<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<style>
h1 {
font: normal normal bold 175%sans-serif;
font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
color: #f7941c;
}
h2, {
font: normal normal bold 150% font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;color: #f7941c;
}
h3, {
font: normal normal bold 100% font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;color: #f7941c;
}
body, {
font: normal normal normal smaller sans-serif;</font>
font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
background-color: White;
Color: Black;
margin: 16px;
}
ul, {
font: normal normal normal 100%
font-family: "Times New Roman", Times, serif;
list-style-type: disc
list-style-position: outside;
text-align: left;
margin: 16px;
}
li {
font: normal normal normal 100%
font-family: "Times New Roman", Times, serif;
text-align: left;
}
p{
font-family: "Times New Roman", Times, serif;
}
pre{
font-family: monospace;
}
note{
font-family: "Times New Roman", Times, serif;
font-size: x-small;
}
code {
font-family: "Courier New", Courier, monospace;
font-size: 98%;
}
a:link {
text-decoration: none;
}
a:visited {
text-decoration: none;
}
</style>
<title>Sentinel LDK and Sentinel HASP Run-time Environment Installer
GUI: Readme</title>
</head>
<body>
<h1>Sentinel<sup>®</sup>
LDK <nobr>and Sentinel HASP<sup>®</sup>
Run-time</nobr> Environment
Installer GUI for Windows: Readme</h1>
<h2>Version 7.54</h2>
<h3>February 2017</h3>
<hr align="left">
<p>This document provides
information regarding the Run-time Environment Installer GUI for
Sentinel LDK and Sentinel HASP, including supported operating systems,
enhancements, known compatibility issue, and issues resolved.
("Sentinel LDK" is the next generation of Sentinel HASP.)</p>
<p>The following topics are discussed:<a name="topics"></a></p>
<ul>
<li><a href="#OS_support" style="text-decoration: none; ">Operating Systems Supported</a></li>
<li><a href="#upgrading" style="text-decoration: none; ">Upgrading the Run-time Environment</a></li>
<li><a href="#installing" style="text-decoration: none; ">Installing the Run-time Environment</a></li>
<li><a href="#deviceGuard" style="text-decoration: none; ">Issues Related to Device Guard and Code Integrity Policies</a></li>
<li><a href="#fixes" style="text-decoration: none; ">Enhancements and Issues Resolved in This Release</a></li>
<li><a href="#history" style="text-decoration: none; ">Revision History</a></li>
<li><a href="#knownIssues" style="text-decoration: none; ">Known Issues - Run-time
Environment</a></li>
</ul>
<h2>Operating Systems Supported<a name="OS_support"></a></h2>
<ul>
<li>Windows XP (X86) SP3</li>
<li> Windows XP (X64) SP2</li>
<li> Windows Vista SP2</li>
<li> Windows 7 SP1</li>
<li> Windows 8.1 SP1</li>
<li>Windows 10 Version 1607 </li>
<li> Windows Server 2003 SP2</li>
<li>Windows Server 2008 SP2</li>
<li> Windows Server 2008 R2 SP1</li>
<li> Windows Server 2012 R2</li>
<li>Windows Server 2016</li>
<li> Windows 7 SP1 Embedded
standard (x86)</li>
</ul>
<p>The operating system versions listed in this section were tested by Gemalto and verified to be fully compatible with Sentinel LDK. Older operating system versions are likely to be fully compatible as well, but are not guaranteed. For reasons of compatibility and security, Gemalto recommends that you always keep your operating system up to date with the latest fixes and service packs.</p>
<p><a href="#topics" style="text-decoration: none; ">Back to Topics</a></p>
<h2>Upgrading the Run-time
Environment<a name="upgrading"></a></h2>
<p>When using the Installer GUI to
upgrade the Run-time Environment, ensure that:</p>
<ul>
<li>No other Run-time
Environment Installer is active.</li>
<br>
<li>No other Run-time
Environment components are active. Although the installation program
terminates applications that are accessing the Run-time, it does not
terminate running services. For example, if the Sentinel License
Manager is running as a service, you must stop the service before
upgrading the Run-time Environment.</li>
</ul>
<p><a href="#topics" style="text-decoration: none; ">Back to Topics</a></p>
<h2>Installing the Run-time
Environment<a name="installing"></a></h2>
<ul>
<li>The Installer GUI detects
the version of the operating system during Run-time Environment
installation, before installing the relevant drivers.</li>
<br>
<li>By default, Windows Vista
(and later) operating systems display a <b>User
Account Control</b> message during
driver installation. The user must click <b>Continue</b>
to continue the installation. Alternatively, the user can change the
default setting from the Control Panel of their operating system.</li>
<br>
<li>A log file of the
installation process is written to <b>aksdrvsetup.log</b>
in the Windows directory.</li>
</ul>
<p><a href="#topics" style="text-decoration: none; ">Back to Topics</a></p>
<h2>Issues Related to Device Guard and Code Integrity Policies<a name="deviceGuard"></a></h2
>
<p>The traditional method until now to protect against malicious application under Windows has been to trust the applications unless they were blocked by an antivirus or other security solution. Device Guard, available in Windows 10 Enterprise, implements a mode of operation in which the operating system trusts only applications that are authorized by your enterprise. You designate these trusted applications by creating <em>code integrity policies</em>.</p>
<p>You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.<br>
<br>
Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.</p>
<p>Code integrity contains two primary components:</p>
<ul>
<li><span dir="LTR"> </span>kernel mode code integrity (KMCI)</li>
<li><span dir="LTR"> </span>user mode code integrity (UMCI)</li>
</ul>
<p>This section describes issues that arise and the workarounds when machines at the end user site are enabled with Device Guard, and the code integrity policy set to “enforce” mode.</p>
<p><strong>Note:</strong> The procedures described in this document should be performed by an IT professional who is familiar with Device Guard and code integrity policies.</p>
<h3>Issue 1: Protected application does not operate at the customer site</h3>
<p>(LDK-17267) ) When you distribute applications that are protected with SL keys, the customized vendor library (haspvlib_<em>vendorID</em>.*) that are required for these applications are not signed. As a result, Device Guard does not allow the software to operate at the customer site.</p>
<p><strong>Workaround A:</strong></p>
<p>This workaround must be performed at the customer site.</p>
<p>Do the following to add an exception for the customized vendor library file in the code integrity policy:</p>
<ol>
<li>Use Windows PowerShell in elevated mode to create a policy for the exception.</li>
<li>Use the Group Policy editor to deploy the policy file.</li>
</ol>
<p>Each of these procedures is described below. For additional details, go to:<a href="https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-steps?f=255&MSPPError=-2147217396"> https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-steps?f=255&MSPPError=-214721739