Deployment Recommendations

This article will cover the following:


WinMagic’s Policy And Recommendations On Device Compatibility
WinMagic has a priority-one objective to ensure that SecureDoc deploys well for our customers. To that end, WinMagic provides features that are compatible across many hardware platforms. WinMagic maintains an up-to-date list of currently supported platforms at device-compatibility.

To ensure that we have the best and broadest compatibility possible, we do the following:

  • WinMagic maintains partnerships with HP and Lenovo, allowing WinMagic to validate SecureDoc against most business-grade models – including systems not yet available for purchase.
  • WinMagic works with the following OEMs to ensure that SecureDoc is compatible with as many of their business-grade models as possible:
    • Dell
    • Panasonic
  • Starting with version 7.5 of SecureDoc, WinMagic provides superior device, BIOS/UEFI and hardware compatibility for various makes and models of computers and other endpoint devices using an XML file called KnownConfigs.xml. NOTE: This file should be included with all SecureDoc Installation Packages created with SecureDoc Enterprise Server V7.5 or later. This XML file contains a growing list of device-specific recommended settings that have been extensively tested to help ensure that SecureDoc Client software roll-outs are as problem-free as possible. It is continuously updated by WinMagic. The latest version is always available in the Customer Portal, and customers are strongly recommended to check for, download and apply updated versions of this file on a regular basis.
  • Starting with version 8.3 of SecureDoc, WinMagic provides a new compatibility tool which will allow customers to determine the level of compatibility of a specific computer make/model with SecureDoc. The tool will determine and report on the optimum settings that a customer should use to deploy the computer successfully. If the tool is unable to determine a set of optimum settings, customers are encouraged to send us the resulting report, to allow WinMagic to further investigate why it cannot be deployed.
  • For the smoothest-possible deployment of SecureDoc protection across the enterprise, WinMagic customers must make their hardware purchasing decisions based on business-grade hardware that has been tested by WinMagic and approved as compatible. Although WinMagic spends extensive time testing across various platforms, WinMagic cannot guarantee that all features will be supported on every system, especially on non-standard or consumer-grade hardware. Furthermore, if a system has been on the market for less than 120 days, it is possible that the device is not yet fully compatible with SecureDoc. Compatibility testing is constantly underway; however, it is at WinMagic’s discretion if and when compatibility for any specific device will be achieved, as device compatibility is not a product defect. WinMagic encourages customers to share the makes/models they plan to purchase with their WinMagic Sales Representative, in order to facilitate compatibility testing.
  • Finally, here at WinMagic we have a long-standing belief that our customers will have the best deployment experience when using Self-Encrypting-Drives (SEDs). With SEDs becoming more popular – and often included with the PC – we believe many of our customers can opt for SED without extra cost while benefitting from the data security that they provide.

WinMagic customers are recommended to follow these guidelines to ensure maximum compatibility and a smooth deployment:


The PBA Compatibility Tool

Customers are strongly advised to use the SecureDoc Pre-Boot Compatibility Test Tool on any new Windows device types they have purchased (or are considering purchasing), to determine as early as possible whether such devices will be compatible with SecureDoc’s Pre-Boot Authentication. It is also recommended that you test with the KnownConfigs.XML file present.

In Version 8.3, WinMagic added an option to run any Installation Package in Pre-Boot Compatibility Test mode, which will install SecureDoc’s Pre-Boot and attempt to determine whether a given device type will be Compatible with SecureDoc’s Pre-Boot. It will also determine and report if there are any special settings that may be required to achieve a compatible Profile/Installation Package combination.

Customers are strongly recommended to try their Installation Package in Compatibility Test Mode on any new device types they have purchased, or that they are considering purchasing.

Details of how to set up, run and uninstall a Compatibility Test, as well as how to interpret the Tool’s resulting Compatibility Report, can be found in the SES Administrator Guide, Appendix F.

The relevant section of the Administrator Guide is also attached to this article.

Download Link For The Latest KnownConfigs.XML File 

Customers are strongly advised to download the most current KnownConfigs.XML file, then replace the current version (if older) in the SES Application folders and Installation Packages.
WinMagic strongly recommends that you obtain the most up-to-date version of the KnownConfigs.XML file and incorporate it into your SES implementation on a regular basis (e.g. monthly). This will help ensure that your SES version takes advantage of new client installation override settings added since the version of the KnownConfigs.XML file that shipped with your version of SES, and will improve installation success on any new device makes/models you purchase after installing SES.

Customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files, then check that document (e.g. on a monthly basis) for updates to this file, then use the new version to replace all copies of the KnownConfigs.XML file in their SES implementation folder structure. For example:

  • Navigate to C:\Program Files (x86)\WinMagic\SDDB-NT\Binary Installation Files\WindowsPC
  • Copy the updated knownconfigs.xml to this location
  • Navigate to SES console > Installation Packages > right-click each package to update the contents of that package
  • Navigate to C:\Program Files (x86)\WinMagic\SDDB-NT\YourDatabase and look at a few packages to ensure that the version of knownconfigs.xml has been updated

TIP: Ensure that you copy the updated packages to any shares or deployment tools that you use.
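The steps above can be partly scripted and, more usefully, verified. The following PowerShell is an added example, not WinMagic's own tooling: it stages the downloaded file into the WindowsPC folder named above (keeping a dated backup of the old copy) and then hashes every knownconfigs.xml under the database folder so you can see which packages still carry the old version. It assumes the article's paths, a placeholder download location (`C:\Temp\knownconfigs.xml`) and the placeholder database folder name `YourDatabase`; the package-refresh step in the SES console remains manual.

```powershell
# Added example (not WinMagic's tooling): stage an updated KnownConfigs.xml and
# verify that all package copies under the SES database folder match it.
# $NewFile and $Database are placeholders; the other paths are from the article.
param(
    [string]$NewFile  = 'C:\Temp\knownconfigs.xml',   # file downloaded from the Knowledge Base
    [string]$SesRoot  = 'C:\Program Files (x86)\WinMagic\SDDB-NT',
    [string]$Database = 'YourDatabase'                # replace with your SES database folder name
)

$stageDir = Join-Path $SesRoot 'Binary Installation Files\WindowsPC'
$dbDir    = Join-Path $SesRoot $Database

if (-not (Test-Path $NewFile)) { throw "Updated file not found: $NewFile" }
$newHash = (Get-FileHash -Path $NewFile -Algorithm SHA256).Hash

# Keep a dated backup of the file currently staged before overwriting it.
$current = Join-Path $stageDir 'knownconfigs.xml'
if (Test-Path $current) {
    Copy-Item $current "$current.$(Get-Date -Format yyyyMMdd).bak" -Force
}
Copy-Item $NewFile $current -Force
Write-Host "Staged KnownConfigs.xml (SHA256 $newHash) in $stageDir"

# After refreshing each package in SES console > Installation Packages, re-run
# this block: every copy in the database folder should hash to $newHash.
# The filter is case-insensitive on Windows, so KnownConfigs.xml also matches.
$copies = Get-ChildItem -Path $dbDir -Recurse -Filter 'knownconfigs.xml' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{ Path = $_.FullName; UpToDate = ($h -eq $newHash) }
    }
$copies | Format-Table -AutoSize

$outdated = @($copies | Where-Object { -not $_.UpToDate })
if ($outdated.Count -gt 0) {
    Write-Warning "$($outdated.Count) package copy/copies still carry an older KnownConfigs.xml; refresh those packages in the SES console and re-check."
} else {
    Write-Host 'All package copies of KnownConfigs.xml match the staged version.'
}
```

Run it once before the console step to stage the file, and again afterwards to confirm no package was missed before copying packages out to shares or deployment tools.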

Additional information can be found in Knowledge Base Article 1747: Installing or updating the KnownConfigs.xml file (Applies to SES from Version 7.5 onward)

Background
In SES V7.5, WinMagic introduced a new feature – the KnownConfigs.XML file – which will ship in every version starting with V8.2. It provides device make/model-specific “adjusting” values for otherwise relatively standard Device Profiles, so that where WinMagic has determined a given device type requires “special handling” to produce a successful installation, that special handling information can be provided to customers easily.

Each Installation Package set of files will henceforth contain a KnownConfigs.XML file, which will be used by a V8.2 (or subsequent) installer to provide targeted special settings for a wide range of devices on which it had previously been complex to install SecureDoc. This change will make a dramatic difference to SES Administrators’ experience of the product.

As WinMagic encounters and resolves the nuances of new device types, WinMagic will be updating the KnownConfigs.XML file and making it available to customers. Each new version of SES will ship with the most up-to-date version of the KnownConfigs.XML file.
Customers that prefer to remain on an older SES Version will still be able to download and replace their KnownConfigs.XML file with the most up-to-date device make/model special settings available. Such customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files.

The latest versions of the KnownConfigs.XML files can be found at the following Knowledge Base Articles:

  • Knowledge Base Article 1745: SecureDoc Device KnownConfigs.XML File for SES V8.2 And Later
  • Knowledge Base Article 1746: SecureDoc Device KnownConfigs.XML File for SES V7.

The contents of the KnownConfigs.XML file are reserved to be developed and advanced by WinMagic solely. While customers might consider enhancing it, WinMagic cannot be held responsible for issues that might arise from such modifications and may (at its sole discretion) levy an additional support charge on any customers that encounter support issues that can be traced back to non-sanctioned, customer-initiated changes to KnownConfigs.XML.

WinMagic welcomes customer ideas and suggestions on how KnownConfigs.XML can be extended and improved, but WinMagic reserves the sole right to test, approve and to publish any changes to KnownConfigs.XML that it deems to be in the broader customer interest, and makes no commitment to act upon or publish all, or indeed any customer-recommended changes.


WinMagic’s Policy On Pre-Boot Authentication Compatibility
Pre-boot authentication (PBA) code runs before the OS (Windows) runs. Thus, it cannot use devices or components readily available in Windows, such as Windows Hello (biometrics and proximity), voice authentication, phone factor, the pen, the smartcard reader, the USB authentication token, or even the network, let alone network protocols and VPN software. To make this point clear, BitLocker does not offer any of these (Windows) features at pre-boot.

WinMagic believes in the importance of the endpoint, as the security gatekeeper and as the foundation for security, and so we have implemented support for multifactor authentication (MFA): authentication tokens since 2000, with biometrics added later on; pre-boot networking since 2010; and more. It is impossible to imagine IT today without networks, given their usefulness for everything from managing IT to big data analytics and machine learning, and the decisions that follow from them. Why not also at pre-boot, where the foundation of security, the endpoint, can be made more secure?

BitLocker made it easier for businesses to deploy FDE with fewer disruptions, partly because Microsoft works with hardware vendors to make sure its PBA runs well, but more importantly because its PBA offers only basic functionality. This does result in questionable decisions, like recommending “no (PBA) authentication with the default TPM-only mode”, which is not good enough against dedicated adversaries. (For a more complete analysis, please read our blog post on this topic.)

Having support for all these various, and newly arriving, hardware devices at pre-boot comes with a cost. WinMagic works intensively with PC and UEFI BIOS vendors to support these varieties of hardware early, ideally before the PCs are offered on the market. However, even this is difficult. Until the industry and the ecosystem partners have standards for supporting these hardware devices at pre-boot, WinMagic cannot guarantee that SecureDoc FDE will work with all hardware on the market.

We have also learned from experience that, due to IT complexity and vendors’ commitments, we cannot rush this integration work. To achieve a smooth and timely deployment, we must recommend that our customers use a less-featured PBA, e.g. only wired rather than wireless pre-boot networking, or at times even just rely on the BitLocker PBA for devices we do not yet, or might not be able to, support. If we try to solve these incompatibility issues before each installation, it might take too long to achieve a smooth deployment, and, as a result, both our customers and WinMagic would be unhappy.

We estimate that we currently support 90+% of hardware models on the market. With more vendor support and a push for better security and its support, we believe we can achieve 100% in the future. We currently work actively with several of the largest PC vendors on this PBA support. Our recommendation is that our customers and prospects always review our device compatibility section prior to making their hardware purchase decision.

In short, we know of these existing pre-boot issues and we believe we can work with our PC OEM partners to address them, given the importance of IT security and customer demand. WinMagic is willing to accept and review these incompatible cases. Resolving them at the point of deployment will be the exception and not the rule, however. Our recommendation to customers is that they should either consider using a less capable PBA, including just the BitLocker PBA, or switch to a PC model that is compatible with SecureDoc.