SecureDoc Enterprise Server

Release Notes

Product Version: 9.2

Published May 8^th, 2025

SecureDoc Support

WinMagic strongly recommends that you install the most recent software release to stay up to date with the latest functional improvements, stability fixes, security enhancements and new features.

Please visit Knowledge Base Article 1397 for more information on End of Life and End of Support timelines for SecureDoc software releases.

About This Release

This document contains valuable information about the current release. We strongly recommend that you read the entire document.

Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.

NOTE:  End of Life date for Hotfixes is the same as the Version or Service Release upon which they are based.

Download the latest release notes for each version listed within Knowledge Base Article 1756.

System Requirements

If using features that use the TPM (e.g., MagicEndpoint, or other TPM-based authentication such as TPM protection for Key Files), devices must have TPM 2.0 – TPM 1.2 or earlier are not supported.

For server and client system requirements: https://www.winmagic.com/support/technical-specifications

For supported devices, drives, smartcards, and tokens: https://www.winmagic.com/device-compatibility

Note:  It is strongly recommended to initially install Full-Text Indexing feature (Full-Text Search) into the Database Engine, before performing an SES installation.

More information is available here: http://msdn.microsoft.com/en-us/library/ms143786(v=sql.100).ASPX

During the installation of SES, if Full-Text Indexing has not been installed, a message will appear indicating the absence of the Full-Text Indexing. This message will not allow the user to stop the installation of SES which will require retrofitting Full-Text Indexing into an existing SQL Server.

Note:  Use of the SES Console will require the user to have at least local admin rights on the server or client device (e.g., Admin desktop) on which it runs for the console to function properly.

Client OS Support

Devices utilizing MagicEndpoint authentication must have Windows 10 or 11 – Windows 7 is not supported.

For a detailed view of which specific versions of SecureDoc are supported under various versions of Windows, macOS or Linux:  See: https://www.winmagic.com/support/technical-specifications

Mobile Token-based authentication using Bluetooth is not supported on any pre-Windows 10 Operating Systems

The KnownConfigs.XML File

Customers are strongly advised to download the most current KnownConfigs.XML file, then replace the current version (if older) in the SES Application folders and

Installation Packages.

WinMagic strongly recommends that you seek out the most up-to-date version of the KnownConfigs.XML file and incorporate it into your SES implementation on a regular basis (e.g., monthly). This will help ensure your SES Version will take advantage of new client installation override settings that have been added since the version of the KnownConfigs.XML file that came with your version of SES. This will improve installation success on any new device makes/models you might purchase since installing SES, utilizing the new special settings available in newer versions of this file.

Customers are advised to look to the SecureDoc Knowledge Base for a link to the available KnownConfigs.XML files, then check that document (e.g., on a monthly basis) for updates to this file, then use the new version to replace all versions of the KnownConfigs.XML file in their SES Implementation folder structure. For example:

1. Position Windows Explorer to: c:\Program Files(x8)\WinMagic\SDDB-NT, then

2. Search for files like *.xml.

3. Sort the resulting search list by name

4. In each directory where a KnownConfigs.XML file is found, replace it with the new one that you have downloaded from the WinMagic Knowledge Base article.

Additional information can be found here: Installing or updating the KnownConfigs.xml file (Applies to SES from Version 7.5 onward).

The latest versions of the KnownConfigs.XML files can be found at the following links:

• SecureDoc Device KnownConfigs.XML File for SES V8.2 And Later- Download the

latest version of this here: https://na80.salesforce.com/articles/Service/SecureDoc-Device-KnownConfigs-XML-File-for-SES-V8-2-Download-the-latest-version-of-this-here

• SecureDoc Device KnownConfigs.XML File for SES V7.5 - Download the latest

version of this here: https://na80.salesforce.com/articles/Service/SecureDoc-Device-KnownConfigs-XML-File-for-SES-V7-5-Download-the-latest-version-of-this-here

The contents of the KnownConfigs.XML file are reserved to be developed and advanced by WinMagic solely. While customers might consider enhancing it, WinMagic cannot be held responsible for issues that might arise from such modifications and may (at its sole discretion) levy an additional support charge to any customers that encounter support issues that can be traced back non-sanctioned customer-initiated changes to KnownConfigs.XML.

