SecureDoc v9

SecureDoc V9.0

9.0.000.1047
Release Notes

SecureDoc Support

WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.

Please visit Knowledge Base Article 1397 for more information on End of Life and End of Support timelines for SecureDoc software releases.

Customers running SecureDoc 6.5 and earlier should upgrade their server and clients to an actively supported software version. For more information on upgrading from SecureDoc 6.5 and earlier, please visit http://downloads.winmagic.info/SD8.2SR1/HF2/Release_Notes_8.2SR1HF2.pdf.

About This Release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.

Previous Versions

Version	Release Date	Details
8.6 SR1	September 8th, 2021	New features, improvements and fixes (server/client)
8.6	December 8th, 2020	New features, improvements and fixes (server/client)
8.5	December 5th, 2019	New features, improvements and fixes (server/client)
8.5 SR1	April 8th, 2020	New features, improvements and fixes (server/client)
8.5 SR2	June 11th, 2020	New features, improvements and fixes (server/client)

Download the latest release notes for each version listed within Knowledge Base Article 1756.

System Requirements
For server and client system requirements: https://winmagic.com/support/technical-specifications
For supported devices, drives, smartcards and tokens: https://winmagic.com/device-compatibility

Note: It is strongly recommended to initially install Full-Text Indexing feature (Full-Text Search) into the Database Engine, before performing an SES installation.
More information is available here: http://msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX
During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of the Full-Text Indexing. This message will not allow the user to stop the installation of SES which will require retrofitting Full-Text Indexing into an existing SQL Server.

Note: Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g. Admin desktop) on which it runs, in order for the console to function properly

Client OS Support
For a detailed view of which specific versions of SecureDoc are supported under various versions of Windows, macOS or Linux: See: https://winmagic.com/support/technical-specifications

The KnownConfigs.XML File

Customers are strongly advised to download the most current KnownConfigs.XML file, then replace the current version (if older) in the SES Application folders and
Installation Packages.

WinMagic strongly recommends that you seek out the most up-to-date version of the KnownConfigs.XML file and incorporate it into your SES implementation on a regular basis (e.g., monthly). This will help ensure your SES Version will take advantage of new client installation override settings that have been added since the version of the KnownConfigs.XML file that came with your version of SES. This will improve installation success on any new device makes/models you might purchase since installing SES, utilizing the new special settings available in newer versions of this file.
Customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files, then check that document (e.g., on a monthly basis) for updates to this file, then use the new version to replace all versions of the KnownConfigs.XML file in their SES Implementation folder structure. For example:

1. Position Windows Explorer to: c:\Program Files(x8)\WinMagic\SDDB-NT, then
2. Search for files like *.xml.
3. Sort the resulting search list by name
4. In each directory where a KnownConfigs.XML file is found, replace it with the new one that you have downloaded from the WinMagic Knowledge Base article.

Additional information can be found here: Installing or updating the KnownConfigs.xml file (Applies to SES from Version 7.5 onward).

The latest versions of the KnownConfigs.XML files can be found at the following links:

SecureDoc Device KnownConfigs.XML File for SES V8.2 And Later- Download the

latest version of this here: https://na80.salesforce.com/articles/Service/SecureDoc-Device-KnownConfigs-XML-File-for-SES-V8-2-Download-the-latest-version-of-this-here

SecureDoc Device KnownConfigs.XML File for SES V7.5 - Download the latest

version of this here: https://na80.salesforce.com/articles/Service/SecureDoc-Device-KnownConfigs-XML-File-for-SES-V7-5-Download-the-latest-version-of-this-here

The contents of the KnownConfigs.XML file are reserved to be developed and advanced by WinMagic solely. While customers might consider enhancing it, WinMagic cannot be held responsible for issues that might arise from such modifications and may (at its sole discretion) levy an additional support charge to any customers that encounter support issues that can be traced back non-sanctioned customer-initiated changes to KnownConfigs.XML.
WinMagic welcomes customer ideas and suggestions on how KnownConfigs.XML can be extended and improved, but WinMagic reserves the sole right to test, approve and to publish any changes to KnownConfigs.XML that it deems to be in the broader customer interest, and makes no commitment to act upon or publish all, or indeed any customer-recommended changes.

Version 9.0

Which customers should upgrade to 9.0?
Version 9.0 is a general upgrade to the SecureDoc Enterprise Server and SecureDoc Client products and incorporates important new functionality to support MagicEndpoint and MagicEndpoint IdP, WinMagic’s new advanced authentication client functionality and Identity Provider, respectively.

Any customers can safely upgrade to 9.0.

NOTE: Any customers wishing to use Microsoft Azure AD (as opposed an on-premises Active Directory) must upgrade to V9.0. Azure AD is not supported on earlier versions of SecureDoc Enterprise Server.

Any Azure AD-joined Devices must be either initially installed using V9.0, or any existing devices that will be joined to an Azure AD must be upgraded to the V9.0 (or later) client software before being joined to the Azure Active Directory.

How to Install/Upgrade

Customers with an active support plan should contact support@winmagic.com to receive the latest download link for their SecureDoc upgrade.

New Features

SD-23569: Access to the F3 troubleshooting page at Pre-Boot enforces user ID if configured in the profile

Where customers have chosen the "Force user to enter a UserID at preboot" option, previously pre-boot did not
require the user to enter a valid User ID before allowing access to the “F3” technical information screen.

