Lenovo ThinkPad T500 (English) Hardware Password Manager Deployment Guide
Lenovo ThinkPad T500 manual content summary:
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 1
  Hardware Password Manager Deployment Guide Updated: July, 2010
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 2
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 3
  Hardware Password Manager Deployment Guide Updated: July, 2010
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 4
  Note: Before using this information and the product it supports, read the general information in Appendix D "Notices" on page 49. Third Edition (July 2010) © Copyright Lenovo 2010. LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 5
  system board . . . 31 Scenario 7 - Add a hard disk drive . . . . . 31 Scenario 8 - Replace or move a hard disk drive 31 Scenario 9 - Change the hard disk location within a system 32 Scenario 10 - Remove a hard disk drive . . . 32 Scenario 11 - Flashing the BIOS 32 Scenario 12 - Registered system
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 6
  Appendix C. Hints and tips 43 Appendix D. Notices 49 Trademarks 50 iv Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 7
  help, which administrators and users can consult for information about using the application itself. Lenovo Hardware Password Manager is developed for IT professionals and the unique challenges they may encounter. This deployment guide will provide instructions and solutions for working with
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 8
  vi Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 9
  use as a single sign-on proxy. This user ID and password can be synchronized with the Windows ID and password for the user. The user also has the option to authenticate himself to BIOS using his fingerprint. When the device powers on, the user is asked for these credentials. If provided, the device
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 10
  2 Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 11
  devices that support HPM. A BIOS setting is used to enable or disable HPM support on these devices. This setting must be set to Enabled for the device to work with HPM. After completing these installation tasks, you can begin registering Lenovo HPM devices with the HPM server and enroll users on
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 12
  to the following Web site: http://community.landesk.com/support/docs/DOC-6767 The preferred platform for ThinkManagement Console 9.0 is the Windows Server 2008 R2 (64-bit) operating system. The following instructions describe how to configure the Windows Server 2008 R2 (64-bit) operating system to
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 13
  www.landesk.com/lenovo. After completing the registration, you will receive an email with a link to download the installation package as well as LANDesk credentials for activating the core server after installation. After you have downloaded the installation package, follow the instructions below to
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 14
  items: HPM Enrolled Users, HPM Groups, user: - The user name for logging in to the Microsoft Active Directory server. - A domain\user name or simply a user name. - The user password for the authorized user on the LDAP server. Lenovo device To add Hardware Password Manager features to a Lenovo device
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 15
  Services Tool and Configure Scheduler Credentials steps. Notes: 1. To simplify the device discovery process, turn off the Windows® firewall. 2. For Windows XP, simple file sharing must be disabled on the Lenovo For Windows Vista® it is a good practice to turn User Account a network drive to \\
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 16
  . Two executable files and two log files will be created. One executable, designated by "_with_status", will provide an installer that displays installation status to the user. The other executable will be installed silently. 8 Hardware Password Manager Deployment
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 17
  either Computers or Hard disks depending BIOS profile and the date/time the profile was last backed up. This section includes the supervisor password (SVP), which logs on to the device with administrator access, and the power-on password (POP), which logs on to the device as a user. • Hard disk
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 18
  of BIOS-related policy settings currently applied on the device. These settings are selected in the Update Client Policy dialog; see "Updating hardware passwords globally" on page 15 for more information. Managing enrolled users on Hardware Password Manager devices When a Lenovo Hardware Password
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 19
  and Password field. The user can be in the form of the domain\user name or can simply be the user name. Viewing Hardware Password Manager users and their properties The HPM Enrolled Users tool enables you to view all users that are enrolled to access Lenovo Hardware Password Manager devices. You
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 20
  update its policy, the user will be removed from the list of users for that device. To remove a user from a Hardware Password Manager device: 1. Click HPM Enrolled Users of time or a specific number of logins. (This applies only to Service Tech users.) 12 Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 21
  that can only be accessed by the computer's BIOS. • Restore Hardware Account: restores the BIOS hardware passwords in the hardware account with the backup credentials stored in the Hardware Password Manager server. This includes system and user password backups. • Deregister PC: clears the hardware
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 22