WinMagic welcomes customer ideas and suggestions on how KnownConfigs.XML can be extended and improved, but WinMagic reserves the sole right to test, approve and to publish any changes to KnownConfigs.XML that it deems to be in the broader customer interest, and makes no commitment to act upon or publish all, or indeed any customer-recommended changes.

Version 9.2

IMPORTANT

Starting with version 9.1, support for 32-bit operating systems has been discontinued to align with industry trends and focus on optimizing performance, security, and features for modern 64-bit environments.

Customers deploying version 9.1 SR1 HF2 on devices with Self-Encrypting Drives (SEDs) may encounter unexpected messages during installation. If this occurs, we recommend contacting WinMagic Support for assistance. To ensure compatibility with the latest developments and take full advantage of our software’s capabilities, users are encouraged to transition to 64-bit operating systems.

Which customers should upgrade to 9.2?

Version 9.2is a release upgrade to the SecureDoc Enterprise Client and Server.

All customers are recommended can safely upgrade to 9.2

Why upgrade?  https://winmagic.com/blog/5-reasons-to-update-your-winmagic-securedoc-investment/

Compatibility Note:
MagicEndpoint (ME) version 1.5 is required for compatibility with SecureDoc 9.2. Earlier versions of ME are not supported with SD 9.2, and ME 1.5 is not compatible with SD versions prior to 9.2.

Note:  

To use Microsoft Azure AD instead of on-premises Active Directory, you must upgrade to version 9.0 or higher. Earlier versions of SecureDoc Enterprise Server do not support Azure AD.  

For Azure AD-joined devices, ensure they are either initially installed with version 9.0 or higher, or upgrade existing devices to version 9.0 (or later) before joining them to Azure AD.

NOTE: SecureDoc installer now no longer supports installation on macOS Mojave. Version 9.1 ends support for macOS Mojave, and as a result the macOS Mojave target has been removed from the SecureDoc executables framework, installation, and run-time scripts.

End of Life Notice:

macOS Catalina has officially reached its End of Life (EOL). We no longer support this version, and users are strongly encouraged to upgrade to a newer macOS version to maintain security and functionality.

IMPORTANT: For customers wishing to utilize SecureDoc’s Bluetooth Low Energy mobile device-based authentication at Pre-Boot:

1 - The device Profile must specify the Linux-based Pre-Boot for UEFI devices – termed as PBLU in this documentation.  Phone-based authentication (whether using Bluetooth Low Energy communication or network-based communication) does not work with

2 – Bluetooth must be enabled in the endpoint computer’s hardware configuration (BIOS or UEFI settings), as use of Bluetooth Low Energy mobile device-based authentication is a compelling security feature.,

NOTE: These release notes are presented in a new format compared to prior releases. A) Rather than leading with the ticket number(s), these will include the ticket(s) at the end of each release note; b) Issues and improvements will be grouped into meaningful groups that discuss specific aspects of the product (e.g., Authentication, Server, client, and other groupings).

How to Install/Upgrade

Customers with an active support plan should contact [email protected] to receive the latest download link for their SecureDoc upgrade.

New Features

SecureDoc Console or SESWeb Console

[PBL] Accessibility Beep Now Supported on Modern Devices.

Description: We’ve enhanced accessibility support at the Pre-Boot Authentication (PBA) screen by enabling audible “beep” feedback on newer devices. This improvement helps users who rely on screen readers or sound cues to navigate the login process, especially on modern laptops that no longer include a traditional PC speaker.

Solution: The beep function has been restored and now works through the high-resolution sound card instead of the older PC speaker. We've also included firmware support for affected models, ensuring consistent sound feedback during login. Users or IT administrators can fine-tune the beep behavior through simple settings if needed.

Notes:

- Sound can now be played in different tones, including softer or more noticeable alerts, depending on your needs.

- This improvement is available starting with PBL version E3.BIN.

This update ensures a smoother and more inclusive experience for all users, especially those who depend on audio support during device startup.

Affected tickets: SD-50197

SD-48888 New Feature: BLE Phone Registration and Conversion from Password-Based Keyfile.

Description: A new UI and workflow have been introduced to support Bluetooth Low Energy (BLE) phone registration and conversion from password-based keyfiles (KF). This includes:

1. A local conversion process allowing users to switch from a password-based KF to a BLE phone.

2. BLE re-enrollment (online only) after completing a recovery.

3. During BLE keyfile recovery login, users can choose to either reset back to a standard password-based KF or convert to a new BLE phone by scanning a QR code.

