HP Dc5700 HP ProtectTools Security Manager Guide - Page 27

HP Client Manager for Remote Deployment, Background, Initialization, Maintenance



7 HP Client Manager for Remote Deployment

Background

HP Trustworthy platforms equipped with a Trusted Platform Module (TPM) ship with the TPM deactivated (default state). Enabling the TPM is an administrative option protected by HP BIOS-enforced policies. The administrator must be present to enter BIOS configuration options (F10 options) to enable the TPM. Furthermore, the Trusted Computing Group (TCG) specifications mandate that explicit human (physical) presence must be established in order to activate a TPM. This mandate ensures that a user's privacy rights are respected (by providing an opt-in model for use) and that a rogue application, virus, or Trojan horse does not enable the TPM for malicious use. The establishment of physical presence and the requirement for an administrator's local presence pose an interesting challenge for IT managers trying to deploy this technology across a large enterprise.
Initialization

HP Client Manager (HPCM) provides a method of remotely enabling the TPM and taking ownership of the TPM in the enterprise environment. This method does not require the physical presence of the IT administrator, yet it still meets the TCG requirement.

HPCM allows the IT administrator to set certain BIOS options and then reboot the system to enable the TPM on the remote system. During this reboot, the BIOS, by default, displays a prompt; in response, the end user must press a key to prove physical presence, as specified by the TCG. The remote system then continues to boot, and the script completes by taking ownership of the TPM on the system. During this procedure, an emergency recovery archive and an emergency recovery token are created on a location designated by the IT administrator.

HPCM does not execute the TPM user initialization on the remote system, since the user must be allowed to choose the password. TPM user initialization must be performed by the end user of that system.
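The procedure above ends with the TPM enabled, activated and owned, and with the recovery archive and token written to the administrator's chosen location. The following read-only check is an added example, not part of the HP guide or of HP Client Manager: an administrator could run it after the HPCM job to confirm that a client actually reached that state. It assumes the Win32_Tpm WMI class (present on Windows Vista and later) and a hypothetical recovery share and file names, since the guide does not name the files HPCM writes.

```powershell
# Added example, not HP Client Manager code. Read-only post-deployment check:
# confirm a client's TPM is enabled, activated and owned, and that the emergency
# recovery archive and token exist in the administrator-designated location.
# Assumes the Win32_Tpm WMI class (Windows Vista and later) and a hypothetical
# recovery share; adjust -RecoveryRoot and the file names to your own layout.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$RecoveryRoot = '\\fileserver\tpm-recovery'   # hypothetical share path
)

function Get-TpmDeploymentState {
    param([string]$Computer, [string]$Root)

    # Win32_Tpm lives in its own WMI namespace; querying it needs administrator rights
    # on the target, which matches the guide's note that admin credentials are required.
    $tpm = Get-WmiObject -ComputerName $Computer `
        -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue

    if (-not $tpm) {
        # No Win32_Tpm instance: the TPM is absent, or still deactivated in BIOS so
        # the OS driver never bound to it. Either way the deployment did not complete.
        return [pscustomobject]@{
            Computer       = $Computer
            TpmPresent     = $false
            Enabled        = $false
            Activated      = $false
            Owned          = $false
            ArchivePresent = $false
            TokenPresent   = $false
            Compliant      = $false
        }
    }

    # Each Is* method returns a result object whose same-named property holds the flag.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    # File names are assumptions: HPCM writes an archive and a token to the location
    # the administrator designates, but the guide does not state their names.
    $archive = Join-Path $Root "$Computer\emergency-recovery-archive.xml"
    $token   = Join-Path $Root "$Computer\emergency-recovery-token.xml"
    $archivePresent = Test-Path -LiteralPath $archive
    $tokenPresent   = Test-Path -LiteralPath $token

    [pscustomobject]@{
        Computer       = $Computer
        TpmPresent     = $true
        Enabled        = $enabled
        Activated      = $activated
        Owned          = $owned
        ArchivePresent = $archivePresent
        TokenPresent   = $tokenPresent
        # Compliant only when every step of the HPCM procedure left its expected trace.
        Compliant      = ($enabled -and $activated -and $owned -and $archivePresent -and $tokenPresent)
    }
}

Get-TpmDeploymentState -Computer $ComputerName -Root $RecoveryRoot | Format-List
```

Run it per client, or feed a list of computer names through a loop and filter on Compliant being false to find machines where the end user never pressed the physical-presence key or where the recovery files did not land. Because the archive and token are the material used to recover TPM credentials, the share they are written to should be readable only by the administrators who perform that recovery.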
Maintenance

HP Client Manager can be used to reset the user password remotely without the IT Administrator being made aware of the user password. HPCM can also remotely recover the user credentials. Proper administrator passwords must be supplied for both of these functions.

ENWW Background 21