  • Remove User: removes a user from the list of users authorized to access a Hardware Password Manager device. • Update Client Policy: saves an updated client policy to the Hardware Password Manager BIOS of the device, replacing the previous policy. • Update Common Hardware Passwords: saves new
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 23
  of BIOS settings. It is a superset of the power-on password. • POP - The power-on password enables the user to power on the device and access it with normal user privileges. • MHDP - The master hard disk password enables the user to access the hard disk and reset the user hard disk password
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 24
  computers as well as any newly registered Hardware Password Manager devices. Updating the emergency account Each Lenovo Hardware Password Manager device has an emergency access account that can be used to log in to the device if the user The Update Option can be found in the Update Emergency Account
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 25
  Password Manager devices, and allows you to specify which BIOS versions are excluded from Hardware Password Manager device management. BIOS menu items are selected separately for the three user roles: User, Service Tech, and Administrator. Users log in to Hardware Password Manager devices with an
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 26
  of roles.) So, for example, a user might see all options on the Hardware Password Manager BIOS menu but a Service Technician might have a limited set of options available. Note: When the client policy is set to Hardware Account equals Windows credentials, the Change Hardware Account password option
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 27
  the Targeted AD groups list. 6. Repeat step 5 as needed. 7. Select the role(s) to be assigned to this group permission. 8. Click Save. Now when users log in to the console they need to select the appropriate authentication and enter their credentials. The level of access granted will be determined
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 28
  20 Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 29
  the BIOS: 1. Power on the computer. 2. Press F1 to enter the BIOS setup window. 3. Select Password on the Security tab. 4. Select Hardware Password Manager and set to Enabled. 5. Press F10 to save and exit. Registering a device with the Hardware Password Manager server and enrolling the first user
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 30
  then completed when the user enters credentials for logging on 10. At the BIOS login prompt, log in using your Windows credentials or hardware account credentials for the device. If you clear Enable First User enrolled on a machine as Administrator, the first enrolled user has user privilege in BIOS
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 31
  do not equal Windows credentials, log in using the hardware account credentials for the additional user. The enrolled additional user will have user or administrator right in the BIOS, according to the role of the group, user, administrator, or service tech. Removing a user from a Hardware Password
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 32
  • Enroll first user • Enroll additional users • Remove user • Renew hardware account • Restore hardware account To open the Hardware Password Manager Login Menu: 1. Power on the device. 2. At the User Login prompt, press Esc. 3. Select Intranet account login to open the HPM BIOS Menu. 4. Enter
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 33
  your fingerprint, the user login will prompt you to enter your credentials and log in to the desktop. After restarting the computer for the second time, swipe your fingerprint, and the BIOS will release the actual hardware passwords. From this point on you will be able to single-sign-on to Windows
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 34
  • Example: cmp_util.exe -supported The behavior of the fingerprint enrollment differs slightly between a Hardware Password Manager registered system and a non-registered system. For registered systems, the BIOS program prompts for Hardware Password Manager User Login credentials (Hardware account
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 35
  refers to the one manual step required by the administrator to register the system in Hardware Password Manager. When the system is registered and delivered to users, enrollment can automatically be initiated (based on policy) for any user successfully logging in to Windows on the system, either
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 36
  28 Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 37
  a battery that is losing power, or a virus or system board problem. CMOS errors require you to enter BIOS setup and select Load Default Settings before the system can start the operating system. In order to enter BIOS setup, the SVP must be provided. When a CMOS error occurs, the User Login window
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 38
  privileges are provided, only the Power On Password and Hard Drive Passwords are updated in the fingerprint device (PAP/SVP is not added to the fingerprint device until a user logs in with Hardware Password Manager Administrator credentials or manually enters the correct PAP/SVP.) Scenario
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 39
  , the BIOS will detect that the hard disk is not protected. In this case, when logging into Windows, the Client Portal will inform the user that an unprotected device (HDD) was found and ask them if they want to renew the hardware. Scenario 8 - Replace or move a hard disk drive If the hard disk of
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 40