Beginning with 8.6 SR1, if the above option is enabled in the profile, users will be required to enter a valid User ID before they are able to gain access to this screen. After entering a valid User ID, the F3 functionality will be accessible.

Improvements

SD-22456 A new option permits Administrators to elect to have a device produce debug logs (at a defined level of detail) to be retained for 48 hours

Issue: While installing or upgrading the SecureDoc Client software on a given device will generate debug-level logs that can be retained for a fixed period of time (to troubleshoot installations and upgrades), where a given device is exhibiting unusual behavior that occurs sporadically, it is often difficult to "trap" a period of time where the behavior is manifested.

Solution: With this change a device can be made to generate Debug logs at the desired degree of detail, and have those logs remain accessible (and downloadable) for a period of 48 hours.

This functionality can be triggered either from settings within the SecureDoc Client Control Center application, or by applying Registry settings on the device.

SD-23635 - SecureDoc Pre-Boot now supports 4K Native sector size (e.g. for NVMe drives)

Issue: In previous versions, the VHD driver assumed that the size of the physical sector of the disk is 512 bytes and issues 512-bytes IO calls, making the VHD driver incompatible with disks having a 4K sector size.

Solution: With this version, SecureDoc can be installed (and its VHDX file) can be built on a disk that is 512b, or 4k, or anything else.

SD-27649 An issue affecting HP EliteDesk 800 G2 & G3 models has been resolved

Issue: These HP model workstations would shut down automatically when the monitor (connected via Display Port) was turned off.

Solution: This issue has been corrected - these models will remain running when the monitor is turned off.

SD-29473 Re-enforce Permanent Auto-boot following SecureDoc Client Software upgrade.

Issue: Customers have encountered that, when using Permanent Auto-boot on Windows endpoint devices, following an upgrade of the SecureDoc Windows Client software the Permanent Auto-boot fails.
Since users are used to Permanent Autoboot, and given that the users may not even have a personal Key File on the device, the impact of this was felt by customer support teams having to field support calls for users who could not get to Windows.

Solution: To make upgrades more robust, the upgrade has been improved so that when the device registers and imports the profile, if said profile is configured to use permanent autoboot, then a NEW auto-boot key file is issued to the device before the device reboots.

SD-30821 An improved method has been created for collecting Pre-Boot Logs that does not require use of USB media.

Issue: Complexities surrounding the capture of Logs during a PBU Pre-Boot (Pre-Boot for Native UEFI devices) had become a concern for customers, particularly where the only way to get the logs was through use of a USB stick.
Certain customers have Boot Logon Debugging set to default to 5 (maximum detail) to write full-detail logging information on all devices, but this can be minimized (on extraction to a USB memory stick) to a lower level of logging if the WMUEFI.INI file in the USB device specifies a lower level of logging.

Solution: NOTE: At this time, this solution is only partially applied, affecting only PBU Pre-Boot on devices using software-based encryption.
PBU will save its own Debug Log (defined at the logging level set in the SecureDoc Control Center) in the drive's system partition, and following boot to Windows the device will copy the logs to the UserData folder, where they can be aggregated (at the defined detail level) with the other logs when Support runs the log aggregation script.
The process to draw such logs onto a USB memory stick remains the same. and the WMUEFI.INI file in the USB media will continue to define the level of logging to be extracted to the USB media.

SD-32749 IPV6 Communication settings can now be configured for all Windows Client Profiles, at Pre-Boot, as well as within Client Control Center and in SES Internal communication settings

Issue: Customers require IPV6 configuration settings for SES and SES-managed client devices, as well as to define communication settings within the elements of SES.

Solution: IPV6-format Network addresses can now be configured in all areas of SES, as well as for Windows, macOS, Linux, server and cloud-hosted endpoints/servers configurations, such as via Device Profiles, SDForm (used in Client installation), SDService, WinPin, SecureDoc Control Center (on the Client).

SD-32774 SecureDoc Icon remains dark when macOS desktop is change to Dark Mode, making icon difficult to see

Issue: If the user changes the macOS desktop to utilize the Dark Mode setting, the SecureDoc menu icon would remain as black characters in the menu bar, making it difficult to find.

Solution: Now, the SecureDoc menu icon in the Menu bar will become white on dark when the macOS desktop is in Dark Mode.

SD-32817 (and others, see ticket) New feature provides Hardware Reset feature to securely lock Self-Encrypting Drives upon Warm Reboot

Issue: Due to the nature of OPAL SED management, these disk drives will remain in an unlocked state if their host devices are warm-rebooted. Although a useful feature, it also constitutes a security vulnerability since devices could be subjected to a "Forced Restart Attack" (see article: "4 SED Attacks and How to Mitigate Them" at https://winmagic.com/blog/4-sed-attacks-and-how-to-mitigate-them/).

To combat this vulnerability, it is possible to leverage the Hardware Reset drive firmware feature which will, when enabled, force the OPAL SED to lock upon Warm Reboot of the device.

Solution: WinMagic has incorporated functionality into the Device Profile in this version to support such a Hardware Reset, which will force devices to go through full Pre-Boot Authentication upon warm reboot.

To ensure that WinMagic customers aren't being forced to have this feature enabled by default, a new flag in SDProfile.spf informs the SecureDoc client during deployment as to whether or not it should attempt to enable the Hardware Reset feature on a supported OPAL SED.

