SecureDoc V8.5 SR1 Release Notes

View All

Important Note

Feature Deprecation

On July 6, 2018 WinMagic customers and partners were notified that the SecureDoc pre-boot authentication feature for macOS – known as SecureDoc On Top (SDOT) for FileVault 2 – would be deprecated in SecureDoc 8.2 SR1. As of this release, customers will no longer see this feature available for macOS configuration settings.
Please visit Knowledge Base Article 1760 for more information.

Before Upgrading
Prior to upgrading from v8.2SR1 to v8.2SR2 or later versions, please refer to KB article KB000001727 to follow the steps to ensure your client machine has Win7 with KB3033929. For more information on this limitation please see previous release note v8.2SR1

SecureDoc Support
WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.

Please visit Knowledge Base Article 1397 for more information on End of Life and End of Support timelines for SecureDoc software releases.

Customers running SecureDoc 6.5 and earlier should upgrade their server and clients to an actively supported software version. For more information on upgrading from SecureDoc 6.5 and earlier, please visit

About This Release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.

Previous Versions


Release Date



February 5th 2019

New features, improvements and fixes (server/client)

8.3 SR1

May 15th 2019

New features, improvements and fixes (server/client)


December 5th 2019

New features, improvements and fixes (server/client)

Download the latest release notes for each version listed within Knowledge Base Article 1756.

System Requirements
For server and client system requirements:
For supported devices, drives, smartcards and tokens:

Note:  It is strongly recommended to initially install Full-Text Indexing feature (Full-Text Search) into the Database Engine, before performing an SES installation.
More information is available here:
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of the Full-Text Indexing. This message will not allow the user to stop the installation of SES which will require retrofitting Full-Text Indexing into an existing SQL Server.

Note:  Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly

Client OS Support
This section shows supported operating systems and upgrade paths for SecureDoc Endpoint Clients.

Microsoft Windows





10 RS7 [1909]
10 RS6 [1903]
10 RS5 [1809]
10 RS4 [1803]

10 RS3 [1709]
10 RS2 [1703]
10 RS1 [1607]
10 T2 [1511]
10 T1 [1507]

Enterprise Pro


8.1 SR1 HF2+
SD 7.5 SR1 HF8 / SD 8.2 HF1+
SD 7.5 SR1+
SD 7.1 SR6+
SD 7.1 SR4+
SD 7.1+


Enterprise Pro


All versions


Enterprise Pro


All versions

Apple macOS






MAC 8.5+



MAC 8.3+

High Sierra


SD 8.2 DMG



SD 7.1 SR6+

El Capitan


SD 7.1 SR2+


Beginning in SecureDoc 8.5 SR1, WinMagic now supports several Yubikey tokens: 





Yubikey 5 NFC:




Yubikey 5 Nano:




Yubikey 5C:




Yubikey 5C Nano: Supported    


The KnownConfigs.XML File

Customers are strongly advised to download the most current KnownConfigs.XML file, then replace the current version (if older) in the SES Application folders and Installation Packages.

WinMagic strongly recommends that you seek out the most up-to-date version of the KnownConfigs.XML file and incorporate it into your SES implementation on a regular basis (e.g. monthly). This will help ensure your SES Version will take advantage of new client installation override settings that have been added since the version of the KnownConfigs.XML file that came with your version of SES. This will improve installation success on any new device makes/models you might purchase since installing SES, utilizing the new special settings available in newer versions of this file. Customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files, then check that document (e.g. on a monthly basis) for updates to this file, then use the new version to replace all versions of the KnownConfigs.XML file in their SES Implementation folder structure. For example:

1. Position Windows Explorer to: c:\Program Files(x8)\WinMagic\SDDB-NT, then
2. Search for files like *.xml.
3. Sort the resulting search list by name
4. In each directory where a KnownConfigs.XML file is found, replace it with the new one that you have downloaded from the WinMagic Knowledge Base article. Additional information can be found here: Installing or updating the KnownConfigs.xml file (Applies to SES from Version 7.5 onward).

