Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 45

Appendix A.

Security and convenience

Computer security is often considered much more important more convenience. The following table

illustrates how Hardware Password Manager policy settings can be conﬁgured to optimize security and

convenience.

Note:

Default values are highlighted in italics.

Table 1. Hardware Password Manager policy settings

Policy setting

Description

Most secure

Most convenient

Client - BIOS Policy

Show last logon account

for Hardware Account

Determines whether BIOS should cache

the Hardware Account user name that

successfully logged in to the system last time.

The password is not cached and the user will

have to enter it each time.

Not Selected

Selected

Prompt for Hardware

Account on warm boot

Determines whether to prompt for the

Hardware Account each time the system

restarts.

Selected

Not selected

Client - Common

Hardware Passwords

Set Common SVP

Determines whether to set the Supervisor

Password (SVP) to a common hard-coded

value, or to generate the password

automatically. Using a common SVP can

make it easier for the administrator to manually

enter the SVP if necessary (for example, to

enter the BIOS setup and change settings).

Not Selected

(auto-generated

password)

Selected

(hard-code

password)

Set Common POP

Determines whether to set the Power-on

Password (POP) to a common hard-coded

value or to generate the POP automatically.

Not Selected

(auto-generated

password)

Selected

(hard-code

password)

Set Common MHDP

Determines whether to set the Master Hard

Drive Password (MHDP) to a common

hard-coded value or to generate the password

automatically. Using a common MHDP can

make it easier for the administrator to manually

enter the MHDP if necessary (for example, to

enter the BIOS setup and clear the UHDP and

MHDP).

Not Selected

(auto-generated

password)

Selected

(hard-code

password)

Set Common UHDP

Determines whether to set the User Hard Drive

Password (UHDP) to a common hard-coded

value or to generate the UHDP automatically.

Not Selected

(auto-generated

password)

Selected

(hard-code

password)

Client - Emergency

Account

© Copyright Lenovo 2010

37

Section	Page
Preface	7
Chapter 1. Overview	9
Chapter 2. Installing Hardware Password Manager on ThinkManagement Console	11
Prerequisites	11
Preparing the core server	12
ThinkManagement Console with HPM server setup	13
Migrating to a new LDAP server	14
Installing Hardware Password Manager on a Lenovo device	14
Chapter 3. Managing Hardware Password Manager devices with ThinkManagement Console	17
Viewing Hardware Password Manager devices and their properties	17
Managing enrolled users on Hardware Password Manager devices	18
Configuring an LDAP server connection	18
Viewing Hardware Password Manager users and their properties	19
Removing a user’s access to a Hardware Password Manager device	20
Managing Hardware Password Manager groups	20
Managing remote actions and policy settings for Hardware Password Manager devices	21
Updating client policies globally	22
Updating hardware passwords globally	23
Updating the emergency account	24
Changing server policy settings	25
Defining scopes and roles for console users	26
Chapter 4. Hardware Password Manager Client	29
Hardware Password Manager device setup	29
Registering a device with the Hardware Password Manager server and enrolling the first user	29
Enrolling additional users on a Hardware Password Manager device	30
Removing a user from a Hardware Password Manager device	31
Unregistering a device from the Hardware Password Manager server	31
Updating credentials on a Hardware Password Manager device	32
Chapter 5. Deployment	33
Fingerprint integration	33
Safe Guard Easy/Safe Guard Enterprise compatibility	34
One-touch registration	34
Pre-registration	35
User enrollment on a pre-registered system	35
Chapter 6. Scenarios	37
Service scenarios (configuration changes)	37
Scenario 1 - Hardware configuration changes	37
Scenario 2 - CMOS error	37
Scenario 3 - Replace the fingerprint device	38
Scenario 4 - Hardware passwords already set	38
Scenario 5 - Setup under the operating system (remote BIOS settings)	38
Scenario 6 - Replace the system board	39
Scenario 7 - Add a hard disk drive	39
Scenario 8 - Replace or move a hard disk drive	39
Scenario 9 - Change the hard disk location within a system	40
Scenario 10 - Remove a hard disk drive	40
Scenario 11 - Flashing the BIOS	40
Scenario 12 - Registered system can no longer access the Hardware Password Manager server	41
Scenario 13 - Enter the BIOS setup	41
Scenario 14 - Load default settings in the BIOS setup	41
Scenario 15 - Do not protect all hard drives	41
User Scenarios	42
Scenario 1 - Forgot Hardware Account credentials, network connected	42
Scenario 2 - Forgot Hardware Account credentials, NOT network connected	42
Scenario 3 - Forgot the corporate password	42
Scenario 4 - Manual login using different keyboard types	42
Scenario 5 - Handling enrollment from multiple boot partitions	43
Scenario 6 - BitLocker	43
Appendix A. Security and convenience	45
Appendix B. Disaster recovery	47
Appendix C. Hints and tips	51
Appendix D. Notices	57

Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 45

Appendix A. Security and convenience, Policy setting, Description, Most secure, Most convenient - user s manual

Page 45 highlights