To enable this functionality, manually add the following section and settings clause to the Profile's .SPF file.
[SED]
SEDHardResetEnable=1

SD-33376 AES-NI functionality for endpoint devices is now enabled by default, and the option to enable/disable it has been removed from the SES Console Profile definition panel.

Issue: The use of AES-NI functionality, which utilizes a FIPS-approved set of Crypto instructions built into modern processors, had become mainstream several years ago.

Solution: To simplify the Device Profile UI, in this version this (now unnecessary) decision point is being removed from the Windows Profile. Instead, this function will be enabled by default, and the checkbox that enables/disables this functionality has been removed.

NOTE: This is a zero-impact change. Where a given processor does not support AES-NI, the setting is ignored anyway, and WinMagic sees no reason customers with modern AES-NI-capable processors would wish to forgo the advantage of processing speed gains provided by AES-NI.

SD-34096 64-bit driver support has been added for eToken 5110 tokens

Issue: SecureDoc's 64-bit Pre-Boot Kernel needs to support as many tokens as possible, and there is a pressing need among customers for support for the eToken 5110.

Solution: As a part of WinMagic's drive to standardize on a 64-bit Pre-Boot, the eToken 5110 token now has 64-bit driver support within the SecureDoc Pre-Boot Kernel.

SD-34507 - SESWeb console can now create and modify Windows Enterprise Client Installation package information.

As SESWeb moves toward feature parity with the SES Console, Version 9.0 of SES now offers the ability to create and modify Windows Enterprise Client Installation packages.

SD-34822 Issue using embedded Card Reader at SecureDoc V8.3 Pre-Boot on DELL Latitude 5500 has been corrected

Issue: SecureDoc V8.3 had been unable to connect with and use the embedded Card Readers found in DELL Latitude 5500 series devices from within the SecureDoc Pre-Boot environment.

Solution: This issue has been corrected, and the SecureDoc V9.0 client software can use these card readers at Pre-Boot.

SD-35722, SD-23635 The SecureDoc client has been updated to handle 4k native disk cluster sizes in SDSpace, and to support PBU and PBL pre-boot.

4k native boot disk is only supported on devices that use UEFI (not Legacy BIOS). It does not work on legacy boot devices, and currently works only with Self Encrypting Drives (SEDs) and BitLocker.

SD-35813 The Kernel used in the Surface installer package in earlier versions of SecureDoc did not support newer Surface models such as Surface Pro 7

Issue: The SecureDoc Pre-Boot Kernel used in the Surface installer package in earlier versions of SecureDoc did not support newer Surface models (such as Surface Pro 7).

Solution: The SecureDoc Pre-Boot Kernel has been updated in SES V9.0 to ensure greatest support for newer Surface models.

SD-36547 SecureDoc for Linux clients now support token-based Authentication at Pre-Boot

Issue: SecureDoc has long supported Token-based Key File authentication for Windows endpoints at Pre-Boot.

Solution: This version adds support for Token-based Key File authentication for physical or virtualized (but not Cloud-hosted) Linux endpoints at Pre-Boot. Virtualized clients must have access during pre-Boot to the host's USB port into which the Token has been inserted.

SD-36666 Administrators will now be warned if attempting to apply a Device Profile against all devices in a Folder

Issues: Some customers have encountered greater than desired device changes when using the SES Console and SESWeb options to apply a Profile to a Folder (and all its subfolders).

Solution: This issue was due to not realizing that this change applies to folders and subfolders. To clarify that this is by design, both the SES Console and the SESWeb console now present messages that articulate how many devices will be affected by an attempt to apply a Device Profile to all devices in a folder (and its subfolders), allowing the Administrator to understand the breadth of the change before accepting it, and allowing the Administrator to cancel/back out of the change before submitting.

SD-36698, SD-36625 SecureDoc for Mac installation now warns standard-rights user to use elevated-rights user account for installation

Due to limitations in recent macOS operating system versions, installation must be performed by a user account that has elevated rights. If a standard-rights account is detected, the installation will indicate this in a message box, after which it can be terminated so that it can be retried under an elevated-rights account.

SD-36934 The option "Encrypt after xx seconds" was still accessible, even where Administrators had defined device profile settings "Allow user to change the default media encryption settings" and "Encrypted media can be accessed with a password" as both enabled.

Issue: The device profile options "Allow user to change the default media encryption settings" and "Encrypted media can be accessed with a password", when enabled, stipulate that the user must perform some steps before media encryption can begin, therefore these options run counter to the idea of enabling automatic encryption through use of the "Encrypt after xx seconds" (which, when used triggers a countdown during which the user can only remove the media before it starts to be encrypted, or by leaving the media plugged in, it will automatically be encrypted. Customers had found these contradictory behaviors confusing.

Solution: WinMagic has removed the confusion relating to these contradictory options. The option entitled: "Encrypt after xx seconds" will no longer be accessible if the Administrator has chosen either of the contradictory options mentioned above.

SD-37382, SD-37381 SecureDoc Key Files now support both Token-based authentication and Auxiliary Password-based authentication

SecureDoc Enterprise Server will now support a new GUI option that permits Administrators to (optionally) define the use of the user's Password as an Auxiliary Password for Token-Based key files.

SES will maintain a per-device flag that indicates whether token-protected Key Files work on that specific device.

