Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 52


Problem description: Single sign-on to Windows will not work if Windows is configured to require the user to press Ctrl+Alt+Del to log in. This security setting (Do not require Ctrl+Alt+Del) determines whether pressing Ctrl+Alt+Del is required before a user can log in. When this policy is enabled on a computer, a user is not required to press Ctrl+Alt+Del to log in. If this policy is disabled, any user is required to press Ctrl+Alt+Del before logging on to Windows (unless they are using a smart card for Windows logon). The default on domain computers is Disabled. The default on stand-alone computers is Enabled.
Solution: Enable the Do not require Ctrl+Alt+Del Windows policy.

• Symptom: You receive Antivirus messages during client installation.
  Problem description: The client agent must be installed with Antivirus and Firewalls disabled. After being installed, these can be re-enabled. This is documented in the LANDesk User's Guide as an installation requirement.
  Solution: Disable Antivirus and Firewall protection during client agent installation.

• Symptom: All hard drive passwords (HDPs) are the same within a registered Hardware Password Manager system. However, the passwords will differ between systems where policy is set for the Hardware Password Manager server to generate the passwords (for example, non-common HDPs).
  Problem description: The Hardware Password Manager server will generate the same HDPs for all hard disks attached to a machine during registration (in order to comply with desktop BIOS capabilities).
  Note: The MHDP and UHDP may differ for a drive, but all MHDPs will be the same and all UHDPs will be the same across attached drives within a system.
  Solution: None

• Symptom: When changing your Windows password to a blank password after registering in Hardware Password Manager, the client application does not think the user is registered and prompts the user to enroll again.
  Problem description: Blank passwords cause problems on the Windows Vista operating system due to limitations with the CAPI implementation on the Windows Vista operating system. Once this problem occurs, even if the user tries to change their password back to a non-blank value, the situation does not repair itself (the user will still be prompted to enroll). The user must deregister (via BIOS setup) and reregister.
  Solution: Set Windows policy to NOT allow blank Windows passwords. If there is a strong desire to allow blank Windows passwords, Vista SP2 includes a fix that resolves this problem.

• Symptom: A user can perform an intranet login and choose to deregister (remove hardware passwords) a system in which they are not enrolled.
  Problem description: When a system is registered via the one-touch registration process (only an emergency admin account is created), the user can perform an intranet login and see the Deregister PC option. Ideally, this option would not be visible by default as it allows a secured PC to be deregistered before any users enroll.
  Solution: An administrator can disable the Deregister PC from the BIOS menu as a policy setting in the Admin Console. Doing this will prevent the user from seeing the Deregister PC option.

• Symptom: When policy dictates that Hardware Account and Windows credentials are to be kept in sync, a change to the Vault password via the intranet login menu is not detected by the Client application.
  Problem description: The Client Portal cannot update the Windows password as a result of changes to the Vault password. This is because the Client Portal cannot accurately or securely monitor changes to the Vault password after Windows starts (for example, the client can only know if a password change occurred, but not what the password change actually is).
  Note: If the user changes their Windows password, the Client application will prompt the user to update their Vault password on the next Windows login.
  Solution: Administrators can prevent this from happening if they disable the Change Hardware Account password policy setting (BIOS menu setting).
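
The two Windows policy prerequisites named above can be checked on a client before deployment. The following PowerShell is an added example, not part of the Lenovo guide. It assumes that a minimum password length of 1 or more is how blank passwords are disallowed (the guide does not name the setting), and the scratch file name is hypothetical.

```powershell
# Added example: audits the Windows policy prerequisites from this troubleshooting page.
# Run from an elevated prompt (secedit /export needs administrator rights).

function Get-DisableCad {
    # "Interactive logon: Do not require CTRL+ALT+DEL" is stored as DisableCAD:
    # 1 = policy Enabled (key sequence not required), 0 = Disabled (required).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name DisableCAD -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }    # value absent: the OS default applies
    return [int]$prop.DisableCAD
}

function Get-MinimumPasswordLength {
    # Export the security policy and read MinimumPasswordLength from [System Access].
    $cfg = Join-Path $env:TEMP 'hpm-secpol-check.inf'    # hypothetical scratch file
    secedit /export /areas SECURITYPOLICY /cfg $cfg /quiet | Out-Null
    try {
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^\s*MinimumPasswordLength\s*=' } |
            Select-Object -First 1
        if ($line -match '=\s*(\d+)') { return [int]$Matches[1] }
        return $null
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$cad = Get-DisableCad
if ($null -eq $cad) {
    'CHECK: DisableCAD not set; default applies (Disabled on domain computers, Enabled on stand-alone)'
} elseif ($cad -eq 1) {
    'OK:    Do not require Ctrl+Alt+Del is Enabled; single sign-on can proceed'
} else {
    'FAIL:  Ctrl+Alt+Del is required; single sign-on to Windows will not work'
}

$min = Get-MinimumPasswordLength
if ($null -eq $min) {
    'CHECK: could not read MinimumPasswordLength from the secedit export'
} elseif ($min -ge 1) {
    "OK:    minimum password length is $min; blank Windows passwords are rejected"
} else {
    'FAIL:  minimum password length is 0; a blank password can break enrollment on Vista before SP2'
}
```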