On July 6, 2018 WinMagic customers and partners were notified that the SecureDoc pre-boot authentication feature for macOS – known as SecureDoc On Top (SDOT) for FileVault 2 – would be deprecated in SecureDoc 8.2 SR1. As of this release, customers will no longer see this feature available for macOS configuration settings.
Please visit Knowledge Base Article 1760 for more information.
Prior to upgrading from v8.2SR1 to v8.2SR2 or later versions, please refer to KB article KB000001727 to follow the steps to ensure your client machine has Win7 with KB3033929. For more information on this limitation please see previous release note v8.2SR1 http://downloads.winmagic.info/manuals/Release_Notes_8.2SR1.pdf
WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.
Please visit Knowledge Base Article 1397 for more information on End of Life and End of Support timelines for SecureDoc software releases.
Customers running SecureDoc 6.5 and earlier should upgrade their server and clients to an actively supported software version. For more information on upgrading from SecureDoc 6.5 and earlier, please visit http://downloads.winmagic.info/SD8.2SR1/HF2/Release_Notes_8.2SR1HF2.pdf.
This document contains important information about the current release. We strongly recommend that you read the entire document.
Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.
February 5th 2019
New features, improvements and fixes (server/client)
May 15th 2019
New features, improvements and fixes (server/client)
December 5th 2019
New features, improvements and fixes (server/client)
Download the latest release notes for each version listed within Knowledge Base Article 1756.
For server and client system requirements: https://www.winmagic.com/support/technical-specifications
For supported devices, drives, smartcards and tokens: https://www.winmagic.com/device-compatibility
Note: It is strongly recommended to initially install Full-Text Indexing feature (Full-Text Search) into the Database Engine, before performing an SES installation.
More information is available here: http://msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of the Full-Text Indexing. This message will not allow the user to stop the installation of SES which will require retrofitting Full-Text Indexing into an existing SQL Server.
Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly
Client OS Support
This section shows supported operating systems and upgrade paths for SecureDoc Endpoint Clients.
10 RS8 
SDFV2 7.1 SR6+
SD 7.1 SR2+
The KnownConfigs.XML File
Customers are strongly advised to download the most current KnownConfigs.XML file, then replace the current version (if older) in the SES Application folders and Installation Packages.
WinMagic strongly recommends that you seek out the most up-to-date version of the KnownConfigs.XML file and incorporate it into your SES implementation on a regular basis (e.g. monthly). This will help ensure your SES Version will take advantage of new client installation override settings that have been added since the version of the KnownConfigs.XML file that came with your version of SES. This will improve installation success on any new device makes/models you might purchase since installing SES, utilizing the new special settings available in newer versions of this file. Customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files, then check that document (e.g. on a monthly basis) for updates to this file, then use the new version to replace all versions of the KnownConfigs.XML file in their SES Implementation folder structure. For example:
1. Position Windows Explorer to: c:\Program Files(x8)\WinMagic\SDDB-NT, then
2. Search for files like *.xml.
3. Sort the resulting search list by name
4. In each directory where a KnownConfigs.XML file is found, replace it with the new one that you have downloaded from the WinMagic Knowledge Base article. Additional information can be found here: Installing or updating the KnownConfigs.xml file (Applies to SES from Version 7.5 onward).
The latest versions of the KnownConfigs.XML files can be found at the following links:
- SecureDoc Device KnownConfigs.XML File for SES V8.2 And Later- Download the
- SecureDoc Device KnownConfigs.XML File for SES V7.5 - Download the latest
The contents of the KnownConfigs.XML file are reserved to be developed and advanced by WinMagic solely. While customers might consider enhancing it, WinMagic cannot be held responsible for issues that might arise from such modifications and may (at its sole discretion) levy an additional support charge to any customers that encounter support issues that can be traced back non-sanctioned customer-initiated changes to KnownConfigs.XML. W WinMagic welcomes customer ideas and suggestions on how KnownConfigs.XML can be extended and improved, but WinMagic reserves the sole right to test, approve and to publish any changes to KnownConfigs.XML that it deems to be in the broader customer interest, and makes no commitment to act upon or publish all, or indeed any customer-recommended changes.
SD-31432: SES now supports SUSE Linux 15 and 15.1.
With this version, SUSE Linux has been added as a supported Linux distribution for encryption and management by SecureDoc. Versions of SUSE Linux supported are 15 and 15.1.
SD-34145: Windows Client Security Vulnerability Report.
Ongoing security improvements were made to the SecureDoc client, with the following two CVE's specifically referenced among the improvements: CVE-2020-11519, CVE-2020-11520
SD-34186: SecureDoc for Linux is now able to operate in FIPS mode.
