Issue

My company had initially decided not to permit Self-Help Recovery functionality (where, in the global settings, the number of questions is non-zero and the requisite number of questions has been sent to the client device(s) during installation through the Installation Package). Later, we rethought that decision and now wish to implement Self-Help Recovery functionality.

Question: We need to get self-help questions answered for users/devices that do not have self-help questions. How is that accomplished?

Considerations

WinMagic always recommends that the question of whether or not to use Self-Help Recovery be resolved prior to initial implementation, because it is fundamentally difficult to alter once implementation begins. It is considered a "core configuration" item whose functionality and ramifications should be defined and agreed upon prior to initial implementation.

In an SES implementation that uses Self-Help Recovery, the initial set of questions would have been sent to the client devices during initial installation. However, SecureDoc Enterprise Server has no native process for either adding new questions or altering existing questions, so where no questions currently exist for a given user/device combination, there is no central means within SecureDoc Enterprise Server to define which questions are to go to which device/user combination.

Once answered, the questions and the answers actually reside inside each user's Key File(s) on all devices on which the user has a Key File.

Solution

To correct this issue and implement Self-Help Recovery on SecureDoc devices that do not use it:

First, enter the master list of Self-Help Recovery Questions in the Global Settings panel for questions.

Then, enable Self-Help Recovery in the Global Settings | General Panel | click on Password Rules.

Next, create a new Installation Package file that contains the desired list of questions.

1 - Use a text editor to open that new Installation Package's PackageSettings.ini file and search for the line that contains "SHQuest=", followed by a string of characters (which is the list of questions in a protected form). NOTE: Be sure to copy all that text, since missing or altering a single character will render the remaining steps invalid, and may force a return to the backup copy of the SecurDoc.ini file on the client devices mentioned in point 3, below.

2 - COPY that SHQuest= line into the copy/paste buffer and save it somewhere (e.g. into a text file on a USB stick, or pasted into an email if the end users are fairly tech-savvy).

3 - The next part is somewhat more complex and requires direct access to the end-point devices: it is necessary to somehow get that line to replace the SHQuest= line that exists in the SecurDoc.ini file within the SecureDoc implementation on the affected machines. This can be done by having an IT Technician a) visit each computer; b) copy the existing SecurDoc.ini file to a new name (as a fall-back position in case any damage occurs to the structure of the "live" SecurDoc.ini file); and c) get the new SHQuest= line into the copy/paste buffer.

4 - Open the SecurDoc.ini file with a text editor, then overwrite the existing SHQuest= line in it with the SHQuest= line gleaned from the new Installation Package in step 2 above.

5 - Save the SecurDoc.ini file.

6 - Get the SES Administrator to send down a new Key File to that computer for all affected users.

Following the next reboot and Pre-Boot Authentication, the presence of the new Key File will trigger the device to prompt the user to answer his/her security questions. If Password Propagation is enabled, the questions, once answered, will be propagated automatically inside updated Key Files that SES will send down to all devices on which that user has a Key File.

NOTES: The file name SecurDoc.ini is spelled correctly. It is indeed missing the "e" in the word "secure"; this is intentional, to ensure this file is readable by DOS-type operating systems. This file has always been called SecurDoc.ini.
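
Steps 1 to 5 above, scripted as an added example (this is not WinMagic code and not part of the original article): it copies the SHQuest= line byte for byte, makes the fall-back copy first, and re-reads the file to confirm nothing else changed. It assumes both files are ASCII-compatible text with exactly one line that starts with SHQuest=; the function names, the `.bak` backup name and the sample file contents are hypothetical, and the real file locations must be supplied by the caller.

```python
import shutil
import tempfile
from pathlib import Path

KEY = b"SHQuest="  # key name as given in the article

def split_at_key(data: bytes):
    """Split into lines (endings kept) and locate the single SHQuest= line."""
    lines = data.splitlines(keepends=True)
    hits = [i for i, line in enumerate(lines) if line.startswith(KEY)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one SHQuest= line, found {len(hits)}")
    return lines, hits[0]

def replace_shquest(package_ini: Path, client_ini: Path) -> Path:
    """Copy the package's SHQuest= line into client_ini; return the backup path."""
    pkg_lines, p = split_at_key(package_ini.read_bytes())
    new_line = pkg_lines[p].rstrip(b"\r\n")
    if new_line == KEY:
        raise ValueError("package SHQuest= value is empty")
    before, c = split_at_key(client_ini.read_bytes())
    eol = before[c][len(before[c].rstrip(b"\r\n")):]  # keep the client's line ending
    backup = client_ini.with_name(client_ini.name + ".bak")  # hypothetical backup name
    if backup.exists():
        raise FileExistsError(f"{backup} already exists; keep the first fall-back copy")
    shutil.copy2(client_ini, backup)
    after = list(before)
    after[c] = new_line + eol
    client_ini.write_bytes(b"".join(after))
    # Re-read and confirm: the value matches byte for byte, no other line moved.
    check, k = split_at_key(client_ini.read_bytes())
    others_same = check[:k] + check[k + 1:] == before[:c] + before[c + 1:]
    if k != c or check[k].rstrip(b"\r\n") != new_line or not others_same:
        shutil.copy2(backup, client_ini)
        raise RuntimeError("verification failed; restored SecurDoc.ini from backup")
    return backup

def demo() -> bytes:
    """Run on constructed sample files (contents are made up, not real SecureDoc data)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp, "PackageSettings.ini")
        cli = Path(tmp, "SecurDoc.ini")
        pkg.write_bytes(b"[Constructed]\r\nSHQuest=AAAA1111BBBB2222\r\nOther=1\r\n")
        cli.write_bytes(b"[Constructed]\r\nKeep=me\r\nSHQuest=\r\nTail=x\r\n")
        replace_shquest(pkg, cli)
        return cli.read_bytes()

if __name__ == "__main__":
    print(demo().decode("ascii"))
```

Step 6 (sending down a new Key File) still has to be done by the SES Administrator; the script only covers the edit to SecurDoc.ini.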