  the system with Hardware Password Manager again. If the replacement hard disk was previously managed by Hardware Password, so it is known to the Hardware Password Manager server and has a HDP set, the HDP must be cleared manually using the BIOS Setup Utility. Press F1 during POST to enter the
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 41
  protect all hard drives This scenario describes a scenario where a user registers their system in Hardware Password Manager, but then wants to use an additional hard drive that is NOT protected. The hard drive most likely will be an external hard drive or one installed in a docking station. Chapter
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 42
  and obtain the Emergency Administrator account credentials. Power on the computer and enter these credentials per the User Login prompt. 2. Log in to Windows by manually entering their Windows credentials. 3. Launch Client Portal and select Remove User. 4. Re-enroll their account in Hardware
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 43
  keyboard types is not supported for manual entry of passwords. If a user wants to change keyboard user can choose to continue with the registration or cancel at this point. If the user continues, then BitLocker Recovery Mode will be executed on the next start since the integrity check on BIOS
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 44
  36 Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 45
  MHDP can make it easier for the administrator to manually enter the MHDP if necessary (for example, to enter the BIOS setup and clear the UHDP and MHDP). Set Common UHDP Determines whether to set the User Hard Drive Password (UHDP) to a common hard-coded value or to generate the UHDP automatically
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 46
  the SVP to be released when logging in to the system, which will allow the user to enter the BIOS setup and change settings if desired. This does not give the user Windows Administrator privileges. Client Portal Menu Options - Client Portal tab Deregister PC Determines whether the Deregister
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 47
  specific external media type such as tape drive, DVD, or even external drives. If your company has a back-up policy, this policy should be implemented before upgrading restored, the upgrade problem can be resolved, and the database can then be upgraded is an updated CoreDataMigration. Lenovo 2010 39
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 48
  Migration or a clean core server installation with an upgraded database, because in both cases the core server will be new and will not have that information. Export the users and groups added to the LANDesk Management Suite patches are set to autofix) 40 Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 49
  Services PXE Boot Menu Security and Patch settings Document any custom changes made for your operating environment. Many companies have made custom alterations or changes for reasons specific to their operating environments. Most of these changes are only known to you. Appendix B. Disaster recovery
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 50
  42 Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 51
  , if the user wants to share a drive between 2 or more systems, the recommendation is to remove the HDP on that drive (manually through BIOS setup) or remove the drive when initially registering so that an HDP is not set for that drive. • Symptom: HPM client installation fails. Problem description
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 52
  for example, non-common HDPs). Problem description: The Hardware Password Manager server will generate the same HDPs for all hard disks attached to a machine during registration (in order to comply with desktop BIOS capabilities). Note: The MHDP and UHDP may differ for a drive, but all MHDPs will be
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 53
  two hardware accounts associated with one Windows account. Problem description: This problem occurs when restoring a system from a backup that was taken prior to registering in Hardware Password Manager. When enrolling in Hardware Password Manager, the user's Windows credentials are stored in secure
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 54
  the BIOS. Problem description: Hardware Password Manager supports all Windows-based functions via wireless connections, such as registration, renew vault, restore vault, and the execution of remote actions. However, BIOS does not support wireless network connections. So, the computer must have a hard
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 55
  application prompts you to enroll even though user has already enrolled. Problem description: If a domain user is configured with a hard-coded DNS server address (not automatically detected) and Hardware Password Manager policy is set for Windows and User Login to be synchronized, the Hardware
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 56
  48 Hardware Password Manager Deployment Guide
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 57
  services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service Users of this document should verify the applicable data for their specific environment. © Copyright Lenovo 2010 49
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 58
  in the United States, other countries, or both: Access Connections Lenovo ThinkVantage ThinkPad The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both: IBM Lotus Lotus Notes Intel is a trademark of Intel Corporation in the
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 59
- Lenovo ThinkPad T500 | (English) Hardware Password Manager Deployment Guide - Page 60
  Hardware Password Manager Deployment Guide Updated: July, 2010