This flag is sent from a client when a user successfully logs in at pre-boot with his or her token-based KF (here we assume any the other users will works with their own token-based KF at pre-boot, on this specific client device, since in general same token protection is set in profile)

SES will differentiate on the KF created per-user when propagating user's Key File.
SES can only generate such token-based Key Files with Auxiliary Password under the following conditions:
- availability of per-user certificate
- availability of per-user password

Where a user's Authentication (and therefore Key File) on a given device has been successfully converted from Password to Token-based authentication, the user's certificate (public key) will be sent back to SES, so that SES can update and re-transmit a token-based Key File thereafter. Once the user has authenticated with token at pre-boot successfully, SecureDoc will remove the Auxiliary password. In case, there is token incompatibility with pre-boot - the user can use Auxiliary password to authenticate at pre-boot.

SD-37587, SD-37482 SecureDoc for macOS has been improved to permit users to use the Recovery Account again if they failed to set a new password

Issue: If macOS users forget their passwords and want to use WM recovery account to login at pre-boot, in previous versions if they failed to successfully set a new password after logging in using the Recovery Account, they could not do so again using the same Recovery Account password if the device was rebooted before a new personal password could be set.

Solution: In this version, users who fail to successfully set a new Password prior to rebooting the device (after having used the Recovery Account to log in) may use the same Recovery Account password in order to have a second chance to set a new password.

SD-37588 Delay rotation of FileVault 2 Recovery string until device can communicate with SDConnex and SES Server.

Issue: Where users forget their password, they will use the WinMagic recovery account to login to FIleVaul2 to on a macOS device. After the user logs in and sets a new password the device SecureDoc will rotate the recovery account to have a new password, and communicate that to SES.

However, if in the interim that device is no longer able to communicate with the SES server, then the new Recovery Account cannot be communicated and stored in the SES server.

Solution: With this improvement, the device will delay rotating the recovery account password until the next time it is successfully able to communicate to the SES server.

SD-37635 Upon logging in to a macOS device protected with SecureDoc for FileVault 2, an error message appears indicating the Recovery Account password can't be changed/rotated at this time.

Issue: Following login using the FileVault 2 Recovery Account, the following message appears: "The Recovery account password can't be set this time. Please try to Login as other User. Please inform your SecureDoc Administrator that setting Recovery password failed. ". Upon logging out then logging in with another user account, once SecureDoc starts normally and communication with server has completed, it was noted that instead of rotating automatically to a new value, the WinMagic recovery password remained as it was before the above scenario. If the Administrator tried to send down a remote command to force-change the recovery password, Error 0x1 occurred while parsing the remote command data.

Background: After investigation, WinMagic found out the root cause for the situation where the WinMagic recovery account cannot change its password is because this account is defined as SecureToken Disabled. The reason for this is because M1 chip macOS BigSur allows Standard User to enable FV2, but when our account is created with Standard User credential, this account doesn't have SecureToken Enabled.

Solution: To resolve this issue, SecureDoc will prevent a Standard user from enabling FileVault 2.

SD-38042 Surface Pro 7 Devices in docking stations were not able to use SDConnex at Pre-Boot.

Issue: Recent model Microsoft Surface Pro 7 devices docking stations attach their Ethernet adapters to the computer's PCI bus, whereas docking stations for previous-generation Surface Pro devices attached them to the USB Bus. As a result, SecureDoc's Pre-Boot for Native UEFI was not searching the PCI Bus when seeking Network cards, and so Surface Pro 7 devices in docking stations were not able to perform PBConnex network-brokered authentication

Solution: In this version of the SecureDoc client, all buses will be checked for network cards, to ensure that PBConnex can work regardless which bus hardware manufacturers decide to use to connect docking station peripherals and devices.

SD-38069 SecureDoc for Linux now supports RHEL 8.4

Issue: Earlier versions of SecureDoc did not support Red Hat Enterprise Linux (RHEL) version 8.4

Solution: SecureDoc now supports RHEL 8.4

SD-38401 SecureDoc now supports macOS 12.X Monterey

Issue: macOS continues to evolve and SecureDoc must provide support for newer versions of macOS.

Solution: SES V9.0 supports client devices running macOS 12.X Monterey.

SD-38486 Ability to create and edit Windows Enterprise Installation Packages has been added to SESWeb

As SESWeb works its way toward feature parity with SES Console, the addition in this version of the Windows Enterprise Client type is a major step forward.

SD-38651 SecureDoc and SES can now create TPM-protected Key Files

Issue: WinMagic is constantly striving to improve SecureDoc Client Security, while at the same time easing and improving User Experience.

Solution: SecureDoc and SES can now create and manage TPM-protected Key Files on endpoint devices.
This process utilizes the public part of the TPM key which can be stored within SES, and which can be used in a more complex protection scheme which can ultimately be unlocked by the user entering a simple (e.g. 6 character minimum) PIN whose scope remains local to the device (e.g. the PIN is not transmitted to nor stored in the Server).

SD-38996 Ability to create and edit Folder Encryption policies has been added to SESWeb

As SESWeb works its way toward feature parity with SES Console, the addition in this version of the Windows Enterprise Client type to add and maintain Folder Encryption Policies is a major step forward.

SD-39007, SD-39130 Redundant SecureDoc FV2 messages following macOS upgrade and login using FileVault recovery account have been suppressed.

Issue: Following an upgrade of macOS, upon next login to SecureDoc for FileVault 2, the user would encounter a series of redundant messages after logging in with the FileVault recovery account.

Solution: The redundant messages have been suppressed. After macOS has been upgraded and the user has logged in with the WinMagic account, the multiple system redundant messages that were displayed (and which the user would need to ignore) have been eliminated in this fix.