The latest versions of the KnownConfigs.XML files can be found at the following links:

  • SecureDoc Device KnownConfigs.XML File for SES V8.2 And Later- Download the

latest version of this here:

  • SecureDoc Device KnownConfigs.XML File for SES V7.5 - Download the latest

version of this here:

The contents of the KnownConfigs.XML file are reserved to be developed and advanced by WinMagic solely. While customers might consider enhancing it, WinMagic cannot be held responsible for issues that might arise from such modifications and may (at its sole discretion) levy an additional support charge to any customers that encounter support issues that can be traced back non-sanctioned customer-initiated changes to KnownConfigs.XML. W WinMagic welcomes customer ideas and suggestions on how KnownConfigs.XML can be extended and improved, but WinMagic reserves the sole right to test, approve and to publish any changes to KnownConfigs.XML that it deems to be in the broader customer interest, and makes no commitment to act upon or publish all, or indeed any customer-recommended changes.


New Features

New Features

SD-32449 – The SecureDoc OSA Installation Package offers a new option: An override to force endpoint users to enter Device ID and User ID manually into SDForm during the registration of SecureDoc on an endpoint device

Improvement: Based on customer requests, SecureDoc Enterprise Server's Installation Package settings now offer an option where, when utilizing SDForm (enabled within the Installation Package), instead of querying the device itself to get Device ID and Users ID, when SDForm is presented, it will require the user or technician overseeing the installation to enter User ID and Device ID (both of which are mandatory on that form). The technician can enter other optional information as desired.

To trigger this functionality

1 - Enable the use of SDForm in the Device Installation Package. 2 - Using a Text editor, open the Package.ini file

Under Package Settings, enter the following values. DefaultPC_IDEmpty=1
3 - Save these changes to the Package.ini file.

During installation, the above settings will force the PC (Device) ID and User ID fields to be empty when SDForm is displayed, and both fields must then be manually filled in in order to register the new device to SES.


SD-32900 – SDBM – Build in Integrity checking to lock device from numerous number of failed login attempts to OS login exceeding the allowed limit

SDBM has been improved to include an integrity check on the Windows OS login, which tallies the number of failed login attempts against an Administrator-defined maximum. Upon reaching the maximum, SDBM locks the device, somewhat similar to functionality in SecureDoc's Pre-Boot, but this operates within the Bitlocker login process.

Once the limit has been reached, SDBM puts the device into a secure state by automatically restarting it and leaving the system at Bitlocker's pre-boot, enforcing the BitLocker Recovery Screen or, if owner user's password is already known, requiring TPM + PIN (or just password) authentication.

Once locked, the device can be recovered by either performing a BitLocker recovery - with administrative assistance - or by accessing the TPM + PIN (or password) account.

SD-32923 – SDBM – Include new integrity checks that can prevent attacks to TPM-ONLY mode

Improve SDBM ability to detect and then lock the device to protect against attack vectors.

The possible attack scenarios this improvement protects against are:

  1. If the SDBM device doesn't communicate to SDConnex within a set number of days, lock the system per requirement to keep the system in a secure state.
  2. Extracting Bitlocker keys from a TPM
  3. TPM-sniffing
  4. Firmware weakness in modern laptops exposes encryption keys
  5. Bitlocker-countermeasures
  6. Use of TPM-only. Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign in experience is the same as a standard logon. However, if the TPM is missing or changed, or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign- in but less secure than the other options, which require an additional authentication factor.
  7. Improvement to detect and protect against too many invalid login attempts
  8. Protecting Thunderbolt and other DMA ports. There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.


SD-33301 – Introducing SSO ability for SDBM client

WinMagic has added Single Sign-on (SSO) functionality to Bitlocker devices managed by SES.

Solution: This improvement permits automatic Single Sign-on to Windows devices protected by Bitlocker, wherein upon successful authentication at Bitlocker pre-boot, automatic sign-on to the default User's Windows account will take place. This applies only to normal (non-recovery) authentication. If after performing any form of recovery, the user must log in at the Windows login screen.

1 - The Single Sign-on (SSO) option should be enabled in the Device Profile 2 - SDBM password sync option must be enabled for SSO to function

NOTE: This feature is not recommended for multi-user/shared devices.


SD-30171 – Removal tool for SDFV2

WinMagic has introduced a SecureDoc Client Removal tool to clean up macOS devices if SecureDoc for FileVault2 installations should fail for any reason.

This tool's primary benefit is in performing a reset (to permit re-attempting installation) where customers had opted to not permit endpoint users to uninstall SecureDoc for FileVault 2 by having disabled the option entitled: "Allow SecureDoc uninstall by SecureDoc user with admin rights or local administrator" in the Profile that was deployed to the endpoint device(s). This tool provides additional options if the use of the Uninstall SecureDoc remote command to remove SecureDoc is unable to successfully remove SecureDoc.