Improvement: Introduced as part of ongoing improvements to user flexibility and security, this new functionality is now available in the ME2 app and SES 9.2. Further enhancements are currently in progress.

Affected tickets: SD-4888

SD-47442 New Feature: Conversion Progress Reporting from SD Client to SES.

Description: A new functionality has been added in SES 9.2 that allows the SD client to report encryption conversion progress (%) back to the SES console. This applies only to SD Software encryption and not to BitLocker or hardware-encrypted (SED) devices.

The reporting tracks the full disk (not partition-based), specifically internal storage, and updates SES every 10% of completion, displaying 10%, 20%, and so on until the process reaches 100%.

To enable this feature, manually add the parameter `UpdateProgressToServer=1` under the `[General]` section in the profile.

Note: This feature is not supported in the following scenarios:  

1. Decryption initiated from SD Control Center  

2. Re-conversion (Encrypt again) via SD Control Center

Affected tickets: SD-47442

SD-44854 Unable to Revert Boot Background Image to Default on Installed SDClient.

Description: Previously, once the boot background image was changed on an installed SD Client, there was no option to revert it back to the default image.

Support has been added to revert the boot background image to the default through the SES Console. To do this, navigate to the device profile, then go to Boot Text and Color, and select the new 'Revert to default' option. Once the image is imported or reverted for the profile assigned to the device, send the remote command 'Apply pre-boot background image' to the device. The default image will be pushed to the device after communication with the server and will be applied on the next reboot.

Note: This functionality is not yet available on SES WEB

Affected tickets: SD-44854

Improvements

SecureDoc Console or SESWeb Console

Support for Registering a New BLE Phone When Using Alternate Password Login.

Description: To improve flexibility and recovery options, users can now register a new Bluetooth Low Energy (BLE) phone after logging in with an alternate password (ALT PWD). This is especially helpful in common situations where a user has lost their original phone or is unable to access the phone app. With this enhancement, users can seamlessly re-enroll a new device while keeping their ALT PWD credentials unchanged.

Additionally, this feature supports local key file (KF) conversion during recovery logins through Challenge Response, Self-Help, or One-Time Password (OTP) methods.

Solution: This functionality is available starting in version 9.2, offering a smoother and more user-resilient recovery experience.

Affected tickets: SD-50185

Expanded Support for Systems with More Than 16 Volumes.

Description: In previous versions of SDLinux, encryption was limited to systems with 16 or fewer volumes. If a system had more than 16 volumes, encryption would either fail or be unable to start on the additional volumes.

This improvement removes that limitation, allowing users to successfully encrypt systems with more than 16 volumes.

What This Means for You:

- You can now install and encrypt a system that already has more than 16 volumes without any issues.

- You can also start with a system that has fewer than 16 volumes, and later add more drives or partitions, even beyond the 16-volume mark, and encryption will continue to work smoothly.

This update provides greater flexibility for users with larger storage setups or complex system configurations.

Affected tickets: SD-50149

Proxy Settings Now Supported in Pre-Boot to Enable SDConnex Connectivity.

Description: Pre-Boot Authentication (PBA) now supports proxy settings, allowing SDConnex to connect properly in environments where internet access is routed through a proxy. This improvement helps users in managed networks stay connected without requiring manual configuration changes post-boot.

Solution:

- Proxy details (address and port) can now be read from system settings (`sdspace`) and applied during pre-boot.

- SDConnex will use these proxy settings instead of the default connection values, improving reliability in network-restricted setups.

This ensures users can stay connected during pre-boot, even in networks that require proxy access, helping with smoother updates, support tools, and remote device communication.

Note: No changes were made to SES 9.1 SR1 HF3 due to known limitations.

Affected tickets: SD-49561

SAML 2.0 Support Added for Seamless Single Sign-On (SSO).

Description: The web application now supports SAML 2.0 authentication, allowing users to log in through external identity providers using Single Sign-On (SSO). This enhancement simplifies access for organizations that use federated identity systems, improving user convenience and aligning with enterprise security practices.

What’s Improved: Users can now authenticate using their organization’s identity provider without needing to manage separate credentials for the application. This update ensures a smoother and more secure login experience while preserving support for all existing login methods.