NOTE: There is a new Password Confirmation dialog that appears starting in this version. Version 8.6 SR1 and earlier did not enquire the user to provide a password after performing a macOS major upgrade.

SD-39130 The WinMagic Recovery Account may fail/be stuck at the Login Page after upgrading macOS following recovery.

Issue: If a user has used the WinMagic recovery account logged into system to perform user password recovery, the WinMagic recovery account has gone through the user setup configuration which is provided by macOS
After that, if the user upgraded macOS to the a newer version, some user settings cannot be handled by the macOS upgrade.

The issue is after macOS upgrading is done and user wants to login with WinMagic recovery account to perform recovery (reset real user password), the device will remain stuck at the user login page, and the WinMagic account fails to login to the system.

Resolution: In SES V9.0 SecureDoc for FileVault 2 (SDFV2), after macOS has been upgraded to the newer version, SDFV2 will delete the WinMagic recovery account and re-create a new one.
The User will encounter the Password Confirmation dialog to provide user credentials so that SecureDoc can re-create the new WinMagic recovery account correctly, then add this account into the FileVault 2 Unlock list.
After re-creating the WinMagic recovery account, macOS will treat this user as a new user. It won't have issues when logging into the system.
This has also resolved an issue that occurred in a previous version; After macOS was upgraded and the user logged in with the WinMagic account, it several system redundant messages were displayed which the user would need to ignore. These redundant messages have been eliminated in this fix.
One disadvantage is this Password Confirmation dialog is new, starting in this version. Version 8.6 SR1 and earlier did not require the user to provide a password after performing a macOS major upgrade.

SD-39155 Ability to manage and edit SES Global Options has been improved - with a new more intuitive User Interface - has been added to SESWeb

As SESWeb works its way toward feature parity with SES Console, the addition in this version of the Windows Enterprise Client type is a major step forward.

SD-39260 The SecureDoc Client now has a new way of being deployed using SCCM

Issue: Installing the SecureDoc Client has been possible using SCCM for some time, and improvements to this process are constantly being sought.

Solution: In a new Knowledge Base Article WinMagic articulates the steps necessary to install the SecureDoc Client using SCCM in a new way.

SD-39550 The SES Profile General options panel has been modified to move Refresh/Reset button adjacent to the Encrypt Partition Only option, to which it belongs

Issue: In the SES Profile General options the Refresh/Reset button appears in an inappropriate place, leading to confusion

Solution: This button has been moved to be located adjacent to the Encrypt Partition Only option, to which it belongs functionally. If Partition Only encryption is not selected, this button is disabled/inaccessible.

Resolved Issues

SD-35512 The SecureDoc Client for Linux now supports changing the Pre-Boot background image and on-screen prompt text

Issue: Unlike other client types, to this point the SecureDoc client for Linux (SDLinux) did not include a means to update the Pre-Boot background image or the on-screen text post-installation.

Solution: This has been corrected. The Pre-Boot background image and on-screen prompt text can now be modified for Linux client devices.

SD-36571 Earlier versions of the SES Client would not correctly exclude SEDs from encryption if found in list of disks to be excluded

Issue: When using the profile option to exclude fixed disks from encryption, Self Encrypting Disks (OPAL SEDs) would not be excluded as configured. If the excluded disk was not detected as an OPAL SED, then the exclusion was correctly applied.

Solution: This issue has been resolved., The profile option to exclude specific fixed disks from encryption will now also properly exclude specified disk(s) identified as self encrypting, ensuring that it/they will not be encrypted.

SD-37272 After upgrading from Win10 1909 to 20H2, SecureDoc-protected devices cannot communicate to SDConnex Server via proxy server.

Issue: Following an upgrade of Windows from Win10 1909 to 20H2, SecureDoc-protected devices cannot communicate to SDConnex Server via proxy server.

Solution: This issue has been resolved in this version.

SD-37381 On V8.6 encrypted devices, using a secondary SecureDoc account that has been added to User Management can cause a "Blue Screen" halt with error code 0xc0000225 after authentication

Issue: Under SecureDoc V8.6, on a full-disk encrypted device the primary SD account "admin" is able to log in at pre-boot. However, after creating a secondary Key File (which has the AES encryption key) and adding it to the user management, logging in with that secondary account at Pre-Boot produces a "Blue Screen" halt with error code 0xc0000225.

Solution: This issue has been corrected in this version

SD-35703 Aspects of Disk Access Control (DAC) do not yield expected results with CD/DVD media, or have proven a source of confusion for customers

Issue: Particularly since the move to Container-Encrypted CD/DVD media, customers have found that the selection of certain Disk Access Control modes for such media can cause undesirable or unexpected user experience.

Solution: In Version 9.0 of SES and the SecureDoc Client, the following three modes will no longer be available for CD/DVD DAC restrictions: "Read only, unless encrypted"', "No access, unless encrypted" and "No access". These modes have been removed from the User Interface (e.g., in SecureDoc Control Center, as well as the SecureDoc Console's and SESWeb Consoles configuration panels for Device Profiles. The options that will remain available for CD/DVD media will be Full Access and Read-Only.

SD-35961 Customers could encounter a 'Buffer too small' 0x150 error when trying to reset their passwords in SecureDoc Control Center

Issue: When changing passwords in SecureDoc Control Center (SDCC), if the device had been configured with the password history feature enabled (to ensure the user is not re-using a previous password), upon attempting to change the password the user would receive a 'Buffer too small' 0x150 error .