Details on the use of this tool will be available to customers through the WinMagic Support Team.

SD-30292 – Automated deployment of SDBM for Windows10 devices

Previous versions of the SecureDoc could halt when attempting to initialize the TPM (if required), requiring a user to monitor the endpoint device and to click within a pop-up message to confirm such initialization was permitted.

In this Service Release, a different process will be used within the Client Installer process, which yields the necessary result but does not prompt the user, thus permitting a smoother and silent installation process.

SD-30570 – Improvement for reports to have a standard header

Issue: Reports should have standard headers when export to pdf

This issue is resolved.

SD-30991 – Configurable option in the SDFV2 Profile to rotate the Recovery Account Password every XX days

Recovery Account password length (default is 24-bytes)

Use this option to define the length of the FileVault2 Recovery Account’s password. The default length is set to 24 bytes. Note: If not specified, the recovery account password will automatically be replaced every 30 days with a new random password.

SD-31449 – Medigenic keyboard not working at Pre-Boot

SecureDoc's Pre-Boot now includes driver support for Medigenic 104C Wipeable USB-connected keyboards, used extensively in medical environments. This enabled these keyboards to now work at Pre-Boot.

SD-32901 – SDBM – Integrate user provisioning rules for the SDBM client

SecureDoc SDBM now includes Provisioning rules to simplify and streamline device deployments.

This new feature permits devices to remain in a Provisioning mode that is operationally quite similar to Provisioning mode for devices protected by SecureDoc protection.

This new functionality:

  • Allows a device to remain in provisioning mode until the device owner has been identified.
  • Permits the device to initially AutoBoot (using TPM-ONLY) or use a Temporary User (TPM + Admin-defined PIN) or simply turns authentication off for encrypted BitLocker drives.
  • Once the owner has been identified, the Bitlocker Protector will be auto-switched to TPM + PIN (or e.g. Password only), where the PIN is synchronized to the device-owning user's password.

This will benefit WinMagic customers using SDBM, enabling them to easily deploy SDBM without having to know who will be a given device's end-user, nor needing to manually stage credentials when using methods other than TPM only.

SD-32942 – SDFV2 Handling of exFAT volume names which contain special characters, when creating RME/RMCE

SecureDoc now supports additional special characters in removable Media Volume names when creating removable media/RMCE media under macOS.

The following characters are now supported for use when creating RME/RMCE media on devices running macOS.

The supported special characters are: ~ ` ! @ # $ % ^ & ( ) _ + = - { } [ ] { } [ ' ] ; ,

SD-33054 – New Linux Kernel update for Pre-Boot 64 bit (endpoint and OSA)

Linux Kernel update improves SecureDoc PBL & PBLU ability to detect Network and other devices at pre-boot

This version includes an updated Linux Kernel for SecureDoc's Pre-Boot for Linux, as well as for the Linux-Based Pre-Boot for UEFI devices.

Issue: In previous versions, SecureDoc's pre-boot had been unable to scan for Wireless Networks under 64-bit PBLU when using certain wireless adapters, e.g. Intel Wi-Fi 6 AX200 160MHz Network Interface Cards (NICs).

Solution: This new Linux Kernel at the heart of SecureDoc's PBL and PBLU Pre-Boot environments will support more network interface cards, touchscreens, and other devices during Pre-Boot.

SD-33123 – ‘Caps’ button and alphabet table on the On-screen keyboard of Pre-Boot not consistent with On- screen keyboard of Windows 

Pre-Boot On-screen keyboard now matches the Windows on-screen keyboard layout

Issue: In previous versions the On-Screen keyboard layout accessible at SecureDoc Pre-Boot did not match the Windows on-screen keyboard layout.

Solution: This has been corrected in this Service Release. The SecureDoc on-screen keyboard layouts is consistent with the Windows on-screen keyboard layout.

SD-33516 – Port Control Changes on SES

SecureDoc has been enhanced to allow dynamic Port Control, authorizing USB-connected devices based on USB devices currently connected to endpoint device.

An additional option has been added to the Port Control functionality in SES Console (and to the endpoint client), which permits the SES Administrator to define that SecureDoc-protected Client devices may be placed into a condition that permits polling the devices currently connected during a polling phase, and thereafter accept the insertion/connection of only those devices.

