Lenovo ThinkPad R400 (English) Hardware Password Manager Deployment Guide
Lenovo ThinkPad R400 Manual
Lenovo ThinkPad R400 manual content summary:
- Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 1
Hardware Password Manager Deployment Guide Updated: July, 2010 - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 2
- Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 3
Hardware Password Manager Deployment Guide Updated: July, 2010 - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 4
Note: Before using this information and the product it supports, read the general information in Appendix D "Notices" on page 49. Third Edition (July 2010) © Copyright Lenovo 2010. LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 5
core server 4 ThinkManagement Console with HPM server setup 5 Migrating to a new LDAP server 6 Installing Hardware Password Manager on a Lenovo 17 Defining scopes and roles for console users . . . 18 Service operating system (remote BIOS settings 30 Scenario 6 Manual login using different keyboard - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 6
Appendix C. Hints and tips 43 Appendix D. Notices 49 Trademarks 50 iv Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 7
and users can consult for information about using the application itself. Lenovo Hardware Password Manager is developed for IT professionals and the unique challenges they may encounter. This deployment guide will provide instructions and solutions for working with Hardware Password Manager. If you - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 8
vi Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 9
Windows ID and password for the user. The user also has the option to authenticate himself to BIOS HPM is installed, the Lenovo ThinkManagement Console core server acts as the HPM server. On Lenovo client devices which support HPM, to communicate with a Web service on the server. This communication - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 10
2 Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 11
LDAP server to provide authentication services for HPM. Policies for how hardware passwords are generated and how client devices are managed are defined in the console as well. Next, you install the HPM client software on individual Lenovo devices that support HPM. A BIOS setting is used to enable - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 12
. After being installed, an HPM core server cannot be renamed. 4. Disable the Indexing Service and Windows Search Service because they might interfere with the normal operation of the HPM core server. For more details, go to the Web site: http://community.landesk.com/support/docs/DOC-7245 5. Add the - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 13
www.landesk.com/lenovo. After completing the registration, you will receive an email with a link to download the installation package as well as LANDesk credentials for activating the core server after installation. After you have downloaded the installation package, follow the instructions below to - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 14
core server. Follow the prompts in the Installation wizard and select Restart Now after installation. 4. Activate the core server by entering your LANDesk contact name and password in the Core Console core server setup Lenovo device To add Hardware Password Manager features to a Lenovo - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 15
Services Tool and Configure Scheduler Credentials steps. Notes: 1. To simplify the device discovery process, turn off the Windows® firewall. 2. For Windows XP, simple file sharing must be disabled on the Lenovo WSCFG32.EXE. A dialog box is displayed showing the components that will be installed - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 16
the background for about a minute. Two executable files and two log files will be created. One executable, designated by "_with_status", will provide an installer that displays installation status to the user. The other executable will be installed silently. 8 Hardware Password Manager Deployment - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 17
server policy settings" on page 17 Viewing Hardware Password Manager devices Lenovo Hardware Password Manager devices that have been discovered and managed. Open this Hardware Password Managed devices folder to view a list of Computers • BIOS passwords: displays the passwords for each BIOS profile - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 18
that can only be accessed by the computer's BIOS). The LDAP path shows the user's Windows policy list shows the status of operating system related policy settings currently applied on the device. The BIOS policy list shows the status of BIOS a tree structure that displays the users and groups on - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 19
name. Viewing Hardware Password Manager users and their properties The HPM Enrolled Users tool enables you to view all users that are enrolled to access Lenovo Hardware Password Manager devices. You can view a list of all users, or you can select groups in the LDAP directory tree to view subsets of - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 20
Service Tech: an IT technician, authorized with limited access to the device for servicing that is defined with the Service Tech role can log in group; if you select Service Tech, you can limit specific number of logins. (This applies only to Service Tech users.) 12 Hardware Password Manager - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 21
displays the LDAP distinguished name of the group and lists the devices or users associated with the group. Members of the group can log in to all devices listed here, unless you have defined the group as a Service onto specific remote computer's BIOS. • Restore Hardware Account: restores the BIOS - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 22
