MagicEndpoint Support
WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.
About This Release
This document contains important information about the current release. We strongly recommend that you read the entire document.
Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.
Previous Versions
Version | Release date | Summary
ME 1.3 | December 9, 2022 | Updates, improvements, new features
ME 1.2 | July 20, 2022 | Updates, improvements, new features
ME 1.0 | March 31, 2022 | Initial Release of MagicEndpoint and
Download the latest release notes for each version listed within Knowledge Base Article 1756.
System Requirements
- MagicEndpoint requires that the SecureDoc client agent software be installed and registered with a SecureDoc Enterprise Server (SES) before MagicEndpoint is installed. NOTE: Allowing SecureDoc to encrypt the disk drive offers the best security, but it is not a requirement; the SES client can be installed with a Profile/Installation Package that specifies Removable Media Only (RMO) protection.
- If the MagicEndpoint Identity Provider (IdP) service is used as the delegated IdP for an Azure AD (AAD) domain (for example, to use MagicEndpoint IdP for Microsoft 365/Office 365), note that new devices cannot be joined directly to that AAD domain.
a. In that case the environment must be a hybrid one: devices are joined to the on-premises domain, which is then synchronized to the Azure AD domain used for O365.
- Devices must have TPM 2.0. TPM 1.2 or earlier is not supported.
Client OS Support
In this release, only Windows devices are supported.
Devices using MagicEndpoint authentication must run Windows 10 or Windows 11. Windows 7 is not supported.
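The two host requirements above (TPM 2.0 and Windows 10/11) can be checked before rolling out the MagicEndpoint installer. The following readiness check is an added example written for these notes, not WinMagic code. It reads the TPM specification version from the Win32_Tpm CIM class and the OS build from Win32_OperatingSystem; the SecureDoc client/SES registration requirement is deliberately not checked here because the page gives no local indicator for it, so confirm that in the SES console. Run it in an elevated session, since Win32_Tpm is only readable by administrators.

```powershell
# Added example (not WinMagic code): pre-install readiness check for MagicEndpoint.
# Verifies the two host requirements stated in the release notes:
#   - TPM 2.0 present (TPM 1.2 or earlier is not supported)
#   - Windows 10 or Windows 11 (Windows 7 is not supported)
# Run from an elevated PowerShell session; Win32_Tpm requires administrator rights.

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the spec version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }   # no TPM, TPM disabled in firmware, or not running elevated
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

function Test-MagicEndpointReadiness {
    $result = [ordered]@{}

    # TPM check: parse the spec version defensively; anything that is not "2.0" or later fails.
    $specVersion = Get-TpmSpecVersion
    $parsed = $specVersion -as [version]
    $result['TpmSpecVersion'] = $specVersion
    $result['TpmOk'] = ($null -ne $parsed) -and ($parsed -ge [version]'2.0')

    # OS check: Windows 10 and Windows 11 both report version 10.0; Windows 11 starts at build 22000.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $result['OsCaption'] = $os.Caption
    $result['OsBuild'] = $build
    $result['OsOk'] = ($os.Version -like '10.0*') -and ($build -ge 10240)

    $result['Ready'] = $result['TpmOk'] -and $result['OsOk']
    return [pscustomobject]$result
}

# Usage: prints one line per check; Ready is True only when both requirements are met.
Test-MagicEndpointReadiness | Format-List
```

A TpmSpecVersion of $null with TpmOk False on a machine that does have a TPM usually means the session was not elevated, or the TPM is disabled in firmware; check both before treating the device as unsupported.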
Version 1.3 of MagicEndpoint
Which customers should upgrade to ME version 1.3?
Customers who had been testing MagicEndpoint 1.0, 1.1 or 1.2, or the same product under pre-release/Beta names like FIDO Eazy Diamond/3.0/Enterprise or SecureDoc Passwordless Authentication, should upgrade to the full release final version.
New Features
SecureDoc IdP central management has been enhanced to give Administrators control over access to Service Providers
Issue: Administrators had no way to control which users may access a given Service Provider through SecureDoc IdP.
Solution: With this improvement, each Service Provider definition gains settings that define which users or groups of users can access it and use the service.
These are based on the groups/users that have been synchronized from Active Directory to the SES Database.
A pre-defined group encompassing everyone (any user in the SES Database) is applied automatically whenever an Admin creates a Service Provider entry; it can be removed and replaced with more restrictive Group/User settings at will.
Affected tickets: SD-41740
Improvements
MagicEndpoint/SecureDoc IdP can now authenticate requests coming from OIDC sources.
Issue: Customers may need to validate users and authenticate against an OIDC Source
Solution: MagicEndpoint IdP now incorporates the capacity to validate against OIDC.
Affected tickets: SD-41060
Where a user has multiple accounts, the user should be able to choose which account is used to sign in to a given Application/Service Provider.
Issue: When multiple accounts are assigned to a user (e.g., the user works both as a staff member and as an Administrator), the user needs to choose which account to sign in with for that application. The user can currently choose the account on IdP Web, but that is considered an incomplete solution.
Solution: During authentication, the MagicEndpoint client now shows a pop-up on each service request for which the user has multiple accounts, allowing the user to choose which account to log in with.
Affected tickets: SD-42025
MagicEndpoint IdP now offers LDAP-based authentication
Issue: Customers may need to validate users and authenticate against an LDAP Source
Solution: MagicEndpoint IdP now incorporates the capacity to act as an LDAP server.
Affected tickets: SD-42070
Groups should include an option to enable authentication using a Mobile Device across a network (as opposed to via Bluetooth), so that any user belonging to the group, or to a user group that is a member of the group, is allowed such network-based access using a mobile device.
Issue: Authentication using a Mobile Device over a network connection is not manageable at the Group level.
Solution: Groups now include an option to enable authentication using a Mobile Device over a network connection (versus a Bluetooth connection), so that any user belonging to the group, or to a user group that is a member of the group, can be allowed network-based authentication.
Affected tickets: SD-42092
MagicEndpoint IdP has two options for User Action during RADIUS-based authentication
Issue: Organizations may require users who authenticate via RADIUS to prove presence at the device, in accordance with their security policies.
Solution: MagicEndpoint IdP offers a choice of two User Action modes for RADIUS authentication:
a) User Present (default)
b) User Verification
Device MAC (Media Access Control) address filtering lets the MagicEndpoint IdP avoid requiring users to enter a User Name in the Cisco AnyConnect VPN client during RADIUS authentication.
Issue: WinMagic is always striving to provide as seamless and non-intrusive a user experience as possible during authentication.
Solution: Using the device-unique MAC address, device-user relationships can be defined so that the user need not enter a User ID in the Cisco AnyConnect VPN client during RADIUS authentication. The MAC address only identifies the device; the user is still authenticated according to the configured User Action mode.
IdP user groups can now be managed from within the SES Groups functionality using the SESWeb console.
Issue: As MagicEndpoint and its integration with SES evolve into an Enterprise solution for authentication, user-level administration needs to remain simple to manage yet powerful.
Solution: A new "IdP" tab has been added to SES Web's group properties, which ties a Group to IdP-defined Service Provider configurations and so grants the Group's members access to those Service Providers. The same settings control whether "Out of Band" (network-based) authentication is permitted (as opposed to only Bluetooth Low Energy communication between the endpoint and the user's Mobile Device), and whether the user must provide simple or more stringent proof of presence at the device.
LDAP-based authentication requires User Presence options like those in the RADIUS settings.
Issue: An Administrator could not define how the user must prove presence during authentication when an LDAP-based authentication method is used.
Solution: With this version, there are two User Action modes for LDAP:
a) User Present (default)
b) User Verification
Affected tickets: SD-42937
The client panel that guides the user through conversion to Token protection now conditionally shows the Mobile App installation QR Code and instructions when the user selects WinMagic Mobile Token
Issue: Now that customers can protect their Key Files using the WinMagic Mobile Token (which uses the WM Authenticator app on the phone), users should be able to install the app if they do not already have it.
Solution: When the user opts to use a WinMagic Mobile Token, the panel now displays a download QR Code which, when scanned, takes the user directly to the app in either the Apple App Store or Google Play, as appropriate to the mobile device type. For any other token type, the existing static blue "Key + USB" image is shown in the top left corner of the panel.
Further, since the instructions for converting to the Mobile token differ from those for a physical token (e.g., nothing to insert), the text at the top of the panel provides guidance specific to converting to the Mobile token.
Affected tickets: SD-43241
IdP-related Log Entries are accessible in an IdP-specific Logs viewer in the SESWeb console.
Issue: Where IdP-related log entries are added, they must be accessible separately as the IdP should be considered its own source of logged events.
Solution: IdP-related Log Entries will be accessible in an IdP-specific Logs viewer within the SESWeb console.
Affected tickets: SD-42058
Resolved Issues
None
Limitations
Error message "An unidentified error has occurred. Error code: 0x9B08CA" appears, blocking Phone-based Authentication
Issue: The presence of "FIDOEazy" and "Your Phone" under Bluetooth in Device Manager appears to block the completion of Phone-based Authentication.
Scenario: SecureDoc has been deployed to a device successfully using an Installation Package. The profile used specifies the SecureDoc Credential Provider and Bluetooth Low Energy (BLE) authentication.
1. Boot Logon is installed, the drive is successfully encrypted, and device ownership is established (the "Secure Moment").
2. The user logs in at Pre-boot, at the SecureDoc Credential Provider, and to SecureDoc Control Center (SDCC); all succeed without error.
3. The user pairs the Phone's Bluetooth with the PC for any purpose.
4. The user opens SecureDoc Control Center and logs in.
5. Expected result: the user can log in to SecureDoc Control Center by authenticating with WMAuthenticator on the Phone, without error.
Actual result: the error message "An unidentified error has occurred. Error code: 0x9B08CA" is shown.
Work-around:
6. Click "OK" to close the error message and close SecureDoc Control Center.
7. In Device Manager, open the Bluetooth section and remove "FIDOEazy" and "Your Phone".
8. In Device Manager, disable and re-enable the Bluetooth device.
9. Reboot.
10. You should now be able to log in at Pre-boot, at the SecureDoc Credential Provider, and to SecureDoc Control Center using Bluetooth.
NOTE: After applying steps #7 to #8 of the work-around, an attempt to pair the Phone's Bluetooth with the PC again resulted in the Phone not being detected for login to SecureDoc Control Center or the SecureDoc Credential Provider; login was only possible at SecureDoc Pre-Boot.
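Steps 7 to 9 of the work-around can be scripted so that a help desk applies them consistently across affected machines. The script below is an added example for these notes and is not WinMagic code. It takes the device friendly names from the work-around, removes them with pnputil, cycles the Bluetooth adapter with the PnpDevice cmdlets, and reboots only when asked. Two points are assumptions rather than facts from the page: that the Bluetooth radio is the Bluetooth-class device whose instance ID does not start with BTH (paired devices and the Microsoft enumerators all do), and that pnputil /remove-device is available, which requires Windows 10 version 2004 or later. Run it elevated.

```powershell
# Added example (not WinMagic code): scripts work-around steps 7-9 for error 0x9B08CA.
# Step 7: remove the "FIDOEazy" and "Your Phone" Bluetooth devices.
# Step 8: disable and re-enable the Bluetooth adapter.
# Step 9: reboot (only with -Reboot, so the operator can review the output first).
# Requires an elevated session; pnputil /remove-device needs Windows 10 2004 or later.
param(
    [string[]]$DeviceNames = @('FIDOEazy', 'Your Phone'),   # names from the release notes
    [switch]$Reboot
)

$ErrorActionPreference = 'Stop'

# Step 7: find and remove the paired entries by friendly name.
$stale = Get-PnpDevice -Class Bluetooth | Where-Object { $DeviceNames -contains $_.FriendlyName }
if (-not $stale) {
    Write-Warning "No Bluetooth device named $($DeviceNames -join ', ') found; nothing to remove."
}
foreach ($dev in $stale) {
    Write-Host "Removing $($dev.FriendlyName) ($($dev.InstanceId))"
    pnputil /remove-device $dev.InstanceId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "pnputil failed for $($dev.InstanceId) (exit code $LASTEXITCODE)" }
}

# Step 8: cycle the radio itself. Assumption: paired devices live under BTHENUM\ or BTHLE\
# and the Microsoft Bluetooth enumerators under BTH\, so the adapter is the remaining
# present Bluetooth-class device (typically USB\ or PCI\). Assumes a single adapter.
$adapter = Get-PnpDevice -Class Bluetooth -PresentOnly |
    Where-Object { $_.InstanceId -notmatch '^BTH' } |
    Select-Object -First 1
if (-not $adapter) { throw 'Bluetooth adapter not found; disable/enable it manually in Device Manager.' }
Write-Host "Cycling adapter $($adapter.FriendlyName) ($($adapter.InstanceId))"
Disable-PnpDevice -InstanceId $adapter.InstanceId -Confirm:$false
Start-Sleep -Seconds 3
Enable-PnpDevice -InstanceId $adapter.InstanceId -Confirm:$false

# Step 9: the work-around is only complete after a reboot.
if ($Reboot) {
    Restart-Computer -Force
} else {
    Write-Host 'Reboot required to complete the work-around; re-run with -Reboot or restart manually.'
}
```

Because of the NOTE above, re-pairing the phone after this procedure may leave it undetected for SecureDoc Control Center and the Credential Provider; verify Pre-boot, Credential Provider and SDCC login separately after the reboot rather than assuming one success covers all three.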
How to Install/Upgrade
Customers with an active support plan should contact support@winmagic.com to receive the latest download link for their SecureDoc upgrade.
Contacting WinMagic
WinMagic, 5770 Hurontario Street, Suite 501, Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879 Phone: (905) 502-7000 Fax: (905) 502-7001
Sales: sales@winmagic.com Marketing: marketing@winmagic.com Human Resources: hr@winmagic.com Technical Support: support@winmagic.com For information: info@winmagic.com For billing inquiries: finance@winmagic.com
This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young (eay@mincom.oz.au) and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).
WinMagic would like to thank these developers for their software contributions.
© Copyright 1997 – 2022 by WinMagic Corp. All rights reserved.
Printed in Canada. Many products, software and technologies are subject to export control in both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canada Border Services Agency (CBSA) and the Commerce Department's Bureau of Industry and Security (BIS). For more information, visit WinMagic's web site or the web site of the appropriate agency.
WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners.
© Copyright 2022 WinMagic Corp. All rights reserved. This document is for informational purposes only. WinMagic Corp. makes NO WARRANTIES, expressed or implied, in this document. All specifications stated herein are subject to change without notice.