Setup Notes: Administrators can configure the new SSO feature by specifying the appropriate login URLs for their environment. Secure HTTPS connections are required to enable safe communication during the authentication process.

This update makes it easier for organizations to integrate the application into their broader authentication ecosystem while maintaining a consistent and user-friendly login experience.

Affected tickets: SD-49487

SD-47948 Feature Restored: Crypto Erase Command for BitLocker Devices.

Description: In previous SES versions (8.6 to 9.1), the "Crypto-erase a device" option was available for BitLocker-managed devices but had been removed in more recent releases.

Update: The Crypto Erase functionality has now been re-enabled for BitLocker-managed devices (SDOT/SDBM) and is accessible through the SES Console and SES Web interfaces.

Important : Crypto Erase must first be enabled under Global Options. Please be aware that once a device is crypto-erased, the system becomes unrecoverable.

Affected tickets: SD-47948

Updated Hardware Detection to Address WMIC Deprecation in Windows 11 24H2.

Description: To maintain compatibility with Windows 11 24H2, SecureDoc has been enhanced to work seamlessly even on systems where the legacy WMIC utility is no longer available by default. This update ensures that hardware detection tasks tied to KnownConfigs.xml continue to function as expected during installation and system configuration.

Solution: A dynamic fallback mechanism has been implemented to patch in WMIC functionality when it's missing, and remove it once the task completes, ensuring hardware detection and setup remain uninterrupted. This change requires no manual steps from users and ensures consistent deployment behavior on newer Windows builds.

Affected tickets: SD-49529

Wireless Detection Resolved on Dell Precision 3591 with Intel Wi-Fi 6E AX211.

Description: Users reported that wireless networks were not being detected during pre-boot on Dell Precision 3591 devices using the Intel Wi-Fi 6E AX211 adapter. This occurred when using beta version 9.1SR1 HF2.

Solution: Wireless detection has been resolved in version 9.2, which introduces support for newer Intel wireless chipsets through an updated PBL kernel (6.11). Customers using Dell Precision 3591 devices are encouraged to upgrade to 9.2 for full wireless compatibility.

Affected tickets: SD-49296

Enhanced Filtering in SESWeb Reports (9.1 HF4).

Description: Several improvements have been made to the SESWeb report filtering system to provide more accurate and intuitive results when working with user, device, group, and key reports.

Solution: Filters for Yes/No fields have been updated to use checkbox options, and unnecessary or unsupported filters have been removed to improve usability. Fields such as First Name, Last Name, Email, and Phone now handle null or empty values correctly. Date filters have been improved to ensure they match the selected dates accurately, regardless of time values. Additionally, an internal server error previously affecting the Keys by Group report in SaaS environments has been resolved. These changes collectively enhance the reliability and clarity of report filtering across the SESWeb interface.

Affected tickets: SD-49053

Warning Message Removed When SID Is Null During Full Sync.

Description: Previously, a warning message would appear in ADSync logs during a full sync if a group had a missing SID (Security Identifier). While this did not affect functionality, it could cause unnecessary concern or confusion.

Solution: The system now handles cases where the SID is null more gracefully, preventing the warning from appearing. This results in cleaner logs and a smoother sync experience.

Affected tickets: SD-48723

ME

Smartcard-to-BLE Conversion Now Supported Without User Password.

Description: Organizations using smartcard-only authentication can now seamlessly transition users to MagicEndpoint’s Bluetooth (BLE) login without requiring a user password. This enhancement simplifies onboarding for environments where passwords are not used, such as those with strict smartcard-only policies.

Solution: Support for password-less smartcard-to-BLE conversion has been added in SES 9.1 SR1 HF3 and 9.2 SaaS. This allows large-scale user transitions without disrupting authentication workflows.

Affected tickets: SD-49184

IDP

SD-49815 New Feature: Manager Approval for User Login via Network Phone.

Description: This feature addresses scenarios where end-users are unable to access their mobile devices during login at the SDCP screen. Without their phone, users would typically be locked out. With this update, users can now request login approval from an assigned admin or manager, who will receive the push notification on their own mobile device.

Users can be assigned to one or multiple managers via SES Web or the IdP interface. When attempting to log in, users in a group can choose from their group’s assigned managers to approve the login push.