NOTE: This functionality has primarily been added to support IOT devices, such as Bank Machines (ABM/ATM devices), or Kiosk devices, which will normally work with a rigorously-limited set of peripheral devices connected, but may require (under tightly-controlled circumstances) for a mouse/keyboard or diagnostic device to be connected when being repaired or diagnosed.

The available options are:

  1. Manually configure authorized devices
  2. Automatically build the Authorized Devices list on the client, authorizing currently-inserted devices


The first option "Manually configure authorized devices" causes Port Control to behave as it did in prior versions, permitting the Administrator to define a "master list" of authorized devices.

The second option, "Automatically build the Authorized Devices list..." will, if checked, cause Client devices to scan the currently inserted device types and automatically "whitelist" them, permitting ONLY those devices to be inserted in the future as acceptable/whitelisted devices.

A second aspect of it this improvement is to permit Port Control to be temporarily disabled, so that other devices (mouse, keyboard, diagnostic tools) may be polled and used. After 1 hour, the device will return to supporting only the normal set of devices. This functionality is covered in greater depth in the SES Administrator Guide, in the Port Control section.

SD-33213 – Synchronization with Azure AD

SecureDoc ADSync can synchronize to data stored within a Microsoft Azure AD source.

In this version, SecureDoc now adds the ability to configure and perform ADSync against a Microsoft Azure AD source.

SD-33302 – Switch SDBM client to Bitlocker Recovery once device is reached no-comm interval

WinMagic has added a new feature to SDBM for BitLocker that will lock devices that have not communicated to an SDConnex Server within the Administrator-defined period of time.

Improvement: A new feature will (when enabled) cause devices that have not successfully communicated to an SDConnex server within the prescribed time period (number of days) to lock out regular user authentication.

Such devices must then be authenticated to using the Recovery String, or a USB Startup Key (if one exists for the device).

The check for failure to communicate will be made when the Client starts up, or upon resumption from hibernation. A minimal grace period of 1 minute will be given before actual lock-up occurs.

SD-33302 – Switch SDBM client to Bitlocker Recovery once device has reached no-communication interval

WinMagic has added a new feature to SDBM for BitLocker that will lock devices that have not communicated to an SDConnex Server within the Administrator-defined period of time.

SD-33671 – Allow Windows Login Monitoring to extend to more scenarios besides Permanent Autoboot

In previous versions of SecureDoc, the customer had the ability to monitor failed login attempts at the windows login screen, when using permanent autoboot. The intent was to activate pre-boot authentication if a threshold of failed login attempts were reached. In this case, the system would restart and pre-boot would be displayed, thus increasing the security of the device. Once a user is able to successfully logon at pre-boot, the autoboot capability would be restored.

Improvement: WinMagic has now extended this feature to be available for all other boot scenarios. If it is desired that failed login attempts be monitored, SecureDoc can now apply this same logic when using pre-boot authentication in a network autoboot or non-autoboot configuration.

In the case that a machine is authorized to network autoboot, once the maximum number of failed windows logins are reached, the system will be excluded from performing network autoboot and will restart to the pre-boot screen.

In the case that a machine is not in an autoboot state, once the maximum number of failed Windows logins are reached, the system will restart to pre-boot authentication.
This provides additional protection against systems that could be lost or stolen while in sleep mode.

Resolved Issues

SD-23528 – PBL/U: The <Tab> functionality needs to be updated/clearer

Tab-order between on-screen controls in the Linux-based Pre-Boot (PBLU) environment was incorrect

This has been corrected in this Service Release. Tab order is now:

  1. Password text box
  2. Login button
  3. Forgot password button
  4. Language drop-list control (expand using space-bar)
  5. WiFi Network icon
  6. User ID text box

Use of <Alt>+Tab will cycle backward through these controls

SD-32769 – Office Installation Fails if the option to set to “Do not create and send down deploying user key file”

The combination of the installation package provisioning setting "Do Not create and send down deploying user key file" and the general installation package setting "In case of communication error, continue the installation offline" can result in Pre-Boot not being installed on the device.

Issue: When configuring the installation package, customers that wish to prevent the "Deploying User" from being cached on the device will enable the option "Do Not create and send down deploying user key file".
However, when this option is set in combination with the option "In case of communication error, continue the installation offline", the client installation will fail since it does not install boot logon.

