SecureDoc V9.0 SR4


Release Notes


WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.

Please visit Knowledge Base Article 1397 for more information on End of Life and End of Support timelines for SecureDoc software releases.


About This Release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.


Release/EOL Dates

Details / Build Information

9.0 SR4

May 9, 2023
EOL: Mar 1, 2026

New Features, Improvements, and fixes (server/client)
Build# 9.0.400.60 (Server, all other clients), Build# 9.0003.103  (macOS)

9.0 SR3

March 2, 2023
EOL: Mar 1, 2026

New Features, Improvements, and fixes (server/client)
Build# 9.0.300.118 (Server, all other clients), Build# 9.0003.103 (macOS)

9.0 SR2

December 9, 2022
EOL: Dec 8, 2025

New Features, Improvements, and fixes (server/client)
Build# (Server, all other clients), Build# 9.0002.198 (macOS)

9.0 HF1

September 7, 2022
EOL: Mar 30, 2025

Hotfix containing improvements (see release notes)
Build# (Windows client installer only)

9.0 SR1

July 21st, 2022
EOL: Jul 21, 2025

New Features, Improvements, and fixes (server/client)
Build# (Server, all other clients), Build# 9.0001.73 (macOS)


March 31, 2022
EOL: Mar 30, 2025

New features, improvements and fixes (server/client)
Build# (Server, all other clients), Build# 9.000.1030 (macOS)

8.6 SR1 HF7

February 23rd, 2023
EOL: Sep 7, 2024

Fix for 8.6SR1 HF6 (client)
Build# ( Clients)

8.6 SR1

September 8th, 2021
EOL: Sep 7, 2024

New features, improvements and fixes (server/client)
Build# (Server, all other clients), Build# 8.6001.85 (macOS)


December 8th, 2020
EOL: Dec 7, 2023

New features, improvements and fixes (server/client)
Build# (Server, all other clients), Build# 8.6000.594 (macOS)

8.5 SR2

June 11th, 2020
EOL: Jun 10, 2023

New features, improvements and fixes (server/client)
Build# (Server, all other clients), Build# 8.5001.632 (macOS)

8.5 SR1

April 8th, 2020
EOL: Apr 7, 2023

New features, improvements and fixes (server/client)
Build# (Server, all other clients), Build# 8.5001.632 (macOS)


December 5th, 2019
EOL: Dec 4, 2022

New features, improvements and fixes (server/client)
Build# (Server, all other clients), Build# 8.5001.448 (macOS)


NOTE: End of Life date for Hotfixes is the same as the Version or Service Release upon which they are based.

Download the latest release notes for each version listed within Knowledge Base Article 1756.

System Requirements
If using features that use the TPM (e.g., MagicEndpoint, or other TPM-based authentication such as TPM protection for Key Files), devices must have TPM 2.0 – TPM 1.2 or earlier are not supported.

For server and client system requirements: For supported devices, drives, smartcards, and tokens:

Note: It is strongly recommended to initially install Full-Text Indexing feature (Full-Text Search) into the Database Engine, before performing an SES installation.
More information is available here:

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of Full-Text Indexing. This message does not give the user the option to stop the installation of SES, so Full-Text Indexing will then have to be retrofitted into the existing SQL Server.

Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g., Admin desktop) on which it runs for the console to function properly.

Client OS Support

Devices utilizing MagicEndpoint authentication must have Windows 10 or 11 – Windows 7 is not supported.
For a detailed view of which specific versions of SecureDoc are supported under various versions of Windows, macOS or Linux: See:

Mobile Token-based authentication using Bluetooth is not supported on any pre-Windows 10 Operating Systems.


The KnownConfigs.XML File

Customers are strongly advised to download the most current KnownConfigs.XML file, then replace the current version (if older) in the SES Application folders and Installation Packages.

WinMagic strongly recommends that you seek out the most up-to-date version of the KnownConfigs.XML file and incorporate it into your SES implementation on a regular basis (e.g., monthly). This will help ensure your SES Version will take advantage of new client installation override settings that have been added since the version of the KnownConfigs.XML file that came with your version of SES. This will improve installation success on any new device makes/models you might purchase since installing SES, utilizing the new special settings available in newer versions of this file.
Customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files, then check that document (e.g., on a monthly basis) for updates to this file, then use the new version to replace all versions of the KnownConfigs.XML file in their SES Implementation folder structure. For example:

  1. Position Windows Explorer to: C:\Program Files (x86)\WinMagic\SDDB-NT, then
  2. Search for files like *.xml.
  3. Sort the resulting search list by name
  4. In each directory where a KnownConfigs.XML file is found, replace it with the new one that you have downloaded from the WinMagic Knowledge Base article.
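
The four steps above can be scripted. The following PowerShell function is an added example, not WinMagic code: it finds every KnownConfigs.XML under the SES folder, compares SHA-256 hashes, keeps a timestamped backup and replaces only the copies that differ. The function name, the default root (the SDDB-NT folder from step 1, assumed to sit under Program Files (x86)), the download path and the well-formedness check are assumptions.

```powershell
# Added example: replace every KnownConfigs.XML under the SES folder with a downloaded copy.
# $SesRoot and $NewFile are assumptions; adjust them to your installation and download location.
function Update-KnownConfigs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SesRoot = 'C:\Program Files (x86)\WinMagic\SDDB-NT',
        [Parameter(Mandatory)][string]$NewFile
    )

    # Refuse to distribute a file that is not well-formed XML (e.g. a truncated download).
    try { [xml](Get-Content -LiteralPath $NewFile -Raw) | Out-Null }
    catch { throw "Downloaded file is not well-formed XML: $NewFile" }

    $newHash = (Get-FileHash -LiteralPath $NewFile -Algorithm SHA256).Hash
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

    Get-ChildItem -LiteralPath $SesRoot -Recurse -File -Filter 'KnownConfigs.xml' |
        Sort-Object FullName |
        ForEach-Object {
            $oldHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $action  = 'AlreadyCurrent'
            if ($oldHash -ne $newHash -and
                $PSCmdlet.ShouldProcess($_.FullName, 'Replace KnownConfigs.XML')) {
                # Keep the previous copy beside the new one so the change can be rolled back.
                Copy-Item -LiteralPath $_.FullName -Destination "$($_.FullName).$stamp.bak"
                Copy-Item -LiteralPath $NewFile -Destination $_.FullName -Force
                $action = 'Replaced'
            } elseif ($oldHash -ne $newHash) {
                $action = 'WouldReplace'   # -WhatIf was given or the prompt was declined
            }
            [pscustomobject]@{ Path = $_.FullName; OldSha256 = $oldHash; Action = $action }
        }
}

# Dry run first, then repeat without -WhatIf from an elevated prompt:
# Update-KnownConfigs -NewFile "$env:USERPROFILE\Downloads\KnownConfigs.xml" -WhatIf
```

The returned objects give a per-directory record of which copies were out of date, which can be kept with the monthly check.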

Additional information can be found here: Installing or updating the KnownConfigs.xml file (Applies to SES from Version 7.5 onward).


The latest versions of the KnownConfigs.XML files can be found at the following links:

    • SecureDoc Device KnownConfigs.XML File for SES V8.2 And Later - Download the latest version of this here

    • SecureDoc Device KnownConfigs.XML File for SES V7.5 - Download the latest version of this here


The contents of the KnownConfigs.XML file are reserved to be developed and advanced by WinMagic solely. While customers might consider enhancing it, WinMagic cannot be held responsible for issues that might arise from such modifications and may (at its sole discretion) levy an additional support charge to any customers that encounter support issues that can be traced back to non-sanctioned customer-initiated changes to KnownConfigs.XML.
WinMagic welcomes customer ideas and suggestions on how KnownConfigs.XML can be extended and improved, but WinMagic reserves the sole right to test, approve and to publish any changes to KnownConfigs.XML that it deems to be in the broader customer interest, and makes no commitment to act upon or publish all, or indeed any customer-recommended changes. 

Version 9.0 SR4


For customers deploying 9.0SR4 to devices containing Self Encrypting Drives (SEDs), if you encounter any unexpected messages indicating that SecureDoc Installation is not proceeding on such a device, please contact WinMagic Support for assistance.  

The Windows Essentials Profile and Installation Package types are no longer supported

Issue: The Windows Essentials licensed client type is being discontinued.  Windows Essentials was a slimmed down version of the SecureDoc Windows client which supported management of BitLocker encryption while including several key SecureDoc features.  Lack of uptake of this client type in the market necessitates its removal to streamline product offerings.

Solution: The Windows Essentials profile and Installation Package types are no longer supported, and these profile/package types will no longer be available to create or deploy to endpoints.

Note: Due to the extent of the documentation that is affected, documentation relating to this Profile and Installation Package type will still exist in this version but will be fully removed in the V9.1 documentation coming later this year.  Customers are asked to ignore any references to Essentials in the documentation in the meantime.

Affected Tickets: SD-43817 

Which customers should upgrade to 9.0SR4?
Version 9.0SR4 is a Service Release upgrade to the SecureDoc Enterprise Client and Server.
All customers can safely upgrade to 9.0SR4, and it is recommended that they do so.
Why upgrade?

NOTE: Any customers wishing to use Microsoft Azure AD (as opposed to an on-premises Active Directory) must upgrade to V9.0 (or higher). Azure AD is not supported on earlier versions of SecureDoc Enterprise Server.

Devices that are to be Azure AD-joined must either be initially installed using V9.0 or, if they are existing devices, be upgraded to the V9.0 (or later) client software before being joined to the Azure Active Directory.

NOTE: The SecureDoc installer no longer supports installation on macOS Mojave. Version 9.0SR2 ends support for macOS Mojave, and as a result the macOS Mojave target has been removed from the SecureDoc executables framework, installation, and run-time scripts.

IMPORTANT: For customers wishing to utilize SecureDoc’s Bluetooth Low Energy mobile device-based authentication at Pre-Boot:
1 - The device Profile must specify the Linux-based Pre-Boot for UEFI devices – termed as PBLU in this documentation.  Phone-based authentication (whether using Bluetooth Low Energy communication or network-based communication) does not work with
2 – Bluetooth must be enabled in the endpoint computer’s hardware configuration (BIOS or UEFI settings), as use of Bluetooth Low Energy mobile device-based authentication is a compelling security feature.

NOTE: These release notes are presented in a new format compared to prior releases. a) Rather than leading with the ticket number(s), these will include the ticket(s) at the end of each release note; b) Issues and improvements will be grouped into meaningful groups that discuss specific aspects of the product (e.g., Authentication, Server, client, and other groupings).


How to Install/Upgrade

Customers with an active support plan should contact to receive the latest download link for their SecureDoc upgrade. 


New Features

Authentication & Recovery

ThinkPad T14 Gen 3 devices could not connect to SDConnex at Pre-Boot, and were therefore unable to perform PBConnex network-brokered authentication.

Issue: Lenovo ThinkPad T14 Gen 3 devices contain a network card that was not represented in the firmware pack in previous versions of the SecureDoc client, with the result that such devices were unable to perform PBConnex network-brokered authentication because the network stack could not be activated due to missing firmware support for the network card in those devices.

Solution: The required firmware files are included in the V9.0SR4 firmware pack for the Linux-based Pre-Boot.  Customers encountering this issue should upgrade affected client devices to V9.0SR4.

Affected tickets: SD-44585 

Previous user name was displayed in the SecureDoc Pre-Boot Logon screen by default in 9.0 SR2 clients.

Issue:  A change introduced in 9.0 SR2 had endpoint devices defaulting to show the user name of the last user to have logged in at the SecureDoc Pre-Boot authentication screen.

Solution:  As of V9.0 SR4 the user name field will again default to being blank in the SecureDoc Pre-Boot authentication screen in all future versions.  Where customers wish to display the last-logged-in user name, the Administrator must manually add the following name-value pair in the SDSpace section of the Device Profile, as follows:



Affected tickets: SD-44068

A new feature permits users the ability to recover access and log into Windows using a One Time Password (OTP) provided on the user's Mobile Device.

Issue:  To assist users in authenticating to a SecureDoc-protected Endpoint, a means must be found to provide users the ability to recover and log into Windows using a One-Time Password (OTP) that is provided on their phone. 

Example use cases that support this need are:  Bluetooth Low Energy communication is not available/not enabled on the user's Mobile Device; User is offline; The Mobile Device's TPM isn’t available;

Solution:  This new feature permits users the ability to recover access and log into Windows using a One Time Password (OTP) provided on the user's Mobile Device. Once the user has keyed in this One Time Password at Pre-Boot, the user's SecureDoc-protected endpoint will boot into Windows.

Affected tickets: SD-43976




Provide support for Ubuntu 20.04

Issue: As the Linux OS and major Distros advance, SecureDoc must be updated to ensure compatibility with the updated OS/Distro.

Solution: This version now provides support for the latest version of Ubuntu 20.04.

Affected tickets: SD-44822, SD-44378

This Service Release now supports Ubuntu 22.04

Issue: Previous versions did not fully support Ubuntu 22.04 due to numerous Kernel and support library changes required.

Solution: This Service Release now supports Ubuntu 22.04 and has been tested on both Desktop and Server versions.
Affected tickets: SD-41652 

SaaS – Software as a Service




SecureDoc Console or SESWeb Console


SecureDoc Client - Linux


SecureDoc Client - Windows


SecureDoc Client - macOS


Authentication & Recovery

SecureDoc's Linux-based Pre-Boot (PBLU) now supports token key file protection utilizing 256-bit ECC certificates on YubiKeys.

Issue:  Yubico's Yubikey supports a 256-bit ECC certificate that had previously not been supported under SecureDoc's Linux-based Pre-Boot (PBLU).

Solution:  SecureDoc's Linux-based Pre-Boot (PBLU) now supports the Yubikey 256-bit ECC certificate, and further performs a validation check at Boot Logon that halts authentication into the system when the 256-bit ECC certificate on the YubiKey has expired.

Affected tickets: SD-44244, SD-44246, SD-44250


Resolved Issues


Authentication & Recovery

An issue in the 9.0 version (and 9.0 SRx Service Releases prior to 9.0 SR4) that prevented Auto-login when using Key File on Token with Token present during Pre-Boot has been resolved.

Issue:  A customer that had been using special-function headless/keyboardless devices found that upon installing V9.0 or its service releases up to 9.0SR3 were no longer able to get these devices to auto-login when using Key File on Token with the token present/inserted during SecureDoc Pre-Boot.  Instead, such devices would stop at Pre-Boot and await entry of a PIN or other authorization.

Solution:  This issue has been corrected in this Service Release, 9.0 SR4, and such devices will again successfully auto-login at Pre-Boot.

Affected tickets: SD-44523

On specific endpoint devices the TouchPad did not work in versions from V9.0 onward.

Issue:  This issue may have arisen due to the addition of support in V8.0 for ECC YubiKey tokens, followed by a kernel change in V9.0SR3 which might not have supported the touchpad in the same way.  On these devices, the Keyboard/Touchscreen works fine, but the TouchPad does not work anymore, whereas it was working on builds prior to V9.0.  The exact Brand and Model of devices affected was “DELL Latitude 7320 Detachable”, though this might have affected other device types.

Solution:  This issue has been corrected in V9.0SR4, and the touchpad will work correctly on affected devices.

Affected tickets: SD-44503

An issue could occur where installation of SecureDoc client could remove all network settings in the Registry, replacing them only with the SecureDoc Password Sync network.

Issue:  When SecureDoc is installed, it adds the PasswordSynchronizer definition to the Order sub element, then copies the entire element contents to HwOrder.  If Order is missing, it is created and PasswordSynchronizer is added to it, and the now nearly-empty Order sub-element is used to replace the HwOrder element by Windows upon reboot, wiping out all network configurations that existed in it. 

Details: Normally, in the Registry Hive, under:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\ there will typically be both Order and HwOrder sub elements. These are typically identical. In some cases, devices may have only the HwOrder sub element, and the Order element is missing.

Solution:  The absence of the Order sub-element is unusual, and affects only certain devices.  To ensure this cannot occur in the future, if the Order sub-element is missing, SecureDoc V9.0SR4 will create it, copy the entire contents of the HwOrder sub-element to it, and only then add the PasswordSynchronizer definition. In this way, upon reboot when Order is copied to HwOrder, all current network configurations will continue to exist in HwOrder.

Affected tickets: SD-44230
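
A read-only check for the condition described above, useful before deploying a client older than V9.0SR4 or when triaging a device that lost its network providers. This is an added example, not WinMagic code; the function name and the test key are hypothetical, and ProviderOrder is the standard Windows value name that holds the provider list under both Order and HwOrder.

```powershell
# Added example: report whether Order is missing or lacks providers that HwOrder still lists.
function Test-NetworkProviderOrder {
    param(
        # Parameterised so the function can be pointed at a test key instead of the live hive.
        [string]$BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider'
    )

    # Returns the comma-separated provider list as an array, or $null if key or value is absent.
    $read = {
        param($sub)
        $key = Join-Path $BasePath $sub
        if (-not (Test-Path -LiteralPath $key)) { return $null }
        $v = (Get-ItemProperty -LiteralPath $key -Name ProviderOrder `
                -ErrorAction SilentlyContinue).ProviderOrder
        if ($null -eq $v) { return $null }
        ,@($v -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    $order   = & $read 'Order'
    $hwOrder = & $read 'HwOrder'

    # Providers that would disappear if Order replaced HwOrder in its current state.
    $missing = @()
    if ($null -ne $hwOrder) {
        $missing = @($hwOrder | Where-Object { $order -notcontains $_ })
    }

    [pscustomobject]@{
        OrderPresent     = $null -ne $order
        HwOrderPresent   = $null -ne $hwOrder
        Order            = $order -join ','
        HwOrder          = $hwOrder -join ','
        MissingFromOrder = $missing -join ','
        HasPasswordSync  = $order -contains 'PasswordSynchronizer'
        AtRisk           = ($null -eq $order -and $null -ne $hwOrder) -or ($missing.Count -gt 0)
    }
}

# Constructed fixture (hypothetical HKCU key) reproducing the "Order missing" case:
# New-Item -Path 'HKCU:\Software\SdDemo\HwOrder' -Force | Out-Null
# New-ItemProperty -Path 'HKCU:\Software\SdDemo\HwOrder' -Name ProviderOrder `
#     -Value 'RDPNP,LanmanWorkstation,webclient' | Out-Null
# Test-NetworkProviderOrder -BasePath 'HKCU:\Software\SdDemo'   # AtRisk = True
# Test-NetworkProviderOrder | Format-List                       # live check
```

A device reporting OrderPresent = False with HwOrderPresent = True matches the configuration this fix addresses.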

In prior versions running on HP ProBook 450 G8, SecureDoc's Pre-Boot (both native Pre-Boot for UEFI and Linux-based Pre-Boot for UEFI devices) was unable to detect the on-board wireless Network Interface (NIC), making PBConnex-based authentication impossible over Wi-Fi.

Issue:  Customers were unable to use Wi-Fi-based PBConnex because, on HP ProBook 450 G8 devices running prior SecureDoc versions, SecureDoc's Pre-Boot (both native Pre-Boot for UEFI and Linux-based Pre-Boot for UEFI devices) was unable to detect the on-board wireless Network Interface (NIC).

Solution:  This issue has been corrected in this version which now contains the needed firmware for these NIC devices, and customers using Wi-Fi-based PBConnex on HP ProBook 450 G8 devices will be able to use Pre-Boot and PBConnex on both native Pre-Boot for UEFI and Linux-based Pre-Boot for UEFI devices.

Affected tickets: SD-41938




IMPORTANT: Mobile Token-based authentication using Bluetooth is not supported on any pre-Windows 10 Operating Systems.


SES Console or SESWeb Console


MacOS Devices




Authentication – Remote Desktop



Contacting WinMagic

5770 Hurontario Street, Suite 501
Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001


This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young, and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.

WinMagic would like to thank these developers for their software contributions.
© Copyright 1997 – 2023 by WinMagic Corp. All rights reserved.

Printed in Canada

Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.

WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, SecureDoc Cloud Lite, MagicEndpoint and MagicEndpoint FIDO Eazy are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2023 WinMagic Corp. All rights reserved.

© Copyright 2023 WinMagic Corp. All rights reserved. This document is for informational purpose only. WinMagic Corp. makes NO WARRANTIES, expressed or implied, in this document. All specification stated herein are subject to change without notice.