Solution: Implemented in SES 9.2, this feature introduces Manager Phone Approval for group managers. Administrators can assign managers to specific user groups either through the IDP or SES Web interface, enabling approval routing in cases where the user’s device is unavailable.

Affected tickets: SD-49815

LINUX

Automatic Setup of io_load Setting for Supported Linux Systems.

Description: We've made it easier to deploy SecureDoc on certain Linux systems by automatically handling the io_load configuration during installation. Previously, this step required manual setup, which could lead to delays or errors if overlooked.

Solution: SecureDoc now automatically detects when the io_load=256 setting is needed and applies it during installation, no manual steps required. This streamlines the deployment process and ensures a smoother setup experience, especially on RHEL 8.10 and 9.5 systems.

Affected tickets: SD-49992

Support Added for Red Hat Enterprise Linux (RHEL) 9.5.

Description: SecureDoc now supports Red Hat Enterprise Linux (RHEL) 9.5, including kernel version 5.14.0-503.23. This update ensures customers using the latest RHEL version can deploy and manage SecureDoc with full compatibility and confidence.

Solution: Support for RHEL 9.5 has been added, expanding compatibility with newer Linux environments and simplifying deployments for customers on the latest platform releases.

Affected tickets: SD-49991

Enhanced Recovery Support for Encrypted LVM Disks Attached to Encrypted Systems.

Description: SecureDoc Recovery for Linux (sdrecovery) has been improved to better support scenarios where an encrypted LVM disk is attached to another fully encrypted system. Previously, recovery would appear successful, but the additional encrypted volumes would not be accessible.

Solution: The recovery process now intelligently detects and handles duplicate device names, ensuring that attached encrypted disks are correctly unlocked and displayed for mounting. This enhancement makes recovery more reliable, even in complex environments using multiple encrypted systems.

Affected tickets: SD-49858

Enhanced Drive Encryption Performance on RHEL 9.4.

Description: An issue was identified where drive encryption on RHEL 9.4 systems was significantly slower than expected, taking over an hour to complete. This performance drop was linked to changes in how the SDLinux driver managed data conversion during encryption.

Solution: Performance has been improved by optimizing how the driver handles data conversion, specifically removing a limiting check that slowed down processing. With this update, encryption times have returned to expected levels, delivering a faster and more efficient deployment experience on RHEL 9.4 systems.

Affected tickets: SD-49508

Support for Ubuntu 22.04 in FIPS Mode.

Description: SecureDoc for Linux now fully supports deployment on Ubuntu 22.04 systems running in FIPS mode. Previous versions of SES were unable to generate installers that preserved end-to-end FIPS validation on some Ubuntu FIPS-mode environments.

Solution: This limitation has been resolved. SES can now create FIPS-compliant SecureDoc installers for Ubuntu 22.04, ensuring smooth deployment in security-hardened environments.

Affected tickets: SD-43713

Fixed Bugs

SecureDoc Console or SESWeb Console

Improved Handling of Simultaneous Logins with Case-Insensitive Usernames.

Description: In earlier versions, users could start multiple login sessions under the same user ID by entering the username with different capitalizations (e.g., “TERMINAL”, “terminal”, or “TerMinAl”), even when simultaneous logins were disabled. This behavior allowed multiple sessions to be created unintentionally despite the configuration setting <add key="DisableSimultaneousLogin" value="true" />.

Although the system correctly tracked the “last user login” timestamp, the session restriction was not enforced when capitalization differed.

Solution: This issue has been resolved in SES version 9.2. Simultaneous login restrictions now apply consistently, regardless of how the username is capitalized, ensuring reliable enforcement of session policies and a more secure user experience.

Affected tickets: SD-50398

Amend SDWeb Content Security Policy Header

Description: A vulnerability was identified in the SDWeb login page related to a misconfigured Content Security Policy (CSP) header. The issue was caused by limitations in a third-party component that required an upgrade to support stricter security compliance.

Resolution: The Content Security Policy has been updated to align with modern web security standards by removing unsafe directives and adding additional restrictions to prevent unauthorized script execution. Supporting components were upgraded and modified to ensure compatibility with the enhanced policy. This update improves overall SDWeb security while maintaining full functionality, with no action required from customers beyond applying the latest version.