With this version, where customers wish to enable FIPS mode using FIPS-mode-setup --enable, SecureDoc now handles FIPS mode and will successfully allow the encrypted system to boot correctly.
SD-34264: Support of Yubico Yubikey USB Tokens in PBA.
SecureDoc has added Pre-Boot Authentication support for endpoint users to utilize Yubico AB's Yubikey(TM) 5-series tokens.
Specific tokens supported are:
Yubikey 5 NFC
Yubikey 5 Nano
Yubikey 5c Nano
These are all supported under SecureDoc's 64-bit Linux-based Pre-Boot for UEFI devices (PBLU).
NOTE: At present, only the Yubikey 5 NFC and Yubikey 5 Nano device types work under 32-bit PBLU or with SecureDoc's Native Pre-Boot for UEFI (PBU)
SD-34495: Issues could arise when installing both the SecureDoc Client and InfoCage (InfoCage is a Windows authentication and Removable media control application).
Issue: After installing InfoCage and SecureDoc8.5, InfoCage authentication would fail.
Solution: It was determined that a Windows setting shared by both applications was being pre-set in such a way that SecureDoc's installation would negatively impact InfoCage.
This has been corrected in this version, and both applications will co-exist successfully.
SD-34387: SecureDoc's Self-Learning and KnownConfigs.XML functionality are extended to store in the SES Database information about devices not represented in the KnownConfigs.XML file.
Issue: KnownConfigs.XML contains tested and validated information about endpoint device makes/models that have been investigated at WinMagic. However, due to the sheer number of make/model combinations available in the marketplace, it is unfeasible for WinMagic to evaluate all possible permutations.
Solution: As an element in improving how SecureDoc can be installed on as many make/model endpoint types as possible, where a device make/model is not found in the KnownConfigs.XML file, AND where the device does not prove its compatibility "out of the box", the SecureDoc installer will go into a "self-learning" mode where it will determine as much as possible what are the specific needs of this make/model, and report its findings to be stored in the SES database, in order to inform future installations as to how they are to be installed and what special handling may be required, thereby accelerating and improving installation success levels.
SD-30908, SD-33027, SD-33320: Users could receive an SESWeb Error 500 - WM0002 Unauthorized access when changing a Device Profile.
An issue was found with the Microsoft WIF Framework would return a null security token, thus causing the 500 error, because the user is no longer able to communicate as their token is no longer valid. This seems to be a defect in the WIF framework.
Solution: SES Web has been improved to work around the WIF framework defect and this issue has been resolved
SD-34194: Reduce red warning messages about USB encryption.
Where endpoint device profiles define that customer is blocked from writing to unencrypted USB devices (but may read), a red warning panel would appear during each attempt to access the USB device for both reading and attempts to write.
Solution: Once the user has defined that he will not be encrypting the drive; subsequent attempts to only read from the drive will not result in the appearance of the red warning panel.
SD-31817: Certain devices installing SecureDoc OSA on Ubuntu 18.04.02 could fail to boot to Linux; Message: "System BootOrder not found. Initializing defaults." would be displayed.
Issue: Although not necessarily limited to version OSA 8.3.000.370, one or more customers received an error (listed below) after installing SecureDoc OSA on Ubuntu Linux 18.04.02 devices, and the device would not boot into Ubuntu Linux.
Devices would boot with no issues until SecureDoc was installed.
After installing SecureDoc, the device would boot through the SecureDoc Pre-Boot and then fail to boot into Ubuntu after the reboot, with the following message displayed:
'System BootOrder not found. Initializing defaults."
Solution: This issue has been corrected in this version.
SD-33467: Installer improved to handle installation issue on certain device types; Log would show Error 1722 - Visual C++ Redistributable for Visual Studio 2017 (VCRedist) is not installed.
On certain devices customers might encounter SecureDoc setup failing to complete successfully. Inspection of the installation log on such devices would show Error 1722 - Visual C++ Redistributable for Visual Studio 2017 (VCRedist) is not installed. Under previous build V220.127.116.110 running setup a second time would normally fix this issue, but this solution was deemed unsatisfactory.
This issue is fixed in this version - setup works properly on devices that would have failed under V18.104.22.1680, without need of a second installation attempt.
SD-33884: Certain HP devices fail to load Pre-Boot during the installation process, yielding Error 0x776e.
Issue: If a device fails to load Pre-Boot during the installation process, Error ID 0x776e is displayed. This is by design, in that if Pre-Boot fails to run, SecureDoc is blocking itself from continuing to encrypt the device.
Where this problem is compounded is when, after being able to correct Pre-Boot issue so that it successfully loaded on subsequent reboots, now the encryption would fail to start automatically, this time producing Error 0x66 "Unidentified error has occurred".