Solution: This issue has been corrected in this version.

SD-35993 SecureDoc Client Control Center now offers smooth user experience when decrypting all drives

Issue: In previous versions, use of the Decrypt All option in SecureDoc Client Control Center to decrypt all encrypted disks would decrypt all drives in "thorough" (all sectors) mode rather than decrypting each of the drives according to how it had originally been encrypted.

Solution: The Decrypt All option now decrypts drives according to how they were originally encrypted - using either Standard (only encrypt data) or Thorough mode (encrypt all sectors, whether they contain data or not).

SD-39109 The list of acceptable special characters that may be used in volume names of removable media has been changed

NOTE: For macOS Big Sur ONLY, the back-tick ` and multiple dollar-signs in a row (e.g. %^$$&) are not acceptable characters and should not be used.

This is an update to previously-issued release notes that were published in a previous version: SD-32942, which had listed additional special characters that could be used in removable Media Volume names when creating removable media/RMCE media under macOS.

The following special characters represent the revised/updated list of those special characters that are supported for use in volume names when creating RME/RMCE media on devices running macOS: ~ ! @ # $ % ^ & ( ) _ + = - { } [ ] { } [ ] ; , '

SD-36145 Where Windows is unable to format an item of removable media, the SecureDoc presentation of that message was ambiguous

Issue: If attempting to format an item of removable media, and Windows is unable to process the request, the message that filtered up through SecureDoc lacked detail needed to inform the user.

Solution: The message has been improved to provide the user with additional information that will inform his next steps.

SD-36171 The SES Client upgrade process now permits moving devices to a specific folder

Issue: In previous versions, the SecureDoc Installation process can (optionally) define that client devices are to be placed in a specific folder.
Although this same setting existed within the same installer that can be used to upgrade a client (by overwriting the new version of the software on top of the old version), during upgrade the folder references were ignored in previous versions, leaving upgraded devices in whatever folder they had originally resided.

Solution: In SES V9.0, a new Installation Package option in the Provisioning panel permits customers to define that endpoint devices should be moved automatically to a specified folder during a software upgrade. Any of the folder options available in the Provisioning panel settings can be applied during upgrade, for example moving devices from the current folder to the owning user's folder, or to a registration folder, or to a specific folder ID defined in the Provisioning panel. The benefit of this option is that it permits endpoints (following upgrade) to reside in a new destination folder whose configuration settings will apply to/govern those devices.

SD-37045: Customers could encounter error 0xa109 when attempting to encrypt secondary drive of 4TB capacity or larger

Issue: Upon attempting to encrypt a secondary hard drive of 4TB capacity or larger, the following message could appear:

An unidentified error has occurred. Error code Task:TaskDiskManagement
Error 0xa109

Solution: This issue has been resolved for Windows 10 only, at present. Customers having 4TB or larger secondary drives will not encounter this error, and the drive will be encrypted successfully.

For users of Windows, 7, 8, 8.1 devices, this solution will be applied in the next available Service Release or Hot Fix.

SD-36388 SecureDoc for Linux now supports RHEL 8.3

Issue: Earlier versions of SecureDoc did not support Red Hat Enterprise Linux (RHEL) version 8.3

Solution: SecureDoc now supports RHEL 8.3

SD-36483 Where SecureDoc Client devices are protected by a BitLocker PIN or Passphrase, the PIN or Passphrase must be changed on the same retention cycle as is defined in the Global settings.

Issue: Where customers use BitLocker in PIN-based or Passphrase-based authentication mode, where the Profile does not define that the PIN/passphrase is to be synchronized with the Windows password there had been no means to force the user to rotate his/her BitLocker PIN/Passphrase on a regular basis, leading to risk of the same PIN/passphrase being used for an extended period.

Solution: PIN or Passphrase rotation will now be governed by options in the Global settings. Upon expiration of this period, the user will be prompted to set a new PIN or passphrase.

SD-36753 Hyper-V Generation 2 modules have been added to the SecureDoc Pre-Boot Kernel for UEFI

Issue: Customers require that SecureDoc can support Hyper-V Generation 2 hardware within the Linux pre-boot kernel for UEFI devices.

To this point, under V8.6 when using the SecureDoc SUSAM support for UEFI, SecureDoc under the Linux- based Pre-Boot for UEFI loads successfully but is missing is missing keyboard, mouse, and network support due to lack of Hyper-V-specific Linux drivers.

Solution: This issue has been corrected in SES V9,0, and customers utilizing Hyper-V-enabled devices should upgrade their client devices to SecureDoc V9.0

SD-38047 An issue, encountered when reimaging devices using "policy engine"-based encryption, had resulted in error message: "An unidentified error has occurred. Error code: 0x66 (0x66)".

Issue: A customer had encountered an issue in their environments related to the "policy engine" based encryption process, in which a device can be re-imaged while preserving its disk encryption. On devices that had SecureDoc installed and Pre-Boot Authentication in place, some devices were failing to start encryption correctly. This process had been run on certain devices where SecureDoc had been installed, Pre-Boot Authentication was in place, but the disk had not been originally encrypted. When the disk is not encrypted, but pre-boot is loading, there is no SDJob to start encryption, so the "Policy Engine" encryption logic takes over.
In this scenario, this "policy-based encryption" was not correctly engaging, resulting in presentation of message: "An unidentified error has occurred. Error code: 0x66 (0x66)".