Solution: This issue has been corrected in this version, and Pre-Boot is correctly installed when faced with this combination of settings.

SD-32898 – OSA device: Failure to login offline

Users were unable to login on OSA devices offline after having changed their Passwords.

This has been corrected in this Service Release. Users will now be able to successfully log to devices that are currently not communicating to the server, after having changed their Passwords.

SD-33249 – Request Mandatory Fields Register Computer Form (OSA)

Customers running the Japanese version of Windows Server 2016 could encounter error message "Character(s) entered that are not Standard Latin characters, symbols or digits" when performing a remote client installation.

This issue was detected in SES v8.5.000.480, and applies only to the Japanese version of Windows Server 2016.

Solution: This issue has been resolved in this Service Release.

SD-33250 – Deployment State in SDPin.log does not match “DeploymentState” value in the registry

Since introducing provisioning mode, the state of the client device was tracked by a "DeploymentState" value, which was reflected in the SecureDoc logs. A value with the same name existed in the registry but was not being used for this purpose, which resulted in confusion if the two were compared.

Resolution: The Registry value for DeploymentState now reflects the same value as indicated in the log files.

SD-33289 – Independent testing reported vulnerabilities for SES Web

Security improvements have been implemented.

In this Service Release, a number of security improvements have been implemented into the SES Web Console.

SD-33329 – Clicking on a log entry under user or device freezes the SES Web screen and the popup cannot be closed

An issue had been detected in V8.5 SESWeb where users could not navigate forward/backward through Device or User Log entries, nor close the Detailed log view

Issue: When using the SES Web browser-based console, having clicked on a device or user, then clicking on the logs tab, when the user would click on a log entry the expected pop-up panel providing detailed information about the log entry would not permit forward or backward navigation between log entries, and would not permit closing the pop-up panel, making it appear in V8.5 that the popup panel appears "frozen" and no buttons work, nor can the user close the popup window.

This has been corrected in this Service Release.

SD-33481 – Service warning while processing request 0x7822 on OSA devices

A warning message 0x7822 may occur on OSA devices using PBConnex Network-Brokered authentication.

Issue: This problem may occur when an OSA Client Device is attempting to use PBConnex Network-Brokered authentication at the same time as the OSA client is processing commands sent by SES. This can happen for instance when users key files are queued up to be sent to the client device when it is offline. During the next boot, once the network connection becomes ready one of the client-side processes is trying to receive and process the key file commands SES, while another process is trying to obtain a PBN key file for the user to login. These concurrent accesses to the shared element on the client cause the original issue detected by SES (error 0x7822).

Solution: This issue is fixed in this Service Release. Customers will need to install the 8.5SR1 client on affected OSA machines.

SD-33515 – When running SDOT installation on a machine already encrypted with Bitlocker

An issue was found with the installation logic, which prevented immediate device registration after running the SecureDoc Client installer. This would occur only when installing on an already encrypted device that was leveraging BitLocker encryption. The result was an unnecessary reboot in order to continue with the registration process.

This issue has been resolved, and the installation will proceed with registration as expected on a Bitlocker encrypted client device.

SD-33729 – Error 0x9947 when trying to create Emergency disk for devices

A defect was found that limited the path length when trying to create an emergency disk using the SES console.

Issue: Customers that had lengthy path information could breach the previous path length limitation acceptable to the Emergency Disk creation tool.

Solution: The path limitation has been resolved and now all paths should be acceptable when creating an emergency disk.

Workaround: Specify a location to save the Emergency Disk with as short of file path as reasonably possible.

SD-33027 – Error WM0002 Unauthorized Access resulting in 500 error in SES Web

An issue was found with the Microsoft WIF Framework would return a null security token, thus causing the 500 error as the user is no longer able to communicate as their token is no longer valid. This seems to be a defect in the WIF framework.

Solution: SES Web has been improved to work around the WIF framework defect and this issue has been resolved.

SD-32731 – WmWin.dll causes Explorer.exe to crash when run as a different user

Issue: After clicking on "Run as different user", or in some cases using Alt+Tab to cycle between open applications, the whole windows interface would be stuck for a moment, then all open windows will close automatically. This type of crash is logged in Event logs, showing that explorer.exe had crashed and would be automatically re-started by Windows. The operating system remained running.

All affected systems were running Windows 10 1809 and SecureDoc 8.3SR1. Solution: This issue has been corrected in this Service Release.