Affected tickets: SD-48758

Improved Pre-Boot Login Handling for SAM ID After Upgrade to 9.1 SR1.

Description: In earlier upgrades to 9.1 SR1 from 8.6/9.0 SR3, some users experienced unexpected behavior at the pre-boot screen, where their login format switched from the familiar Domain\UserID to the UPN format (e.g., [[email protected]](mailto:[email protected])). This occurred due to how the system prioritized account matching when domain aliases were used.

Solution: SES 9.2 enhances pre-boot login behavior by correctly recognizing SAM IDs, even in environments with domain aliases and cached credentials. This ensures a smoother and more familiar sign-in experience for users after upgrading.

Affected tickets: SD-49990

SD-49797 PWM Configuration UI Added to SES Console.

Description: SecureDoc Password Manager (PWM) is a suite of components designed to assist or take over manual username/password logins for applications that do not support password-less authentication. It complements ME’s password-less authentication by managing credential entry for incompatible applications. PWM includes both Client and SES components, and its configuration was previously only available through the SD profile and had to be set manually.

What's New in 9.2 In version 9.2, a configuration UI for PWM has been added directly to the SES console. This new interface is available in the profile section under "Password Manager."

Affected tickets: SD-49797

Reports Now Respect User Folder Permissions in SDWeb.

Description: In earlier versions, certain SDWeb reports displayed information from folders that users did not have permission to access, such as the root folder or recycle bin. This affected report accuracy and user access control, particularly for limited-scope admin roles.

Solution: Folder-based permissions are now correctly enforced across SDWeb reports. Users can only view report data for folders they are explicitly granted access to. This fix applies to reports including:

- MagicEndpoint User Registration

- Users by Domain

- Keys by Device

- Keys by Group

- Keys by User

Additionally, access to specific report menus and dashboards now requires assigned role permissions. For example, to view the Device Report Menu or Dashboard, a role must include permission to read device data.

Affected tickets: SD-49188

Error 500 When Signing In to SESWeb with Valid User Account.

Description: Following an upgrade to SES 9.1 SR1, some users encountered an HTTP Error 500 or a “User is not registered” message when signing in to SESWeb, even with previously valid credentials.

Solution: This issue has been resolved in SES 9.1 SR1 HF2 and SaaS. Improvements were made to better handle user account data during login, ensuring more reliable access and preventing unexpected errors for valid users.

Affected tickets: SD-49080

SD Clilent

Wireless Network Not Detected on HP ZBook Firefly 16-inch G11.

Description: Support for the Intel Wi-Fi 6E AX211 network card has been enhanced to ensure proper detection during pre-boot on HP ZBook Firefly 16-inch G11 systems. This update improves wireless connectivity during authentication and setup.

Solution: The issue was resolved through updated system drivers and BIOS, enabling proper detection of the wireless network card during pre-boot. This enhancement ensures seamless wireless functionality on supported HP ZBook Firefly G11 devices running Windows 11.

Affected tickets: SD-50481

Lenovo T16 Gen 3 – PBU AutoBoot Not Working When Connected to LAN.

Description: On the Lenovo T16 Gen 3, users experienced an issue where AutoBoot with Pre-Boot for Wired LAN (PBU) did not function as expected. The system would remain on the pre-boot screen without proceeding to auto-login when connected to a wired network. Pressing CTRL+ALT+DEL would allow the process to continue, but this was not ideal for user experience.

Solution: Improvements have been made to enhance AutoBoot reliability for wired connections on supported devices. Users can now expect seamless AutoBoot at pre-boot without manual intervention.

Affected tickets: SD-50236

Bluetooth Adapter Not Detected After Resuming from Hibernation on HP ZBook Firefly 14" G11.

Description: Some HP ZBook Firefly 14" G11 devices experienced an issue where the wireless adapter would fail to resume properly from hibernation, requiring a full reboot to restore connectivity. This was especially critical for large-scale depoyments using MediaTek Wi-Fi 6E adapters.

Solution: A new configuration option has been introduced to improve wireless adapter recovery during resume from hibernation. By setting the advanced boot parameter wmsd_reset_wlan=1, the system will reset the PCIe wireless adapter automatically, ensuring seamless connectivity after sleep or hibernation.

Affected tickets: SD-49138

Black Screen on Boot – HP ZBook Power 15.6" G10.