Background: A version of the Windows installer that has integrated SecureDoc kernel drivers is used to reinstate Windows after the C: drive was formatted.
Following re-image, the SD client software is reinstalled and normally the device is able to continue communication in SES with the original device record (No re-registration or duplication of device occurs).

Solution: This issue has been resolved in this version

SD-38104 SESWeb incorrectly throws a message indicating that SES must be configured (seemingly randomly).

Issue: In certain previous versions, administrators could be directed to a page (seemingly randomly) whose message mistakenly indicates that SES has not been configured. If the Administrator should attempt to configure via SESWeb, a message would appear indicating that SESWeb is already configured, and it would ask the Administrator if he/she wanted to reconfigure it.

Solution: This issue has been corrected in this version.

SD-38111 Users encountered failure after configuring SESWEB 9.0 using IIS, browser displays error "HTTP Error 500.19"

Issue: SESWeb 9.0 requires that the URL Rewrite server plug-in be implemented into IIS before installing V9.0. Without this plug-in, when attempting to configure SESWeb using IIS, it will display the following error: "HTTP Error 500.19".

Solution: Customers must deploy the URL Rewrite Plug-in into IIS before attempting to install or upgrade to SESWeb V9.0. Steps the user must take to accomplish this are covered in the documentation. This plug-in can be got at this web link: https://www.iis.net/downloads/microsoft/url-rewrite

SD-38322 Endpoint devices will be unable to begin initial encryption if using a Temporary User account having a sub-8 character long password on a device whose TPM is disabled, producing "No key found (0x7608)" error message in the SDJOB log file.

Issue: It has been found that where installing BitMana on an endpoint device whose TPM has been disabled in the BIOS, if the password of the Temp User Account used in Provisioning stage contains fewer than 8 characters, the installation will fail to encrypt the device, producing a "No key found (0x7608)" error message in the SDJOB log file.

Solution: Users will be warned if the password entered for the Temp User is not at least 8 characters in length.

SD-38708 SES Console Group Definition no longer has an option to block inheritance from parent folders to child folders.

Issue: There had been issues customers encountered when attempting to block inheritance of attributes from a parent folder into a child folder defined in SES Console, and in SESWeb there was no equivalent control that could be set to block inheritance. Historically there had been anomalies in how inheritance blocking behaved in deep folder trees, leading to confusion.

Solution: In Version 9.0, WinMagic has decided to disable inheritance blocking. The block inheritance option previously found under the folder properties page in the SES Console has been removed.
WinMagic will re-evaluate the design and may re-introduce disabling inheritance in a future version.

SD-38709, SD-38950 Correct issue where User permissions derived from nested folders propagate only one level down

Issue: SecureDoc Enterprise Server is designed to permit inheritance of User Permissions defined at a given Folder level to sub-folders.
While this feature is not extensively used, an issue has been found that shows such inheritance does not extend beyond the first sub-folder, which leaves Users located in sub-sub-folders (and below) left out of the inheritance process.

Solution: This issue has been corrected.

SD-38710 SESWeb Console would not permit Administrators to log in whose Group was a subordinate Group under a Group whose members could log in

Issue: Where the SES Administrator had either created a subgroup below the Group that defines access to SESWeb, or the Administrator had added an existing group to be a sub-group of the Group that defines access to SESWeb, the SESWeb Console would not permit Administrators in such a sub-group to log in to SESWeb. It appeared that Group membership and permissions propagation was failing to permit sub-Group members to inherit the same rights of access to SESWeb that parent-group members obtained.

Solution: This issue has been corrected in SES V9.0

SD-38825 64-bit Linux-based pre-Boot for UEFI devices was not working on Dell OptiPlex 5090 models.

Issue: 64-bit Linux-based pre-Boot for UEFI was not working on Dell OptiPlex 5090 models, causing deployment to fail.

Solution: The KnownConfigs.xml file has been updated in Version 9.0 to apply necessary tweaked configuration settings unique to this make/model.

SD-38961 Smart Card not working at SecureDoc pre-boot on Dell Latitude 7410. Error (0x7721) appears.

Issue: Certain customers encounter an error when attempting to use a Smart Card at SecureDoc pre-boot, receiving message "Card reader error, Remove/reinsert reader connector and reboot (0x7721)"

This issue appears to only affect new Dell Latitudes 7410 devices. Both internal and external readers were tried, and both have the same issue.

Solution: This issue has been corrected in this Hot Fix, and customers using Dell Latitude 7410 devices will no longer encounter this issue.

SD-39159 Where using PBConnex Group-based access that defines storing a Key File on OSA endpoint device, the key file was not being stored.

Issue: Where PBConnex Group-based access is defined that stipulates that user key files are to be locally stored on an OSA endpoint, it was found that under some circumstances where the key is in a Key File on an OSA endpoint device, the key file was not being stored.

Solution: This issue has been corrected in this version.

SD-39269 was fixed by SD-39392 An issue with macOS users not having enough time to approve Full Disk Encryption has been improved.

Issue: Apple had introduced a fdesetup pop-up message in macOS Catalina, which, during the enablement of FileVault 2, required the user to click OK button on this pop-up message.