SD-31429 – Enabling then subsequently disabling "Detailed Trace Logs" for SES Web left detailed trace logs enabled

Issue: Customers that would enable detailed trace logs for SES Web would find that the logs continued to be generated even after having disabled this functionality. The logs continued being created under the C:\Program Files (x86)\WinMagic\SDDB-NT\SDWeb folder as a file called #LOGFILE#:

Solution: This has been corrected in this version, and detailed trace logs can now be successfully disabled.


SD-33437 – Encrypted Containers sized 2TB or larger - that are created on Windows using its automatic choice of 4K sector size - will mount as Read-Only on macOS devices.

Issue: Where creating large containers of 2 Terabytes or greater, Windows automatically switches to 4K sector size. Containers created on macOS will use 512-byte sector size, regardless of container size.


  1. Containers >2TB size, created on macOS devices, can be successfully opened on Windows devices, and container is Read/Write capable.
  2. Containers >2TB size, created on Window devices, can be successfully opened on macOS devices, but the container will be mounted Read-Only.

Note: The read-only issue with 4K sectors applies on macOS devices where the user uses SecureDoc for FileVault 2 to access the container (e.g. the user's logged-in Key File contains the required Key, or the user enters the container password).
Where users use the Mac RMCE_Viewer, large containers can be opened correctly.

Reason: macOS natively only recognizes 512-byte sector size, regardless whether the container created is large or small.

The easiest work-around where a) dealing with external devices greater than 2TB in size that are to be Container-Encrypted, AND b) those external devices must be capable of being written to by BOTH Windows and macOS devices is the following:

Recommended that customers use a macOS device to perform initial Container-Encryption on these very large-capacity external devices, so they can utilize the 512-byte sector-size that is compatible with both operating systems.

SD-33791 – TPM is locked after too many failed login attempts

When the TPM is locked after excessive failed login attempts, the device must remain running for 10 minutes to make available an additional attempt to authenticate using TPM + PIN

Issue: Built-in functionality in the TPM ensures that the TPM will become locked following 32 failed login attempts, and once locked it will not accept any PIN at pre-boot; The device can only be unlocked using Bitlocker Recovery.

By leaving the system running for at least 10 minutes, the TPM will permit one additional attempt to authenticate using the correct PIN at next re-boot. If that fails, the user must wait an additional 10 minutes for one additional attempt to be permitted. (See NOTE, below)

IMPORTANT: Only once the user has successfully authenticated with the correct PIN will the TPM be reset, permitting up to the maximum failed PIN attempts (32).

Use of Bitlocker Recovery allows successful boot to Windows, but there are no notifications shown to a user that indicate the TPM was locked. Use of Bitlocker Recovery does NOT reset the TPM (see NOTE below).

NOTE: Once the device has been Bitlocker Recovered the user may change/reset the PIN using the system drive's context menu. However, changing the PIN does not "reset" the TPM - the TPM must still "count down" in 10 minute increments, each of which will open up to allow one additional TPM + PIN login attempt (e.g. Locked, 10 minutes later 1 attempt becomes available, 20 minutes later an additional attempt becomes available equaling 2 attempts total (assuming the first attempt was not used), 30 minutes later 3 attempts, and so on).
If the device is rebooted within the first 10 minutes after being unlocked using BitLocker recovery, not enough time would have elapsed to free up one additional TPM+PIN login attempt, so the device would again have to be unlocked using Bitlocker Recovery.

The above is "normal" TPM/Windows behavior and has nothing to do with whether SecureDoc is installed or not, so this information is provided primarily as guidance to customers. Customers are advised to review the following Microsoft article for additional details:

How to Install/Upgrade

Customers with an active support plan should contact to receive the latest download link for their SecureDoc upgrade. 

Contacting WinMagic

5770 Hurontario Street, Suite 501
Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001
Human Resources:
Technical Support:
For information:
For billing inquiries:


This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young ( and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (

WinMagic would like to thank these developers for their software contributions.

©Copyright 1997 - 2020 by WinMagic Corp. All rights reserved.

Printed in Canada Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.

WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2020 WinMagic Corp. All rights reserved.

© Copyright 2020 WinMagic Corp.  All rights reserved. This document is for informational purpose only. WinMagic Inc. makes NO WARRANTIES, expressed or implied, in this document. All specification stated herein are subject to change without notice.

 View All Release Notes