pre-boot does not display Challenge Response (C/R) on install
This issue has been corrected. Where the use of recovery tools is defined in the SES environment, the prompt for Challenge Response recovery will be available to end users at all times.
In version 6.4 SR1, the Challenge Response button was not always being displayed when users click on the Forgot Password assistance link. This issue affects only devices running the V5 Pre-Boot environment.
Eliminated incompatibility between Symantec Workspace Virtualization software and SecureDoc
A previously-encountered incompatibility existed between the SecureDoc filter driver and Symantec Workspace Virtualization software, causing an inability to load Windows (a "hang" condition) after successful user authentication at Pre-boot.
This issue has been resolved. SecureDoc-protected devices running Symantec Workspace Virtualization software will now boot successfully into Windows following successful Pre-boot Authentication.
SDService now terminates promptly
In previous versions, SDService could take up to 3 minutes to shut down, and could thus delay other operations such as automatic upgrades.
In this version, this service now shuts down rapidly, and will auto-terminate any open existing communication channels.
SecureDoc should dismount RMCE container volume if user triggers "Eject" command on an RMCE drive
When using a USB device protected with SecureDoc's Removable Media Container Encryption (RMCE), if the user uses the Windows function to eject removable media, SecureDoc will now silently close and dismount the container volume before dismounting and ejecting the USB media itself. This corrects an earlier issue where using Eject in this fashion would throw an error message when a user attempted to eject a virtual RMCE drive (the "mounted" encrypted container), as distinct from the physical media that contains both the Media Viewer application and the container host file.
[PBU] Lenovo tablet 10 - on screen keyboard at pre-boot is very sluggish and slow to respond
Sluggish on-screen keyboard touch response at Pre-Boot encountered with Lenovo series 10 tablets has been corrected. Users will now find that the use of the on-screen keyboard is much more responsive.
Support for Windows 8 & 8.1 BIOS mode
SecureDoc now supports Windows 8 & 8.1 running in BIOS mode.
Getac F110 PBL Calibration now supported under V5 Pre-Boot
The ILITEK Multi-Touch device found on Getac v110 Tablet computers is now a supported device type in the V5 Pre-Boot. SES Administrators can configure such devices using a new "Auto-Detect" option available in the Boot Configuration panel within the device profile settings. Once installed on a Getac v110 device, the user will be prompted to go through the initial calibration process, after which the ILITEK Multi-Touch device will work with the on-screen keyboard at Pre-Boot.
SES Profile Creator now has "Auto detect" option for tablet devices
A new "Auto-detect" drop-down option has been added when defining Profiles intended for Tablet devices. This new setting appears in the Boot Config section of the profile, and allows for auto-detection of Tablets, in order to improve the process of determining the on-screen keyboard. In previous versions of SES, there was logic to load tablet-specific drivers. However, with the updates in the V5 PBL (Linux-based Pre-Boot) this is no longer required. PBL will auto-determine what Tablet is being deployed to, and will automatically load the required drivers.
Reinstate access to recovery and other functions through Function Keys
The Password Recovery features function keys (F8, F9) have been reinstated into the SecureDoc V5 Pre-boot Authentication environment. Many customers had requested that the Password Recovery function keys be reinstated into the Pre-Boot Authentication environment, after having been removed in V6.4 in favor of the use of a new mouse-accessible "Forgot password" link.
Now, both the function keys and the “Forgot password” link are supported.
When USB 3.0 is enabled in the BIOS, the Token is not recognized at Pre-Boot (affects Windows 7 based deployment only)
In the previous versions, the key-file authentication for USB based tokens (iKey 2032, Datev KOBIL) was not functional at PBL (Pre-Boot Linux only) when the BIOS USB mode was set to USB 3.0.
The issue is resolved and PBL can now detect and work with these tokens.
SES Administrators can create SES support User IDs with blank character(s)
SecureDoc Enterprise Server now permits the SES Administrator to create User IDs that contain mid-string blank characters.
In previous versions, SES had for some time been able to import such User IDs from Active Directory or LDAP sources, but it treated the manual creation of User IDs having embedded blanks as an error condition and did not permit the Administrator to create them.
When using a smartcard at PBL it takes 20 minutes after "Login successful" before the OS loads on a Lenovo W540
Lenovo W540 devices will now boot into Windows promptly following Smart Card-based authentication. An issue that caused Lenovo W540-model laptops to take an inordinately long time to boot into Windows after Smart Card-based authentication at Pre-Boot has been resolved.
RMCE Viewer does not show hidden file and folders
The RMCE File Viewer is now capable of displaying hidden files and folders.
In previous versions, the RMCE File Viewer was unable to display hidden files and hidden folders, thereby denying users access to those objects.
Maintain historical Audit Log information indefinitely
In previous versions, historical Audit Log information would be automatically cleared after 90 days through a stored procedure that would be run automatically.
Now, the historical Audit Log information will be maintained indefinitely until it is explicitly purged by the SES Administrator. To clear out unnecessary Audit Log information, the Administrator must execute a stored procedure entitled:
Refer to the SES User Guide for information on how to use this Stored Procedure, the arguments that must be passed to it and its resulting behavior.
TPM reset counter error: “0xb0000803 TPM fails. Please contact WinMagic Technical Support”
In previous versions, the TPM would lock itself after five unsuccessful logins. As a result, users could not authenticate with their key file to log into Windows. The cause was that each failed key-file login attempt was counted as two failed logins by the TPM.
This has been corrected. Each failed login attempt is now counted as one failed login by the TPM.
Communication over IPv6 is not working over VPN
In previous versions, when a SecureDoc encrypted client was connected through a Direct Access VPN configured for IPv6 only, the SecureDoc client would attempt to communicate using an IPv4 address.
In this version, the SD Service communication library has been modified to use IPv6-compatible functions.
iKey 2032 Token with PIN on Dell Venue 11 Pro (7130), UEFI, USB 3.0 (6.4 SR1)
PBU can now support iKey Token for authentication.
Seagate DriveTrust does not work with pre-boot (PBL)
There was an issue with Seagate DriveTrust drives that caused users to be unable to authenticate at pre-boot (PBL) and log in to Windows.
This issue is resolved now.
SecureDoc 6.4 SR1 -0x9204 Pinfile.sys patch
SDPin always checks the WMG file upon first loading. While this check runs, protection of the WMG file is temporarily suspended, and as soon as the verification completes, WMG file protection is resumed. The problem was that the protection failed to resume after the verification.
This issue has been resolved and WMG file protection resumes as usual after the verification.
Google Chrome no longer functions because of FFE on 6.4 SR1
A client-side incompatibility was discovered between SecureDoc V6.4 SR1 and the Google Chrome browser, which would prevent the Chrome browser from launching successfully if the SecureDoc Client software was configured with a Device Profile that enables File and Folder Encryption (FFE). This issue was detected on devices running the Windows 7, 64-bit operating system, but other operating systems/versions may be affected.
This issue has been resolved and now SecureDoc File Encryption (SFE) supports Google Chrome.
PBConnex does not authenticate on warm boot on systems with Intel I217-LM NIC
PBConnex was not working during warm boot (restarts) on certain laptops that have an Intel I217-LM NIC, such as the Lenovo M83 and Lenovo T440p. The issue was caused by an outdated Intel network driver.
This issue has been resolved by updating WinMagic Intel network driver support in the Pre-Boot environment.
Unable to register a HP device because of 0x7885 error
In previous versions, on HP machines with the “IDNLW_Hosting_Solution” option set in “dbo.Settings”, users were unable to register a new installation. The installation would fail and the error “0x7885” was displayed.
In this version, this issue has been resolved. Users can now register new HP devices successfully.
Standalone SD Client Installations will have the “maximum failed login attempts” feature disabled
In the SecureDoc Stand-alone product, if a user sets a non-zero value for the "maximum failed login attempts" feature, breaching that maximum value can cause standalone users to be locked out of their SecureDoc-protected device with no way to recover access. This has been corrected in this version. Stand-alone SD Client installations will have the "maximum failed login attempts" feature disabled by default, though advanced users can still enable this feature if desired, using the SecureDoc Stand-alone client Control Center application.
Wireless NIC (Intel 7260 AC wireless adaptor) on a Dell Latitude E-7240 doesn't work with version 6.4 SR1
On Dell Latitude E-7240 machines that have SecureDoc version 6.4 SR1 installed, the wireless NIC (Intel 7260 AC wireless adaptor) would stop working at pre-boot and display "wireless error 7".
In SecureDoc version 6.4 SR1, this issue has been resolved by adding support for Atheros Wireless NICs on WinMagic’s Linux kernel (for PBL).
RMCE (On Windows) compatibility Adding folder to RMCE does not mount RMCE on MAC
The Mac Removable Media Container Encryption viewer (RMCE_Viewer) is now compatible with FAT32 containers created on Windows. In the previous version, the containers created using RMCE on a Windows device would fail to open in the RMCE viewer application on the Mac platform.
This has been resolved, and Mac devices can now successfully mount and access FAT32 containers encrypted on Windows devices.
RMCE data incompatibility issue between Mac and Windows
An issue that had occurred where folders added to a Windows-created Removable Media Container-Encrypted container by a Mac device would subsequently be unreadable on a Windows device has been resolved.
Now, Mac users can freely add folders and sub-folders to a Windows-created RMCE Container, and have those files/folders be freely accessed on a Windows device.
Removed and disabled specific FFE functions within the SES Web Console
The SESWeb console has been changed to remove any reference to functionality that would permit creation of new FFE policies, or the addition of FFE policies to groups. To accomplish the latter, the Advanced tab has been removed from the SESWeb console.
Note that the ability to view FFE policies remains, and that new columns have been added to the SESWeb presentation panel on FFE policies to now show “Alias Name” and “Policy Type”. The Status column has been removed.
When creating a copy of an installation package, the copy would appear in the root folder, not in the same folder as the original from which it was copied. This issue applies to Hosting environments only
This issue has been resolved. Copies of Installation Packages will now be placed into the same folder as the package from which they are derived.
Native Japanese keyboard layout does not apply to PBU (different from PBL Japanese layout)
PBU will now use Native Japanese keyboard layout similar to what has been in PBL. However, current UEFI specification doesn't define two Japanese keyboard layout specific keys: <yen-sign> and <underscore>. As a result those two keys won't work in PBU (on non-Japanese physical keyboard these keys or similar ones don't even exist).
Users set with Flag = 0, are not being prompted to change their password
When users are imported into the database through CSV with a password and the Flag column set to 0, they were not prompted to change their initial password when logging in. This issue has been fixed by setting the initial password flag to true for CSV-imported users.
If "Lock computer when token is removed" option is enabled, users cannot login to Windows using password-protected keyfile
When the feature "Lock computer when token is removed" is enabled, a user logs into pre-boot with a token-protected keyfile and then unplugs the token, after which a password-protected user attempts to log in to Windows, the token-monitoring feature locks the computer because it detects that the token is not present.
The product is working as designed: This may be considered to be a security feature to ensure that users can only log in if the token is plugged into the system, even if their own key file is not token-protected.
Adding DAC manipulation into SDRecovery for purpose of data recovery
In previous versions, when the Lock option was enabled in Disk Access Control (DAC) profiles on client devices, the SES Administrator did not have the option to copy data from a problem disk onto non-encrypted external storage devices, such as USB drives.
Now, SES Administrators are able to copy data (regardless of DAC access restrictions) onto a non-encrypted USB storage by unlocking the disks and unblocking DAC using SDRecovery feature.
Unable to uninstall SD with Trust control enable when plugging USB to machine
Limitation: As in previous versions, all disks/drives must be decrypted before the SecureDoc client software can be uninstalled. However, if a USB drive is listed as a trusted device and such a trusted device is inserted at the time one is attempting to uninstall SecureDoc, SecureDoc will assume that (at least some of) the device has not been decrypted and will therefore not allow the SecureDoc client software to be uninstalled.
Work-around: Either remove the device from the trusted list, or preferably ensure any trusted devices have been unplugged from the USB port(s) prior to initializing uninstall.
[T440s] Wireless card support for 2 x 2 11b/g/n M.2 card (PBL)
Limitation: The current 6.4, 6.4 SR1 and 6.5 PBL cannot support the Wireless RTL8192EE NIC (available on the T440s).
Password is expired after upgrading client from 5.2 to 6.4 SR1(hot fix)
Limitation: Where customers are coming from clients running version V5.2, and upgrading to V6.4 or V6.5, if a Token/Smartcard KeyFile is converted to a password-based keyfile, a message "Password has expired" is displayed.
Work-around: Token/Smartcard KeyFile must be reverted back to a Token KeyFile before upgrading the SecureDoc Client software
Folder icons for FFE are flickering between regular icon, and FFE icons
Limitation: Windows Explorer does not automatically update the display when file changes or folder changes are made by other users. You must press F5 or click Refresh on the View menu in Windows Explorer to manually update the changes in the current folder of a network share.
Work-around: Perform the following steps:
1. Set the following registry key to 1:
2. Reboot OS.
Installing Dropbox, SugarSync or Box will disable icon Overlay for FFE Folder
Limitation: Windows only supports the first 15 overlay icons in alphabetical order. If users are not able to see the SecureDoc “Lock” overlay icon, it is because the overlay icon limit on that computer has been exceeded.
Work-around: If a user wishes to see the SecureDoc overlay icon, perform the following:
1. For Windows 7 64-bit implementations, expand the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\
2. Find and rename SecureDoc overlay keys (WMAllKey, WMNoKey, WMNotTransformed, and WMPartialKey) to be alphabetically earlier than any other keys. One easy way to do this is to add spaces in front of the name.
3. Restart the computer, or restart Explorer
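As an added example (not WinMagic's own tooling), the following PowerShell script lists the overlay identifiers in the order Explorer reads them, flags the SecureDoc keys that fall outside the first 15 slots, and, when run with -Fix from an elevated prompt, applies the rename described in step 2. It assumes Explorer's load order matches an ordinal, case-insensitive sort of the subkey names.

```powershell
<#
  Added example, not part of the SecureDoc product: report (and optionally fix)
  the position of the SecureDoc shell icon overlay handlers.
  Assumption: Explorer walks ShellIconOverlayIdentifiers in registry (alphabetical)
  order, approximated here by an ordinal, case-insensitive sort.
#>
param(
    [switch]$Fix   # rename the SecureDoc keys so they sort first (needs an elevated prompt)
)

$OverlayPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$Limit         = 15
$SecureDocKeys = @('WMAllKey', 'WMNoKey', 'WMNotTransformed', 'WMPartialKey')

function Get-OverlayOrder {
    # Returns the subkey names in the order Explorer is assumed to walk them.
    $names = [string[]](Get-ChildItem -Path $OverlayPath | ForEach-Object { $_.PSChildName })
    if (-not $names) { return @() }
    [Array]::Sort($names, [System.StringComparer]::OrdinalIgnoreCase)
    return $names
}

function Show-OverlayReport {
    # Prints position, loaded/ignored state and name; SecureDoc keys are tagged.
    $i = 0
    foreach ($name in (Get-OverlayOrder)) {
        $i++
        $state = if ($i -le $Limit) { 'loaded ' } else { 'IGNORED' }
        $tag   = if ($SecureDocKeys -contains $name.Trim()) { '  <- SecureDoc' } else { '' }
        '{0,3}  {1}  {2}{3}' -f $i, $state, $name, $tag
    }
}

function Repair-SecureDocOverlays {
    # Prefix each SecureDoc key with spaces so it sorts ahead of every other handler,
    # which is the manual rename the work-around above describes.
    foreach ($key in $SecureDocKeys) {
        $current = Get-ChildItem -Path $OverlayPath |
                   Where-Object { $_.PSChildName.Trim() -eq $key } |
                   Select-Object -First 1
        if ($null -eq $current) {
            Write-Warning "$key not found under $OverlayPath"
            continue
        }
        if ($current.PSChildName.StartsWith('   ')) { continue }   # already moved to the front
        Rename-Item -Path $current.PSPath -NewName ('   ' + $key)
    }
}

Show-OverlayReport
if ($Fix) {
    Repair-SecureDocOverlays
    Write-Output 'Restart Explorer (or the computer) for the new overlay order to take effect.'
    Show-OverlayReport
}
```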
Machine does not auto-reboot after encryption is complete when option "Encrypt partition only" is checked/enabled in Profiles
Limitation: When an auto-boot profile with the “Disable reboot following boot logon installation” option checked is deployed to a device, the device does not auto-reboot after completion of encryption.
Work-around: It is recommended to uncheck the "Disable reboot following boot logon installation" option. Checking the option can cause the system not to auto-boot on some systems.
SecureDoc FileViewer needs to run without Admin rights
Limitation: Users without administrator permission cannot install SecureDoc FileViewer on Windows.
Work-around: When installing the Windows FileViewer while logged in with a Windows user account, select the option to "Only for me (Windows user)" during the install wizard. When logged in as Windows Administrator, right-click the FileViewer icon and select “Run as administrator” option.
SD-10213: Unable to read the content of a file when copying / dragging an encrypted file from the SDCL original folder into the SD Cloud folder (Network folder)
Limitation: When an SDCL file is moved from the original "encrypted" folder to a network-based SFE folder, the file will be double encrypted, which makes the contents inaccessible.
Work-around: SDCL files in the original folder should NOT be moved into an SFE protected folder.
“Decrypt all disk” button will not work when one or more disks are encrypted using Partition encryption only
Limitation: In this version, the "Decrypt All Disks" option that permits decrypting all encrypted disks does not operate correctly on disks that have been partition-encrypted.
Work-around: For partition-encrypted disks, the user must decrypt such partitions a partition at a time (i.e. one by one). If after having decrypted any encrypted partitions there are any full-disk encrypted disks that must be decrypted, these can now be decrypted using the decrypt all functionality.
Auto Boot does NOT work after converting the RMO to FDE with "Permanent Autoboot" is enabled
Limitation: If a Windows endpoint device is running a profile that defines protection for Removable Media Only (an RMO profile), and that device is subsequently sent a new Full Disk Encryption profile that also specifies that the device is to AutoBoot (bypassing Pre-Boot Authentication), then that device will not autoboot. The issue occurs only when transitioning from RMO to AutoBoot directly.
Work-around: Perform the following steps:
1. Recover access to the device using Challenge-Response.
2. Once the device has been logged into at Windows, ensure the device is on the network and can communicate with the SES server.
3. The SES Administrator should re-send the desired Profile, which will correct the source of the issue (since this will no longer be an RMO to Pre-Boot transition).
The offline folder option is disabled after enabling File and Folder Encryption (FFE)
Limitation: For devices that already have offline folders enabled, synchronization will break after enabling FFE.
Lenovo L420 and Power Detection
Limitation: On Lenovo L420 or L412 models, if the user logs in through the WinMagic PBL (V5 Pre-Boot on a NON-UEFI device) then the user will notice the power adapter detection system tray icon will have disappeared from the Windows system tray. This issue might also occur on certain other Lenovo models.
Workaround: Do the following:
1. Use the V4 boot-loader (if you do not require PBConnex or settings related to the new pre-boot).
2. If you want to use V5 (PBL), enter <acpi=off> in the Boot configuration settings -> Advanced Options -> Boot Parameters field.
Introduce TPM reset counter when system is stuck in Dictionary Attack
SecureDoc does not reset the TPM lockout counter after a successful login attempt. Unless the lockout counter is reset, any device that has sustained one or more failed login attempts will gradually approach the possibility of being locked out, since the TPM will continue to count all failed authentication attempts until it reaches the lockout threshold. The lockout threshold occurs at 10 failed login attempts.
Please refer to your Administrator or Microsoft resources for assistance in resetting the TPM Lockout counter, usually performed through the TPM Management (tpm.msc) snap-in.
Files shared by two applications may restrict SFE from encryption
Limitation: SecureDoc File Encryption (SFE) can encounter situations that will block its ability to encrypt a given file if the file is being shared by one or more additional processes or services at the point that SFE attempts to encrypt it. One common example of this would be where SFE might attempt to encrypt the Outlook.pst file, because that file is normally shared directly with the Outlook search process. In that case, that file will fail to be encrypted because SFE is unable to get an exclusive lock on the file.
Work-Around: This will depend largely on the file(s) involved, and the services or processes that might utilize them at various points, but it may be possible to shut down certain services or processes temporarily so that SFE can complete encryption of those files. You may need the assistance of your firm's Windows System Administrator, who can advise based on file type which services and processes can be halted to permit encryption to continue.
Win8.1 stops at “Please wait, attempting to unlock your machine…” after BitLocker is disabled, but BootLogon is still installed
Limitation: If BitLocker encryption is disabled (effectively decrypting the device) either from the SecureDoc Control Center application or from the Windows Control Panel without also uninstalling the SecureDoc pre-boot (BootLogon) environment, then users will be stopped at the SecureDoc pre-boot screen but they will not be able to authenticate at Pre-Boot in order to then be able to log into Windows.
Work-around: The user must access the device's boot menu and select the "os MANAGER" option to log into Windows. Having done that, the user must remove pre-boot before un-installing the SecureDoc Client software.
OSA: "WPA2-Personal" in Network Access Control does NOT work in Wireless Settings page at PBA after successfully deploying OSA to an endpoint
Limitation: Currently, WinMagic does not support applying any wireless-related settings to an OSA profile. This is a limitation of the existing OSA product.
Unable to register Hardware Password Manager (HPM) when “One Touch Registration” option is enabled (For Lenovo computers)
Limitation: When a SecureDoc client installation package is created with “Hardware Password Manager” default settings and the “One-touch computer registration” option enabled, and this package is deployed on a client machine, the error message “Hardware Password Manager experienced an internal error. Please retry your request.” is displayed.
Work-around: There is no work-around available for this issue. SES version 6.5 does NOT support “One Touch Registration” option.
Allowing non-storage USB device for default USB port control policy
Limitation: Applying a default USB port control policy will block the use of some USB-connected devices that do not have storage functionality, such as: a) a USB-connected fingerprint reader, b) a USB-connected HD CAM camera.
Stand-alone SecureDoc Client might not encrypt files under SecureDoc Cloud Lite (SDCL) policy when the user logs in with an external key file
Limitation: If logging into SecureDoc Standalone version Control Center using an external keyfile, the encryption key may not be picked up properly by SecureDoc Client. This results in the folder encryption defined by an FFE/SDCL policy not functioning (although the rest of the SDCL functions properly). Files will be synchronized correctly, but in some cases not encrypted first.
Work-around: Log out and log back into the key file using the SecureDoc Control Center. Stop and re-start the SDCL application, following which the encryption of any unencrypted files in the folder will proceed as expected.
Microsoft Surface Pro 3 failed to resume from hibernation while conversion is in progress when BitLocker encryption is enabled
Limitation: When SD installation package (with BitLocker Encryption enabled) is deployed on Microsoft Surface Pro 3, the device will reboot and BitLocker icon appears on the system tray indicating that the conversion is in progress. However, when the device goes into hibernation during the conversion process, it fails to resume. This happens because SecureDoc On Top (of BitLocker) (SDOT) is not supported for Microsoft Surface Pro devices, types 1, 2 and 3.
Work-around: Administrator can either use SecureDoc BitLocker Management (SDBM) or a package that implements SecureDoc’s own encryption engine to protect Surface Pro devices.
When two hard drives are inserted into the machine one at a time, the client has problem sending the information back to SES
Limitation: This issue has been found when two hard drives (Samsung and SanDisk SSD) are inserted consecutively into a docking station. The client machine reports only one disk’s information back to SES and fails to detect the other one. This issue occurs because asset management cannot support more than one drive connected through a USB bay.
SecureDoc asks the PBN ikey 2032 users to change initial password every time the machine is restarted
Limitation: This issue occurs for PBN iKey 2032 users. Every time the computer restarts, the users are prompted to change the initial password.
Work-around: Uncheck the “Change initial password” checkbox (Tools -> Options -> General -> Password Rules) for token-protected key file while creating an Installation Package in SES console.
SecureDoc Credential Provider does not support Windows 8 Microsoft Accounts
Limitation: In this version of the SecureDoc client, SecureDoc Credential Provider does not support Microsoft Accounts, with the result that:
1. Single Sign-on (SSO) does not work.
2. Automatic password synchronization does not work. Users will be prompted to sync the new password manually into the SecureDoc context.
3. If the SES Profile option entitled "Only users having SecureDoc Credentials may login to Windows" is enabled, the user will be stuck at the logon screen and a restart will be required.
Use of “Change initial password” can affect second (and subsequent) Admin accounts’ ability to log into SES Console
Limitation: Where the “Change initial password” global option is set/enabled, when a second (third, etc) administrator keyfile is created and saved with a keyfile password, when this new Admin user tries to log into the SES console after changing the initial password, an error message “The password entered is incorrect. Try again.” is displayed.
Work-around: When prompted to change the initial password, perform the following steps:
1. Launch SES console.
2. Browse and select the desired keyfile.
3. Login with the selected keyfile. The message "Initial password must be changed now!" is displayed.
4. Click OK. The "Change keyfile password" screen appears.
5. Change the password.
6. Click OK.
7. On the SES Console menu bar, select Database -> Change keyfile password
8. Enter the old password
9. Enter a new password, then re-enter to confirm the new password
10. Click OK. The new password can now be used to login to SES console.