SecureDoc V8.6 SR1
On July 6, 2018 WinMagic customers and partners were notified that the SecureDoc pre-boot authentication feature for macOS – known as SecureDoc On Top (SDOT) for FileVault 2 – would be deprecated in SecureDoc 8.2 SR1. As of this release, customers will no longer see this feature available for macOS configuration settings.
Please visit Knowledge Base Article 1760 for more information.
WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.
Please visit Knowledge Base Article 1397 for more information on End of Life and End of Support timelines for SecureDoc software releases.
Customers running SecureDoc 6.5 and earlier should upgrade their server and clients to an actively supported software version. For more information on upgrading from SecureDoc 6.5 and earlier, please visit https://downloads.winmagic.info/SD8.2SR1/HF2/Release_Notes_8.2SR1HF2.pdf.
This document contains important information about the current release. We strongly recommend that you read the entire document.
Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.
December 5th 2019: New features, improvements and fixes (server/client)
April 8th 2019: New features, improvements and fixes (server/client)
June 11th 2019: New features, improvements and fixes (server/client)
December 9th 2020: New features, improvements and fixes (server/client)
Download the latest release notes for each version listed within Knowledge Base Article 1756.
For server and client system requirements: https://winmagic.com/en/data-security-support/system-requirements/
For supported devices, drives, smartcards and tokens: https://winmagic.com/en/data-security-support/device-compatibility/
Note: It is strongly recommended to install the Full-Text Indexing feature (Full-Text Search) in the Database Engine before performing an SES installation.
More information is available here: http://msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating that Full-Text Indexing is absent. This message does not allow the user to stop the SES installation, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.
Note: Use of the SES Console requires the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly.
Client OS Support
For a detailed view of which specific versions of SecureDoc are supported under various versions of Windows, macOS or Linux: See: https://winmagic.com/en/data-security-support/system-requirements/
Customers are strongly advised to download the most current KnownConfigs.XML file, then replace the current version (if older) in the SES Application folders and
WinMagic strongly recommends that you seek out the most up-to-date version of the KnownConfigs.XML file and incorporate it into your SES implementation on a regular basis (e.g. monthly). This will help ensure your SES Version will take advantage of new client installation override settings that have been added since the version of the KnownConfigs.XML file that came with your version of SES. This will improve installation success on any new device makes/models you might purchase since installing SES, utilizing the new special settings available in newer versions of this file.
Customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files, then check that document (e.g. on a monthly basis) for updates to this file, then use the new version to replace all versions of the KnownConfigs.XML file in their SES Implementation folder structure. For example:
Additional information can be found here: Installing or updating the KnownConfigs.xml file (Applies to SES from Version 7.5 onward).
The latest versions of the KnownConfigs.XML files can be found at the following links:
The contents of the KnownConfigs.XML file are reserved to be developed and advanced by WinMagic solely. While customers might consider enhancing it, WinMagic cannot be held responsible for issues that might arise from such modifications and may (at its sole discretion) levy an additional support charge on any customer that encounters support issues that can be traced back to non-sanctioned, customer-initiated changes to KnownConfigs.XML.
WinMagic welcomes customer ideas and suggestions on how KnownConfigs.XML can be extended and improved, but WinMagic reserves the sole right to test, approve and to publish any changes to KnownConfigs.XML that it deems to be in the broader customer interest, and makes no commitment to act upon or publish all, or indeed any customer-recommended changes.
Where customers have chosen the "Force user to enter a UserID at preboot" option, pre-boot previously did not require the user to enter a valid User ID before allowing access to the "F3" technical information screen.
Beginning with 8.6 SR1, if the above option is enabled in the profile, users will be required to enter a valid User ID before they are able to gain access to this screen. After entering a valid User ID, the F3 functionality will be accessible.
Issue: Many customers have a "last resort" Key File on endpoint devices, typically used by Desktop Support, but for which nobody knows the key file password. This account can be used in conjunction with Challenge / Response (e.g. using SES Web Simplified Recovery), since such accounts are typically set to not allow password change following one-time use. This process works well when the device is functioning; however, there was no corresponding way to use this method with the SDRecovery tool to recover data from a non-functional system (e.g. if Windows becomes corrupted).
Solution: This improvement permits customers to perform Challenge/Response when using the SDRecovery tool, in order to unlock an encrypted disk.
Use of Challenge / Response in this context is limited to unlocking a disk only, using either a cached key file on the disk or an external key file. NOTE: Challenge/Response in SDRecovery will not ask the user to reset the password.
This new diagnostic page reports such items as:
Preboot Mode last used to boot (V4 / PBL / PBLU / PBU)
Preboot UEFI boot mode (Boot Order or Boot Patching)
Preboot Language Setting
Cached Users - a list of SecureDoc User IDs that have on-device Key Files that will permit local logon access at Pre-Boot.
Is Autoboot enabled
A second tab permits access to enabling or disabling the debug logs, and exporting Log information.
Issue: Several customers have been asking WinMagic to implement Token-protected User Key Files for the SD Linux client.
Solution: This version provides a solution to meet these needs.
SecureDoc Enterprise Server will import user certificates from LDAP and create token KFs using user certificates. Where the user does not have an available certificate, that user will fall back to using a password-protected Key File.
Issue: Some customers have encountered unexpected support calls from users who have mistakenly switched their pre-boot language, thereby altering their keyboard inputs, despite the language bar prompting them to confirm that they want to switch languages.
Solution: In this version, a new configuration option has been added which will hide the language bar from the main Pre-Boot screen, ensuring it is only accessible if the user presses F3 and makes the change through that means.
This option can be enabled by manually adding the following parameter to the Device Profile, in the SDSpace section:
Once this option is set, the keyboard language bar will be hidden from the Login screen and the Challenge / Response screen. In order to change the keyboard language at Pre-Boot, the user must go to the F3 screen.
Issue: When an end user elects to change the language at Pre-Boot, the following message is displayed: "Do you wish to permanently save your keyboard layout settings? (yes/no)"
This prompt provided no indication of what the resulting language will be if the user proceeds with the change.
Solution: This change improves this prompt, to provide more information to ensure the user is fully aware of the before and after language change. This message now will display as:
<WARNING_ICON> You are about to change the keyboard language from <old_language> to <new_language>. Are you sure that you want to change your keyboard layout?
This change will assist end users from accidentally changing languages, which could cause problems logging in at Pre-Boot due to altered character mapping under the new language.
Issue: Where user credentials can be changed outside of Windows (e.g. administratively in Active Directory, or from a third-party password management website), the company help desk would instruct the user to lock and unlock the device using the new credentials, successfully authenticating to Windows with the new password. In this scenario Windows updates its password, but Windows would not communicate that password change to SecureDoc.
Solution: WinMagic has implemented a new SecureDoc Credential Provider, in order to enable password synchronization on an unlock event. Note that this changes Windows to use an alternate credential provider, which could exhibit compatibility issues with other third-party credential provider solutions. It is recommended to test this option when using third-party credential providers, e.g. multi-factor authentication, as those cases may not require this feature to allow password synchronization on an unlock.
This feature can be enabled by manually adding the following parameter to the Device Profile, under the [SecureDoc CP] section:
Once this profile option has been applied, the user must log off and log on for the option to take effect.
Issue: After deploying an SDMac installation package and enabling FileVault2, the WinMagic recovery account would appear normally in the FDESetup list. Other functions also work fine, such as changing the recovery account password via a remote command sent from the server.
However, after reboot or shut down upon turning on the device, the account would not appear, nor could it be selected on the FileVault2 login screen.
NOTE: This issue only occurs on Apple devices containing the M1 chip.
Solution: This issue has been corrected in this version.
Issue: When A Child domain within a Multi-Domain environment is configured to be synchronized, upon initiating a Full Sync process it would fail to synchronize, yielding an error message in the ADSync event log.
Solution: This issue has been resolved in this version, and child Domains will correctly synchronize.
Issue: It was reported that in some cases users were locking the encryption engine in Windows due to excessive failed login attempts. In past versions, this required that the PC be rebooted in order to unlock the engine. This was inconvenient, and an alternative to the permanent lockout was requested.
Solution: The encryption engine can now operate in a manner comparable to the TPM "heal timer", allowing a cool-down period between failed attempts. To alter this new functionality (which is enabled by default), manually revise the following parameters in the [General] section of the Device Profile:
The TTokiMaxLoginAttempt value defines how many failed login attempts these applications will tolerate before triggering the lockout.
The TTokiLockOutHealingTimeOut value defines how many seconds will be added to the failed-login countdown timer, e.g. 600 = 10 minutes. Note: If the TTokiLockOutHealingTimeOut value is set to 0 (zero), this feature will not be used.
The TTokiLockOutHealingTimeOut setting, if not set to zero, cannot be set to a value below 300. If it is set to a non-zero value below 300, then 300 will be used. If there is a lockout event, the user will be prompted with a message indicating that he/she is locked out and how many minutes the user must wait before attempting to log in again.
NOTE: Each additional failed login attempt (up to the maximum defined in the TTokiMaxLoginAttempt value) will add the number of seconds specified in the TTokiLockOutHealingTimeOut value to a countdown timer. If the user does not wish to wait out the countdown period, the device can be restarted, which resets the countdown timer to zero and allows a successful login with the correct credentials.
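The following model of the heal-timer rules above is an added example and is not WinMagic code. It takes the two profile values (TTokiMaxLoginAttempt and TTokiLockOutHealingTimeOut), applies the documented clamping (0 disables the timer, non-zero values below 300 become 300), adds the healing seconds to a countdown for each counted failure, and reports the wait in minutes the lockout message would show. Two details the release notes do not state are assumptions and are marked as such in the code: failed attempts made while locked are not counted, and the attempt counter is cleared once a countdown has expired.

```python
"""Model of the SecureDoc 8.6 SR1 encryption-engine lockout heal timer.

Added example, not WinMagic code.  Timestamps are plain epoch seconds so the
behaviour can be exercised deterministically.
"""

from dataclasses import dataclass

MIN_HEALING_SECONDS = 300  # documented: non-zero values below 300 are raised to 300


def effective_healing_timeout(configured: int) -> int:
    """Apply the documented clamping rule for TTokiLockOutHealingTimeOut."""
    if configured <= 0:
        return 0  # 0 disables the heal timer: a lockout then persists until restart
    return max(configured, MIN_HEALING_SECONDS)


@dataclass
class EngineLockout:
    max_login_attempts: int          # TTokiMaxLoginAttempt
    healing_timeout: int             # TTokiLockOutHealingTimeOut (raw profile value)
    failed_attempts: int = 0
    countdown_end: float = 0.0       # epoch seconds at which the countdown expires
    permanently_locked: bool = False  # heal timer disabled and maximum reached

    def __post_init__(self) -> None:
        self.healing_timeout = effective_healing_timeout(self.healing_timeout)

    def is_locked(self, now: float) -> bool:
        if self.permanently_locked:
            return True
        return (self.failed_attempts >= self.max_login_attempts
                and now < self.countdown_end)

    def record_failed_login(self, now: float) -> None:
        if self.is_locked(now):
            return  # ASSUMPTION: attempts made while locked are not counted
        if self.failed_attempts >= self.max_login_attempts:
            # ASSUMPTION: a countdown that has expired clears the attempt counter
            self.failed_attempts = 0
            self.countdown_end = 0.0
        self.failed_attempts += 1
        if self.healing_timeout == 0:
            if self.failed_attempts >= self.max_login_attempts:
                self.permanently_locked = True  # legacy behaviour: reboot required
            return
        # documented: each failed attempt, up to the maximum, adds the healing
        # seconds to the countdown timer
        if self.failed_attempts <= self.max_login_attempts:
            self.countdown_end = max(self.countdown_end, now) + self.healing_timeout

    def wait_minutes(self, now: float) -> int:
        """Minutes the lockout message tells the user to wait (rounded up).

        Returns -1 when no countdown applies and only a restart will help."""
        if self.permanently_locked:
            return -1
        if not self.is_locked(now):
            return 0
        remaining = self.countdown_end - now
        return int(-(-remaining // 60))

    def restart(self) -> None:
        """A device restart resets the countdown timer to zero."""
        self.failed_attempts = 0
        self.countdown_end = 0.0
        self.permanently_locked = False

    def attempt_login(self, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt: 'ok', 'failed' or 'locked'."""
        if self.is_locked(now):
            return "locked"
        if password_ok:
            self.failed_attempts = 0
            self.countdown_end = 0.0
            return "ok"
        self.record_failed_login(now)
        return "locked" if self.is_locked(now) else "failed"


if __name__ == "__main__":
    # constructed scenario: 3 attempts allowed, 600 s (10 min) per failure
    engine = EngineLockout(max_login_attempts=3, healing_timeout=600)
    for t in (0.0, 1.0, 2.0):
        print(t, engine.attempt_login(False, t))
    print("wait minutes:", engine.wait_minutes(2.0))
```

With the constructed values the third failure triggers the lockout and the user is told to wait 30 minutes (three failures, 600 seconds each), which matches the accounting described in the note above; a restart or the expiry of the countdown clears it.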
Issue: It was inconvenient to have to run the “collectclientsupportlogs.bat” file as admin, especially when most users cannot run this command as administrator.
Solution: To provide an easy-to-use interface, WinMagic has created a new panel through which users can export device logs from their SecureDoc-protected endpoints. Customers should find this new functionality substantially easier to use than the "collectclientsupportlogs.bat" command line application. Unlike the command line application it replaces, this new panel can run without Windows elevated/admin rights. It collects not only userdata and setup logs, but also the relevant Windows logs and registry keys for SecureDoc, specifically the WinMagic key and its subkeys. Lastly, it creates a zip file containing the collected logs and places it in a specified location so that it can be retrieved more easily.
WinMagic has improved security within the SESWeb browser-based Console application, as follows:
The following SESWeb pages in which backURL could be vulnerable to XSS have been addressed and corrected:
Other pages with backURL as a query parameter have been encoded/escaped to eliminate this risk. A risk to the following page was corrected – impacted only when using an older version of jQuery:
Some fields in the Profile and Packages text fields could be vulnerable to XSS, and those risks have been addressed in this Service Release.
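As an added example (not SESWeb code), the block below shows the two controls the XSS items above refer to applied to a backURL-style query parameter: the value is first restricted to a same-site relative path (absolute URLs, protocol-relative and scheme-prefixed values are replaced by a default page), and is then attribute-escaped before being emitted into markup. The parameter name, the default page and the allowed-path rule are assumptions; the vulnerable pattern is shown beside the hardened one only so the difference in output is visible.

```python
"""Defensive handling of a backURL-style redirect/return parameter.

Added example, not SESWeb code.  The fallback page and the rule that only
same-site relative paths are accepted are assumptions for illustration.
"""

import html
from urllib.parse import urlsplit, urlunsplit

DEFAULT_BACK = "/Default.aspx"  # constructed fallback target


def normalize_back_url(raw):
    """Return a same-site relative path, or DEFAULT_BACK if the value is unsafe."""
    if not raw:
        return DEFAULT_BACK
    # control characters (including tab/newline) are rejected outright rather than
    # silently stripped, which is what some URL parsers would do
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return DEFAULT_BACK
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # absolute or protocol-relative URL, or a scheme such as javascript:
        return DEFAULT_BACK
    path = parts.path
    # require a rooted path; "//" and "/\" are treated as host-relative by browsers
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return DEFAULT_BACK
    # keep the query string, drop any fragment
    return urlunsplit(("", "", path, parts.query, ""))


def render_back_link(raw, label="Back"):
    """Hardened form: validated target, attribute-escaped before insertion."""
    target = normalize_back_url(raw)
    return '<a href="%s">%s</a>' % (html.escape(target, quote=True),
                                    html.escape(label, quote=True))


def render_back_link_unsafe(raw, label="Back"):
    """The reflected pattern described above: the raw parameter lands in markup."""
    return '<a href="%s">%s</a>' % (raw, label)


if __name__ == "__main__":
    # constructed inputs a request might carry in its backURL parameter
    samples = [
        "/Devices.aspx?page=2",
        "https://example.org/",
        "//example.org/",
        "javascript:alert(1)",
        '/Users.aspx?id=1"><i>x</i>',
    ]
    for s in samples:
        print(repr(s), "->", render_back_link(s))
```

Validation and escaping are separate controls: the path rule stops the parameter being used as an open redirect, and the attribute escaping stops a value that passes the path rule (a query string containing quotes or angle brackets, as in the last sample) from breaking out of the href attribute.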
Issues were found where the SecureDoc Encryption engine that is used in part to perform removable media encryption, could become locked and require a restart of the device to unlock. This prevented users from accessing media until a restart.
This issue has been incrementally improved in 8.6 SR1 with the introduction of a cooldown period to allow the engine to unlock without a restart. Additional improvements will be included in future SecureDoc releases.
Issue: When a device equipped with an Intel 5xx Graphics Adapter has gone through SecureDoc's Linux-based pre-boot (PBLU), once the device is in Windows the system will freeze if the device is locked or put to sleep, or if a monitor is turned off. This behavior was specifically reproducible on devices using "displayport" connections. It was uncovered that the Intel driver is unable to handle power state changes after Linux has loaded, because it lacks the functionality that is supposed to reset the DisplayPort registers on a Linux restart.
In prior versions one could set "nomodeset", which usually resolved the issue by simply not allowing the Intel driver to load, but that setting was found not to work on all devices and required manual adjustments to the SecureDoc profile. Alternatively, it was possible to disable additional DisplayPort connections at pre-boot, but this could cause confusion as to which physical DisplayPort connection was in use, as not all monitors would display the Pre-Boot authentication.
Solution: This issue was determined to require a new display driver from Intel, which was provided to WinMagic and integrated into the SecureDoc Linux Pre-Boot authentication. With the addition of this display driver, the issue has been resolved in this Service Release.
Issue: Where customers stand up a "housekeeping" device, running SecureDoc and having SFE Policies and requisite keys so that it can independently monitor in-policy folders and encrypt new contents, it was found that if the device encountered a file in the in-policy folder for which it did not have necessary rights, it would not bypass that file to continue on with any others it could encrypt.
Solution: This issue has been corrected in this version.
Significant improvements have been made to password sync which WinMagic believes will make this process more reliable for customers using SecureDoc Pre-boot authentication.
A major benefit of this change will be experienced when devices are offline/unable to reach the SES Server, or when outside the domain network.
Issue: When PXE boot was enabled in the BIOS, it was found to cause issues with the native SecureDoc UEFI Pre-Boot authentication (PBU), and so SecureDoc would disable the PXE boot protocol.
Solution: In this version, the PXE boot protocol can be reinstated if needed by enabling a parameter in the SecureDoc Profile. This option can be enabled by manually adding the following parameter to the Device Profile, in the SDSpace section:
0 = disabled (default)
1 = enabled (PXE Boot allowed)
Although this issue has been corrected in this version, as a security "best practice" customers are advised to close out of RMCE Manager or RMCE Viewer if intending to log out of the device and log in as a different user.
Issue: When SES Web is installed as the only component on a server, the install did not create the emergency disk files. This caused a scenario where emergency disks could not be retrieved from the SES Web Console.
Solution: This issue has been resolved. Now when installing SES web as the only SecureDoc Enterprise Server component, the emergency disk files are installed and prepared so that they can be generated by the web console admin user.
Issue: This issue occurs where fixed IP addresses are used for PBConnex Auto-Boot but Hyper-V creates a large number of virtual network adapters, exceeding the number that SecureDoc can track. As a result, the fixed IP address required is not applied to the endpoint's actual network adapter that will be used for SecureDoc pre-boot.
Solution: This issue has been corrected. Extensive testing of the fix shows that this issue no longer occurs.
Issue: After performing a Windows client installation offline, if the client VPN is not connected to the corporate network for some time after the system is logged in, the device will fail to register with the SES Server and therefore cannot transition from Provisioning to Deployed status, even after a VPN connection has been re-established.
Investigation indicated that the device would attempt communication for 10 minutes and would then stop, not resuming even if the VPN connection to the network were established after the 10-minute boundary. As a result, device registration would not complete unless the system remained on long enough for the Windows client to initiate its regularly scheduled communication (the default is 60 minutes). This could result in a 50-minute gap during which the system would not automatically complete registration or cache users.
Solution: Offline device installations will indefinitely try to register; repeating communication attempts approximately every minute until successful.
An issue was found when using Intel VROC RAID configured as a RAID 1 mirror together with SecureDoc Pre-Boot Linux for UEFI (PBLU), which prevented pre-boot from properly accessing key data during the second stage of the boot process, resulting in a pre-boot loop.
The root cause was that the RAID 1 mirror was identified as separate single disks by the SecureDoc pre-boot authentication. The mirror is not updated outside the Windows OS (i.e. at boot time), so during "stage 2" of the boot process SecureDoc could sometimes read from the wrong SDSpace, which would not contain the key transfer data required to boot into Windows successfully.
This issue has been corrected, and the transfer data is now retrievable from either disk.
Issue: Upon attempting to encrypt a secondary hard drive of 4TB capacity or larger, the following message could appear:
An unidentified error has occurred. Error code Task:TaskDiskManagement
Solution: This issue has been resolved for Windows 10 only, at present. Customers having 4TB or larger secondary drives will not encounter this error, and the drive will be encrypted successfully.
For users of Windows 7, 8 and 8.1 devices, this solution will be applied in the next available Service Release or Hot Fix.
An issue was discovered with the SecureDoc for Microsoft Surface client when used on the Microsoft Surface Go 2 device, which prevented the wireless network card from being detected. This issue was already resolved in the non-Surface SecureDoc client for Windows, and it was determined that the Surface Go 2 is in fact compatible with the standard SecureDoc for Windows client. By design, the standard client prevents installation on Surface devices due to known issues with Microsoft's UEFI implementation on many of their models. However, in this circumstance it became desirable to be able to install the standard client on this Surface device.
Solution: As this scenario may become more frequent in the future, a new MSI installation parameter has been added to the standard SecureDoc for Windows client. The installation parameter is:
which will allow the Windows client to forcefully install on an otherwise blocked Surface device. Example usage (the /v"..." argument must be closed with a quote after the last MSI property) is:
SecureDoc_64.exe /s /v" /qn /l*v %TEMP%\SDSetupSilent.log ALLUSERS=2 SURFACE_CHECK=0"
Issue: When creating Removable Media Container-encrypted containers larger than 32GB as an empty container, then using the Add File(s) option to manually add large files (greater than 100KB) inside the container, the files would appear to be added successfully, but upon attempting to open them directly through RMCE Manager or RMCE Viewer, a message would appear from macOS indicating that the application could not open the file. If using the "Decrypt to..." option to save the file on the Desktop and open it through the macOS Finder, it would still report that it cannot open the file. In summary, if a file manually added to a large (>32GB) container exceeds 100KB in size, this issue occurs.
NOTE: There is no such issue on 32GB or larger containers when using option to move data inside the container during the process of creating the container; all files of any size in a large container can be opened correctly.
This issue has been corrected in this version.
Issue: This problem pertains particularly to Windows 10 devices in Legacy BIOS mode, affecting both Software encryption and use of Self-Encrypting Drives.
During the upgrade to the versions mentioned, the Boot area was relocated into the "System" partition (500 MB in size), to ensure enough disk space to accommodate the required approx. 128MB.
The old partition had not been cleared, and the volume mount point had not been updated to reflect the new Boot Logon area in "System".
Solution: This has been corrected in this version.
Issue: Where the Profile option "Save local keyfile for PBConnex user" is in effect, a user who has logged in to an endpoint device through PBConnex (e.g. where a PBConnex group relationship exists between the user and the device) and who does not currently have a locally-cached Key File on the device, if the device already has all user Key File slots occupied by other Key Files, the PBConnex-authenticated user's Key File will not be saved locally.
Note: This issue only affects devices that are installed using Hardware Encryption (e.g. OPAL Self Encrypting Drives)
Work-Around: At present there is no work-around for this limitation, though WinMagic anticipates having a solution in a forthcoming version.
Customers with an active support plan should contact email@example.com to receive the latest download link for their SecureDoc upgrade.
5770 Hurontario Street, Suite 501
Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001
Human Resources: firstname.lastname@example.org
Technical Support: email@example.com
For information: firstname.lastname@example.org
For billing inquiries: email@example.com
This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young (firstname.lastname@example.org) and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).
WinMagic would like to thank these developers for their software contributions.
© Copyright 1997 – 2021 by WinMagic Corp. All rights reserved.
Printed in Canada
Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department's Bureau of Industry and Security (BIS). For more information, visit WinMagic's web site or the web site of the appropriate agency.
WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2019 WinMagic Corp. All rights reserved.
© Copyright 2021 WinMagic Corp. All rights reserved. This document is for informational purpose only. WinMagic Corp. makes NO WARRANTIES, expressed or implied, in this document. All specification stated herein are subject to change without notice.