Manager BIOS from the Windows Policy and BIOS Policy tabs, Lenovo BIOS are the same as the user's Windows credentials. • Auto-start registration at Windows logon: when the user logs in to Windows Windows time. This supports various deployment start user enrollment at Windows logon: Hardware Password - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 23
administrator and service technician users can still access the device if needed). The following BIOS-level policies can be selected: • Show last logon account for hardware account: at the BIOS user logon screen, the last user account to have logged on to the BIOS is displayed by default. • Prompt - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 24
Passwords dialog box displays the current password the selected computers. The computers as well as any newly registered Hardware Password Manager devices. Updating the emergency account Each Lenovo Account dialog box displays the current emergency selected computers. The computers as - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 25
are enabled for display on the BIOS menu of managed Hardware Password Manager devices, and allows you to specify which BIOS versions are excluded from Hardware Password Manager device management. BIOS menu items are selected separately for the three user roles: User, Service Tech, and Administrator - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 26
on the Hardware Password Manager BIOS menu but a Service Technician might have a limited set of options available. Note: When the client policy is set to Hardware Account equals Windows credentials, the Change Hardware Account password option will not be displayed whether or not it is selected - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 27
5. Click OK. To assign permissions to a group that can be authenticated through the new authentication, do the following: 1. In the User's tool, click + on the toolbar or right-click Group Permissions, and then click New group permission. 2. Enter a name for the group permission. 3. Select the - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 28
20 Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 29
Lenovo devices that support Console core server acts Lenovo Hardware Password Manager. It is written for the end user who will register the device with the Hardware Password Manager server and enroll as a user. This guide BIOS: 1. Power on the computer. 2. Press F1 to enter the BIOS setup window - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 30
prompt you to restart. 9. Click OK to restart the device. 10. At the BIOS login prompt, log in using your Windows credentials or hardware account credentials for the device. If you clear Enable First User enrolled on must be created on the device. 22 Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 31
vault credentials do not equal Windows credentials, log in using the hardware account credentials for the additional user. The enrolled additional user will have user or administrator right in the BIOS, according to the role of the group, user, administrator, or service tech. Removing a user from - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 32
tasks. These menus display password management options can only be accessed by the computer's BIOS. Hardware credentials and all user following tasks: • Start Windows. • Restore hardware accounts Select Intranet account login to open the HPM BIOS Menu. 4. Enter valid corporate credentials. - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 33
your credentials and log in to the desktop. After restarting the computer for the second time, swipe your fingerprint, and the BIOS will release the actual hardware passwords. From this point on you will be able to single-sign-on to Windows with just a swipe of the finger at pre-boot. If you - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 34
the current Windows system user is enrolled in the utility - enabled - returns whether the utility is enabled in the BIOS program - show - displays results to the console for all of the above commands • Return codes: - 0 - false - 1 - true - 2 - error • Example: cmp_util.exe -supported The behavior - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 35
registration to proceed unattended. Note: One-touch refers to the one manual step required by the administrator to register the system in Hardware be initiated (based on policy) for any user successfully logging in to Windows on the system, either a local or domain login. The one-touch registration - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 36
28 Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 37
remove the CMOS battery to clear both the POP and PAP. 2. Hardware changes on Lenovo ThinkPads do not generate BIOS errors to allow for hot or warm-swapping, so the PAP/SVP is not required. Scenario 2 - CMOS error To protect BIOS settings in CMOS memory, a checksum is computed and saved for error - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 38
BIOS will release the actual hardware passwords from the hardware account. The BIOS displays the fingerprint swipe prompt first when starting the system. To open the User Login window credentials or manually enters the must manually clear Manager either manually through the BIOS setup or - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 39
• Desktop systems - If the system board was not deregistered, you can remove the CMOS battery to clear the POP/SVP, then enter BIOS setup and disable Hardware Password Manager • ThinkPad - Removing the CMOS battery will not clear the SVP - you must obtain the SVP from the ThinkManagement Console in - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 40
