Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 33

Chapter 5. Deployment This chapter contains additional deployment information for using Hardware Password Manager devices with Hardware Password Manager. It is written for the administrator who will manage devices with the Hardware Password Manager server and configure these devices with other. This guide includes the following sections: • "Fingerprint integration" on page 25 • "Safe Guard Easy/Safe Guard Enterprise compatibility" on page 26 • "One-touch registration" on page 26 Fingerprint integration Hardware Password Manager is fully compatible with the Lenovo preferred fingerprint software (Authentec and UPEK). For Windows XP® clients, it is recommended that the Hardware Password Manager client is installed without the Hardware Password Manager GINA. Doing so will allow the user to perform single sign-on into Windows using their fingerprints. To install the Hardware Password Manager client application without the GINA, use the following install command: HPMClientInstall.exe /vNOGINA=1 Furthermore, the order of enrollment is important when using Hardware Password Manager with the fingerprint software. First register in Hardware Password Manager to set hardware passwords. Then enroll your fingerprints for pre-boot access using the fingerprint software. When your fingerprints are enrolled for the first time, shut down and restart the computer. When you swipe your fingerprint, the user login will prompt you to enter your credentials and log in to the desktop. After restarting the computer for the second time, swipe your fingerprint, and the BIOS will release the actual hardware passwords. From this point on you will be able to single-sign-on to Windows with just a swipe of the finger at pre-boot. If you see the fingerprint enrollment wizard and the Hardware Password Manager registration wizard displayed at the same time after you log into Windows, proceed first to the Hardware Password Manager registration wizard. However, if you enroll your fingerprints first and have not already set hardware passwords, you can still synchronize your fingerprints with the Hardware Password Manager account. Launch the fingerprint software and enable pre-boot authentication and single sign-on. Then follow the instructions below: If you are creating an image, you can use the following steps in your image to suppress the fingerprint enrollment wizard until the system is registered with the Hardware Password Manager : 1. Disable the Fingerprint Enrollment wizard on startup by setting the following values to 0. Authentec: HKEY_CURRENT_USER\Software\Authentic Biometric Suite\bFingerprintSoftwareStartUp UPEK: HKEY_CURRENT_USER\Software\Protector Suite\Control Center\1.0\ShowOnStartup 2. Create a script that enables the Fingerprint Enrollment wizard if the system is registered in Hardware Password Manager and the current user is enrolled in Hardware Password Manager. A utility is provided in the Hardware Password Manager program folder that IT administrators can use to obtain registration and enrollment status within a script.The script interface is defined as follows: • Utility Name: cmp_util.exe • Prerequisite: psadd.sys device driver, cmp_server_dll.dll • Usage: cmp_util.exe where is one of the following: - supported* - returns whether the utility is supported on the current system - registered - returns whether the current system is registered in the utility © Copyright Lenovo 2010 25