Background: In previous versions of SES and the SES Client for macOS, the user was permitted only approximately 10 seconds in which to click the OK button. However, if it was not clicked within the time limit, then SecureDoc for FileVault 2 could not enable FileVault 2 successfully in this system start cycle, so SecureDoc would show a countdown dialog panel, then automatically reboot the device. After that, it would repeat the prompt process by requesting that the user provide a password.

Solution: With this improvement, the User is able to click on the OK button anytime within an almost one-minute period

Due to Apple's design, after 1 minute this fdesetup pop up will disappear, but even though the user might not have been able to click the OK button, SecureDoc will enable FileVault 2 successfully.

On the other hand, if the user clicks on the "Don't Allow" button, the SecureDoc setup process will display a countdown dialog and will automatically reboot the device. Following device restart, it will then again ask for a password to enable FileVault 2.

SD-39614 Unable to set static Boot IP address for SecureDoc Client devices running Japanese-localized Windows 7

Issue: Client devices running the Japanese version of Windows 7 will not be able to deploy SecureDoc clients with fixed Boot IP address settings. It is unclear why this does not work on the Japanese version of Windows 7, as it neither affects any other language-versions tested, nor Windows 10/11

Solution: Customers that rely upon fixed IP addresses are recommended to move from Windows 7 to Windows 10/11 or utilize DHCP-provided IP addresses at Pre-Boot if staying with Windows 7.

SD-40275 Issues with event messages appearing when enabling LSA Protection have been corrected.

Issue: Certain customers saw event messages (when in audit mode) on endpoint devices once LSA Protection was enabled

Solution: This issue has been corrected in this version.

SD-41114 Device Ownership was not being finalized where AzureAD users attempted to take ownership of AzureAD-joined endpoint devices that are synchronized to SecureDoc Enterprise Server.

Issue: Where AzureAD users attempt taking ownership of AzureAD-joined endpoint devices that are synchronized to SecureDoc Enterprise Server, the requisite Boot and Personal Key Files are not being placed into the endpoint devices so ownership is not finalized.

NOTE: This issue does not occur where AAD is not synchronized to SES.

Work-Around: Certain data must be entered directly into the database where customers are installing SecureDoc onto Azure AD (AAD) joined devices.

Using the SQL console into your SES database, the following SQL statement must be applied:

INSERT INTO Settings (Name,ValStr) values ('IDNLW_AZURE_AD_CLIENT_ID','YOUR_APPLICATION_ID')

Note: 'YOUR_APPLICATION_ID' should be substituted with the contents of the Azure AppId field shown in the Active Directory Integration panel in the SESWeb Global Settings for ADSync.

Limitations

SD-35430 SESWeb Support for Port Control does not include a means of defining acceptable USB-connected devices list

The SESWeb browser-based Console in V8.6 does not include a means of creating or maintaining a list of acceptable device types that can be communicated to endpoint device through the Profile. This functionality is relatively rarely used.

Work-around: For customers that do create and define a list of acceptable USB devices, if configuring a Profile using SESWeb, save it, then open the Profile using the SES Console, then navigate to the Port Control panel and create the list of VID (Vendor ID) and PID (Product ID) information for those devices that are to be considered acceptable.

NOTE: While the SES Console does permit the console to query the server's USB Bus history (or the USB Bus history of the Administrator's device if the SES console is installed on the Administrator's Laptop/Desktop computer), it will not be possible to emulate access to USB Bus history within the SESWeb console, due to the long-standing designed limitations placed on web applications to access the hardware on which the Web server is running.

WinMagic will be seeking an alternate way to handle importing a list into SESWeb, which will be announced in a future version.

SD-36585 SESWeb will not have the Key File option necessary to store a Key File on a Token when creating a Key File for a user.

Issue: SESWeb is a web-based application that runs on a server and cannot access the hardware that it runs on. As a result, it cannot fetch a Key File and insert it into a USB token.

This is a limitation inherent in all Web-based applications, that they cannot access the hardware they're running on.

Work-Around: If you need to create a Token containing a Key File for a user, this can be performed using the SES Console application.

SD-38514 In SES V9.0, macOS High Sierra support is being dropped.

Issue: As SES Client support grows to encompass new macOS versions, the oldest versions are dropped from support.

Solution: Please do not install or upgrade to SecureDoc V9.0 on macOS High Sierra client devices.

SD-39853 SecureDoc IdP's RADIUS functionality does not support MS-CHAP V2

Issue: The RADIUS protocol includes 2 password validation modes. These are:
PAP - Password Authentication Protocol,
CHAP - Challenge-Response Authentication Protocol and
MS-CHAP - The Microsoft variant of CHAP

In this version of the SecureDoc IdP the Microsoft variant of CHAP is not supported.

At present there is no work-around for this issue.

Contacting WinMagic

WinMagic
5770 Hurontario Street, Suite 501
Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001

Sales: sales@winmagic.com
Marketing: marketing@winmagic.com
Human Resources: hr@winmagic.com
Technical Support: support@winmagic.com
For information: info@winmagic.com
For billing inquiries: finance@winmagic.com

Acknowledgements

This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young (eay@mincom.oz.au) and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).

WinMagic would like to thank these developers for their software contributions.
© Copyright 1997 – 2022 by WinMagic Corp. All rights reserved.

Printed in Canada Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.

WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2022 WinMagic Corp. All rights reserved.

© Copyright 2022 WinMagic Corp. All rights reserved. This document is for informational purpose only. WinMagic Corp. makes NO WARRANTIES, expressed or implied, in this document. All specification stated herein are subject to change without notice.