SecureDoc V8.3 SR1 Release Notes


Important Note

Feature Deprecation
On July 6, 2018 WinMagic customers and partners were notified that the SecureDoc pre-boot authentication feature for macOS – known as SecureDoc On Top (SDOT) for FileVault 2 – would be deprecated in SecureDoc 8.2 SR1. As of this release, customers will no longer see this feature available for macOS configuration settings.

Please visit Knowledge Base Article 1760 for more information.

Before Upgrading
Prior to upgrading from v8.2SR1 to v8.2SR2 or later versions, please refer to KB article KB000001727 and follow the steps to ensure your client machine has Win7 with KB3033929. For more information on this limitation, please see the previous release notes for v8.2SR1: http://downloads.winmagic.info/manuals/Release_Notes_8.2SR1.pdf

SecureDoc Support
WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.

Please visit Knowledge Base Article 1397 for more information on End of Life and End of Support timelines for SecureDoc software releases.

Customers running SecureDoc 6.5 and earlier should upgrade their server and clients to an actively supported software version. For more information on upgrading from SecureDoc 6.5 and earlier, please visit http://downloads.winmagic.info/SD8.2SR1/HF2/Release_Notes_8.2SR1HF2.pdf.


About This Release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.

Previous Versions

Version   Release Date        Details
8.3       February 5th 2019   New Features, Improvements and fixes (server/client)
8.3 SR1   May 15th 2019       New Features, Improvements and fixes (server/client)

Download the latest release notes for each version listed within Knowledge Base Article 1756.

System Requirements
For server and client system requirements: https://www.winmagic.com/support/technical-specifications
For supported devices, drives, smartcards and tokens: https://www.winmagic.com/device-compatibility

Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) into the Database Engine before performing an SES installation.

More information is available here: http://msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of Full-Text Indexing. The message does not give the user the option to stop the SES installation, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.

Note: Use of the SES Console requires the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.

Client OS Support
This section shows supported operating systems and upgrade paths for SecureDoc Endpoint Clients.

Microsoft Windows

Version: 10 RS5 [1809], 10 RS4 [1803], 10 RS3 [1709], 10 RS2 [1703], 10 RS1 [1607], 10 T2 [1511], 10 T1 [1507]
Editions: Enterprise Pro
Architecture: 32/64-bit
SR/Update: 8.1 SR1 HF2+; SD 7.5 SR1 HF8 / SD 8.2 HF1+; SD 7.5 SR1+; SD 7.1 SR6+; SD 7.1 SR4+; SD 7.1+

Version: 8.1
Editions: Enterprise Pro
Architecture: 32/64-bit
SR/Update: All versions

Version: 7
Editions: Enterprise Pro
Architecture: 32/64-bit
SR/Update: All versions


Apple macOS

Version       Editions   SR/Update
Mojave        10.14.X    MAC 8.3+
High Sierra   10.13.X    SD 8.2 DMG
Sierra        10.12.X    SD 7.1 SR6+
El Capitan    10.11.X    SD 7.1 SR2+


The KnownConfigs.XML File

Customers are strongly advised to download the most current KnownConfigs.XML file, then replace the current version (if older) in the SES Application folders and Installation Packages.

WinMagic strongly recommends that you seek out the most up-to-date version of the KnownConfigs.XML file and incorporate it into your SES implementation on a regular basis (e.g. monthly). This will help ensure your SES Version will take advantage of new client installation override settings that have been added since the version of the KnownConfigs.XML file that came with your version of SES. This will improve installation success on any new device makes/models you might purchase since installing SES, utilizing the new special settings available in newer versions of this file.

Customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files, then check that document (e.g. on a monthly basis) for updates to this file, then use the new version to replace all versions of the KnownConfigs.XML file in their SES Implementation folder structure.
For example:

1. Position Windows Explorer to: C:\Program Files (x86)\WinMagic\SDDB-NT, then
2. Search for files like *.xml.
3. Sort the resulting search list by name.
4. In each directory where a KnownConfigs.XML file is found, replace it with the new one that you have downloaded from the WinMagic Knowledge Base article.
Additional information can be found here: Installing or updating the KnownConfigs.xml file (Applies to SES from Version 7.5 onward).
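
One way to script steps 1 to 4, as an added example that is not WinMagic's code. The function name, parameters and backup file naming are assumptions, the demo files are constructed, and the script replaces every copy whose SHA-256 differs from the download rather than judging which copy is older.

```powershell
# Added example, not WinMagic code. Function and parameter names are hypothetical.
function Update-KnownConfigs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # The file downloaded from the WinMagic Knowledge Base article.
        [Parameter(Mandatory = $true)][string]$NewFile,
        # SES folder from step 1; assumes the standard "Program Files (x86)" location.
        [string]$SesRoot = 'C:\Program Files (x86)\WinMagic\SDDB-NT'
    )

    # Refuse to distribute a download that is truncated or not well-formed XML.
    try { [void][xml](Get-Content -LiteralPath $NewFile -Raw -ErrorAction Stop) }
    catch { throw "Not well-formed XML, nothing replaced: $NewFile" }

    $newHash = (Get-FileHash -LiteralPath $NewFile -Algorithm SHA256).Hash
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

    # Steps 2-4: find every copy, sort by name, replace the ones that differ.
    Get-ChildItem -LiteralPath $SesRoot -Recurse -File -Filter 'KnownConfigs.xml' |
        Sort-Object FullName |
        ForEach-Object {
            $oldHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $action  = 'AlreadyCurrent'
            if ($oldHash -ne $newHash) {
                $action = 'Skipped'
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Back up and replace')) {
                    # Keep the previous copy beside the new one so a bad update can be reverted.
                    Copy-Item -LiteralPath $_.FullName -Destination "$($_.FullName).$stamp.bak"
                    Copy-Item -LiteralPath $NewFile -Destination $_.FullName -Force
                    $action = 'Replaced'
                }
            }
            [pscustomobject]@{ Path = $_.FullName; Action = $action; PreviousSha256 = $oldHash }
        }
}

# Constructed demo: a throw-away folder tree stands in for the SES folders,
# and the XML content is a placeholder, not the real KnownConfigs schema.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'KnownConfigsDemo'
New-Item -ItemType Directory -Force -Path "$demo\SES\PackageA", "$demo\SES\PackageB" | Out-Null
Set-Content -Path "$demo\new.xml" -Value '<sample note="constructed">new</sample>'
Set-Content -Path "$demo\SES\PackageA\KnownConfigs.XML" -Value '<sample note="constructed">old</sample>'
Copy-Item -Path "$demo\new.xml" -Destination "$demo\SES\PackageB\KnownConfigs.XML"
Update-KnownConfigs -NewFile "$demo\new.xml" -SesRoot "$demo\SES" | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

Run the function with -WhatIf first to list the copies that would be replaced without touching them.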

The latest versions of the KnownConfigs.XML files can be found at the following links:

The contents of the KnownConfigs.XML file are reserved to be developed and advanced by WinMagic solely. While customers might consider enhancing it, WinMagic cannot be held responsible for issues that might arise from such modifications and may (at its sole discretion) levy an additional support charge to any customers that encounter support issues resulting from non-sanctioned, customer-initiated changes to the KnownConfigs.XML file.  WinMagic welcomes customer ideas and suggestions on how KnownConfigs.XML can be extended and improved, but WinMagic reserves the sole right to test, approve and to publish any changes to KnownConfigs.XML that it deems to be in the broader customer interest, and makes no commitment to act upon or publish all, or indeed any customer-recommended changes.

 

What’s New

Please refer to the previous Release notes for new features in this version: http://downloads.winmagic.info/manuals/Release_Notes_8.3.pdf

New Features / Improvements

SD-21263 – SecureDoc adds support for the TP-LINK TL-WN722N USB WiFi adapter at Pre-Boot for WiFi-based authentication

WinMagic has been apprised by a number of customers that network adapters based on or like the TP-LINK TL-WN722N USB WiFi adapter are becoming commonplace in customer implementations.

Solution: Support has been added for the TP-LINK TL-WN722N USB WiFi adapter.

SD-29298 – SecureDoc's SESWeb now offers a REST API interface

SES Web now supports a REST API interface. This is installed as a new project on IIS called SDWebApi. The SES installer has been updated to set up and configure this additional IIS site.

Documentation on how to use the REST APIs is available here:
http://downloads.winmagic.info/manuals/SES_Web_API_Setup_Guide.pdf
http://downloads.winmagic.info/manuals/SES_Web_API_Workflow.pdf


SD-21831 – Provide API method of integrating SecureDoc with a Hitachi IDM / IVR (Interactive Voice Response) system to permit both Browser and Telephone-based Challenge/Response device access recovery 

Solution: SecureDoc now exposes product functionality through REST APIs. In 8.3 SR1, two APIs are provided:
1. Authenticating a system admin.
2. Performing a Challenge / Response request for a user.

The operational flow is as follows:
1. The user authenticates to the IVR system (this is a proprietary, non-SecureDoc function of the IVR system).
2. The user speaks into the phone the Challenge Data that is shown at SecureDoc's PBA (this will be in the form of a series of numerals).
3. The IVR system passes several data fields to SecureDoc's API to calculate the Response Number.
4. The API returns the Response Number to the IVR system to be relayed to the user.
5. At SecureDoc's Pre-Boot, the user will enter the Response Number to by-pass and log into the system.

Documentation on how to use the REST APIs here:
http://downloads.winmagic.info/manuals/SES_Web_API_Setup_Guide.pdf
http://downloads.winmagic.info/manuals/SES_Web_API_Workflow.pdf


SD-21910 – SecureDoc Installation Package settings for OSA now permit definition of the destination folder during installation of the device

OSA now offers the following options to define where the device record will be stored (This is the equivalent functionality that was previously introduced for Windows devices): 

Default - add device into the same folder as the user 
Option - select the folder that all devices will be added to

SD-23537 – Track Disk-level Encryption Progress/Status in device registry, to permit external tracking processes to query devices directly

SecureDoc will now track device encryption status (and percent encrypted) in Registry entries on each Windows device.  The information is stored in: 

HKLM\Software\WinMagic\SecureDoc\Drives

in a format of [DWORD32] DriveLetter = percent encrypted, e.g. C = 100 

It also tracks the current/active or last known conversion process direction (e.g. Encryption or Decryption), in this registry entry: 
HKLM\Software\WinMagic\SecureDoc 

in a format of [DWORD32] ConversionDirection= [0/1], 0 = Decryption, 1=Encryption


SD-23658 – The SecureDoc system tray icon right-click menu now provides access to expanded information

The SecureDoc right-click menu available from the system tray icon now provides access to expanded information on drive encryption status, including for fixed drives, RME- and RMCE-protected drives (both USB flash media and CD/DVD Drives), and now also shows encryption or decryption progress information. 

SD-27927 – The pre-boot button that permits a user to access a Browser-based password reset website now permits its button text to be customized

Based on customer requests, the text that appears in the button that permits access to a Browser-based password reset facility (if the customer offers that) can now be customized to suit the customer's internal naming for this facility/function.  This customization can be performed via the SecureDoc Profile -> Boot Text and Color -> Edit Boot Messages interface.


SD-29314 – SecureDoc has added SDLinux support for Ubuntu 18.04.1

In V8.3SR1, SecureDoc Enterprise Server now offers support for Ubuntu 18.04.1.


SD-30058 – SecureDoc V8.3SR1 for macOS now supports macOS Mojave 10.14.5

Support for macOS Mojave 10.14.5 has been implemented in SecureDoc 8.3 SR1, meeting new Apple notarization requirements.


SD-29320 – SDLinux Client can now be upgraded to newer SecureDoc SDLinux client versions

WinMagic has resolved how to permit upgrading an SDLinux client to a newer version. 


SD-28964 – New functionality added that permits currently-encrypted devices to be re-imaged without needing to be re-encrypted

This new functionality supports the scenario where the C partition is reformatted and Windows is reinstalled, while preserving SecureDoc software-based encryption, when using appropriately configured installation media. After this re-image process completes, the drive is still able to function normally, as preboot is still retained on the disk to unlock the drive. In addition, User Data (stored in other partitions) remains on the disk during this process. Once Windows is reinstalled, when the SecureDoc client is reinstalled, it will recognize that the disk was previously (and is still currently) encrypted and re-establish communication with the SES server, using the same unique ID that was previously assigned to the device.

Note:  At present, this solution applies only to SecureDoc Software-encrypted disks.


SD-29248, SD-30118 – Simplified Recovery functionality now includes ability to perform Challenge/Response Recovery on RMCE container-encrypted USB media

This new functionality consists of a new RMCE "tab" in the Simplified Recovery panel. Upon selecting this panel, a page will be shown which will prompt the user to enter the Key Name of the Key that was used to encrypt the RMCE media.  This key name is displayed on the end user screen when prompting to perform the challenge / response.  Pressing "submit" will search for the key in the SecureDoc database and allow the support technician to select the key.

Once the correct Key has been located, it can be selected and an input box can be used to enter the challenge code. The "Get Response" button, once pressed, will cause the Response string to be displayed.  Functionally, this is very similar to the Challenge/Response capability that currently exists in the regular web console.

SD-29309 – SESWeb improvement offers a means to detect and rationalize duplicated device entries

A new System HealthCheck page has been added, which offers an option to initiate a search for duplicate devices. 
Upon selecting this option, the system checks for duplicate devices, and presents a list of identified devices that have duplicates (along with their associated duplicate device(s)) to the Administrator.  The Administrator has the option to review the list of these devices, and perform any action on them as required (review details, delete device etc.) 

NOTE: During the process of finding and cleaning out duplicated devices, when Administrators request a list of duplicated devices SESWeb will display duplicated devices across folders - which might include folders which are outside of the Administrator's sphere of authority. Devices in such folders cannot be deleted by that Administrator (but might be able to be deleted by another Administrator that has the duplicated device within his/her sphere of authority). 

SESWeb will provide a warning if the Administrator attempts to delete a duplicated device that exists in a folder over which the Administrator does not have required authority, and the device will not be deleted. The phrasing of this warning message is: "You do not have permission to access this resource". 


SD-29328, SD-29868 – A new set of values has been added to the Registry to track if Auto-Boot is enabled on the device, and its status.

The new registry keys are found in: "HKEY_LOCAL_MACHINE\SOFTWARE\WinMagic\SecureDoc" 
and are:

Type        Name                   Description
REG_SZ      "AutoBootRecordTime"   Time the values were last updated/recorded
REG_DWORD   "AutoBootStatus"       Options are: 0=no autoboot, 1=Permanent Auto-Boot, 2=Temporary Auto-Boot (controlled by both counter & timeout)
REG_DWORD   "AutoBootCounter"      Existing Auto-Boot counter before Auto-Boot expires
REG_DWORD   "AutoBootTimeOut"      Existing timeout (in minutes) before Auto-Boot expires
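
An added PowerShell example (not WinMagic code) that reads the Auto-Boot values above together with the drive status values from SD-23537 (HKLM\Software\WinMagic\SecureDoc\Drives and ConversionDirection) and lists what an external tracking process might flag. The function name, the findings rules and the constructed demo key under HKCU are assumptions.

```powershell
# Added example, not WinMagic code. Registry paths and value names are the ones
# given in these release notes; the function name and findings rules are assumptions.
function Get-SecureDocRegistryStatus {
    [CmdletBinding()]
    param([string]$BasePath = 'HKLM:\SOFTWARE\WinMagic\SecureDoc')

    $autoBootText  = @{ 0 = 'No Auto-Boot'; 1 = 'Permanent Auto-Boot'; 2 = 'Temporary Auto-Boot' }
    $directionText = @{ 0 = 'Decryption'; 1 = 'Encryption' }

    $key = Get-Item -LiteralPath $BasePath -ErrorAction SilentlyContinue
    if (-not $key) { throw "SecureDoc registry key not found: $BasePath" }

    # RegistryKey.GetValue returns $null for an absent value, so a client that
    # has not written a value yet is reported as NotRecorded rather than as 0.
    $describe = {
        param($name, $map)
        $raw = $key.GetValue($name)
        if ($null -eq $raw) { return 'NotRecorded' }
        if ($map.ContainsKey([int]$raw)) { return $map[[int]$raw] }
        "Unknown ($raw)"
    }

    # Per-drive values: [DWORD] DriveLetter = percent encrypted, e.g. C = 100.
    $drives = @()
    $drivesKey = Get-Item -LiteralPath "$BasePath\Drives" -ErrorAction SilentlyContinue
    if ($drivesKey) {
        $drives = @($drivesKey.GetValueNames() | Where-Object { $_ } | Sort-Object | ForEach-Object {
            [pscustomobject]@{ Drive = $_; PercentEncrypted = [int]$drivesKey.GetValue($_) }
        })
    }

    # Findings (assumed rules): anything a compliance report would want reviewed.
    $findings = @()
    if ($drives.Count -eq 0) { $findings += 'No per-drive encryption status recorded' }
    foreach ($d in $drives) {
        if ($d.PercentEncrypted -lt 100) {
            $findings += "Drive $($d.Drive) is $($d.PercentEncrypted)% encrypted"
        }
    }
    if ($key.GetValue('ConversionDirection') -eq 0) {
        $findings += 'Current or last known conversion direction is Decryption'
    }
    $autoBootLabel = & $describe 'AutoBootStatus' $autoBootText
    $autoBootRaw   = $key.GetValue('AutoBootStatus')
    if ($null -ne $autoBootRaw -and $autoBootRaw -ne 0) {
        $findings += "Auto-Boot is enabled: $autoBootLabel"
    }
    $directionLabel = & $describe 'ConversionDirection' $directionText

    [pscustomobject]@{
        Drives              = $drives
        ConversionDirection = $directionLabel
        AutoBootStatus      = $autoBootLabel
        AutoBootCounter     = $key.GetValue('AutoBootCounter')
        AutoBootTimeOutMin  = $key.GetValue('AutoBootTimeOut')
        AutoBootRecordTime  = $key.GetValue('AutoBootRecordTime')
        Findings            = $findings
    }
}

# Constructed demo: a throw-away key under HKCU stands in for the real HKLM key.
$demo = 'HKCU:\Software\SecureDocConstructedDemo'
New-Item -Path $demo -Force | Out-Null
New-Item -Path "$demo\Drives" -Force | Out-Null
New-ItemProperty -Path "$demo\Drives" -Name 'C' -Value 100 -PropertyType DWord | Out-Null
New-ItemProperty -Path "$demo\Drives" -Name 'D' -Value 42 -PropertyType DWord | Out-Null
New-ItemProperty -Path $demo -Name 'ConversionDirection' -Value 1 -PropertyType DWord | Out-Null
New-ItemProperty -Path $demo -Name 'AutoBootStatus' -Value 2 -PropertyType DWord | Out-Null
New-ItemProperty -Path $demo -Name 'AutoBootCounter' -Value 3 -PropertyType DWord | Out-Null
New-ItemProperty -Path $demo -Name 'AutoBootTimeOut' -Value 60 -PropertyType DWord | Out-Null
Get-SecureDocRegistryStatus -BasePath $demo | Format-List
Remove-Item -Path $demo -Recurse -Force
# On a managed endpoint, call Get-SecureDocRegistryStatus with no arguments.
```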

 


SD-22150 – SecureDoc's Linux kernel for Pre-Boot Linux for UEFI Devices (PBLU) will now default to 64-bit, rather than 32-bit

In previous versions, SecureDoc would install a 32-bit Pre-Boot Linux (PBL) on legacy and UEFI systems unless the Administrator had defined in the installation package to use 64-bit PBL. 

In this version, the logic for UEFI systems ONLY will be that SecureDoc will install 64-bit PBLU (Pre-Boot Linux for UEFI devices) by default. 

There will continue to be a way to override the default behavior (package setting) to install 32-bit PBLU, which may be required if UEFI firmware is 32-bit (which should be a rarity with current hardware) or in case there are issues when using 64-bit PBL 

WinMagic will define appropriate settings for those systems that require 32-bit PBLU through overrides defined in the KnownConfigs.xml file.


SD-29501 – Additional Port Settings defined for access to SESWeb API interface in the InstallShield wizard for SES

An additional port number setting has been added to the SESWeb Port definition panel in the InstallShield wizard. It now contains two port number definitions:
 
"SecureDoc Web Port Number"        (original, but renamed from "Port number") and 
"SecureDoc Web API Port Number" (new) 

The same Certificate as is used for the SecureDoc Web Port Number will be bound to this new SecureDoc Web API port during installation.


SD-29696, SD-29247, SD-29734, SD-29324, SD-26901 – The RMCE Viewer Application has been substantially improved, along with options in SES Console related to configuring RMCE.

The logic and presentation of the RMCE Viewer, and behavior of RMCE have been substantially improved over earlier versions. 

SecureDoc Client Improvements: 
1 - If using Disk Access Control settings that require un-encrypted USB media to be encrypted, and RMCE is the preferred encryption method, a prompt will guide the user to encrypt the device and will open the RMCE encryption prompt so the user can easily continue. 

RMCE Viewer Improvements: 
1 - The RMCE Viewer panel has been redeveloped in QT, to permit easy on-the-fly translation into local language (in the same way that the SES Client Control Center (also written in QT) translates itself into one of the available languages). 

2 - Upon having successfully authenticated to RMCE-protected USB media, users may now change the password that protects that media, using the RMCE Viewer application. 

3 - If, in the Device Profile, Disk Access Control is enabled and the most common setting "Read only, unless encrypted" is enabled, it means that contents of removable drives can be read but no new files can be copied onto them. If an attempt is made to copy or drag a file onto a non-protected USB media, SecureDoc now presents the user with a reminder screen stating that in order to be able to write data, the drive must be encrypted. Under this improvement, the user can click on a button in this prompt, which will lead the user through the media encryption process.

This is an important improvement over the earlier methodology, which would show a small popup in the bottom right stating that the drive must be encrypted before files can be written, after which the user would be prompted to enter admin credentials. Having entered those credentials, the user would mistakenly be led to believe the media was now encrypted, but would then see a new error popup showing access is still denied since the media was still not encrypted. This improvement was made to improve this end user experience.

4 - When an RMCE container has been given a password during creation, a user without the key that was used to create the RMCE container can plug the RMCE USB into a SecureDoc-protected PC and be prompted to enter a password to access the container. 

Issue: If this password is not known, there is no option to gain access with an Administrator's help by using Challenge / Response when the USB device is inserted into a SecureDoc-protected device (unlike when the same USB is inserted into a non-SecureDoc-protected device, where the user can perform Challenge Response recovery on the USB stick using the viewer application). 

In this version, this limitation has been eliminated, and users can now also perform Challenge / Response recovery against a Password-protected USB stick on a SecureDoc-protected device, just as can be done on a device that is not protected by SecureDoc.

Device Profile Improvements relating to RMCE: 
1 - Where Personal Keys are defined in the Global settings (and the user will therefore have a Personal Key), that Personal Key will be defined as the default key to be used to protect the RMCE-encrypted media. 
2 - The Device Key can now (optionally) be removed from the list of keys from which the user may select when encrypting USB media, ensuring that users cannot protect USB media with the same key that protects their device's hard drive. 
3 - NOTE: Where using RME (full-volume Removable Media Encryption) the option mentioned in item 2 above does not apply, so that option becomes disabled, as it is not applicable for RME, and cannot be selected.


 

Resolved Issues

SD-29239 – Corrected issue where SDLinux for Endpoint devices permitted non-compliant passwords to be used

Issue: When deploying Endpoint Linux package using Auto provisioning with the manual definition of a Device Owner, during the installation process, a user would be prompted to define his/her ownership of the device and set a password.  If the user's Password did not meet SecureDoc's password quality settings, SDLinux would warn the user that the password did not meet the password strength rules, but yet still permitted the user to forge ahead and use the non-compliant password anyway. 

Solution: This issue has been resolved, and users must enter a password that complies with the password strength rules.

SD-22495 – SecureDoc now sends a refreshed Permanent Auto-Boot Key File to endpoint devices 

Issue: Certain customers had detected that, in the event of some damage to the AutoBoot Key File resident on their devices, the devices could not successfully Auto-Boot and would be stuck at Pre-Boot. 

A replacement Device Profile sent by SESWeb would (erroneously) not replace the damaged Auto-Boot Key file. The same functionality applied by the SES Console does work correctly, replacing/refreshing the Key File, restoring Auto-Boot functionality. 

Solution: This version fixes this variance in behaviors between SES Console and SESWeb.  In this version, regardless of whether the Profile is reapplied by SESWeb or the SES Console, the profile will be applied and a replacement Auto-Boot Key File will also be applied, restoring consistency between the SES Console and SESWeb.


SD-27009 – Certain USB devices could not be successfully mounted on MacBook Air devices after installing SecureDoc

Issue: Users of MacBook Air devices found that certain USB-connected devices would not mount successfully following the installation of the SecureDoc client software. It was determined that this was caused by an obsolete driver. 

Solution: The obsolete driver has been removed from this version and customers should be able to mount all USB devices now.


SD-28972 – Pre-Boot Browser occasionally fails to load web page images.

Issue: Certain customers utilizing the Pre-Boot browser for user self-recovery/Account reset have encountered issues where essential images are not loaded correctly in the Pre-Boot Browser, causing users to have difficulties navigating or understanding status information conveyed using images. 

Solution: This issue has been resolved, and images now load and are displayed correctly. 


SD-28262 – Vulnerability affecting Self-Encrypting Drives when using Profile Boot parameter "Transfer key to OS using Persistent Storage" 

Through continued development of our SecureDoc solutions, WinMagic had discovered a vulnerability affecting devices using SecureDoc to manage Self-Encrypting Drives (SEDs) under specific conditions (see below). NOTE: There is no evidence that the vulnerability has yet been exploited to steal sensitive information stored on an SED. 

Products/Solutions Affected 
For this vulnerability to apply, devices must meet the following 3 conditions: 
1. SecureDoc v8.3 or earlier for Windows 
2. Self-encrypting Drives (SEDs)
3. The option entitled "Transfer key to OS using Persistent Storage" is enabled * 
* Persistent Storage mode can be enabled in the following ways: 
• Windows Profiles in SES -> under Boot Configuration -> Advanced Options: 
 “Transfer Key to OS using Persistent Storage” 
• Persistent Storage can be applied automatically to devices if configured in the KnownConfigs.XML file. Please review your most current KnownConfigs.XML file to determine if your devices may be affected. 

Solution: This vulnerability has been corrected in SES V8.3SR1. 
WinMagic strongly recommends any affected devices be upgraded to SecureDoc v8.3SR1 as soon as possible. 


SD-29423 – Apple Mac devices can appear in the SES Database with an encryption status of 128

Issue: This issue is extremely rare, but it was found that in one particular environment Apple devices would report an encryption status of 128, which indicated that they were unable to process the encryption status. This status would cause issues with SES Web when working with these devices.

Solution: SES Web has been updated to recognize the status code 128, and permit this status to resolve to a meaningful status description. Status = 128 will appear as "Status Undefined" in reports, and the SES Web Console user interface, as well as in the SES console for compatibility to be maintained.


SD-29677 – Ubuntu 16.04 Server LVM / RHEL 7.6 LVM: All drives are duplicated in the “Compliance” tab after upgrading a Linux system from 8.3 to 8.3SR1

Issue: When upgrading Linux client devices (either SDLinux or CloudVM Linux servers) from V8.3 to V8.3SR1 client software, the result will be that the Disk Drives records for the client device will be duplicated in the SES Database following the upgrade. 

Solution: This issue is now resolved.

Note: This issue applies to the upgrade from V8.3 to V8.3SR1 only, and WinMagic anticipates having a more comprehensive solution in a future version that will eliminate duplication of disk drive records.


SD-29975 – An issue was found that could cause SecureDoc to start encryption immediately when installed via the SYSTEM account.

Solution: This issue has been resolved.


SD-30178 – The secondary Challenge-Response option (numerals only) required a means of customizing the title text. 

Solution: This has been resolved. For customers who need to utilize a numeric-only Challenge String, and also require customization of the default text (which is "Challenge Data 2"), this is now possible. In order to change the default text, edit the message ID 10205 using the “Edit Boot Messages functionality” in the “Boot Text and Color” section of the SecureDoc Device Profile. Upon a new installation or profile update, the new messaging is displayed on the Boot Logon challenge / response screen.


SD-29685 – Issue corrected wherein Disk Access Control is not applied until after initial Encryption + user Log-off and device Reboot had been performed.

Issue: In previous versions, Disk Access Control settings could not come into effect until after initial Full Disk Encryption completed, and the user had logged off or the device had been rebooted.

Solution: This issue has been resolved. Device Access Control settings will now be fully functional even during initial disk encryption stage.


SD-28124 – An issue can occur where devices may time-out and fail to authenticate successfully (failing with error 139) where devices are successfully connecting to the network using 802.1X network settings but unable to connect to an SDConnex server (e.g. all SDConnex servers are inaccessible/down).

Issue: In this scenario, PBL or PBLU can detect a network connection on the client but cannot communicate to any SDConnex servers. After the user logs on using cached credentials, the client tries to communicate to SDConnex (e.g. to check if there is pending Crypto-erase command) and eventually PBL or PBLU crashes with error 139.

Solution: This issue has been resolved, and PBL or PBLU will no longer crash if using 802.1x and servers are not accessible.


SD-29990 – Under certain hardware configurations (specifically when using an NVME SSD with the system BIOS set to UEFI and RAID mode enabled), it was found that SecureDoc's Pre-Boot Linux for UEFI (PBLU) pre-boot environment was unable to access the disk, and this resulted in an error 0x1.

Issue: Currently there is a known limitation where the combination of UEFI, NVME SSD, and Intel RAID mode is not supported by PBLU. PBU does support this configuration. Thus, in order to address situations where systems were already deployed in this state, the ability to automatically revert to PBU (Pre-boot for native UEFI) has been implemented.

Solution: To address this issue, SecureDoc's Pre-Boot now, having displayed the Error 0x1 dialog box (due to inability to access the disk drive) will start a 30-second countdown timer. Once this reaches 0, it will exit and reboot the system, skipping the log files saving procedure and decrementing an internal PBL counter which starts at a value of 3. This internal counter will decrement by 1 for each reboot attempt, counting the number of failed PBLU attempts occurring in a row. When this counter reaches 0, PBLU will no longer launch, and PBU will be enabled for all future boot operations.


SD-29226 – Pre-boot idle device timer was shutting down machines even while users were typing credentials at Pre-Boot or using the IDM Browser.

Issue: The SecureDoc Client Pre-boot has an idle device timer that begins timing from the moment that the Pre-Boot screen is displayed on the device. Users that waited to begin entering their credentials would find that the device would time-out and reboot while they were entering their credentials or using the IDM Browser.

Solution: This has been resolved.  The Pre-Boot idle device timer is suspended and stops its count-down when the user strikes a key or moves the mouse, either in the Pre-Boot Logon screen or the IDM Browser.


SD-29947 – Existence of a DNS name in a device profile's SDConnex server list can cause Offline Installations to fail

Issue: Customers that utilize an "offline" installation package that permits SecureDoc to continue installation if the device is unable to access the SDConnex Server(s) found that the offline install would fail if the device profile contained no IP addresses for SDConnex server communication.

Such installation packages would have the setting "In case of communication error, continue installation offline" enabled. Affected customers had SDConnex profile communications settings that only contained DNS name-based SDConnex servers (e.g. for a Network Load Balancing Device).

Where devices are unable to connect to SDConnex servers by their IP addresses, the installer would show an error message: "Sub: Socket connect", then show a countdown which, when it reached zero, would continue the installation offline.   In the case where only DNS-named SDConnex server(s) were configured, a different error would appear "Sub: Get Host By Name" (failed to resolve DNS host name), but this error is not accompanied by a countdown timer, causing the installation to fail.

Solution: This issue has been resolved.  Now installations will continue offline in the same manner, where the setting "In case of communication error, continue installation offline" has been configured in the installation package settings, and the SD client device is unable to communicate via either DNS or IP to an SDConnex server.  A countdown timer will appear and the installation will continue offline once the timer has expired.


SD-29655 – SDConnex connection time-out values have been re-enabled.
 
Issue: Testing based on V8.2 and V8.3 showed that network connection time-out values set in PBConnex were not being respected. Instead, connection attempts from client devices would time-out based on a fixed 20 second value.

Solution: This issue has been resolved.  SecureDoc's pre-boot connection attempts will now time-out based on the settings defined in the console settings, as originally designed.


SD-29797 – In SecureDoc 8.3, efforts to improve the reliability of SecureDoc AD authentication resulted in a side effect where a single failed attempt to authenticate through PBConnex would cause two failed authentications against Active Directory.

Issue: Certain customers may have a very stringent failed login attempts policy against Active Directory, and may experience higher than expected account lockouts due to this side effect.

For example: If failed authentication lockouts were set to 5 in AD, each failed authentication through SDConnex would count as 2 failed attempts against AD, locking the User account after 3 failed attempts to SDConnex at pre-boot. (3x2=6, exceeding the max of 5)

Solution: For customers impacted by this issue, the ability to define the authentication method has been implemented. With the settings defined below, SDConnex will now attempt to log in only once to AD for each login attempt that it brokers at Pre-Boot, permitting users to have the expected number of login attempts available to them as are defined in AD rules.

To enable "1 call" AD Authentication:

1 - Access the SecureDoc Database table dbo.Settings
2 - Add a new row, and enter the following under the NAME column: IDNLW_AD_AUTH_TYPE
3 - Enter the following in the corresponding ValNum column: 2
4 - Restart SDConnex

Note: This setting may need to be confirmed after a Database Upgrade.


SD-29732 – An issue has been found where some devices utilizing Opal self-encrypting drives would work for a period of time, but then would show error 0x8011 and/or 0x78011 at SecureDoc's Pre-Boot.

Issue: Devices utilizing Opal self-encrypting drives would work for a period of time, but at some point after being rebooted would show error 0x8011 and/or 0x78011 at SecureDoc's Pre-Boot, blocking further access. If the user attempted to tap 'a' during start-up to access the Version 4 Pre-Boot, the device would show a 0x4480 error, and again access would be blocked.

It was determined that the drive can be unlocked through use of WinPE, after which it would be possible to access the SecureDoc Control Center application in Windows (after doing a warm reboot).

Solution: This issue has been resolved.


Limitations

SD-30120 – SecureDoc-protected Ubuntu Linux clients may not be able to upgrade from Ubuntu 16.04 to 18.04 if the device Boot Partition size is less than 256MB

Issue: Customers will be unable to upgrade Ubuntu distributions in place from 16.04 to 18.04 using 'dist-upgrade' then 'do-release-upgrade' if the pre-allocated boot partition size is less than 256MB.

Currently, if a Linux system does not have an existing /boot partition, SDLinux automatically creates a 256MB boot partition during installation. This space is not sufficient to perform a release upgrade from Ubuntu 16.04 to 18.04.
Currently Ubuntu only recommends a minimum of 250MB for the boot partition, per: https://help.ubuntu.com/community/DiskSpace
If the customer created a separate boot partition in excess of 256MB during their installation of the operating system, they should not encounter this problem.

For customers that have boot partitions that are not at least 256MB in size, the options are:
- For new installs:
If you have an Ubuntu 16.04 system that does not have an existing separate boot partition (or the existing boot partition is less than 256MB), it is recommended that you upgrade to Ubuntu 18.04 first, prior to deploying SDLinux.
- For existing SDLinux installs:
If your Ubuntu 16.04 system's boot partition is less than 256MB, you will be unable to perform the release upgrade to Ubuntu 18.04, as this requires significant boot partition space. If possible, you can do one of the following:
• Increase your /boot partition space
• Migrate your data to a new Ubuntu 18.04 system and re-install SDLinux on that system
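
A pre-flight check for the limitation above, added here as an example and not WinMagic or Ubuntu code: it classifies the /boot entry in "df -Pk" output before a release upgrade is attempted. The function name, the sample df output and the reading of 256MB as 256 MiB are assumptions.

```shell
#!/bin/sh
# Added example (not WinMagic code): pre-flight check for the SD-30120 limitation.

# 256MB figure from the release note, treated here as 256 MiB in 1K blocks (assumption).
MIN_BOOT_KB=$((256 * 1024))

# Reads `df -Pk` output on stdin and prints one verdict:
#   no-separate-boot       /boot is not its own mount point
#   too-small <1K-blocks>  /boot is at or below the 256MB figure
#   ok <1K-blocks>         /boot is larger than the 256MB figure
classify_boot() {
    awk -v min="$MIN_BOOT_KB" '
        NR > 1 && $6 == "/boot" { size = $2; found = 1 }
        END {
            if (!found)           print "no-separate-boot"
            else if (size <= min) print "too-small " size
            else                  print "ok " size
        }'
}

# Constructed sample: the 256MB /boot that SDLinux creates when none exists.
# df reports filesystem size, which is a little under the partition size.
SAMPLE_SDLINUX_BOOT='Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda3         30832548 9120344  20122956      32% /
/dev/sda2           245679  148210     80266      65% /boot
/dev/sda1           523248    6232    517016       2% /boot/efi'

# Constructed sample: an operator-created 1GB /boot.
SAMPLE_LARGE_BOOT='Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda3         30832548 9120344  20122956      32% /
/dev/sda2           999320  148210    782298      16% /boot'

# Constructed sample: no separate /boot at all.
SAMPLE_NO_BOOT='Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda1         30832548 9120344  20122956      32% /'

# On a real client, feed live data instead: df -Pk | classify_boot
for s in "$SAMPLE_SDLINUX_BOOT" "$SAMPLE_LARGE_BOOT" "$SAMPLE_NO_BOOT"; do
    printf '%s\n' "$s" | classify_boot
done
```

A "too-small" verdict on an existing SDLinux install corresponds to the two options listed above; "no-separate-boot" on a machine without SDLinux corresponds to the new-install guidance.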

 

How to Install/Upgrade

Customers with an active support plan should contact support@winmagic.com to receive the latest download link for their SecureDoc upgrade. 

Contacting WinMagic

WinMagic
5600A Cancross Court
Mississauga, Ontario, L5R 3E9
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001
Sales: sales@winmagic.com
Marketing: marketing@winmagic.com
Human Resources: hr@winmagic.com
Technical Support: support@winmagic.com
For information: info@winmagic.com
For billing inquiries: finance@winmagic.com

Acknowledgements

This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young (eay@mincom.oz.au) and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).

WinMagic would like to thank these developers for their software contributions.
©Copyright 1997 - 2019 by WinMagic Corp. All rights reserved.
Printed in Canada
Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.
WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2019 WinMagic Corp. All rights reserved.
© Copyright 2019 WinMagic Corp. All rights reserved. This document is for informational purposes only. WinMagic Inc. makes NO WARRANTIES, expressed or implied, in this document. All specifications stated herein are subject to change without notice.