Solution: This has been corrected, and if the device is able to get to Pre-Boot during a subsequent re-boot, encryption will progress as normal.
SD-34210: When installing only SDConnex (and/or ADSync) services on a second-or-subsequent SES server, Error 2753 will appear.
Issue: Customers utilizing multiple SDConnex servers may wish to install SDConnex on additional Servers, or they may wish to have ADSync running in a server that is not their primary SES Console platform.
When doing this, they may wish to opt not to install the SES Console program elements (which in previous versions would be installed but simply not be used). However, de-selecting the SES Server element during installation could yield an Error 2573.
Solution: This version corrects this, permitting the installation of SDConnex and/or ADSync without having to select to install the SES Console as well.
SD-34112: SecureDoc for FileVault 2's has begun the process for removing support for Removable Media Encryption on the macOS platform, which will be fully deprecated in future version 8.6.
Issue: Due to recent Apple-derived changes to macOS, SecureDoc for FileVault 2 will not be able to support Removable Media Encryption on the macOS platform beyond V8.6 (due approximately Q4 2020).
Solution: WinMagic is gradually deprecating Removable Media Encryption functionality.
In this version, Administrators are no longer able to configure RME in the Mac profile settings. However, on Client devices, the user is still able to manually encrypt removable media.
Removable Media Encryption will be totally deprecated in SecureDoc/SES version 8.6.
SD-34233: Port Control has a "carry over" effect, continuing to block disallowed devices that had been connected during the period in which Port Control was enabled, even after Port Control has been disabled.
Issue: If a SecureDoc Device Profile is created and deployed, in which Port Control is enabled and Port Control includes a limitation permitting access to a specific device only (e.g. based down to Serial Number), then if during the period that Port Control is in effect, the SecureDoc client will "remember" the types of devices that have been plugged in and disallowed, it will continue to disallow these devices to be plugged in even after Port Control has been disabled.
This "carry over" effect does not appear to affect USB-connected Portable Hard Drives.
A worked example that illustrates this issue follows:
Create a package with Port Control
Manually configure authorized devices
Add a distinct device (USB A with a serial number)
2. Deploy package to client
3. Shutdown machine after having installed Boot Logon and having encrypted the Hard Drive
Insert USB stick B - it is blocked (not in the permitted list, which contains only USB A)
Insert USB stick C - it is similarly blocked
Insert USB-connected external Portable Hard Drive - it is similarly blocked.
In SES, now disable Port Control (= uncheck "Blocked unauthorized USB devices) in the Device Profile, then assign this updated profile to the test device.
On the client device, it can be verified that Port Control is disabled by checking SecureDoc Control Center on the device itself.
Try plugging in USB devices:
When plugging in previously-used USB B & C, these will (incorrectly) continue to be blocked.
Plug Portable previously-used External Hard Drive - this is (correctly) accessible
Plug previously un-used devices USB D & E - these are accessible
Solution: WinMagic anticipates having a solution to this issue available soon.
Work-Around: Changing Port Control settings and then taking the device through a warm-reboot (not a full shutdown-restart) will correctly pick up the revised Port Control settings.
NOTE: If you do not need the features available in V8.5SR2 for all devices, you may consider allowing devices on which Port Control is used to remain on a previous SecureDoc version version which does not demonstrate this issue.
SD-34663: Upgrading directly from macOS High Sierra to latest Catalina can yield issues due to old drivers in-place on device.
Issue: If customers perform a direct upgrade from macOS High Sierra to the latest macOS Catalina, the upgrade will appear to be successful, and most of SecureDoc appears to run normally. However, certain old drivers are retained, which can lead to a Kernel Panic if the customer inserts an USB key into the device.
Further, this issue can occur if the customer performs some minor macOS upgrades (e.g. from 10.15.5 (19F96) to macOS 10.15.5 (19F101)). Such upgrade process may become stuck.
Cause: MacOS retains the old SecureDoc driver in the /Library/Stagedextensions/ folder and the upgrade installer has no rights to remove or unload it during the upgrading process.
Since the old driver is still in place, it cannot be replaced correctly by the new driver.
Work-Around 1: Highly Recommended:
1 - Upgrade to macOS Mojave first, and then to macOS Catalina.
Work-around 2: Use if already upgrading from High Sierra to Catalina:
After upgrading to macOS 10.15.5 (19F96).
