SecureDoc V9.0 SR1


Release Notes

View All


SecureDoc Support

WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.

Please visit Knowledge Base Article 1397 for more information on End of Life and End of Support timelines for SecureDoc software releases.

Customers running SecureDoc 6.5 and earlier should upgrade their server and clients to an actively supported software version. For more information on upgrading from SecureDoc 6.5 and earlier, please visit

About This Release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.

Previous Versions


Release Date



March 31, 2022

New features, improvements and fixes (server/client)

8.6 SR1

September 8th, 2021

New features, improvements and fixes (server/client)


December 8th, 2020

New features, improvements and fixes (server/client)


December 5th, 2019

New features, improvements and fixes (server/client)

8.5 SR1

April 8th, 2020

New features, improvements and fixes (server/client)

8.5 SR2

June 11th, 2020

New features, improvements and fixes (server/client)

Download the latest release notes for each version listed within Knowledge Base Article 1756.

System Requirements
For server and client system requirements:
For supported devices, drives, smartcards and tokens:

Note: It is strongly recommended to initially install Full-Text Indexing feature (Full-Text Search) into the Database Engine, before performing an SES installation.
More information is available here:
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of the Full-Text Indexing. This message will not allow the user to stop the installation of SES which will require retrofitting Full-Text Indexing into an existing SQL Server.
Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g., Admin desktop) on which it runs for the console to function properly

Client OS Support

Devices utilizing MagicEndpoint authentication must have Windows 10 – Windows 7 is not supported.
For a detailed view of which specific versions of SecureDoc are supported under various versions of Windows, macOS or Linux: See:


The KnownConfigs.XML File

Customers are strongly advised to download the most current KnownConfigs.XML file, then replace the current version (if older) in the SES Application folders and
Installation Packages.


WinMagic strongly recommends that you seek out the most up-to-date version of the KnownConfigs.XML file and incorporate it into your SES implementation on a regular basis (e.g., monthly). This will help ensure your SES Version will take advantage of new client installation override settings that have been added since the version of the KnownConfigs.XML file that came with your version of SES. This will improve installation success on any new device makes/models you might purchase since installing SES, utilizing the new special settings available in newer versions of this file.
Customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files, then check that document (e.g., on a monthly basis) for updates to this file, then use the new version to replace all versions of the KnownConfigs.XML file in their SES Implementation folder structure. For example:

  1. Position Windows Explorer to: c:\Program Files(x8)\WinMagic\SDDB-NT, then
  2. Search for files like *.xml.
  3. Sort the resulting search list by name
  4. In each directory where a KnownConfigs.XML file is found, replace it with the new one that you have downloaded from the WinMagic Knowledge Base article.

Additional information can be found here: Installing or updating the KnownConfigs.xml file (Applies to SES from Version 7.5 onward).


The latest versions of the KnownConfigs.XML files can be found at the following links:

    • SecureDoc Device KnownConfigs.XML File for SES V8.2 And Later- Download the

latest version of this here: File-for-SES-V8-2-Download-the-latest-version-of-this-here

    • SecureDoc Device KnownConfigs.XML File for SES V7.5 - Download the latest

version of this here: SES-V7-5-Download-the-latest-version-of-this-here


The contents of the KnownConfigs.XML file are reserved to be developed and advanced by WinMagic solely. While customers might consider enhancing it, WinMagic cannot be held responsible for issues that might arise from such modifications and may (at its sole discretion) levy an additional support charge to any customers that encounter support issues that can be traced back non-sanctioned customer-initiated changes to KnownConfigs.XML.
WinMagic welcomes customer ideas and suggestions on how KnownConfigs.XML can be extended and improved, but WinMagic reserves the sole right to test, approve and to publish any changes to KnownConfigs.XML that it deems to be in the broader customer interest, and makes no commitment to act upon or publish all, or indeed any customer-recommended changes.

Version 9.0 SR1

Which customers should upgrade to 9.0 SR1?
is a general upgrade to the SecureDoc Enterprise Server and SecureDoc Client products and incorporates important new functionality to support MagicEndpoint and MagicEndpoint IdP, WinMagic’s new advanced authentication client functionality and Identity Provider, respectively, as well as supporting Azure AD.

Any customers can safely upgrade to 9.0SR1.

NOTE: Any customers wishing to use Microsoft Azure AD (as opposed an on-premises Active Directory) must upgrade to V9.0 (or higher). Azure AD is not supported on earlier versions of SecureDoc Enterprise Server. 

Any Azure AD-joined Devices must be either initially installed using V9.0, or any existing devices that will be joined to an Azure AD must be upgraded to the V9.0 (or later) client software before being joined to the Azure Active Directory.


How to Install/Upgrade

Customers with an active support plan should contact to receive the latest download link for their SecureDoc upgrade. 


New Features

SD-41866, SD-41804, SD-41778 SecureDoc adds Out-of-Band Phone-based authentication to Remoted-to Desktop during RDP Session.

Issue: WinMagic is seeking a means to ensure that easy, yet powerful multi-factor authentication is available for endpoint devices the user accesses using RDP (Remote Desktop Protocol).

Solution: With this major improvement, SecureDoc-protected endpoint devices that can be remoted-to using RDP can prompt the user to authorize the authentication to the remoted-to endpoint using his/her phone.

This solution makes use of a combination of WinMagic Credential Provider on the remoted-to device and the WinMagic IdP (Identity Provider) server requesting and processing/returning the user's confirmation/authorization from the user's phone which is running the WinMagic Authenticator app.



