Hardware Password Manager Version 1.0 Deployment Guide
Date: June 12, 2009

First Edition (May 2009)

© Copyright Lenovo 2009.

LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold to governmental entities as commercial items as defined by 48 C.F.R. 2.101 with limited and restricted rights to use, reproduction and disclosure.

LIMITED AND RESTRICTED RIGHTS NOTICE: If products, data, computer software, or services are delivered pursuant to a General Services Administration "GSA" contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.


Preface

This guide is intended for IT administrators, or those who are responsible for deploying the Lenovo Hardware Password Manager program on computers in their organizations. The purpose of this guide is to provide the information required for installing Hardware Password Manager on one or many computers, provided that licenses for the software are available for each target computer. The Hardware Password Manager application provides application help, which administrators and users can consult for information about using the application itself.

Lenovo Hardware Password Manager is developed for IT professionals and the unique challenges they may encounter. This deployment guide will provide instructions and solutions for working with Hardware Password Manager. If you have suggestions or comments, communicate with your Lenovo™ authorized representative. To learn more about the technologies that can help you lower the total cost of ownership and to check for periodic updates to this guide, visit the following Web site: www.lenovo.com

Contents

Preface (page iii)

Chapter 1. Overview (page 1)

Chapter 2. Installing Hardware Password Manager on LANDesk Management Suite (page 3)
  Prerequisites (page 3)
  Installing Hardware Password Manager on the LANDesk Management Suite core server (page 4)
  LDMS server setup (page 5)
  Migrating to a new LDAP server (page 5)
  Installing Hardware Password Manager on a Lenovo device (page 6)

Chapter 3. Managing Hardware Password Manager devices with LANDesk Management Suite (page 7)
  Viewing Hardware Password Manager devices and their properties (page 7)
  Managing enrolled users on Hardware Password Manager devices (page 8)
    Configuring an LDAP server connection (page 9)
    Viewing Hardware Password Manager users and their properties (page 9)
    Revoking a user’s access to a Hardware Password Manager device (page 10)
    Managing Hardware Password Manager groups (page 10)
  Managing remote actions and policy settings for Hardware Password Manager devices (page 12)
    Updating client policies globally (page 13)
    Updating hardware passwords globally (page 14)
    Updating the emergency account (page 15)
    Changing server policy settings (page 15)

Chapter 4. Hardware Password Manager Client (page 19)
  Hardware Password Manager device setup (page 19)
  Registering a device with the Hardware Password Manager server and enrolling the first user (page 20)
  Enrolling additional users on a Hardware Password Manager device (page 21)
  Unenrolling a user from a Hardware Password Manager device (page 21)
  Unregistering a device from the Hardware Password Manager server (page 22)
  Updating credentials on a Hardware Password Manager device (page 22)

Chapter 5. Deployment (page 25)
  Fingerprint Integration (page 25)
  Safe Guard Easy/Safe Guard Enterprise compatibility (page 27)
  One-touch registration (page 27)
    Pre-registration (page 27)
    User enrollment on a pre-registered system (page 28)
  Client Policy settings (page 28)

Chapter 6. Scenarios (page 31)
  Service scenarios (configuration changes) (page 31)
    Scenario 1 - Hardware configuration changes (page 31)
    Scenario 2 - CMOS error (page 31)
    Scenario 3 - Replace fingerprint device (page 32)
    Scenario 4 - Hardware passwords already set (page 32)
    Scenario 5 - Setup under the OS (remote BIOS settings) (page 33)
    Scenario 6 - Replace system board (page 33)
    Scenario 7 - Add a hard disk drive (page 33)
    Scenario 8 - Replace hard disk drive (page 34)
    Scenario 9 - Change hard disk location within a system (page 34)
    Scenario 10 - Remove a hard disk drive (page 34)
    Scenario 11 - Flashing the BIOS (page 35)
    Scenario 12 - Registered system can no longer access the LDMS server (page 35)
    Scenario 13 - Enter the BIOS setup (page 35)
    Scenario 14 - Load default settings in BIOS setup (page 36)
    Scenario 15 - Do not protect all hard drives (page 36)
  User Scenarios (page 36)
    Scenario 1 - Forgot Hardware Account credentials, network connected (page 36)
    Scenario 2 - Forgot Hardware Account credentials, NOT network connected (page 36)
    Scenario 3 - Forgot corporate password (page 37)
    Scenario 4 - Manual login using different keyboard types (page 37)
    Scenario 5 - Handling enrollment from multiple boot partitions (page 37)
    Scenario 6 - BitLocker (page 37)

Appendix A. Hints and tips (page 39)

Appendix B. Notices (page 45)
  Trademarks (page 46)

Chapter 1. Overview

When Hardware Password Manager is installed, the LANDesk Management Suite core server acts as the Hardware Password Manager server: it manages and authenticates Hardware Password Manager devices. In addition, an LDAP server functions as the authentication server for Hardware Password Manager; the Hardware Password Manager server checks user credentials against data on the LDAP server.

On client devices with Lenovo Hardware Password Manager BIOS chips, the administrator installs a LANDesk agent that contains a Hardware Password Manager driver. When the client device boots, it communicates through a UDP channel with the Hardware Password Manager server module (a Windows service) on the LDMS core server.

After the client has booted to the operating system, it uses PSI.DLL (installed with the LANDesk agent) to communicate with a Web service on the LDMS core server. This communication is through an HTTPS channel.

The administrator uses the Hardware Password Manager features in LANDesk Management Suite to manage Hardware Password Manager devices and create and deploy policies to these devices. These policies determine how Hardware Password Manager is implemented for the devices; for example, the administrator selects which user options are available on Hardware Password Manager devices as part of the policy definition.

Chapter 2. Installing Hardware Password Manager on LANDesk Management Suite

To use Hardware Password Manager functionality with LANDesk Management Suite 8.8, install the Hardware Password Manager patch on a LANDesk core server. As you configure this installation, you will set up an LDAP (Lightweight Directory Access Protocol) server to act as the LDAP authentication server for Hardware Password Manager. Next, you install the Hardware Password Manager client software on individual Lenovo devices that are equipped with Hardware Password Manager BIOS.

After completing these installation tasks, you can begin registering Lenovo Hardware Password Manager devices on the Hardware Password Manager server (the LANDesk core server) and enroll users on those devices.

Prerequisites

The following items should be considered prior to installing LANDesk Management Suite products on your server:
• The server should have access to the internet in order to obtain prerequisites and to activate after the install is complete.
• The server should have a static IP address.
• The server cannot be a Domain Controller. It is recommended, however, to have the server join a domain.
• The account you log in to to perform the installation of the core server must have Administrator privileges on the server with full read/write access. Ideally this account would also be a Domain Administrator account. This account will be used to create the initial administrator-level account used to log into the LANDesk console.

In order to ensure a clean, working installation of LANDesk Management Suite products, the following installation order is recommended:
1. Install Windows Server 2003 SP1, or install Windows 2000 Server or Advanced Server with SP4 and IIS 5.
2. Install the Windows Component Internet Information Services (IIS).
   Note: This MUST be done before installing ASP.Net.
3. Install the following Windows Components:
   • ASP.Net
   • SNMP
4. Use Windows Update to install all available critical updates.
5. Install Microsoft .NET Framework 2.0 or higher.
6. Install Web Services Enhancements (WSE) 2.0 SP3 for Microsoft .NET (LANDesk Process Manager only).
   Note: This specific version is required.

After the LANDesk product is installed, it is recommended that you enable Security and Patch Manager to obtain updates for the LANDesk product. In the console application, click Help -> LANDesk® Help Wizard -> Security Updates for a guide to configuring Security and Patch Manager.

Installing Hardware Password Manager on the LANDesk Management Suite core server

For LANDesk Management Suite Requirements, please visit: http://www.landesk.com/SolutionServices/product.aspx?id=670

1. The recommended platform is Windows Server 2003 R2 with SP2. Install Windows Components. The Windows Server 2003 installer is also needed to install the Windows components.
   a. Go to Start -> Control Panel -> Add or Remove Programs.
   b. Click Add/Remove Windows Components.
   c. Add the following components:
      1) Application Server
         • ASP.NET
         • Internet Information Services (IIS)
      2) Management and Monitoring Tools
         • Simple Network Management Protocol
      3) Microsoft .NET Framework 2.0 (for Windows Server 2003 R2)
   d. Click Next.
   e. For Optional Networking Components, select Yes.
   f. Click Finish.
   g. For Windows Server 2003 Standard Edition, install ASP.NET 2 by following these steps:
      1) Open a command prompt.
      2) Go to the C:\WINDOWS\Microsoft.NET\Framework\v2.0.xxxxx directory.
      3) Enter aspnet_regiis.exe -i.
   h. Restart the system.
2. The Ethernet driver is installed.
3. Install Web Services Enhancements (WSE) 2.0 SP3.
   a. Install WSE 2.0 SP3, available at: http://www.microsoft.com/downloads/details.aspx?FamilyID=1ba1f631-c3e7-420a-bc1e-ef18bab66122&DisplayLang=en
   b. Choose Runtime as Setup Type.
4. Install the LDMS Integration Toolkit, toolkit3103.exe, available at: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=LDMS-TVT

LDMS server setup

Make sure the LDAP server (MS Active Directory or Novell eDirectory) which acts as the LDAP authentication server for Hardware Password Manager is prepared and works properly.

1. Run the ThinkManagement Autorun.exe and select Install on Core Server. Follow the prompts in the installation wizard and select Reboot Now after installation.
2. Activate the core server: select activating the core server using your LANDesk contact name and password, or select the 45-day trial (internet connection required).
3. Configure the LDAP Server:
   a. Connect the LDMS Server and LDAP Authentication server to the network.
   b. Launch ThinkManagement Console.
   c. In the toolbox, there is a ThinkVantage Hardware Password Manager group with three items: Enrolled Users, Intranet Account Groups, and Remote Actions and Policy Settings. Click Intranet Account Groups and click the Configure LDAP server button (the third button) on the toolbar.
   d. Enter the information for the LDAP server that will serve as the authentication server. The following items need to be defined for the LDAP server:
      • Hostname: the name of the LDAP server.
      • Port: the port number to communicate with the server. The default port is 389 for MS Active Directory; when you select Novell eDirectory as the LDAP server, the default port is 636.
      • Server type: select the type, either MS Active Directory or Novell eDirectory.
      • Encryption type: select the type of encryption used for communication with the server.
      • Authorized user:
        – The username for logging in to the Microsoft Active Directory server: a domain name\username or simply a username.
        – The username for logging in to a Novell eDirectory server: it is better to use cn=admin name,o=admin context. If Bind Restrictions is set to None, admin name.admin context could work; if Bind Restrictions is Disallow anonymous simple bind, admin name.admin context will not work.
      • Password: the password for the authorized user on the LDAP server.
   e. Click OK when the information is complete.

LDMS Server setup is now complete.

Migrating to a new LDAP server

You may find that you need to change the IP address or hostname of your LDAP server. You may also need to change to a new server with a different IP address, or even change to a different type of LDAP server.

If any of these changes occur, you need to migrate the LDAP server data by purging the old data from your LANDesk database and creating a new LDAP server configuration. To do this, run the HpmDbUtil.exe utility located in \program files\landesk\ManagementSuite\, then repeat the LDAP configuration task in step 3 above. This utility will make the necessary changes in the database and allow LANDesk Management Suite to communicate with the new LDAP server.

Note that the following will occur when you run HpmDbUtil.exe:
• All previous Hardware Password Manager data in the database will be removed, including registered devices, enrolled users, and remote actions.
• All hardware passwords will be removed.
• Global server settings will be reset to default values, except for the portal service. Both IIS and the portal service will be restarted.

Important: before you purge data using HpmDbUtil.exe, make sure that all hardware password protected devices can be unlocked.

After migrating to a new LDAP server, make sure you restart the server so that you can pass the corporate account authentication.

Installing Hardware Password Manager on a Lenovo device

To add Hardware Password Manager features to a Lenovo device, deploy a LANDesk agent to the device that includes the Hardware Password Manager client component. You can do this by pushing a LANDesk agent to the notebook (such as with a scheduled task) or by pulling the agent.

To deploy an agent with Hardware Password Manager client features:

1. In the LANDesk Management Suite console, click Tools -> Configuration -> Agent Configuration.
2. Click New on the Agent Configuration tool bar, and make sure ThinkVantage HPM client is selected in the Agent Components to Install section.
3. Save the configuration, and then use the push method to deploy the agent to the Lenovo device. Refer to the LANDesk Getting Started and Discovering and Installing Agents help wizards under the online help for more information. For Getting Started, you only need to perform the Launch the Configure Services Tool and Configure Scheduler Credentials steps.

Notes:

1. To simplify the device discovery process, turn off the Windows firewall.
2. For Windows XP, simple file sharing must be disabled on the Lenovo device. This is normally disabled by default for devices that log into a domain. You can turn off this option from Windows Explorer. Click Tools -> Folder Options -> View, scroll to the bottom of the list and uncheck Use simple file sharing.
3. For Windows Vista it is recommended that User Account Control be turned off.

When the agent is deployed, the Client Portal is installed on the device with associated .dll files. The filename of the Client Portal is cmp_portal.exe, which is located in the C:\Program Files\Lenovo\Hardware Password Manager folder.

Chapter 3. Managing Hardware Password Manager devices with LANDesk Management Suite

Interface elements are added to the console to help you manage Hardware Password Manager devices. In the network view, Hardware Password Manager devices that have been discovered and managed are listed in a separate Hardware Password Managed devices group. You can view these devices and their properties from the network view. Also in the network view, when a list of devices includes Hardware Password Manager devices, you can right-click on a Hardware Password Manager device to use a context menu with Hardware Password Manager features.

In the toolbox, a Hardware Password Manager group is added, with three items: Enrolled users, Intranet Account Groups, and Remote actions and policy settings.

The options in the interface are described in detail in the following sections:
• “Viewing Hardware Password Manager devices and their properties”
• “Managing enrolled users on Hardware Password Manager devices” on page 8
• “Configuring an LDAP server connection” on page 9
• “Viewing Hardware Password Manager users and their properties” on page 9
• “Revoking a user’s access to a Hardware Password Manager device” on page 10
• “Managing Hardware Password Manager groups” on page 10
• “Managing remote actions and policy settings for Hardware Password Manager devices” on page 12
• “Updating client policies globally” on page 13
• “Updating hardware passwords globally” on page 14
• “Updating the emergency account” on page 15
• “Changing server policy settings” on page 15

Viewing Hardware Password Manager devices and their properties

In the LANDesk Management Suite network view, a separate folder under the Devices folder is added for Lenovo Hardware Password Manager devices that have been discovered and managed. Open this Hardware Password Managed devices folder to view a list of Lenovo Hardware Password Manager devices.

To view a Hardware Password Manager device’s properties:

1. In the LDMS network view, expand the Devices folder and click the Hardware Password Managed devices folder.
2. Right-click the name of a Hardware Password Manager device and select HPM properties.

Options in the properties dialog are summarized below. These options are not editable from this dialog.

Summary:

Passwords listed on this tab can be automatically generated or can be set for each device, depending on how the policy is defined.

• Registration time and status: lists the date/time of registration and current status.
• BIOS passwords: displays the passwords for each BIOS profile and the date/time the profile was last backed up. This section includes the supervisor password (SVP), which logs on to the device with administrator access, and the power-on password (POP), which logs on to the device as a user.
• Hard disk passwords: lists passwords for accessing each hard disk on the device. This section displays the master password, the user password, and the backup password for the hard disk (click the View button to see the backup password).
• Emergency Admin Account: lists the credentials for the administrative account that can access the Hardware Password Manager device. The emergency admin account is created on every device. This credential can be used in an emergency to access the device’s BIOS with administrator privileges.

Enrolled users:

All users that are enrolled to access the Hardware Password Manager device are listed on this tab. The intranet account user name is the name used for LDAP user account login. The hardware account user name is the name used to save data to the hardware account (a secure area of non-volatile memory that can only be accessed by the computer’s BIOS). The LDAP path shows the user’s location in the LDAP server tree (for example, CN=ADMINISTRATOR,CN=USERS,DC=TESTLAB).

Member of:

This tab lists the Intranet Account groups that the device is a member of. The LDAP path shows the group’s location in the LDAP server tree.

Remote Actions:

The Remote actions section lists all previous remote actions that have been applied to this Hardware Password Manager device. The Revoke user remote actions section lists users that were enrolled on the device but whose access has been revoked.

Client Policy:

The Windows policy list shows the status of OS-related policy settings currently applied on the device. The BIOS policy list shows the status of BIOS-related policy settings currently applied on the device. These settings are selected in the Update Client Policy dialog (see “Updating client policies globally” for information on setting the policy, and “Updating hardware passwords globally” on page 14 for more information).

Managing enrolled users on Hardware Password Manager devices

When a Lenovo Hardware Password Manager device is registered with the Hardware Password Manager server, the main user of that device is enrolled as an authorized user of that Hardware Password Manager device. You can enroll additional users on each Hardware Password Manager device, by using the Client Portal on the device or by including the user in a Hardware Password Manager group that has rights to that device.

To manage users for Hardware Password Manager devices, use the Enrolled users option in the Management Suite toolbox (or, in the Management Suite console, click Tools -> Hardware Password Manager -> Enrolled Users).

Using the Enrolled users tool, you can:
• Configure the LDAP server connection
• View a list of Hardware Password Manager users
• View the properties of a Hardware Password Manager user
• Revoke a user’s access to a Hardware Password Manager device

Configuring an LDAP server connection

In the Enrolled users and Intranet account groups views, users and groups are listed in a tree structure that displays the users and groups on the LDAP server you use for Hardware Password Manager authentication. To view that tree structure, you must first configure the LDAP server connection.

The information you enter in this dialog enables the Hardware Password Manager server to connect to the LDAP server, which can be either a Microsoft Active Directory server or a Novell eDirectory server.

You can migrate from one LDAP server to another without losing data. If you find that you need to use a different server for LDAP authentication, enter the configuration data for the new server.

To configure an LDAP server connection:

1. Click Enrolled users in the toolbox (or click Tools -> Hardware Password Manager -> Enrolled Users).
2. Click the LDAP server button.
3. Enter the Hostname of the LDAP server.
4. If you want to use a port other than the default to access the server, clear the Use default port checkbox and enter another port number.
5. Select the Server type (MS Active Directory or Novell eDirectory).
6. Select the Encryption type for the server.
7. Enter the credentials used to access the LDAP server in the Authorized user and Password text boxes. The user can be in the form domain\username or can simply be the user name.
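The LDAP connection settings described here and in the LDMS server setup steps of Chapter 2 (hostname, port, server type, encryption type, authorized user) are worth checking before they are entered in the console. The following Python script is an added example, not Lenovo or LANDesk code: it validates a proposed configuration against the rules the guide states (the 389/636 defaults, the domain\username and cn=admin name,o=admin context bind forms, the eDirectory Bind Restrictions caveat) and flags a simple bind that would send the authorized user's password unencrypted. The encryption labels and the Bind Restrictions values are assumptions.

```python
"""Pre-flight checks for the LDAP authentication server settings used by
Hardware Password Manager. Added example; field names mirror the Configure
LDAP server dialog described in the guide, while the encryption labels
("None", "SSL", "StartTLS") and the eDirectory Bind Restrictions values are
assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

AD = "MS Active Directory"
EDIR = "Novell eDirectory"

# Defaults as stated in the guide: 389 for Active Directory, 636 for eDirectory.
DEFAULT_PORT = {AD: 389, EDIR: 636}

# Bind identity forms the guide documents for eDirectory.
DN_FORM = re.compile(r"cn=[^,]+,o=[^,]+", re.IGNORECASE)       # cn=admin name,o=admin context
DOTTED_FORM = re.compile(r"[^\s=,.]+(?:\.[^\s=,.]+)+")          # admin name.admin context


@dataclass
class LdapConfig:
    hostname: str
    server_type: str
    authorized_user: str
    password: str
    port: Optional[int] = None          # None means the "Use default port" box is checked
    encryption: str = "None"            # assumed labels: "None", "SSL", "StartTLS"
    bind_restrictions: str = "None"     # eDirectory only (assumed): "None" or
                                        # "Disallow anonymous simple bind"


def effective_port(cfg: LdapConfig) -> int:
    """Port the server module will actually connect to."""
    if cfg.port is not None:
        return cfg.port
    return DEFAULT_PORT[cfg.server_type]


def check_config(cfg: LdapConfig) -> List[str]:
    """Return findings prefixed ERROR/WARN; an empty list means the settings are consistent."""
    findings: List[str] = []

    if cfg.server_type not in DEFAULT_PORT:
        return [f"ERROR: unknown server type {cfg.server_type!r}"]
    if not cfg.hostname.strip():
        findings.append("ERROR: hostname is empty")

    port = effective_port(cfg)
    if not 1 <= port <= 65535:
        findings.append(f"ERROR: port {port} is out of range")
    if cfg.encryption == "None":
        # A simple bind with no transport encryption carries the authorized
        # user's password in clear text between the LDMS core and the LDAP server.
        findings.append(f"WARN: no encryption on port {port}; the authorized "
                        "user's password crosses the network in clear text")
    if port == 636 and cfg.encryption != "SSL":
        findings.append("WARN: port 636 is the LDAPS port but encryption type is not SSL")

    user = cfg.authorized_user.strip()
    if not user:
        findings.append("ERROR: authorized user is empty")
    elif cfg.server_type == AD:
        # Guide: "domain\username or simply a username"; a DN or a multi-backslash
        # value is not one of the documented forms.
        if "=" in user or user.count("\\") > 1 or any(c.isspace() for c in user):
            findings.append("WARN: Active Directory user should be domain\\username or username")
    else:
        if DN_FORM.fullmatch(user):
            pass                                    # preferred form per the guide
        elif DOTTED_FORM.fullmatch(user):
            if cfg.bind_restrictions != "None":
                findings.append("ERROR: dotted 'admin name.admin context' form will not bind "
                                "when Bind Restrictions is 'Disallow anonymous simple bind'; "
                                "use cn=admin name,o=admin context")
            else:
                findings.append("WARN: dotted form may work with Bind Restrictions None; "
                                "prefer cn=admin name,o=admin context")
        else:
            findings.append("WARN: eDirectory user should be in cn=admin name,o=admin context form")

    if not cfg.password:
        findings.append("ERROR: password is empty")
    return findings


def has_errors(findings: List[str]) -> bool:
    return any(f.startswith("ERROR") for f in findings)


if __name__ == "__main__":
    # Constructed sample settings, not values from the guide.
    sample = LdapConfig("edir.example.test", EDIR, "hpmadmin.corp", "s3cret",
                        bind_restrictions="Disallow anonymous simple bind")
    for line in check_config(sample):
        print(line)
```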

Viewing Hardware Password Manager users and their properties

The Manage enrolled users tool lets you view all users that are enrolled to access Lenovo Hardware Password Manager devices. You can view a list of all users, or you can select groups in the LDAP directory tree to view subsets of the list. You can view all properties for each enrolled Hardware Password Manager user, including the user ID, LDAP path, groups that include the user, and devices the user is enrolled on. These properties are not editable in the properties dialog.

To view enrolled Hardware Password Manager users and their properties:

1. Click Enrolled users in the toolbox (or click Tools -> Hardware Password Manager -> Enrolled users).
2. To view all enrolled users, click All users in the tree structure.
3. To view a subset of users, expand any groups that are listed in the tree structure and click a group name.
4. To view a user’s properties, right-click the user in a user list and select Properties.

Note: You can also select the user and click the Properties button on the toolbar.

Options in the properties dialog are summarized below.

Summary:

This tab lists the ID and common name of the user, the path in the LDAP tree that the user is found in, and the user’s current status. It also lists the date and time the user was enrolled as a Hardware Password Manager user.

Member of:

Lists the Hardware Password Manager groups to which the user belongs, with the LDAP path of each group.

Enrolled devices:

Lists the devices on which the user is enrolled, giving the device name and machine ID.

Remote actions:

Lists any revoke user actions that have been performed on the user, including the name of the device from which the user was revoked and the date and time of the last status change.

Revoking a user’s access to a Hardware Password Manager device

After a user has been enrolled on a Hardware Password Manager device, you can revoke that enrollment if the user should no longer have access to the device. To revoke a user, you create a remote action that is applied to each device you specify. The next time the device contacts the Hardware Password Manager server to update its policy, the user is removed from the list of users for that device.

To revoke a user from a Hardware Password Manager device:

1. Click Enrolled users in the toolbox (or click Tools -> Hardware Password Manager -> Enrolled Users).
2. In the user list, select the user.
3. Click the Revoke user button on the toolbar.
4. In the Create Remote Action dialog, clear the checkbox for one or more devices from which you want to revoke the user.
5. Click OK.

Managing Hardware Password Manager groups

Hardware Password Manager groups link user groups (as defined in the LDAP server) with Hardware Password Manager devices. Hardware Password Manager groups are useful because they allow multiple users to access one or more devices without individually enrolling each user on each device. When a device is added to a group, all members of that group have access rights to the device and can use an intranet account login to log in to the device.

When you open the Intranet Account Groups tool, groups are listed in the LDAP tree view. Each group is created on your LDAP server; you can’t create a group in LANDesk Management Suite. However, you can edit groups (define the group role) and drag devices into groups to associate those devices with the members of the groups.

Intranet account groups are distinguished by the role defined for the users in the group:
• User: an end user of a Hardware Password Manager device.
• Service Tech: an IT technician, allowed limited access to the device for servicing. Access can be limited to a time frame (duration), or the technician can be allowed a certain number of logins.
• Administrator: an administrative user allowed to access devices.

For example, all members of a group that is defined with the Service Tech role can log in to devices in the group a specified number of times. If the role is defined so the user can only log in to the device two times, access to the device expires for the user after the second login.

To edit a Hardware Password Manager group:

1. Click Intranet account groups in the toolbox (or click Tools -> Hardware Password Manager -> Intranet account groups).
2. In the LDAP tree view, click a group name and click the Edit intranet account group button on the toolbar. Most items in the Edit intranet account group dialog are not editable. You can select the role for the group; if you select Service Tech, you can limit access to Hardware Password Managed devices.
3. Select the HPM role from the combo box.
4. Check the with expiration check box if you want to limit access to the device for a length of time or a specific number of logins. (This applies only to Service Tech users.)
5. If you selected with expiration, select Duration and choose a beginning and end time for access to Hardware Password Managed devices; or select Login count remaining and choose a number of logins.
6. Click OK.

To associate devices with a group:

1. Click Intranet account groups in the toolbox, or click Tools -> Hardware Password Manager -> Intranet account groups.
2. To associate a device with a group, drag the device from the network view to the group name in the LDAP tree view.
3. To view the devices associated with a group, click the group name and click the View computers button on the toolbar.

The dialog shows the LDAP distinguished name of the group and lists the devices associated with the group. Members of the group can log in to all devices listed here, unless you have defined the group as a Service Tech group with an expiration on group access, and the association has expired.


Managing remote actions and policy settings for Hardware PasswordManager devices

Remote actions are changes to a Hardware Password Manager device’s settingsthat are applied to one or more devices by the administrator. Actions includecredential management, registering or deregistering devices, and enrolling orrevoking users.

Remote actions are not applied immediately to Hardware Password Managerdevices. After the administrator applies one or more remote actions to a device, theactions are pending until the next time the device is powered on. The device thenconnects to the Hardware Password Manager server and requests any pendingactions. The actions are completed by the client and the new settings are in effect.

One remote action is to change policy settings on the Hardware Password Managerdevice. There are two types of policies: those applied at the OS level (Windowspolicies) and those applied at the BIOS level (BIOS policies). Policies determinehow the device manages credentials, and determine whether registration and userenrollment are automatically started when the device is powered on. They alsodetermine whether multiple users can be enrolled on a Hardware PasswordManager device and how user login is handled for the BIOS menu.

As you manage remote actions, you can apply actions individually or globally. When the Remote actions and policy settings tool is open, you can drag Hardware Password Manager devices from the network view and drop them onto specific remote actions, or you can use buttons on the toolbar to apply actions globally.

Remote actions include the following:

• Renew hardware account: replaces the BIOS hardware passwords with a new set of credentials generated by the Hardware Password Manager server. The new credentials are stored in the hardware account, a secure area of non-volatile memory that can be accessed only by the computer’s BIOS.

• Restore hardware account: replaces the BIOS hardware passwords in the hardware account with the backup credentials stored on the Hardware Password Manager server. This includes system and user password backups.

• Deregister computer: clears the hardware passwords, changes the status of the client device from Registered to Enabled, and removes the device from the list of registered Hardware Password Manager devices.

• Revoke user: removes a user from the list of users allowed to access a Hardware Password Manager device.

• Update client policy: saves an updated policy to the Hardware Password Manager BIOS of the device, replacing the previous policy.

• Update common hardware password: saves new common hardware passwords to the Hardware Password Manager device; common hardware passwords are valid for all Hardware Password Manager devices managed by the Hardware Password Manager server (see “Updating hardware passwords globally” on page 14).

• Update emergency account: saves the emergency account credentials to the Hardware Password Manager device; the emergency user name and password can be used to restore access to a device if the user is unable to log in (see “Updating the emergency account” on page 15).

To apply remote actions to Hardware Password Manager devices:



1. Click Remote actions and policy settings in the toolbox (or click Tools −> Hardware Password Manager −> Remote actions and policy settings).

2. To apply a remote action to an individual device, drag the device name from the network view to one of these actions: Renew hardware account, Restore hardware account, Deregister computer, or Update client policy.

3. To revoke a user, drag the target user onto the Revoke user action in the Remote Actions tree. (You can also revoke users in the Manage enrolled users tool.)

4. To apply an updated client policy to all Hardware Password Manager devices, click the Update client policy globally button on the toolbar. Select the policy items you want to enable on the Windows policy and BIOS policy tabs, then click OK. See “Updating client policies globally” for more information.

5. To apply common passwords to all Hardware Password Manager devices, click the Update common passwords button on the toolbar. Select the checkbox next to each type of password that you want to apply to all Hardware Password Manager devices. To use the same password for all devices, type the password in the text box for the password type you selected. If you leave the text box blank, a unique password is generated for each device; this is the safer choice, because a password shared by every device means that recovering it from one device grants access to all of them.

6. To change the emergency (administrative) account on all Hardware Password Manager devices, click the Update emergency account button on the toolbar. Type a new user name in the text box. To use the same password for all devices, type the password in the text box. If you leave the text box blank, a unique password is generated for each device.

Updating client policies globally
You can determine which client policies are applied to all managed Lenovo Hardware Password Manager devices by selecting policies in the Update client policy dialog. The policies you can select include the following OS-level items:

• Hardware account equals Windows credentials: the login credentials stored in the hardware account of the Hardware Password Manager BIOS are the same as the user’s Windows credentials.

• Auto-start registration and user enrollment at Windows login: the first time a user logs in to Windows after the device comes under management by the Hardware Password Manager server, Hardware Password Manager registration opens automatically. Once the device is registered, Hardware Password Manager enrollment opens automatically whenever a user who has not yet enrolled logs in.

• Allow multiple users to enroll on a single device: more than one user can be enrolled on a device. If this checkbox is cleared, only the first user enrolled on a device can be an enrolled user (although administrator and service technician users can still access the device if needed).

The following BIOS-level policies can be selected:

• Show last logon account for hardware account: at the BIOS user logon screen, the last user account to have logged on to the BIOS is displayed as the default.

• Prompt for hardware account on warm boot: if the device is restarted, the BIOS requires a user login to ensure that the same user is accessing the device after the restart.

In the Update client policy dialog, a list of devices shows which devices will have the new policy applied on their next startup. The dialog has a default selection of policy settings; if you have changed the settings but want to return to the original defaults, click the Reset to default button.



The Update Option can be found on the Update Client policy window. It has three options:
1. Apply to Server Setting only
2. Generate Remote Actions only
3. Both (Default)

Updating hardware passwords globally
The Lenovo Hardware Password Manager features in LANDesk Management Suite include global management of the different hardware passwords on Hardware Password Manager devices. You can specify the same password to be used by all Hardware Password Manager devices, or you can auto-generate a different password for each device. This feature manages the following kinds of passwords:

• SVP - the supervisor password gives a user full administrator access to a device, including configuration of BIOS settings. It is a superset of the power-on password.

• POP - the power-on password lets a user power on the device and access it with normal user privileges.

• MHDP - the master hard disk password lets the user access the hard disk and reset the user hard disk password. It is a superset of the UHDP.

• UHDP - the user hard disk password lets a user access the hard disk.

You can select any of these four types of passwords to be applied to managed Hardware Password Manager devices. If you select a password type and want all devices to use the same password, type that password in the text box. If you want each device to have a unique password, select the checkbox for that password type but leave the text box blank.

If you have made changes and want to return to the default, click the Reset to default button. By default, all four passwords are set to a uniquely generated password for each device.

After you change these settings and click OK, a remote action task is created in the remote actions tree list (in the Update common hardware passwords folder). You can click that task to view its status as it is applied to the Hardware Password Manager devices. Under that task in the tree, the devices are listed by status: Active, Pending, Failed, or Successful. You can also view the All devices folder to see all devices.

To view the current hardware passwords for a Hardware Password Manager device:

1. Click Remote actions and policy settings in the toolbox, or click Tools −> Hardware Password Manager −> Remote actions and policy settings.

2. In the Remote actions tree view, expand Remote actions by type.
3. Expand Update common hardware passwords.
4. Click either the All devices folder or one of the status folders. Double-click a device name in the list of devices.

The View hardware passwords dialog shows the current password settings for the device that were changed with the remote action task, as well as the date and time the passwords were changed.



The Update Option can be found on the Update Common Hardware Password window. It has three options:
1. Apply to Server Setting only
2. Generate Remote Actions only
3. Both (Default)

Updating the emergency account
Each Lenovo Hardware Password Manager device has an emergency access account that can be used to log in to the device if the user is unable to log in. You can change the credentials for this account and apply the change to all Hardware Password Manager devices with the Update emergency account feature.

By default, the user name is ″Admin″ and the password is uniquely generated for each client. You can change the user name, the password, or both. If you specify a user name but leave the password field blank, a unique password is generated for each device. If you have made changes and want to return to the default, click the Reset to default button.

To view the current emergency account credentials for a Hardware Password Manager device:

1. Click Remote actions and policy settings in the toolbox, or click Tools −> Hardware Password Manager −> Remote actions and policy settings.

2. In the Remote actions tree view, expand Remote actions by type.
3. Expand Update emergency account.
4. Click either the All devices folder or one of the status folders. Double-click a device name in the list of devices.

The View emergency account dialog shows the current emergency account credentials for the device that were changed with the remote action task, as well as the date and time the credentials were changed.

The Update Option can be found on the Update Emergency Account window. It has three options:
1. Apply to Server Setting only
2. Generate Remote Actions only
3. Both (Default)

Changing server policy settings
Server policy settings include various ways to manage user enrollment, credentials, and client portal and BIOS settings for the Lenovo Hardware Password Manager devices you manage. The settings are changed from the LDMS core server console; items that affect individual devices are then held in a pending queue until the next time each device is booted and requests an updated policy.

To change server policy settings:
1. Click Remote actions and policy settings in the toolbox, or click Tools −> Hardware Password Manager −> Remote actions and policy settings.
2. Click the Update Server Policy Settings button on the toolbar.
3. Make changes on the four tabs in the dialog, then click OK when you have finished.



The tabs in the Server policy settings dialog are described below.

• General - This tab lists the name, IP address, and UDP port of the LDMS server used to authenticate Hardware Password Manager users.
The Status of portal service section shows whether the portal service on the LDMS server is running. The portal service is a UDP server, one of the components of the Hardware Password Manager server. It is used for communication with the Hardware Password Manager device BIOS when the user logs on using the Intranet Account Login. You can start, stop, or restart the service as needed from this dialog.
Check Allow users to enroll on multiple devices if you want one intranet account to be able to enroll on multiple Hardware Password Manager devices. If this checkbox is cleared, one intranet account can be enrolled on only one device.
Check Enable ″one-touch″ registration if you want to pre-register new Hardware Password Manager devices with the one-touch feature from Lenovo. One-touch registration automatically registers the device and creates the emergency admin account when the user logs in to Windows (see “One-touch registration” on page 27).
Check Enable First User enrolled on a machine as Administrator if you want the first user enrolled on a device to receive administrator privileges in the BIOS; if it is cleared, the first enrolled user receives only user privileges (see “Registering a device with the Hardware Password Manager server and enrolling the first user” on page 20).

• Credentials - This tab determines the length of auto-generated passwords and the number of password backups to keep. Backups are encrypted and stored in the LDMS database.
By default, auto-generated hardware passwords, as well as emergency admin account passwords, are between 32 and 64 characters long. You can change the minimum and maximum lengths for both types of passwords. You can also specify how many backups to save for hardware passwords.

• Client Portal - This tab specifies which menu items are enabled for display on the Client Portal menu of managed Hardware Password Manager devices. The device user accesses the portal from the Windows Start menu (Start −> All Programs −> ThinkVantage −> Hardware Password Manager). By default, all Client Portal menu items are selected. Users log in to Hardware Password Manager devices with an assigned role, which corresponds to the user group the user belongs to (see “Managing Hardware Password Manager groups” on page 10 for a description of roles). The items are selected separately for the User, Service Tech, and Administrator roles, so, for example, a User may see all options on the Client Portal while a Service Tech has a limited set. When you perform a task such as Remove User after entering the intranet credentials for one of these roles, an error message is displayed if that role does not have the corresponding Client Portal right, that is, if the option is not checked for the role.

• BIOS - This tab specifies which menu items are enabled for display on the BIOS menu of managed Hardware Password Manager devices, and allows you to specify which BIOS versions are excluded from Hardware Password Manager device management.
BIOS menu items are selected separately for the three user roles: User, Service Tech, and Administrator. Users log in to Hardware Password Manager devices with an assigned role, which corresponds to the user group the user belongs to (see “Managing Hardware Password Manager groups” on page 10 for a description of roles). So, for example, a User may see all options on the HPM BIOS menu while a Service Technician has a limited set of options available.

Note: When the client policy is set to Hardware Account equals Windows Credentials, the Change Hardware Account password option is not shown, whether or not it is checked for the role.



The BIOS version exclude list section lets you list BIOS versions that you want to exclude from Hardware Password Manager management. If you attempt to perform any remote action on a device with a listed BIOS, the remote action fails. Likewise, if you attempt to register a Hardware Password Manager device that has a listed BIOS, the registration is not performed.





Chapter 4. Hardware Password Manager Client

Lenovo devices with Hardware Password Manager BIOS chips need to be registered with a management server (referred to as the Hardware Password Manager server). The process of registering a device begins with the installation of an agent on the device. After the user runs a BIOS-level program the device is registered; one or more users are then enrolled as authenticated users on that device. When Hardware Password Manager is installed, only enrolled users (or users in a group that the device is associated with) can log in to the device. Access to the device, and even access to the hard drive, is restricted to enrolled users (or users in the same group as the device) as long as Hardware Password Manager is running.

The LANDesk Management Suite core server acts as the Hardware Password Manager server, and management features are accessed through the LDMS console. These features allow the administrator to manage Hardware Password Manager devices, install agents on Hardware Password Manager BIOS-enabled devices, and manage registration and enrollment on these devices.

On a Hardware Password Manager device, management features are accessed through a BIOS menu (accessed before the OS starts) and through the Client Portal menu (accessed at Windows login or from a Start menu option). The administrator can customize these menus to determine which features are available.

This chapter contains information about using Hardware Password Manager devices with Lenovo Hardware Password Manager. It is written for the end user who will register the device with the Hardware Password Manager server and enroll as a user. It includes the following sections:

• “Hardware Password Manager device setup”
• “Registering a device with the Hardware Password Manager server and enrolling the first user” on page 20
• “Enrolling additional users on a Hardware Password Manager device” on page 21
• “Unenrolling a user from a Hardware Password Manager device” on page 21
• “Unregistering a device from the Hardware Password Manager server” on page 22
• “Updating credentials on a Hardware Password Manager device” on page 22

Hardware Password Manager device setup
Before registering a device for Hardware Password Manager you must change some of the settings in the BIOS:
1. Power on the system.
2. Press F1 to enter the BIOS Setup window.
3. On the Security tab, select Password.
4. Select Hardware Password Manager and set it to Enabled.
5. Press F10 to save and exit.

© Copyright Lenovo 2009 19


Registering a device with the Hardware Password Manager server and enrolling the first user

In order to register a device with the Hardware Password Manager server, the Hardware Password Manager client must have been installed on the device and enabled in the BIOS. This is done by the LANDesk administrator, who installs an agent with the Hardware Password Manager client on the device.

When the client is installed, it communicates with the Hardware Password Manager server to authenticate the device. The client can then request Hardware Password Manager policy settings from the Hardware Password Manager server. The registration process is completed when the user enters credentials for logging on to the device.

For registration to occur, the device must be connected to the network on which the Hardware Password Manager server is located.

The administrator has two options for initiating registration of Hardware Password Manager devices:

• Registration is started automatically when the user logs on to Windows. For this option, the administrator selects the Auto-start registration at Windows login option in the client policy that is applied to Hardware Password Manager devices.

• The user opens the Client Portal to begin registration.

To register a device with the Hardware Password Manager server and enroll a user:

1. Click Start −> All Programs −> ThinkVantage −> Hardware Password Manager to open the Client Portal. (If your administrator has set up auto-start, the portal opens automatically when you log in.)
2. Click Register System.
3. Click Next −> Restart −> OK to restart the device.
4. As the BIOS runs, the HPM Initialization Process asks you to confirm that you want to continue with registration. Select OK. After Windows starts and you log in, the Client Portal dialog opens.
5. Under Enter Your Intranet Account Credentials, enter your user name and password for logging in to the domain.
6. Under Enter your Windows Credentials, enter your user name, password, and domain for logging in to Windows on this device.
7. Depending on the server policy, an Enter your Hardware Account dialog may also appear. Click Finish.
8. A countdown window appears. Wait 30 seconds, or click OK to suspend the system immediately.
9. After you log on to the desktop, a restart message appears.
10. Click OK to restart the device.
11. At the BIOS login prompt, log in using your Windows credentials or the hardware account credentials for the device.

If Enable First User enrolled on a machine as Administrator is cleared, the first enrolled user has user privileges in the BIOS. If it is checked, the first enrolled user has administrator privileges in the BIOS.



Enrolling additional users on a Hardware Password Manager device
More than one user can log in to a Hardware Password Manager device with single sign-on protection if your LANDesk administrator has enabled multiple users. When any of the enrolled users logs in to the device, the Client Portal runs and they can access the device with single sign-on. This includes administrative users who are enrolled from the LANDesk Management Suite console.

The following are required for enrolling additional users on a device:

• In the client policy applied to the device, Allow multiple users to enroll on a single device must be selected.
• For each additional user, an account must be created on the device.
• You should drag the devices under Hardware Password Manager Devices to the Active Directory or eDirectory group.

If your administrator has enabled multiple users on a device, complete the following steps to enroll more than one user.

To enroll an additional user on a Hardware Password Manager device:

1. Log in to Windows.
2. Click Start −> All Programs −> ThinkVantage −> Hardware Password Manager to open the Client Portal. (If your administrator has set up auto-start, the portal opens automatically.)
3. Click Enroll additional user.
4. Enter the user’s intranet credentials, Windows credentials, or hardware account credentials, according to the policy on the server.
5. A countdown window appears. Wait 30 seconds, or click OK to suspend the system immediately.
6. After you log on to the desktop, you are prompted to restart.
7. At the BIOS login prompt, log in as the additional user: use the additional user’s Windows credentials if the client policy is Vault=Windows (Hardware account equals Windows credentials), or the additional user’s hardware account credentials if it is not.

The additional user has user or administrator rights in the BIOS according to the role of the group the user belongs to: User, Administrator, or Service Tech.

Unenrolling a user from a Hardware Password Manager device
When a user should no longer have access to a Hardware Password Manager device, you can unenroll the user to terminate access. When a user is unenrolled, only that user’s credentials are removed from the hardware account. The hardware credentials remain on the device, and other users’ credentials are not affected.

To unenroll a user from a Hardware Password Manager device:

1. Log in to Windows.
2. Click Start −> All Programs −> ThinkVantage −> Hardware Password Manager to open the Client Portal.
3. Click Remove user.
4. Enter your Intranet account credentials when prompted.
5. Click OK to confirm that the system will suspend.



The system resumes automatically after it has suspended and completed unenrolling the user.

Unregistering a device from the Hardware Password Manager server
A device can be unregistered from the Hardware Password Manager server in two ways:

• The user can open the Hardware Password Manager Login Menu in the BIOS and unregister the device. (See “To open the Hardware Password Manager Login Menu.”)

• The administrator can unregister the device using the Hardware Password Manager administration tools in LANDesk Management Suite.

After the device is unregistered, the Hardware Password Manager functionality is no longer in effect unless the device is registered again with the Hardware Password Manager server.

Updating credentials on a Hardware Password Manager device
After Hardware Password Manager is enabled on a device, you can access the Hardware Password Manager Login Menu to make changes to password management. You can also access the Client Portal to perform enrollment and registration tasks.

These menus display the password management options that are available on your device. The options available on these menus are configured by the administrator on the Hardware Password Manager server; not all of the following options may be available, depending on how your administrator has set up Hardware Password Manager.

The options below refer to a hardware account. This is a secure area of non-volatile memory that can be accessed only by the computer’s BIOS. The hardware credentials and all user credentials are stored in the hardware account. The user does not access the hardware account directly; when credentials are added or changed, they are written to the hardware account.

The Hardware Password Manager Login Menu can include the following tasks:
• Start Windows
• Restore hardware accounts (restore credentials saved in the hardware account)
• Deregister PC
• Change hardware account password
• Unregister the device from the Hardware Password Manager server

The Client Portal menu can include the following tasks:
• Register the device
• Enroll first user
• Enroll additional users
• Unenroll user
• Remove a user
• Renew hardware account
• Restore hardware account



To open the Hardware Password Manager Login Menu:

1. Power on the device.
2. At the User Login prompt, press Esc.
3. Select Intranet account login to open the HPM BIOS Menu.
4. Enter valid corporate credentials.
5. The Hardware Password Manager menu opens.

To open the Client Portal:

1. In Windows, click Start −> All Programs −> ThinkVantage −> Hardware Password Manager.





Chapter 5. Deployment

This chapter contains additional deployment information for using Hardware Password Manager devices with Hardware Password Manager. It is written for the administrator who will manage devices with the Hardware Password Manager server and configure them to work alongside other software. It includes the following sections:

• “Fingerprint Integration”
• “Safe Guard Easy/Safe Guard Enterprise compatibility” on page 27
• “One-touch registration” on page 27
• “Client Policy settings” on page 28

Fingerprint Integration
The Hardware Password Manager utility is fully compatible with the Lenovo preferred fingerprint utilities (Authentec and UPEK). For Windows XP clients, it is recommended that the Hardware Password Manager client be installed without the Hardware Password Manager GINA. Doing so allows the user to perform single sign-on into Windows using their fingerprints. To install the Hardware Password Manager client application without the GINA, use the following install command:

    CMPInstall.exe /vNOGINA=1

Furthermore, the order of enrollment is important when using Hardware Password Manager with fingerprint utilities. First register in Hardware Password Manager to set the hardware passwords. Then enroll your fingerprints for pre-start access using the Fingerprint Setup Utility. When your fingerprints are enrolled for the first time, shut down and restart the computer. When you swipe your fingerprint, the user login prompts you to enter your credentials and log in to the desktop. After you restart the computer a second time and swipe your registered fingerprint at the BIOS fingerprint prompt, the BIOS program releases the actual hardware passwords from the hardware account.

If you see the fingerprint enrollment wizard and the Hardware Password Manager registration wizard displayed at the same time after you log in to the Windows operating system, proceed first to the Hardware Password Manager registration wizard. However, if you enroll your fingerprints first, you can still register with Hardware Password Manager, provided that you have not already set hardware passwords.

If you are creating an image, you can use the following steps in your image to suppress the fingerprint enrollment wizard until the system is registered in the Hardware Password Manager utility:

1. Disable the fingerprint enrollment wizard by default, using the registry value for the installed fingerprint software:

   Authentec: HKEY_CURRENT_USER\Software\Authentic Biometric Suite\bFingerprintSoftwareStartUp

   UPEK: HKEY_CURRENT_USER\Software\Protector Suite\Control Center\1.0\ShowOnStartup



2. Create a script that enables the fingerprint enrollment wizard if the system is registered in the Hardware Password Manager utility and the current user is enrolled in Hardware Password Manager. A utility is provided in the Hardware Password Manager program folder that IT administrators can use to obtain registration and enrollment status within a script. The script interface is defined as follows:

   • Utility name: cmp_util.exe

   • Prerequisites: psadd.sys device driver, cmp_server_dll.dll

   • Usage: cmp_util.exe <command>, where <command> is one of the following:
     – supported* - returns whether the utility is supported on the current system
     – registered - returns whether the current system is registered in the utility
     – enrolled - returns whether the current Windows user is enrolled in the utility
     – enabled - returns whether the utility is enabled in the BIOS program
     – show - displays results to the console for all of the above commands

   • Return codes:
     – 0 - false
     – 1 - true
     – 2 - error

   • Example: cmp_util.exe -supported
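The following batch script is an added example of the gating logic described in steps 1 and 2 above; it is not part of the Lenovo guide or of the Hardware Password Manager product. It assumes that cmp_util.exe is installed under %ProgramFiles%\ThinkVantage\Hardware Password Manager, that the commands are passed with a leading dash as in the guide's example (cmp_util.exe -supported), that the two registry values named in step 1 are DWORDs where 1 shows the wizard and 0 hides it, and that the return codes are 0 = false, 1 = true, 2 = error as listed. Run it with the argument disable when building the image (step 1) and without arguments at each user logon (step 2).

```batch
@echo off
REM Added example (not Lenovo's code): enable the fingerprint enrollment wizard
REM only once the system is registered in HPM and the current user is enrolled.
REM Assumptions: install path, dash-prefixed commands, DWORD registry values,
REM and return codes 0=false 1=true 2=error as described in the guide.
setlocal
set "HPM_DIR=%ProgramFiles%\ThinkVantage\Hardware Password Manager"
set "CMP_UTIL=%HPM_DIR%\cmp_util.exe"

REM Image build step: "fpwizard.cmd disable" hides the wizard for this user hive.
if /i "%~1"=="disable" goto :disable

if not exist "%CMP_UTIL%" (
    echo cmp_util.exe not found; leaving the fingerprint wizard disabled.
    exit /b 2
)

REM "if errorlevel N" is true when the exit code is N or higher, so test 2 before 1.
"%CMP_UTIL%" -supported
if errorlevel 2 goto :err
if errorlevel 1 goto :check_registered
REM HPM is not supported on this hardware, so there is nothing to wait for.
echo HPM not supported on this system; enabling the fingerprint wizard.
goto :enable

:check_registered
"%CMP_UTIL%" -registered
if errorlevel 2 goto :err
if not errorlevel 1 (
    echo System is not yet registered in HPM; keeping the wizard disabled.
    exit /b 0
)

"%CMP_UTIL%" -enrolled
if errorlevel 2 goto :err
if not errorlevel 1 (
    echo Current user is not enrolled in HPM; keeping the wizard disabled.
    exit /b 0
)

:enable
REM Registry paths are the ones quoted in the guide; value type is an assumption.
reg add "HKCU\Software\Authentic Biometric Suite" /v bFingerprintSoftwareStartUp /t REG_DWORD /d 1 /f >nul 2>&1
reg add "HKCU\Software\Protector Suite\Control Center\1.0" /v ShowOnStartup /t REG_DWORD /d 1 /f >nul 2>&1
echo Fingerprint enrollment wizard enabled.
exit /b 0

:disable
reg add "HKCU\Software\Authentic Biometric Suite" /v bFingerprintSoftwareStartUp /t REG_DWORD /d 0 /f >nul 2>&1
reg add "HKCU\Software\Protector Suite\Control Center\1.0" /v ShowOnStartup /t REG_DWORD /d 0 /f >nul 2>&1
echo Fingerprint enrollment wizard disabled.
exit /b 0

:err
echo cmp_util.exe reported an error; leaving the fingerprint wizard disabled.
exit /b 2
```

Because the registry values live under HKEY_CURRENT_USER, the script must run in the logging-on user's context (for example from a logon script or a Run key), not as a machine-wide startup task; an error from cmp_util.exe is treated as "not ready" rather than as permission to enroll, so a broken driver or missing DLL fails closed.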

The behavior of the fingerprint enrollment differs slightly between a Hardware Password Manager registered system and a non-registered system. For registered systems, the BIOS program prompts for Hardware Password Manager User Login credentials (hardware account ID and password) instead of the actual hardware passwords. After verifying the specified user login credentials, the BIOS program obtains the actual hardware passwords from the hardware account and saves them in the fingerprint device.

Other fingerprint scenarios to consider:

1. User enrolls in Hardware Password Manager after enrolling fingerprints for pre-start access (hardware passwords are set). In this scenario, the user has already set a POP and has enrolled for pre-start fingerprint access. The Client Portal treats the scenario the same as when any pre-start passwords are set prior to registering in Hardware Password Manager: it instructs the user to remove all hardware passwords.

2. User enrolls in Hardware Password Manager after enrolling fingerprints for pre-start access (hardware passwords are cleared). In this scenario, the user has already enrolled for pre-start fingerprint access but has manually cleared the POP and HDP (as requested in the previous scenario). The system starts and the user can enroll in the Hardware Password Manager utility. However, the next time the user starts the system and swipes their finger, the BIOS program retrieves the old password or passwords from the fingerprint device and determines that they are not valid. The BIOS program then prompts for user login credentials. If the user is validated with their hardware account, the BIOS program retrieves the hardware passwords from the system hardware account and validates them. If they are confirmed, the new passwords are stored in the fingerprint device automatically.

Safe Guard Easy/Safe Guard Enterprise compatibility

In environments where the Safe Guard Easy/Safe Guard Enterprise utility is used, the Hardware Password Manager client must be installed after the Safe Guard Easy/Safe Guard Enterprise utility.

There is also a limitation where the Hardware Password Manager single sign-on feature does not work when the Safe Guard Easy/Safe Guard Enterprise utility is installed. Thus, the user is not automatically logged into the Windows operating system when the user performs a normal Hardware Password Manager user login.

One-touch registration

As an administrator, you can register your systems in the Hardware Password Manager utility to protect them from unauthorized users during the deployment and distribution process. This is accomplished by allowing an administrator to pre-register all of their systems in the Hardware Password Manager utility with a common local administrator account. This process requires a single manual step (one-touch) to complete, which is required to prevent denial of service attacks.

This process is initiated by policy, and the administrator corporate credentials are obtained from the Hardware Password Manager server, where they are provided as a policy setting. When you enable one-touch registration, the Admin Console automatically prompts for the corporate credentials to use for the registration process.

Note: One-touch refers to the one manual step required by the administrator to register the system in the Hardware Password Manager utility. When the system is registered and delivered to users, enrollment can automatically be initiated (based on policy) for any user successfully logging into the Windows system on the system, either a local or domain login. The “one touch” registration process is ignored if the system is already registered.

Pre-registration

This process is the same as the normal registration process, except for the following differences:

1. Based on policy, the Client Portal (which is automatically launched when logging into Windows) initiates the one-touch Hardware Password Manager registration function based on the one-touch policy setting.

2. The Client Portal does not prompt for confirmation to proceed with registration and enrollment.

3. The Client Portal does not prompt for a restart prior to confirming user presence. After restarting, press Enter at Confirm Registration.

4. The Client Portal does not prompt for corporate, Windows, or hardware account credentials. The corporate credentials used are the administrator-level credentials provided by the administrator. The Windows and hardware account credentials are not required since no user account is created; only the common Administrator account is enrolled.

5. The Client Portal proceeds with the suspend and resume operation without notifying the user.


6. The Client Portal returns a success or failure code to the calling process. It does not return a success or failure code and will restart automatically.

When the one-touch registration process is complete, the system is password-protected and a single local hardware account exists. The hardware account is set to the common administrator hardware account credentials. These systems can be safely distributed by the administrator to end users knowing that they are protected with hardware passwords.

User enrollment on a pre-registered system

When the system is delivered to the user, the user must perform a Hardware Password Manager login (network access is required) in order to gain access to the system. If no network access is available or the Hardware Password Manager server is behind a VPN, then the administrator has the option to provide the common administrator hardware account credentials to allow access to the system.

This flow is the same as the normal “Enroll Additional Users” flow, except for the following differences:

1. When the user logs in to the Windows system, the Client Portal is automatically initiated and prompts the user to enroll in Hardware Password Manager. Note: Automatic enrollment can be managed by policy.

2. The Client Portal prompts the user to enter corporate credentials on the User Enrollment window.

Client Policy settings

The following are client-specific policy settings managed by the Hardware Password Manager server:

Table 1.

Setting: Synchronize Hardware account with Windows account (same user name and password)
Description: Defines whether the client should attempt to keep the hardware account credentials in sync with the user's Windows credentials. When enabled, changes to the Windows password by the user result in updating the hardware account. More specifically, the new Windows password is stored in the hardware account (for single sign-on) and the hardware account password is updated to be the same as the new Windows password.
Default: True

Setting: Auto-start registration at Windows login
Description: Defines whether Hardware Password Manager registration should automatically start at Windows login when the following conditions exist:
• Hardware Password Manager utility is enabled
• No local hardware account exists
• Network connectivity to the Hardware Password Manager server exists
When the system is registered, the registration prompt is not displayed to users at Windows login.
Default: True

Setting: Auto-start user enrollment at Windows login
Description: Defines whether the Hardware Password Manager enrollment should automatically start at Windows login when the following conditions exist:
• Hardware Password Manager utility is enabled
• No local hardware account exists for the corresponding Windows account
• Network connectivity to the Hardware Password Manager server exists
Default: True

Note: Client policy settings can be applied globally or individually to specific systems. Client policy settings are updated automatically at Windows login.


Chapter 6. Scenarios

This chapter describes scenarios associated with hardware and user configuration changes. For the purpose of these scenarios, all systems are considered to be registered in Hardware Password Manager.

Service scenarios (configuration changes)

This section describes hardware scenarios.

Scenario 1 - Hardware configuration changes

When you make a hardware change, a BIOS error is triggered and you are prompted to enter your administrator password (PAP/SVP) in order to enter the BIOS setup. Once in the BIOS setup, accept the changes to clear the BIOS error.

You can also skip the administrator password prompt and restart the system. In this case, the BIOS error is not cleared and you will be prompted again for the administrator password on all subsequent restarts until entering the BIOS setup and accepting the memory changes.

When hardware changes are made to a system, the BIOS error occurs, and the User Login window is displayed. You can perform one of these actions:

• Enter the hardware account credentials at the User Login window using an account with Hardware Password Manager Administrator privileges. If Hardware Account credentials with Hardware Password Manager User privileges are entered, the BIOS will prompt for the administrator password separately.

• At the User Login window, press Esc to open the Login Menu window and select Internet Account Login to open the window. Enter the administrator corporate credentials to release the PAP/SVP.

• At the User Login window, press Esc to go to the Login Menu window and select Manually Enter Passwords to go to the manual login and enter the PAP/SVP. You can obtain the PAP/SVP from the Hardware Password Manager Admin Console.

Notes:

1. If the PAP is not known on a desktop system, you can remove the CMOS battery to clear both the POP and PAP.

2. Hardware changes on Lenovo ThinkPads do not generate BIOS errors, to allow for hot or warm swapping, so the PAP/SVP is not required.

Scenario 2 - CMOS error

To protect BIOS settings in CMOS memory, a checksum is computed and saved for error detection. Each time the system starts, this number is recomputed and checked against the stored value. If they do not match, an error notification is generated to inform the user that CMOS contents may have been corrupted and therefore some settings may be wrong. The most common cause of checksum errors in CMOS is a battery that is losing power, or a virus or system board problem.


CMOS errors require you to enter BIOS setup and select Load Default Settings before the system can start the operating system. In order to enter BIOS setup, the SVP must be provided.

When a CMOS error occurs, the User Login window is displayed. Do one of the following:

• Enter the hardware account credentials with Hardware Password Manager Administrator privileges to release the SVP/PAP, such as the Emergency Admin account. If hardware account credentials with Hardware Password Manager User privileges are entered, the BIOS will prompt for the PAP/SVP.

• Enter corporate credentials by:
  1. Press the Esc key to open the Login Menu window.
  2. Select Intranet Account Login to open the Internet Account Login window.
  3. Enter the username and password at the Internet Account Login window.

• At the User Login window, press Esc to open the User Login window and select Manually Enter Passwords. At the manual login, enter the PAP/SVP. You can obtain this information from the Hardware Password Manager Admin Console.

Note: For desktop systems, you can skip the CMOS error by pressing F2 and starting the system. The next start will give you the same error until you enter the BIOS setup and load the default settings by pressing F9.

Scenario 3 - Replace fingerprint device

Users can enroll their fingerprints for single sign-on capability using Hardware Password Manager. When a fingerprint is enrolled for pre-start access, hardware passwords are associated with the swiped fingerprint and are stored within the fingerprint device. When the user swipes an enrolled fingerprint at the prompt, the BIOS will release the actual hardware passwords from the hardware account. The BIOS displays the fingerprint swipe prompt first when starting the system. To open the User Login window, the user must press the ESC key. If the fingerprint device is removed, the fingerprint swipe prompt will no longer be displayed, and the User Login window is displayed first.

When a defective fingerprint device is replaced, the registered fingerprints and associated hardware passwords go away. Hardware Password Manager is not affected except that the user can no longer use their fingerprint. The fingerprint swipe prompt will not be displayed and the User Login window is displayed first.

To regain fingerprint access, the user must register their fingerprint for Windows and pre-start credentials using the Fingerprint Setup Utility. If a fingerprint device is replaced with another fingerprint device that already has registered fingerprints and passwords, the BIOS will overwrite those passwords as long as the user provides correct passwords using either manual, User Login or Hardware Password Manager Login. If hardware account credentials without Hardware Password Manager Administrator privileges are provided, only the Power On Password and Hard Drive Passwords are updated in the fingerprint device (the PAP/SVP is not added to the fingerprint device until a user logs in with Hardware Password Manager Administrator credentials or manually enters the correct PAP/SVP).

Scenario 4 - Hardware passwords already set

When hardware passwords are already set prior to registering, the user cannot register in Hardware Password Manager. When starting the registration process, the Client Portal will inform the user that they must manually clear hardware passwords before registering. Once the hardware passwords are cleared by the user, registration will proceed normally.

Scenario 5 - Setup under the OS (remote BIOS settings)

This scenario can occur when you receive new machines and want to roll out default BIOS settings, such as disable serial port or set admin password.

When a machine is registered in Hardware Password Manager, hardware passwords cannot be changed by Setup under the OS (since they are managed by the HPM server) unless the current password is provided, which you can obtain using the LDMS Console. If a user disables Hardware Password Manager either manually through the BIOS setup or by Setup under the OS on a machine that is registered in Hardware Password Manager, the BIOS will clear the hardware passwords and delete the local hardware account and SST.

Scenario 6 - Replace system board

When the system board is replaced, the POP, SVP, hardware account, and server credentials no longer exist on the system. Only the HDPs remain set. In this case, you must manually clear the HDP in the BIOS setup, start the machine, and re-register in Hardware Password Manager using the Client Portal. In order to clear the HDP, you must enter it manually. You can obtain it from the LDMS console.

You must have the HDD ID for the hard disk in order to locate the correct HDP. The HDD ID can be retrieved using a Lenovo-supplied Hardware Password Manager DOS utility.

When a system board is moved from one system to another system, it is assumed that the system board is not registered in Hardware Password Manager. You must clear or disable Hardware Password Manager prior to redeploying the system board in the field.

• Desktop systems - If the system board was not deregistered, you can remove the CMOS battery to clear the POP/SVP, then enter BIOS setup and disable Hardware Password Manager.

• ThinkPad - Removing the CMOS battery will not clear the SVP; you must obtain the SVP from the LDMS console in order to enter the BIOS setup and disable Hardware Password Manager.

Note: When replacing a system board, you must reset the machine type/model and serial number to match the correct values prior to registering in Hardware Password Manager.

When re-registering the client system with the new system board in the same Hardware Password Manager server domain, the server will recognize that the machine is already registered (i.e. machine/user/hdd instances and hardware account backup already exist) and clear all of the structures on the server before proceeding with the registration.

Scenario 7 - Add a hard disk drive

When a hard disk is added to a system registered in Hardware Password Manager, you must renew the hardware account in order for Hardware Password Manager to assign a password to the new hard disk. Renew Hardware Account will renumber the hard disks in the machine and set passwords on all detected drives.


If the hard disk already has a HDP set, you must manually clear the HDP before running Renew Hardware Account. If you do not know the HDP, then the hard disk can no longer be used.

In order to clear the HDP, you must have the HDD ID and the system ID in order to obtain the correct HDP and SVP. The HDD ID and machine ID can be retrieved using a Lenovo-supplied Hardware Password Manager DOS utility.

Note: The SVP is not required to clear a HDP for ThinkPad systems.

When an unprotected hard disk is added to a Hardware Password Manager registered system, the BIOS will detect that the hard disk is not protected. In this case, when logging into Windows, the Client Portal will inform the user that an unprotected device (HDD) was found and ask them if they want to renew the hardware account.

Scenario 8 - Replace hard disk drive

This scenario is the same as Scenario 7 – Add a hard disk drive if the replacement hard disk does not have a HDP set.

If the hard disk was previously managed by Hardware Password Manager, so it is known to the LDMS server and has a HDP set, the HDP must be cleared manually using BIOS setup. Once the HDP is cleared, the scenario is the same as Scenario 7.

In order to clear the HDP, you must have the HDD ID and the system ID in order to obtain the correct HDP and SVP. The HDD ID and machine ID can be retrieved using a Lenovo-supplied Hardware Password Manager DOS utility.

Once you obtain the HDD ID and machine ID, you can obtain the HDP and SVP using the LDMS Admin Console. Now you can clear the HDP using BIOS setup.

Note: The SVP is not required to clear a HDP for ThinkPad systems.

Scenario 9 - Change hard disk location within a system

This scenario occurs when the physical positions of hard disk 1 and 2 are swapped on the bus. There is no impact to Hardware Password Manager because hard disk position is not maintained within the HDD instance on the server.

Scenario 10 - Remove a hard disk drive

When removing a hard disk, the recommended solution is to deregister the system prior to removing the hard disk, and then re-register the system once the hard disk has been removed. Doing this will make sure the hard disk does not have an HDP set.

If the hard disk is no longer going to be used, it does not matter whether the HDP is cleared prior to removing the hard disk. When the system is started the next time, run Renew Hardware Account, which will update the local hardware account.

Note: Removing the hard disk without first deregistering will leave an orphaned HDD instance on the server. You can opt to let such records remain in case the HDP is ever needed in the future, or clean them up using the LDMS Admin Console.


Scenario 11 - Flashing the BIOS

This scenario describes the impact to Hardware Password Manager when updating the BIOS with a flash image (applied using a flash utility). Since flash utilities exist in both DOS and Windows, all flash scenarios must be tested with both types of utilities. Although Hardware Password Manager hardware account structures are stored in flash, the flash utilities have been updated to not overwrite Hardware Password Manager related structures.

• Forward flashing - When flashing to a newer version of BIOS on a Hardware Password Manager registered system, the hardware account should not be disrupted (e.g. the user's Hardware Password Manager registration status and hardware account credentials should not change).

• Back flashing - When flashing back to a previous version of BIOS that supports Hardware Password Manager, the hardware account should not be disrupted (e.g. the user's Hardware Password Manager registration status and hardware account credentials should not change). A BIOS that supports Hardware Password Manager should not be flashed back to a previous BIOS version that does not include Hardware Password Manager support. The system must be deregistered before back flashing.

Scenario 12 - Registered system can no longer access the LDMS server

If a Hardware Password Manager registered system is reassigned or moved to a location that does not have network connectivity to the LDMS server, you must have a way to clear the hardware accounts and passwords to allow usage of the system.

In order to do this, you must log in to the emergency account to gain access to the SVP and all HDPs, and disable Hardware Password Manager. When Hardware Password Manager is disabled, the BIOS will clear the hardware account structures, the SST, and all hardware passwords.

If the emergency account is unknown, you must obtain the SVP and HDPs using the LDMS console in order to disable Hardware Password Manager.

In this case, the LDMS server will be left with an orphaned entry (such as machine instance and hardware account backup). You can use the LDMS console to identify these orphaned entries and clean them up if you desire.

Scenario 13 - Enter the BIOS setup

Users can enter the BIOS setup in one of these ways:

• User Login – User must have a local account that is a member of the Hardware Password Manager Administrator group.

• Hardware Password Manager Login – User must have a corporate account that is a member of the Service Tech or Hardware Password Manager Administrator group.

• Manual Login – User must obtain the SVP from the administrator using the LDMS Admin Console.


Scenario 14 - Load default settings in BIOS setup

This scenario describes the implications of loading default BIOS settings on a system that uses Hardware Password Manager. Users may load default BIOS settings if CMOS is cleared or corrupted.

When default settings are loaded, the POP and SVP remain set and all Hardware Password Manager structures remain intact.

Scenario 15 - Do not protect all hard drives

This scenario describes a scenario where a user registers their system in Hardware Password Manager, but then wants to use an additional hard drive that is NOT protected. The hard drive most likely will be an external hard drive or one installed in a docking station.

Note: The hard drive should not be connected when the system is registered in Hardware Password Manager or else the hard disk will be assigned an HDP.

User Scenarios

This section describes scenarios that may be encountered by the user:

Scenario 1 - Forgot Hardware Account credentials, network connected

This scenario occurs when a user forgets their hardware account credentials but has network connectivity to the LDMS server. To resolve this, the user should do the following:

• Perform a Hardware Password Manager Login
• Start Windows from the Hardware Password Manager Services menu
• Log into Windows by manually entering their Windows credentials
• Launch the Client Portal and select Remove User
• Re-enroll the account in Hardware Password Manager.

Scenario 2 - Forgot Hardware Account credentials, NOT network connected

This scenario occurs when a user forgets their hardware account credentials and does not have network connectivity to the LDMS server. To resolve, the user should do the following:

1. Call the IT administrator and obtain local Administrator account credentials. Power on the system and enter the administrator account credentials at the User Login prompt.
2. Log into Windows by manually entering their Windows credentials.
3. Launch the Client Portal and select Remove User.
4. Re-enroll their account in Hardware Password Manager.

Another way to do this is for the user to enter the BIOS setup after providing the Administrator account credentials and disable Hardware Password Manager. This will clear the hardware account, SST, and hardware passwords. The user can then start Hardware Password Manager and re-register the system when returning to a location with network connectivity to the LDMS server.


Scenario 3 - Forgot corporate password

This scenario occurs when a user forgets their corporate password. In this case, the user can still use their system via User Login. The user can reset their corporate password using their corporate process (website or manual reset by IT Administrator).

Once the corporate password is reset, the user can still perform a Hardware Password Manager Login using the new corporate credentials.

Scenario 4 - Manual login using different keyboard types

Hardware passwords such as POP, SVP and HDP that are handled by BIOS are not portable between systems with different keyboard types. This is because text at the BIOS level is recognized as scan codes and cannot be translated within BIOS to or from a more portable format such as ASCII. The consequence of managing passwords stored as scan codes is that a password entered on one keyboard type may produce a completely different set of scan codes on another keyboard type. For example, consider the password azw. On an English keyboard, the scan code representation is 0x1E, 0x2C, 0x11. However, on a German keyboard, the scan code representation is 0x1E, 0x15, 0x11.

There are 3 keyboard types used to support different languages:

1. French, Belgian
2. German, Swiss, Hungary, Poland, Czechoslovakia, Slovenia, Slovakia
3. All other languages

When deploying hardware passwords from the server, such as POP, SVP and HDP, the server converts the ASCII text to scan codes based on the keyboard type of the target system. These passwords (represented by scan codes) are sent to the client to be set in the hardware.

Changing keyboard types is not supported for manual entry of passwords. If a user wants to change keyboard types, the best practice is to do this:

1. Deregister from Hardware Password Manager
2. Change the keyboard
3. Reregister in Hardware Password Manager
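To make the scan-code problem concrete, here is an added example (not from this guide and not Lenovo's software) that converts a password to PC scan codes for the three keyboard types the guide lists, reads stored scan codes back as a BIOS on a different keyboard type would, and checks whether a password is portable across keyboard types. The table is the standard PC scan code set 1 for digit, letter and semicolon keys; the German and French remappings are assumptions that cover letters only.

```python
"""Added example: why BIOS hardware passwords (POP/SVP/HDP) are tied to a keyboard type.

The BIOS stores a password as the scan codes of the keys pressed, not as text, so the
same characters typed on a different keyboard type can yield different scan codes.
"""
from __future__ import annotations

# PC scan code set 1 "make" codes for a US (English) keyboard: digits, letters, ';'.
US_SCAN_CODES = {
    "1": 0x02, "2": 0x03, "3": 0x04, "4": 0x05, "5": 0x06,
    "6": 0x07, "7": 0x08, "8": 0x09, "9": 0x0A, "0": 0x0B,
    "q": 0x10, "w": 0x11, "e": 0x12, "r": 0x13, "t": 0x14,
    "y": 0x15, "u": 0x16, "i": 0x17, "o": 0x18, "p": 0x19,
    "a": 0x1E, "s": 0x1F, "d": 0x20, "f": 0x21, "g": 0x22,
    "h": 0x23, "j": 0x24, "k": 0x25, "l": 0x26, ";": 0x27,
    "z": 0x2C, "x": 0x2D, "c": 0x2E, "v": 0x2F, "b": 0x30,
    "n": 0x31, "m": 0x32,
}

# For the other two keyboard types in the guide, map each character to the US
# character that sits on the same physical key (assumption: letters only, no
# shifted or accented characters). Characters not listed share the US position.
KEYBOARD_TYPES = {
    "english": {},                                   # "all other languages"
    "german": {"y": "z", "z": "y"},                  # QWERTZ: y and z swapped
    "french": {"a": "q", "q": "a", "z": "w", "w": "z", "m": ";"},  # AZERTY
}


def to_scan_codes(password: str, keyboard_type: str) -> list[int]:
    """Return the scan codes the BIOS records when `password` is typed on `keyboard_type`.

    This mirrors the server-side conversion the guide describes: ASCII text is turned
    into scan codes for the target system's keyboard type before being set in hardware.
    """
    remap = KEYBOARD_TYPES[keyboard_type]
    codes = []
    for ch in password.lower():
        us_char = remap.get(ch, ch)
        if us_char not in US_SCAN_CODES:
            raise ValueError(f"character {ch!r} is outside this example's key table")
        codes.append(US_SCAN_CODES[us_char])
    return codes


def read_back(codes: list[int], keyboard_type: str) -> str:
    """Return the text a BIOS on `keyboard_type` would associate with stored scan codes."""
    code_to_us = {v: k for k, v in US_SCAN_CODES.items()}
    us_to_local = {v: k for k, v in KEYBOARD_TYPES[keyboard_type].items()}
    return "".join(us_to_local.get(code_to_us[c], code_to_us[c]) for c in codes)


def portable_across(password: str, keyboard_types: list[str]) -> bool:
    """True if `password` yields identical scan codes on every listed keyboard type,
    i.e. it could be typed manually at the BIOS prompt regardless of keyboard."""
    first = to_scan_codes(password, keyboard_types[0])
    return all(to_scan_codes(password, kt) == first for kt in keyboard_types[1:])


if __name__ == "__main__":
    # The guide's own example: "azw" on English versus German keyboards.
    for kt in ("english", "german", "french"):
        print(kt, [hex(c) for c in to_scan_codes("azw", kt)])
    # A password set from an English keyboard, read back on a German one.
    english_codes = to_scan_codes("azw", "english")
    print("German BIOS reads English 'azw' as:", read_back(english_codes, "german"))
    print("portable 'sdf':", portable_across("sdf", ["english", "german", "french"]))
```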

Scenario 5 - Handling enrollment from multiple boot partitions

This scenario can occur when a user registers and enrolls on one boot partition (such as Vista), and wants to enroll in Hardware Password Manager on a second boot partition (such as XP). In this case, the Hardware Password Manager Client code should be installed in each boot partition. The user should register and enroll in Hardware Password Manager from one boot partition. Once enrolled, Hardware Password Manager functions normally in all boot partitions where the Hardware Password Manager Client code is installed, assuming the Windows login credentials are the same in all boot partitions. If the Windows login credentials are different, the user will have to manually enter their Windows credentials in the Windows GINA/CP when using boot partitions other than the one used to register in Hardware Password Manager.

Scenario 6 - BitLocker

BitLocker and Hardware Password Manager are compatible, meaning a client enrolled in Hardware Password Manager (for BIOS password protection - POP, SVP, HDPs) can further protect their data using BitLocker (logical volume encryption). BitLocker enrollment and key retrieval is handled the same way as is done today by customers (outside the scope of Hardware Password Manager).

The best practice when using both technologies is to enroll in Hardware Password Manager prior to enabling BitLocker. If the user first enables BitLocker, then registers in Hardware Password Manager, the fact that BIOS passwords are set will cause BitLocker to fail its integrity check (BIOS passwords are validated within PCR1) and cause the BitLocker Recovery Mode to start. Hardware Password Manager will warn the user of this issue during the registration flow if BitLocker is enabled. The user can choose to continue with the registration or cancel at this point. If the user continues, then BitLocker Recovery Mode will be executed on the next start since the integrity check on BIOS passwords (PCR1) will have failed.


Appendix A. Hints and tips

The following is a list of tips associated with Hardware Password Manager Version 1.0:

• Symptom - BitLocker recovery mode is triggered if you register a system in Hardware Password Manager that has BitLocker encryption in use.
  Problem description: If the user first enables BitLocker encryption, then registers in Hardware Password Manager, the fact that BIOS passwords are set will cause BitLocker to fail its integrity check (BIOS passwords are validated within PCR1) and cause the BitLocker Recovery Mode to start on the next boot.
  Solution: Enroll in Hardware Password Manager prior to enabling BitLocker encryption.

• Symptom - Systems that are deregistered offline still show up as registered in the ThinkManagement Console.
  Problem description: When a system is deregistered by disabling Hardware Password Manager in BIOS setup, the Hardware Password Manager server is not informed that the system was deregistered. Thus, the Hardware Password Manager server continues to show the system as registered. If the administrator updates a policy setting or targets a remote action to the deregistered system, the status of the action will be left in a pending state until the system is re-registered in Hardware Password Manager. Remote actions left in a pending state for long periods of time are therefore an indication that the system may not be registered anymore or has not been connected to the intranet for a long time.
  Note: Users cannot deregister in BIOS setup unless they are a member of the Service Tech or Administrator group (because the SVP is required and it is only released for Service Tech and Administrator users).
  Solution: If the user re-registers the system after deregistering in BIOS setup, the server will sync back up with the client and will show the correct registration status. If the administrator has retired that system and no longer expects it to be registered, they can delete the system out of the Hardware Password Manager server.

• Symptom - If a user moves a hard disk from one Hardware Password Manager registered system to another, User Login will not work since the new system does not know the password for the hard disk.
  Problem description: Hard disks with passwords set cannot be shared between registered systems. Hard disk passwords are handled as follows:
  1. To allow for consistency between desktop and mobile, all HDPs are the same within a given system (even though mobile BIOS could support different HDPs within a system).
  2. HDPs are different for each system (unless a common HDP is set via policy).
  3. Assuming #1 and #2 are true, it is impossible to share a HDD on different registered systems (since the assumption is the HDP is common between all drives on system A and when moving it to system B, the HDP stored in the vault differs).
  Solution: Only systems can be shared between users through the Admin Console (not HDDs). Thus, if the user wants to share a drive between 2 or more systems, the recommendation is to remove the HDP on that drive (manually through BIOS setup) or remove the drive when initially registering so that an HDP is not set for that drive.

• Symptom - HPM client installation fails.
  Problem description: When installing the HPM client, the installation fails with “LTAPI.DLL not found” when the firewall software is active.
  Solution: As documented in the LANDesk Installation guide, disable the antivirus and firewall protection during client agent installation.

• Symptom - When the Do not require CTRL+ALT+DEL Windows policy is disabled, Hardware Password Manager single sign-on to Windows will not occur; the user is required to enter their Windows credentials.
  Problem description: Single sign-on to Windows will not work if the Windows policy setting is enabled that requires the user to press Ctrl+Alt+Del to log in. This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log in. When this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log in. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows (unless they are using a smart card for Windows logon). The default on domain computers is Disabled. The default on stand-alone computers is Enabled.
  Solution: Enable the Do not require CTRL+ALT+DEL Windows policy.

• Symptom - You receive antivirus messages during client installation.
  Problem description: The client agent must be installed with antivirus and firewalls disabled. Once installed, these can be re-enabled. This is documented in the LANDesk User's Guide as an installation requirement.
  Solution: Disable antivirus and firewall protection during client agent installation.

v Symptom - All hard drive passwords (HDPs) are the same within a registered Hardware Password Manager system. However, the passwords will differ between systems where policy is set for the Hardware Password Manager server to generate the passwords (e.g. non-common HDPs).
Problem description: - The Hardware Password Manager server will generate the same HDPs for all hard disks attached to a machine during registration (in order to comply with desktop BIOS capabilities).

Note: The MHDP and UHDP may differ for a drive, but all MHDPs will be the same and all UHDPs will be the same across attached drives within a system.
Solution: - None

v Symptom - When changing your Windows password to a blank password after registering in Hardware Password Manager, the client application does not think the user is registered and prompts the user to enroll again.
Problem description: - Blank passwords cause problems on Vista due to limitations with the CAPI implementation in Vista (see http://support.microsoft.com/default.aspx/kb/309408). Once this problem occurs, even if the user tries to change their password back to a non-blank value, the situation does not repair itself (the user will still be prompted to enroll). The user must deregister (via BIOS setup) and reregister.
Solution: - Set Windows policy to NOT allow blank Windows passwords. If there is a strong desire to allow blank Windows passwords, Vista SP2 includes a fix that resolves this problem.

v Symptom - When a system is registered via the one-touch registration process (only an emergency admin account is created), the user can perform an Intranet Login and see the Deregister PC option. Ideally, this option would not be visible by default as it allows a secured PC to be deregistered before any users enroll.
Problem description:
Solution: - Administrator can disable the Deregister PC from the BIOS menu as a policy setting in the Admin Console. Doing this will prevent the user from seeing the Deregister PC option.

v Symptom - When policy dictates that Hardware Account and Windows credentials are to be kept in sync, a change to the Vault password via the Intranet Login menu is not detected by the Client application.
Problem description: - The Client Portal cannot update the Windows password as a result of changes to the Vault password. This is because the Client Portal cannot accurately or securely monitor changes to the Vault password once Windows boots (for example, the client can only know if a password change occurred, but not what the password change actually is).

Note: If the user changes their Windows password, the Client application will prompt the user to update their Vault password on the next Windows login.
Solution: - Administrators can prevent this from happening if they disable the “Change Hardware Account password” policy setting (BIOS menu setting).

v Symptom - You receive the error message Failed to generate encryption key during the Hardware Password Manager registration.
Problem description: - Users with a Windows username containing any of the characters ″!@#$%^&*()″ will receive an error when trying to register.
Solution: - Change your username to exclude the special characters shown above.

v Symptom - The Hardware Password Manager registration wizard does not prompt to set a Windows password if it is blank.
Problem description: - Since Hardware Password Manager requires a Windows password in order to register, it is expected that the Hardware Password Manager client would prompt to set a Windows password if one is not set. Instead, the HPM client just doesn’t allow the user to click Next if their Windows password is blank.
Solution: - The user should have a Windows password set prior to registering in Hardware Password Manager.

v Symptom - SGE or SGN installation fails if the Hardware Password Manager client is installed
Problem description: - If installing SGN or SGE on Windows XP when the Hardware Password Manager client is installed, an error is displayed indicating the Lenovo GINA is active and the installation fails.
Solution: - Uninstall the Hardware Password Manager client, restart the system, install SGE or SGN, restart again, then reinstall the client.

v Symptom - When entering the BIOS version into the BIOS version exclude list for a ThinkCentre system, the last character of the BIOS version cannot be entered into the text box in the Admin Console.
Problem description: - The problem is because the Hardware Password Manager server supports a maximum of 8 characters for the BIOS version. ThinkCentre systems have a 9 character BIOS version. This is not likely to pose a problem since exact matches are not required (the first 8 characters are matched regardless of the 9th character).
Solution: - None

v Symptom - None
Problem description: - The error message PSI.DLL is missing is displayed if the client agent was not installed correctly.
Solution: - Uninstall the client agent, restart the system, then reinstall the client agent. Make sure the Hardware Password Manager checkbox is selected when installing the client agent if you wish to use Hardware Password Manager on that system.

v Symptom - None
Problem description: - This problem occurs when restoring a system from a backup that was taken prior to registering in Hardware Password Manager. When enrolling in Hardware Password Manager, the user’s Windows credentials are stored in secure storage within the Windows CAPI keystore. Furthermore, the association between the Windows credential and the Intranet account is maintained.
When restoring a system to a point prior to the user being enrolled in Hardware Password Manager, the CAPI keystore can be lost (since it is stored in the Windows registry), which means the Windows credentials and associations with the Intranet account are lost even though the system is actually registered. In this case, the client application will continue to prompt you to enroll (if policy indicates to do so). Furthermore, if you try to enroll and you specify the same Intranet Account as you previously used to enroll, the client application will fail indicating you already enrolled. If you were to enroll again using a different Intranet Account, the client application will allow the enroll to complete; now you will have two hardware accounts associated with the same Windows account (which is not recommended).
Solution: - To prevent this problem from occurring, make sure your backup is taken AFTER the system is registered in Hardware Password Manager (e.g. when using Rescue and Recovery or any backup tool that performs a full disk backup). If you have already restored your system (e.g. lost your CAPI keystore), deregister and reregister in Hardware Password Manager.

v Symptom - When registering in Hardware Password Manager, if network connectivity is lost during the suspend/resume operation and the user logs off before network connectivity resumes, the client application completes the registration process normally. However, the Hardware Password Manager server shows that the PC failed to register.
Problem description: - The problem occurs because the client application is unable to report the successful completion of registration to the Hardware Password Manager server.
Solution: - Deregister and reregister in Hardware Password Manager.

v Symptom - Received the Hardware account does not exist message when updating your Windows password.
Problem description: - This problem occurs under the following conditions:
1. Server policy is set to not sync Windows and Hardware accounts.
2. User registers with a Hardware Account name that differs from their Windows username.
3. The IT Administrator changes server policy to force Windows and Hardware accounts to be sync’ed.
4. User later changes their Windows password.
5. The next time the user logs into Windows, the client application notifies the user that their Hardware Account needs to be updated to reflect their new Windows password.
6. User is prompted for intranet credentials to authenticate with A/D before updating the hardware account.
7. Client application displays a message indicating the hardware account does not exist. This is because the user’s Windows username does not match the hardware account name (it is expected to match based on the current policy setting).
Solution: - If this problem occurs, the recommendation is to deregister and register in Hardware Password Manager. To prevent this problem from occurring, the IT Administrator should decide on the desired policy setting for sync’ing Windows and Intranet account credentials and stick with it (do not change after users have registered).

v Symptom - N/A
Problem description: - Hardware Password Manager supports all Windows-based functions via wireless connections, such as registration, renew vault, restore vault, and the execution of remote actions. However, BIOS does not support wireless network connections. So, the computer must have a hard-wired network connection for any BIOS-based function that requires a network connection, such as Intranet Login (which is needed only if the user forgot their user login credentials).
Solution: - The user must use a wired network connection when performing an Intranet Login from BIOS.

v Symptom - Receive Incorrect username or password specified message when the Intranet username and/or password are correct and greater than 63 characters in length.
Problem description: - BIOS allows a maximum 64 byte username and password (including null termination) to be entered when performing an Intranet Login (e.g. 63 characters each for the username and password). Thus, the client application must enforce the same restriction for consistency.
Solution: - Set A/D policy to limit Intranet usernames and passwords to a maximum of 63 characters in length.
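A pre-flight check for the limits described in the items above (the special-character username error, the blank Windows password requirement, the 63-character Intranet Login fields, the hardware account name that must match the Windows username once sync policy is enforced, and the server's 8-character BIOS version match), written here as an added example rather than Lenovo's or the HPM product's code; the account records and BIOS version strings are constructed.

```python
"""Administrator-side pre-registration checks for the documented HPM limits.

Added example, not part of the Lenovo guide: flags account records that
would hit the failures the hints describe before users are asked to
register.  All account records and BIOS version strings are constructed.
"""

# Characters the guide lists as causing "Failed to generate encryption key".
KEY_BREAKING_CHARS = set("!@#$%^&*()")
# BIOS takes a 64-byte buffer including the null terminator, so 63 characters.
INTRANET_FIELD_LIMIT = 63
# The server keeps only the first 8 characters of a BIOS version string.
BIOS_VERSION_STORED_CHARS = 8


def key_breaking_chars(windows_user):
    """Return the sorted list of characters that would break key generation."""
    return sorted(KEY_BREAKING_CHARS.intersection(windows_user))


def fits_intranet_field(value):
    """True if the value fits the BIOS field (63 characters plus the NUL)."""
    return len(value) <= INTRANET_FIELD_LIMIT


def bios_version_excluded(version, exclude_list):
    """Mirror the server's prefix match: only the first 8 characters count."""
    key = version[:BIOS_VERSION_STORED_CHARS]
    return any(e[:BIOS_VERSION_STORED_CHARS] == key for e in exclude_list)


def preflight(account, sync_policy):
    """Collect every documented problem one account record would run into."""
    findings = []
    bad = key_breaking_chars(account["windows_user"])
    if bad:
        findings.append("username contains " + "".join(bad))
    if not account["windows_password_set"]:
        findings.append("blank Windows password")
    if not fits_intranet_field(account["intranet_user"]):
        findings.append("intranet username exceeds 63 characters")
    # Only the password length is recorded; the script never sees the secret.
    if account["intranet_password_length"] > INTRANET_FIELD_LIMIT:
        findings.append("intranet password exceeds 63 characters")
    if sync_policy and account["hardware_account"] != account["windows_user"]:
        findings.append("hardware account name differs from Windows username")
    return findings


# Constructed sample records: one clean, one hitting four documented limits.
ACCOUNTS = [
    {"windows_user": "jsmith", "windows_password_set": True,
     "intranet_user": "jsmith", "intranet_password_length": 20,
     "hardware_account": "jsmith"},
    {"windows_user": "ops$admin", "windows_password_set": False,
     "intranet_user": "u" * 70, "intranet_password_length": 20,
     "hardware_account": "opsadmin"},
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["windows_user"], preflight(acct, sync_policy=True))
```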

v Symptom - The Hardware Password Manager client application prompts you to enroll even though the user has already enrolled
Problem description: - If a domain user is configured with a hard-coded DNS server address (not automatically detected) and Hardware Password Manager policy is set for Windows and User Login to be sync’ed, the Hardware Password Manager client application may not recognize that the user is already enrolled IF their domain account password has been changed or reset by the Administrator.
Solution: - Deregister the system (either through BIOS setup or the Intranet Login menu in BIOS), then re-register.

v Symptom - After restoring from a backup that was taken prior to installing the Hardware Password Manager client application, the user is unable to re-register to the Hardware Password Manager server; the user receives a message indicating internal error.
Problem description: - If the user has registered in Hardware Password Manager, then restores from a backup where the Hardware Password Manager client application was not installed, the system is left in a state where BIOS thinks the system is registered (the secure vault is allocated and hardware passwords are set), but the client application is no longer installed.
Solution: - Deregister the system (either through BIOS setup or the Intranet Login menu in BIOS), then re-register.


v Symptom - Hardware Password Manager login failure using a Novell server (LDAP). This can occur anywhere that the Intranet Account authentication is requested, such as registration, renewal, or Intranet Login at the BIOS prompt.
Problem description: - You cannot log in using special characters such as = (equal sign) and . (period). This can occur in either of the following scenarios:
– If LDAP options/connections/bind restrictions is set to None and the username format is user1.novell
– If the LDAP options/connections/bind restrictions is set to Disallow anonymous simple bind and the username format is cn=user1, o=novell
Solution: - N/A


Appendix B. Notices

Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult your local Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any Lenovo intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any other product, program, or service.

Lenovo may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

Lenovo (United States), Inc
1009 Think Place
Building One
Morrisville, NC 27560
USA
Attention: Lenovo Director of Licensing

LENOVO GROUP LTD. PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

The products described in this document are not intended for use in implantation or other life support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or third parties. All information contained in this document was obtained in specific environments and is presented as an illustration. The result obtained in other operating environments may vary.

Lenovo may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Any references in this publication to non-Lenovo Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk.


Any performance data contained herein was determined in a controlled environment. Therefore, the result in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Trademarks

The following terms are trademarks of Lenovo in the United States, other countries, or both:

Access Connections
Lenovo
ThinkVantage
ThinkPad

IBM is a trademark of International Business Machines Corporation in the United States, other countries, or both.

Microsoft and Windows® 2000, Windows XP and Windows Vista are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel® is a trademark of Intel Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.


Printed in USA