administrator or service tech role BIOS Setup Utility. Press Esc when prompted for the Hardware Password Manager Login. Select Manually the BIOS Setup have the computer name of retrieved using a Lenovo supplied Hardware Password BIOS setup. Note: The SVP is not required to clear a HDP for ThinkPad - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 41
back to a previous version of BIOS that supports Hardware Password Manager, the hardware account is a member of the Service Tech or Hardware Password Manager Administrator group. • Manual Login - User must obtain external hard drive or one installed in a docking station. Chapter 6. Scenarios 33 - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 42
. To resolve this problem, do the following: 1. Call the IT administrator and obtain the Emergency Administrator account credentials. Power on the computer and enter these credentials per the User Login prompt. 2. Log in to Windows by manually entering their Windows credentials. 3. Launch Client - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 43
These passwords (represented by scan codes) are sent to the client to be set in the hardware. Changing keyboard types is not supported for manual entry of passwords. If a user wants to change keyboard types, the best practice is to do this: 1. Deregister from Hardware Password Manager. 2. Change the - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 44
36 Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 45
A. Security and convenience Computer security is often considered MHDP can make it easier for the administrator to manually enter the MHDP if necessary (for example, to enter the BIOS setup and clear the UHDP and MHDP). Set password) Selected (hard-code password) © Copyright Lenovo 2010 37 - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 46
for the administrator to enter the BIOS setup or log in to the system without manually entering hardware passwords or requiring allow the user to enter the BIOS setup and change settings if desired. This does not give the user Windows Administrator privileges. Client Portal Menu Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 47
companies have a backup policy to back up servers to a specific external media type such as tape drive, DVD, or even external drives. If your company has a back-up policy, this policy should be implemented before upgrading the core server. Backing up the core server with ImageW.exe and Phylock The - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 48
the time the command is run (for example if the core server is moved to a lab environment for upgrading). If migrating to a new database, many items can Software License Monitoring Custom Vulnerabilities Patch status (which patches are set to autofix) 40 Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 49
be exported. Take screen shots of such configurations so that they can be applied to the new core server. An Services PXE Boot Menu Security and Patch settings Document any custom changes made for your operating environment. Many companies have made custom alterations or changes for reasons specific - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 50
42 Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 51
disk. Problem description: Hard disks with passwords set cannot be shared between registered systems. Hard disk passwords are handled as follows: 1. To allow for consistency between desktop and mobile, all HDPs are the same within a given system (even though mobile BIOS could support different HDPs - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 52
Windows logon) The default on domain-computers is Disabled. The default on stand-alone computers is Enabled. Solution: Enable the Do not require Ctrl+Alt+Del Windows policy. • Symptom: You receive Antivirus messages during client installation. Problem comply with desktop BIOS capabilities). Note: - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 53
installation fails if the Hardware Password Manager client is installed. Problem description: If installing SGN or SGE on Windows XP when the Hardware Password Manager client is installed, an error is displayed indicating the Lenovo GINA is active and the installation fails. Solution: Uninstall the - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 54
in the BIOS. Problem description: Hardware Password Manager supports all Windows-based functions via wireless connections, such as registration, renew vault, restore vault, and the execution of remote actions. However, BIOS does not support wireless network connections. So, the computer must have - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 55
correct and is greater than 63 characters in length. Problem description: BIOS allows a maximum 64 byte user name and password Problem description: If a domain user is configured with a hard-coded DNS server address (not automatically detected) and Hardware Password Manager policy is set for Windows - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 56
48 Hardware Password Manager Deployment Guide - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 57
the operation of any other product, program, or service. Lenovo may have patents or pending patent applications covering support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 58
, or both: Access Connections Lenovo ThinkVantage ThinkPad The following terms are trademarks of Windows 2000, Windows XP and Windows Vista are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service - Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 59
- Lenovo ThinkPad R400 | (English) Hardware Password Manager Deployment Guide - Page 60
Hardware Password Manager
Deployment Guide
Updated: July, 2010