SD-38651 SecureDoc and SES can now create TPM-protected Key Files

Issue: WinMagic is constantly striving to improve SecureDoc Client Security, while at the same time easing and improving User Experience.

Solution: SecureDoc and SES can now create and manage TPM-protected Key Files on endpoint devices.
This process utilizes the public part of the TPM key which can be stored within SES, and which can be used in a more complex protection scheme which can ultimately be unlocked by the user entering a simple (e.g. 6 character minimum) PIN whose scope remains local to the device (e.g. the PIN is not transmitted to nor stored in the Serve

SD-38827 The SecureDoc Profile now offers options to define TPM-protected Key Files

Issue: Customers are always seeking the strongest protection possible for Pre-Boot Authentication.

Solution: The SecureDoc Profile now permits customers to define whether (and how) users can convert to a TPM+PIN protected Key File.

SD-40003 User Interface has been improved where SecureDoc Pre-Boot detects a touch-screen interface that requires calibration before use.

Issue: Where customers are using a touch-screen interface (e.g. Microsoft Touch), SecureDoc Pre-Boot needs to be "trained" to understand and calibrate the touch-screen relative to the UI elements presented on it.

Solution: Prior to the Calibration process being launched, a new message will appear on-screen, after which the user is guided through the touch-screen calibration process.

SD-41799 SecureDoc 9.0SR1 now contains the 8.7 Crypto Engine

Issue: Previous versions of SecureDoc used crypto engine 7.2.

Solution: SecureDoc 9.0SR1 introduces the use of the 8.7 Crypto Engine.

SD-41815 A new report has been added to the SESWeb Reports functionality, showing Users by Role.

Issue: In previous versions, it was not readily possible to obtain a list of users indicating the role(s) they have within SES.

Solution: This oversight has been corrected in this version, and a new Users by Role report is available in the User reports panel.

SD-42228 Client Communication attempts following failed communication are now limited to three retry attempts.

Issue: Where a client device is unable to communicate with the server, the device will continue to retry communication every minute until either successful or until the next communication cycle begins. This burdens the client's communication stack unnecessarily, particularly where the client's connectivity or location does not permit communications in general. .

Solution: Client Communication attempts to the Server - following failed communication - are now limited to three retry attempts after which, if unable to communicate, the device will not re-attempt until next scheduled communication cycle.




Resolved Issues

SD-40107 SES Logs have been improved to provide greater detail as to the purpose of commands

Issue: Where a customer wishes to review logs from SES (for example to track if the temp autoboot command was applied to a device using the SES Web console), the log typically would show something like: "The creation of the command "Cmd[05df765c9397508f]" for computer "SE1LAP7513457", which lacks context as to the purpose of the command. This differs from effectively the same command when it originates in the SES Console, where the log text looks like: "The creation of the command "Activate auto-boot on SES Cmd" for computer "SE1LAP7513457"

Solution: These two log entries are now harmonized to look the same, regardless which console gave rise to the command being sent to the endpoint device.




SD-41878 Bluetooth Low Energy phone-based authentication cannot be performed at SecureDoc Pre-Boot, but can be at Windows if using SecureDoc Credential Provider

Issue: In this version there is no support for Bluetooth Low Energy-based Phone authentication at SecureDoc Pre- Boot

Solution: Any devices on which the Key File is defined for BLE Authentication will present a request at Pre-Boot for the user to enter the Alternate Password (which must have been previously configured for that Key File). Once the device has loaded Windows, the user can then use Bluetooth Low-Energy (BLE) phone-based authentication at Windows using the same Key File.

SD-42310 SecureDoc Key Files protected with a Bluetooth/Phone based token do not support Two-Factor Authentication

Issue: Where phone-protected login takes place, or where using standard login to phone-protected key files (e.g., the user enters User name and just presses OK (without having entered a password or PIN) then when WinMagic Authenticator prompts the user and/or asks for authorization to complete the login, then any User Experience aspects that prompt for 2-factor authentication using Bluetooth will not appear, since phone-based login is already a 2-factor login.

Solution: Where using SecureDoc Key Files protected with a Bluetooth/Phone based token, the SecureDoc Client on the device will not prompt for any further 2-factor authentication elements/interaction.
Where using Push notifications to the phone, then the user must provide approval as the second factor.

SD-42387 Failed to register security key on Windows 7 device

Issue: If SecureDoc is deployed with an IdP List to a Windows 7 device, after the user has successfully logged into MagicEndpoint. the device will show as Online - Pending User Registration. However, if the user attempts to add a new security key (e.g. to strengthen authentication to (say) Gmail), no security key is created, no dialog appears to prompt the user to select the security method, so finally no message appears indicating one was successfully created.

Solution: Customers who wish to use MagicEndpoint are (in general) advised to move off Windows 7 due to inherent issues and inherent lack of support in that operating system for base functionality required by MagicEndpoint.





Contacting WinMagic

5770 Hurontario Street, Suite 501
Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001
Human Resources:
Technical Support:
For information:
For billing inquiries:


This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young ( and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (

WinMagic would like to thank these developers for their software contributions.
© Copyright 1997 – 2022 by WinMagic Corp. All rights reserved.

Printed in Canada Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.

WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2022 WinMagic Corp. All rights reserved.

© Copyright 2022 WinMagic Corp. All rights reserved. This document is for informational purpose only. WinMagic Corp. makes NO WARRANTIES, expressed or implied, in this document. All specification stated herein are subject to change without notice.