1. Reboot the machine.
2. Boot into the Recovery partition by booting and holding Command+R
3. Remove the old drivers from folder: Library/StagedExtenstions/Library/Extenstions/
- Use command <diskutil list> to find out the correct Volume - it will usually show the operation system partition name, and the size will be around 10~11 GB (e.g. "Macintosh" and "disk1s5")
- Use command <diskutil apfs unlockVolume diskNumber>, after providing correct password, the disk should be unlocked and mounted. e.g. <diskutil apfs unlockVolume disk1s5>
- Use command to remove the driver under /Volumes/VolumeName/Library/StagedExtenstions/Library/Extenstions/ folder, both WinMagicSDFVFamily.kext and WinMagicComUnit.kext.
(e.g. <rm -r /Volumes/Macintosh/Library/StagedExtensions/Library/Extensions/WinMagicComUnit.kext>)
(e.g. <rm -r /Volumes/Macintosh/Library/StagedExtensions/Library/Extensions/WinMagicSDFVFamily.kext>)
- Use command to remove the current driver under /Volumes/VolumeName/Library/Extenstions/ folder, both WinMagicSDFVFamily.kext and WinMagicComUnit.kext. (e.g. <rm -r /Volumes/Macintosh/Library/Extensions/WinMagicComUnit.kext>) (e.g. <rm -r /Volumes/Macintosh/Library/Extensions/WinMagicSDFVFamily.kext>)
- Reboot the machine
- Login at the SecureDoc for FileVault 2 preboot
- Get into Mac desktop
-->Since current driver has been removed, a message will appear:
"Kernel extensions of SecureDoc were removed or damaged. Please re-install SecureDoc."
- Re-install SecureDoc for FileVault 2 to create a new driver
Once this issue has been corrected using the steps above (SecureDoc for FileVault 2 has been re-deployed successfully)
Re-test the original issue has been corrected, by:
- Inserting a USB stick into the Mac device
- You should see that the device no longer exhibits the Kernel Panic issue.
Now: Upgrade 10.15.5 (19F96) to 10.15.5 (19F101)
Once the upgrade is successful, you should again see no Kernel Panic issue occurring.
SD-34680: Surface PRO 6 Unsuccessfully boot into OS after deploying SD package to client with latest BIOS.
Affects: Surface Pro 6 devices whose BIOS is updated from 234.2706.768 to 235.3192.768. Under SecureDoc V8.5SR2 such devices will Black Screen/Blinking Cursor halt after Pre-Boot Authentication under SecureDoc V8.5SR2, unless settings defined below are applied to the SecureDoc Device Profile prior to installation or upgrade to SecureDoc V8.5SR2, or if SecureDoc is already installed, prior to the BIOS upgrade.
a) Prior to installing SecureDoc V8.5SR2 on a Microsoft Surface Pro 6 client device type, or
b) Prior to upgrading SecureDoc to V8.5SR2.
DO: Ensure that the Device Profile Boot settings have been set to ensure that the option "Use persistent storage" is enabled.
SD-34553: The SDService log can contain unrecognizable/meaningless characters if initial encryption is interrupted on RHEL 7.8 devices that use the XFS File System.
WinMagic has recognized this issue, but has not been able to determine a cause or solution in time for this Service Release.
Work-Around: Allow initial encryption on RHEL 7.8 devices that use the XFS File System to continue to completion, without interrupting this process.
SD-34709: Self learning does not consistently work on devices where it already exist.
If intending to install SecureDoc V8.5SR2 on HP devices using SecureDoc's feature that auto-adapts to the endpoint device's technology (entitled "Installer will auto-adapt to device specifics/technology" in the Device Profile settings), it is necessary to delete the KnownConfigs.XML file from the Installation Package set of files.
Issue: When utilizing the "Installer will auto-adapt to device specifics/technology" option in the Device Profile settings, if that XML file contains settings that apply or partially apply to that HP device (either specifically as in the HP 830 G6 device type tested) or where there are general settings that apply (e.g. there are settings that apply to all HP devices, regarldless of model), the auto-adapt funcitonality will not successfully determine how to set up the device type.
Work-Around: If using the "Installer will auto-adapt to device specifics/technology" option in the Device Profile settings when installing on HP devices, delete the KnownConfigs.XML file from the installation Package set of files.
Customers with an active support plan should contact firstname.lastname@example.org to receive the latest download link for their SecureDoc upgrade.
5770 Hurontario Street, Suite 501
Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001
Human Resources: email@example.com
Technical Support: firstname.lastname@example.org
For information: email@example.com
For billing inquiries: firstname.lastname@example.org
This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young (email@example.com) and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).
WinMagic would like to thank these developers for their software contributions.
©Copyright 1997 - 2020 by WinMagic Corp. All rights reserved.
Printed in Canada Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.
WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2020 WinMagic Corp. All rights reserved.
© Copyright 2020 WinMagic Corp. All rights reserved. This document is for informational purpose only. WinMagic Inc. makes NO WARRANTIES, expressed or implied, in this document. All specification stated herein are subject to change without notice.