Description: Some users reported a black screen after boot on the HP ZBook Power 15.6" G10, where the device appeared to be running but the login screen was not visible, either on the internal or external display. Typing login credentials blindly still allowed successful boot into Windows.

Solution: Adjusting the advanced boot profile settings to include nomodeset resolved the display issue and allowed the login screen to appear as expected.

This update improves compatibility with display initialization during the boot process on affected hardware.

Affected tickets: SD-47417

LINUX

SD Boot Failure During SDLinux Installation When USB Stick Is Connected.

Description: An issue was identified where devices could fail to boot properly after SDLinux installation if a USB stick was plugged in at the time of installation. This was due to the installer potentially assigning sdspace to the USB device, resulting in a misconfigured or non-functional boot environment.

Solution: A fix has been implemented to detect and skip removable disks during installation, preventing sdspace from being assigned to USB devices. This update enhances the reliability of SDLinux deployments, especially during scripted or automated installations.

Recommendation: Ensure no USB drives are connected to the system during installation to avoid unexpected behavior.

Affected tickets: SD-50023

Limitations

ME Application - Phone

Geolocation Restriction Behavior for MFA, Network Phone Key File, IdP Portal, RADIUS, and LDAP Logins.

Description: End-users can successfully log in using MFA, Network Phone key files, IdP portal, RADIUS, and LDAP through the ME application, even when accessing from locations outside of allowed geolocation zones. This ensures continued access for essential authentication methods across varying environments.

Solution: Geolocation policies are designed to evaluate both the user and the associated service provider. When both are configured within the same group with defined allowed locations, geolocation restrictions are fully enforced. This behavior is supported for Service Provider (SP) logins using Out-of-Band (OOB) authentication, where access is permitted only from approved locations. For other authentication methods such as MFA, Network Phone key file, IdP portal, RADIUS, and LDAP, access remains available regardless of location, supporting flexible and uninterrupted login experiences for users.

Notes:

- SP logins via OOB enforce geolocation restrictions as configured.

- Other authentication methods remain accessible from any location, ensuring consistent user access where applicable.

Affected tickets: SD-50721

SD Client

Volume Count Restrictions for Encryption in SecureDoc Client.

Description: The SecureDoc Client currently has limitations when encrypting systems with a high number of volumes. If a device requires encryption for more than 20 volumes, this cannot be achieved through a standard client upgrade. A full uninstall followed by a fresh installation of the SecureDoc Client is required to enable encryption for configurations exceeding 20 volumes.

Additionally, systems that already have 31 encrypted volumes may encounter errors when attempting to add and encrypt more volumes using commands such as secdoc.py add. This is due to a maximum volume threshold being reached, preventing further encryption.

Note: These limitations apply specifically to the SecureDoc Client and do not affect the SES Console or SESWeb Console. Administrators planning for large-volume configurations should account for these constraints during deployment.

Affected tickets: SD-50747, SD-50700

SDCP Login Method Display Update After SES 9.2 Upgrade with BLE and MagicEndpoint.

Description: After upgrading from SES 9.0 SR4 to SES 9.2 and deploying a client package with BLE and MagicEndpoint enabled, users may notice that the SDCP screen initially shows only the UserID without displaying the login method.

Attempting to proceed may result in a message stating, “The specified username is invalid.”

This occurs only after the first startup post-upgrade. Once the system is restarted, the SDCP screen displays the correct login options, “Login with MagicEndpoint Phone App” and “Login with Alternative Password” and the user can log in as expected.

Note: This is a one-time behavior after upgrading and is resolved with a simple system restart. All BLE login functionality remains intact, and no additional configuration is required.

Affected tickets: SD-50537

Contact WinMagic

Acknowledgements

This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young ([email protected]) and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).

WinMagic would like to thank these developers for their software contributions.

©Copyright 1997 – 2025 by WinMagic Corp. All rights reserved.

Printed in Canada Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.

WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, SecureDoc Cloud Lite, MagicEndpoint and MagicEndpoint FIDO Eazy are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2025 WinMagic Corp. All rights reserved.

© Copyright 2025 WinMagic Corp. All rights reserved. This document is for informational purpose only. WinMagic Corp. makes NO WARRANTIES, expressed or implied, in this document. All specification stated herein are subject to change without notice.