Management and Security
ThinkVantage Hardware Password Manager installation and deployment
ThinkVantage Hardware Password Manager is a hardware-based password manager application that is an add-on to Ivanti® Endpoint Manager. It provides secure password authentication for Lenovo devices equipped with Hardware Password Manager BIOS chips.
This chapter contains instructions for installing ThinkVantage Hardware Password Manager on Endpoint Manager and installing the Hardware Password Manager client on managed devices. It also contains deployment information, including integration with Lenovo fingerprint utilities and other hardware configuration information. The following sections are included:
- Overview of ThinkVantage Hardware Password Manager
- Installing ThinkVantage Hardware Password Manager on Endpoint Manager
- ThinkVantage Hardware Password Manager client guide
- ThinkVantage Hardware Password Manager client deployment guide
When ThinkVantage Hardware Password Manager is installed, the Endpoint Manager core server acts as the Hardware Password Manager server—it manages and authenticates Hardware Password Manager devices. In addition, an LDAP server functions as the authentication server for Hardware Password Manager—the Hardware Password Manager server checks user credentials against data on the LDAP server.
On client devices with Lenovo Hardware Password Manager BIOS chips, the administrator installs an Ivanti agent that contains a Hardware Password Manager driver. When the client device boots, it communicates through a UDP channel with the Hardware Password Manager server module (a Windows service) on the LDMS core server.
After the client has booted to the operating system, it uses PSI.DLL (installed with the Ivanti agent) to communicate with a Web service on the LDMS core server. This communication is through an HTTPS channel.
The administrator uses the Hardware Password Manager features in Endpoint Manager to manage Hardware Password Manager devices and create and deploy policies to these devices. These policies determine how Hardware Password Manager is implemented for the devices; for example, the administrator selects which user options are available on Hardware Password Manager devices as part of the policy definition.
Each managed Hardware Password Manager device is registered with the Hardware Password Manager server when the user logs in. One or more users are also enrolled on the device, which gives them login access to the device as an authorized user. In addition, both administrative and service technician users can access devices within the parameters set by the Ivanti administrator.
As you configure this installation, you will set up an LDAP server to act as the LDAP authentication server for Hardware Password Manager. Next, you install the Hardware Password Manager client software on individual Lenovo devices that are equipped with an HPM BIOS.
After completing these installation tasks, you can begin registering Lenovo Hardware Password Manager devices on the Hardware Password Manager server (the Ivanti core server) and enroll users on those devices.
Installing Hardware Password Manager on the Endpoint Manager core server and setting up the LDAP authentication server
The first task is to install the ThinkVantage Hardware Password Manager patch on an LDMS core server. As part of this installation, you need to configure the settings for an LDAP server on your network that will perform LDAP authentication of users enrolled on Lenovo Hardware Password Manager devices.
To install Hardware Password Manager on an Endpoint Manager core server
- Launch the Endpoint Manager console.
- In the toolbox, there is a ThinkVantage Hardware Password Manager group with three items: Enrolled users, Intranet account groups, and Remote actions and policy settings. Click Intranet account groups and click the Configure LDAP server button on the toolbar. Enter the information for the LDAP server that will serve as the authentication server (items are described below).
- Click OK when the information is complete.
The following items need to be defined for the LDAP server:
- Hostname: the name of the LDAP server
- Port: the port number to communicate with the server; default port is 389
- Server type: select the type, either MS Active Directory or Novell eDirectory
- Encryption type: select the type of encryption used for communication with the server
- Authorized user: the username for logging in to the LDAP server; may include a domain name\username or simply a username
- Password: the password for the authorized user on the LDAP server
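Before committing the LDAP settings above, it is worth confirming that the authorized user can actually bind to the server with the port and encryption type you intend to select. The following PowerShell script is an added example and is not part of the ThinkVantage or Ivanti product; the hostname and credential are placeholders, and the SSL switch is assumed to correspond to the console's Encryption type choice.

```powershell
# Added example, not product code: test-bind to the LDAP server with the values you plan to enter
# in the Configure LDAP server dialog (hostname, port, server type, encryption, authorized user).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-HpmLdapBind {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [int]$Port = 389,                      # page default; 636 is the usual LDAPS port
        [switch]$UseSsl,                       # assumed to mirror the console's "Encryption type"
        [ValidateSet('ActiveDirectory','eDirectory')][string]$ServerType = 'ActiveDirectory',
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Hostname, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    # Active Directory accepts DOMAIN\username with Negotiate; eDirectory expects a simple bind
    # with a full DN as the username.
    $conn.AuthType = if ($ServerType -eq 'ActiveDirectory') {
        [System.DirectoryServices.Protocols.AuthType]::Negotiate
    } else {
        [System.DirectoryServices.Protocols.AuthType]::Basic
    }
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        Write-Host "Bind to ${Hostname}:$Port succeeded (SSL: $([bool]$UseSsl))"
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "Bind to ${Hostname}:$Port failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# A plain bind on 389 carries the authorized user's password unprotected on the wire, so test
# the encrypted configuration you intend to select rather than the default port.
$cred = Get-Credential -Message 'Authorized user for the HPM LDAP server (DOMAIN\username)'
Test-HpmLdapBind -Hostname 'ldap.example.local' -Port 636 -UseSsl -Credential $cred
```

Run it as the account that will administer Endpoint Manager; a successful bind over the encrypted port confirms the hostname, port, server type and authorized user together, which is the same set of values the dialog asks for.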
Migrating to a new LDAP server
After you have installed ThinkVantage Hardware Password Manager features on Endpoint Manager, you may find that you need to change the IP address or hostname of your LDAP server. You may also need to change to a new server with a different IP address, or even change to a different type of LDAP server.
If any of these changes occur, you need to migrate the LDAP server data by purging the old data from your Ivanti database and creating a new LDAP server configuration. To do this, run the HpmDbUtil.exe utility located on the ldmain share on your core server, then repeat the LDAP configuration task in step 3 above. This utility will make the necessary changes in the database and allow Endpoint Manager to communicate with the new LDAP server.
Note that the following will occur when you run HpmDbUtil.exe:
- All previous Hardware Password Manager data in the database will be removed, including registered devices, enrolled users, and remote actions.
- All hardware passwords will be removed.
- Global server settings will be reset to default values, except for the portal service. Both IIS and the portal service will be restarted.
IMPORTANT: Before you purge data using HpmDbUtil.exe, make sure that all hardware password protected devices can be unlocked.
Installing ThinkVantage Hardware Password Manager on a Lenovo device
To add ThinkVantage Hardware Password Manager features to a Lenovo device, deploy an Ivanti agent to the device that includes the ThinkVantage HPM client component. You can do this by pushing an Ivanti agent to the notebook (such as with a scheduled task) or by pulling the agent.
To deploy an agent with ThinkVantage Hardware Password Manager client features
- In the Endpoint Manager console, click Tools | Configuration | Agent Configuration.
- In the Agent components to install section, make sure ThinkVantage HPM client is selected.
- Save the configuration, and then schedule a task to deploy the agent to selected Lenovo devices.
When the agent is deployed, the Client Portal is installed on the device with associated .dll files. The filename of the Client Portal is cmp_portal.exe, which is located in the C:\Program Files\Lenovo\Hardware Password Manager folder.
Lenovo devices with Hardware Password Manager BIOS chips need to be registered with a management server (referred to as the Hardware Password Manager server). The process of registering a device begins with the installation of an agent on the device. After the user runs a BIOS-level program, the device is registered; one or more users are then enrolled as authenticated users on that device. When Hardware Password Manager is installed, only enrolled users (or users in a group that the device is associated with) can log on to the device. Access to the device, and even access to the hard drive, is restricted to enrolled users (or users in the same group as the device) as long as Hardware Password Manager is running.
The Endpoint Manager core server acts as the Hardware Password Manager server, and management features are accessed through the LDMS console. These features allow the administrator to manage Hardware Password Manager devices, install agents on Hardware Password Manager BIOS-enabled devices, and manage registration and enrollment on these devices.
On a Hardware Password Manager device, management features are accessed through a BIOS menu (accessed before the OS starts) and through the Client Portal menu (accessed at Windows login or from a Start menu option). The administrator can customize these menus to determine which features are available.
About this guide
This guide contains information about using Hardware Password Manager devices with Lenovo Hardware Password Manager. It is written for the end user who will register the device with the Hardware Password Manager server and enroll as a user. This guide includes the following sections:
- Registering a device with the Hardware Password Manager server and enrolling the first user
- Enrolling additional users on a Hardware Password Manager device
- Unenrolling a user from a Hardware Password Manager device
- Unregistering a device from the Hardware Password Manager server
- Updating credentials on a Hardware Password Manager device
In order to register a device with the Hardware Password Manager server, the Hardware Password Manager client must have been installed on the device. This is done by the Ivanti administrator, who installs an agent with the Hardware Password Manager client on the device.
When the client is installed, it communicates with the Hardware Password Manager server to authenticate the device. The client can then request Hardware Password Manager policy settings from the Hardware Password Manager server. The registration process is then completed when the user enters credentials for logging on to the device.
For registration to occur, the device must be connected to the network on which the Hardware Password Manager server is located.
The administrator has two options for initiating registration of Hardware Password Manager devices:
- Registration is automatically started when the user logs on to Windows. For this option, the administrator selects the Auto-start registration at Windows login option in the client policy that is applied to Hardware Password Manager devices.
- The user opens the Client Portal to begin registration (see steps below).
To register a device with the Hardware Password Manager server and enroll a user
- Click Start | All Programs | ThinkVantage | ThinkVantage Hardware Password Manager to open the Client Portal. (If your administrator has set up auto-start, the portal will open automatically when you log in.)
- Click Register PC.
For the program to run at the BIOS level, the device must be rebooted.
- Click OK to reboot the device.
- As the BIOS runs, the HPM Initialization Process verifies that you want to continue with registration. Select Yes at the prompt.
After Windows starts and you log in, the Client Portal dialog opens.
- Under Windows Login Credentials, enter your username and password for logging into Windows on this device.
- Under Corporate Login Credentials, enter your username, password, and domain for logging in to the domain in which the Hardware Password Manager server is running.
- Click Register.
The system asks to go into a suspended state to make changes in the BIOS.
- Click OK to suspend the system.
After it is suspended and changes to the BIOS are made, the device will wake up automatically. You can then log in to continue and finish the registration process.
- After the success message is displayed, click OK.
- Turn off the device, then turn it on again.
- At the BIOS login prompt, log in using your Windows credentials for the device.
Single sign-on to both the device and the corporate domain are automatically enabled.
More than one user can log on to a Hardware Password Manager device with single-sign-on protection if your Ivanti administrator has enabled multiple users. When any of the enrolled users log on to the device, the Client Portal runs and they can access the device with single sign-on. This includes administrative users who are enrolled by the Endpoint Manager console.
The following are required for enrolling additional users on a device:
- In the client policy applied to the device, Allow multiple users to enroll on a single device must be selected.
- For each additional user, an account must be created on the device.
- The device must be associated with an Active Directory or eDirectory group that contains the additional users.
If your administrator has enabled multiple users on a device, complete the following steps to enroll more than one user.
To enroll an additional user on a Hardware Password Manager device
- Log in to Windows.
- Click Start | All Programs | ThinkVantage | ThinkVantage Hardware Password Manager to open the Client Portal. (If your administrator has set up auto-start, the portal will open automatically.)
- Click Enroll additional user.
- Enter the user’s login credentials, and click Register.
- Click OK to suspend the system.
- After the success message is displayed, click OK.
- Turn off the device, then turn it on again.
- At the BIOS login prompt, log in using the Windows credentials for the additional user on this device.
When a user should no longer have access to a Hardware Password Manager device, you can unenroll the user to terminate access. When a user is unenrolled, only that user’s credentials are removed from the hardware account. Hardware credentials remain on the device, and other users’ credentials are not affected.
To unenroll a user from a Hardware Password Manager device
- Log in to Windows.
- Click Start | All Programs | ThinkVantage | ThinkVantage Hardware Password Manager to open the Client Portal.
- Click Unenroll user.
- Enter your login credentials when prompted.
- Click OK to confirm that the system will suspend.
The system will resume automatically after it has suspended and completed unenrolling the user.
A device can be unregistered from the Hardware Password Manager server in two ways:
- The user can open the Hardware Password Manager Login Menu in the BIOS and unregister the device. (See To open the Hardware Password Manager Login Menu.)
- The administrator can unregister the device using the Hardware Password Manager administration tools in Endpoint Manager.
After the device is unregistered, the Hardware Password Manager functionality is no longer in effect unless the device is registered again with the Hardware Password Manager server.
After Hardware Password Management is enabled on a device, you can access the Hardware Password Manager Login Menu to make changes to password management. You can also access the Client Portal to perform enrollment and registration tasks.
These menus display password management options that are available on your device. Options available on these menus are configured by the administrator on the Hardware Password Manager server; not all of the following options may be available depending on how your administrator has set up Hardware Password Manager.
The options below refer to a hardware account. This is a secure area of non-volatile memory that can only be accessed by the computer’s BIOS. Hardware credentials and all user credentials are stored in the hardware account. While the user does not directly access the hardware account, when credentials are added or changed, they are written in the hardware account.
The Hardware Password Manager Login Menu can include the following tasks:
- Restore hardware account (restore credentials saved in the hardware account)
- Change hardware account Password
- Unregister the device from the Hardware Password Manager server
The Client Portal menu can include the following tasks:
- Register the device
- Enroll User
- Unenroll User
- Renew hardware account
- Restore hardware account
To open the Hardware Password Manager Login Menu
- Power on the device.
- At the User Login prompt, press Esc.
- Select HPM Login Prompt to open the HPM BIOS Menu.
To open the Client Portal
- In Windows, click Start | All Programs | ThinkVantage | ThinkVantage Hardware Password Manager.
This guide contains additional deployment information for using Hardware Password Manager devices with ThinkVantage Hardware Password Manager. It is written for the administrator who will manage devices with the Hardware Password Manager server and configure these devices with other . This guide includes the following sections:
- Fingerprint integration
- Safe Guard Easy/Safe Guard Enterprise compatibility
- One-touch registration
- Client policy settings
- Service scenarios
- User scenarios
The Hardware Password Manager utility is fully compatible with the Lenovo preferred fingerprint utilities (Authentec and UPEK). For Windows XP clients, it is recommended that the Hardware Password Manager client is installed without the Hardware Password Manager GINA. Doing so will allow the user to perform single sign-on into Windows using their fingerprints. To install the Hardware Password Manager client application without the GINA, use the following install command:
Furthermore, the order of enrollment is important when using Hardware Password Manager with fingerprint utilities. First register in Hardware Password Manager to set hardware passwords. Then enroll your fingerprints for pre-start access using the Fingerprint Setup Utility. When your fingerprints are enrolled, the BIOS program will release actual hardware passwords from the hardware account when you swipe your registered fingerprint at the BIOS fingerprint prompt.
If you see the fingerprint enrollment wizard and the Hardware Password Manager registration wizard displayed at the same time after you log into the Windows operating system, proceed first to the Hardware Password Manager registration wizard. However, if you enroll your fingerprints first, you can still register your fingerprints with the Hardware Password Manager provided that you have not already set hardware passwords.
If you are creating an image, you can use the following steps in your image to suppress the fingerprint enrollment wizard until the system is registered in the Hardware Password Manager utility:
- Disable the fingerprint enrollment wizard by default.
HKEY_CURRENT_USER\Software\Authentic Biometric Suite\bFingerprintSoftwareStartUp
HKEY_CURRENT_USER\Software\Protector Suite\Control Center\1.0\ShowOnStartup
- Create a script that enables the fingerprint enrollment wizard if the system is registered in the Hardware Password Manager utility and the current user is enrolled in Hardware Password Manager. A utility is provided in the Hardware Password Manager program folder that IT administrators can use to obtain registration and enrollment status within a script.
The script interface is defined as follows:
Prerequisite: psadd.sys device driver, cmp_server_dll.dll
Usage: cmp_util.exe -<command> where <command> is one of the following:
- supported* – returns whether the utility is supported on the current system.
- registered – returns whether the current system is registered in the utility.
- enrolled – returns whether the current Windows system user is enrolled in the utility.
- enabled – returns whether the utility is enabled in the BIOS program.
- show – displays results to the console for all of the above commands.
Return values:
- 0 – false
- 1 – true
- 2 – error
Example: cmp_util.exe -supported
*Note: For any scripts specifying the cmp_util.exe executable, first invoke the supported command to ensure the utility is supported on the current system before using the registered, enrolled, or enabled commands.
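The script described in the image steps above, written out as an added PowerShell example (not Lenovo's or Ivanti's own code). It assumes that cmp_util.exe reports its result as the process exit code using the values listed above, that the executable sits in the Hardware Password Manager program folder named earlier in this chapter, and that the two registry values are DWORDs where 1 shows the fingerprint enrollment wizard and 0 hides it; none of those details are stated on the page.

```powershell
# Added example, not product code: enable the fingerprint enrollment wizard only once the system
# is registered in Hardware Password Manager and the current user is enrolled.
# Assumptions: cmp_util.exe returns 0/1/2 as its exit code; the registry values are DWORD 0/1.
$CmpUtil = Join-Path $env:ProgramFiles 'Lenovo\Hardware Password Manager\cmp_util.exe'

function Get-HpmStatus {
    param([ValidateSet('supported','registered','enrolled','enabled')][string]$Command)
    $proc = Start-Process -FilePath $CmpUtil -ArgumentList "-$Command" -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { return $false }
        1       { return $true }
        default { throw "cmp_util.exe -$Command reported an error (exit code $($proc.ExitCode))" }
    }
}

# Per the note above, check 'supported' before issuing any other command.
if (-not (Get-HpmStatus -Command supported)) {
    Write-Host 'HPM utility not supported on this system; leaving the fingerprint wizard disabled.'
    exit 0
}

$ready = (Get-HpmStatus -Command registered) -and (Get-HpmStatus -Command enrolled)
$flag  = if ($ready) { 1 } else { 0 }

# The two per-user startup switches from the image steps (value data assumed to be DWORD 0/1).
$Switches = @(
    @{ Path = 'HKCU:\Software\Authentic Biometric Suite';          Name = 'bFingerprintSoftwareStartUp' },
    @{ Path = 'HKCU:\Software\Protector Suite\Control Center\1.0'; Name = 'ShowOnStartup' }
)
foreach ($s in $Switches) {
    # Only touch the key belonging to the fingerprint suite that is actually installed.
    if (Test-Path $s.Path) {
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $flag -Type DWord
    }
}
Write-Host "HPM registered and user enrolled: $ready -> fingerprint wizard startup set to $flag"
```

Run it in the user's logon context (for example as a logon script), since both keys live under HKEY_CURRENT_USER; the wizard stays suppressed on systems where the utility is unsupported or the user has not yet enrolled, which preserves the enrollment order the text above requires.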
The behavior of the fingerprint enrollment differs slightly between a Hardware Password Manager registered system and a non-registered system. For registered systems, the BIOS program prompts for Hardware Password Manager User Login credentials (Hardware account ID and password) instead of actual hardware passwords. After verifying the specified User Login credentials, the BIOS program obtains the actual hardware passwords from the hardware account and saves them in the fingerprint device.
Other fingerprint scenarios to consider:
- User enrolls in Hardware Password Manager after enrolling fingerprints for pre-start access (hardware passwords are set)
In this scenario, the user has already set a POP and has enrolled for pre-start fingerprint access. The Client Portal treats the scenario the same as when any pre-start passwords are set prior to registering in Hardware Password Manager. In this case, the Client Portal instructs the user to remove all hardware passwords.
- User enrolls in Hardware Password Manager after enrolling fingerprints for pre-start access (hardware passwords are cleared)
In this scenario, the user has already enrolled for pre-start fingerprint access but has manually cleared the POP and HDP (as requested in the previous scenario). The system starts and the user can enroll in the Hardware Password Manager utility. However, the next time the user starts the system and swipes their finger, the BIOS program retrieves the old password or passwords from the fingerprint device and determines that they are not valid. The BIOS program then prompts for User Login credentials. If the user is validated with their hardware account, the hardware passwords are retrieved from the system hardware account by the BIOS program and the passwords are validated. If they are confirmed, the new passwords are stored in the fingerprint device automatically.
In environments where the Safe Guard Easy/Safe Guard Enterprise utility is used, the Hardware Password Manager client must be installed after the Safe Guard Easy/Safe Guard Enterprise utility.
There is also a limitation where the Hardware Password Manager single sign-on feature does not work when the Safe Guard Easy/Safe Guard Enterprise utility is installed. Thus, the user is not automatically logged into the Windows operating system when the user performs a normal Hardware Password Manager User Login.
As an administrator, you can register your systems in the Hardware Password Manager utility to protect them from unauthorized users during the deployment and distribution process. This is accomplished by allowing an administrator to pre-register all of their systems in the Hardware Password Manager utility with a common local administrator account. This process requires a single manual step (one-touch) to complete, which is required to prevent denial of service attacks.
This process is initiated by policy, and administrator corporate credentials are obtained from the Hardware Password Manager server which is provided as a policy setting. When you enable one-touch registration, the Admin Console automatically prompts for corporate credentials to use for the registration process.
NOTE: “One-touch” refers to the one manual step required by the administrator to register the system in the Hardware Password Manager utility. When the system is registered and delivered to users, enrollment can automatically be initiated (based on policy) for any user successfully logging into the Windows system on the system, either a local or domain login. The “one touch” registration process is ignored if the system is already registered.
This process is the same as the normal registration process, except for the following differences:
- Based on policy, the Client Portal (which is automatically launched when logging into Windows) initiates the one-touch Hardware Password Manager registration function based on the one-touch policy setting.
- The Client Portal does not prompt for confirmation to proceed with registration and enrollment.
- The Client Portal does not prompt for a restart prior to confirming user presence.
- The Client Portal does not prompt for corporate, Windows, or hardware account credentials. The corporate credentials used are the administrator-level credentials provided by the administrator. The Windows and hardware account credentials are not required since no user account is created; only the common Administrator account is enrolled.
- The Client Portal proceeds with the suspend and resume operation without notifying the user.
- The Client Portal returns a success or failure code to the calling process. It does not inform the user that the operation is complete.
When the one-touch registration process is complete, the system is password-protected and a single local hardware account exists. The hardware account is set to the common administrator hardware account credentials. These systems can be safely distributed by the administrator to end-users knowing that they are protected with hardware passwords.
User enrollment on a pre-registered system
When the system is delivered to the user, the user must perform a Hardware Password Manager login (network access is required) in order to gain access to the system. If no network access is available or the Hardware Password Manager server is behind a VPN, then the administrator has the option to provide the common administrator hardware account credentials to allow access to the system.
This flow is the same as the normal “Enroll Additional Users” flow, except for the following differences:
- When the user logs in to the Windows system, the Client Portal is automatically initiated and prompts the User to enroll in Hardware Password Manager. Note: Automatic enrollment can be managed by policy.
- The Client Portal prompts the User to enter a hardware account (hardware account ID and password).
The following are client-specific policy settings managed by the Hardware Password Manager server.
Synchronize Hardware account with Windows account (same user name and password)
Defines whether the client should attempt to keep the hardware account credentials in sync with the user's Windows credentials.
When enabled, changes to the Windows password by the user result in updating the hardware account. More specifically, the new Windows password is stored in the hardware account (for single sign-on) and the hardware account password is updated to be the same as the new Windows password.
Auto-start registration at Windows login
Defines whether Hardware Password Manager registration should automatically start at Windows login when the following conditions exist:
When the system is registered, the registration prompt is not displayed to users at Windows login.
Auto-start user enrollment at Windows login
Defines whether Hardware Password Manager enrollment should automatically start at Windows login when the following conditions exist:
NOTE: Client policy settings can be applied globally or individually to specific systems. Client policy settings are updated automatically at Windows login.
This section describes scenarios associated with hardware and user configuration changes. For the purpose of these scenarios, all systems are considered to be registered in Hardware Password Manager.
Scenario 1: Hardware configuration changes
When you make a hardware change, a BIOS error is triggered and you are prompted to enter your administrator password (PAP/SVP) in order to enter the BIOS setup. Once in the BIOS setup, accept the changes to clear the BIOS error.
You can also skip the administrator password prompt and re-start the system. In this case, the BIOS error is not cleared and you will be prompted again for the administrator password on all subsequent re-starts until entering the BIOS setup and accepting the memory changes.
When hardware changes are made to a system, the BIOS error occurs, and the User Login window is displayed. You can perform one of these actions:
- Enter the hardware account credentials at the User Login window using an account with either Hardware Password Manager Administrator or Hardware Password Manager Service Tech privileges. If hardware account credentials with Hardware Password Manager User privileges are entered, the BIOS will prompt for the administrator password separately.
- At the User Login window, press Esc to open the Login Menu window and select Internet Account Login to open the window. Enter the administrator corporate credentials to release the PAP/SVP.
- At the User Login window, press Esc to go to the Login Menu window and select Manually Enter Passwords to go to the manual login and enter the PAP/SVP. You can obtain the PAP/SVP from the Hardware Password Manager Admin Console.
NOTE: If the PAP is not known on a desktop system, you can remove the CMOS battery to clear both the POP and PAP.
NOTE: Hardware changes on Lenovo ThinkPads do not generate BIOS errors to allow for hot or warm-swapping, so the PAP/SVP is not required.
Scenario 2: CMOS error
To protect BIOS settings in CMOS memory, a checksum is computed and saved for error detection. Each time the system starts, this number is recomputed and checked against the stored value. If they do not match, an error notification is generated to inform the user that CMOS contents may have been corrupted and therefore some settings may be wrong. The most common cause of checksum errors in CMOS is a battery that is losing power, or a virus or system board problem.
CMOS errors require you to enter BIOS setup and select Load Default Settings before the system can start the operating system. In order to enter BIOS setup, the SVP must be provided.
When a CMOS error occurs, the User Login window is displayed. Do one of the following:
- Enter hardware account credentials with Hardware Managed Password Administrator or Hardware Managed Password Service Tech privileges (such as the Emergency Admin account) to release the SVP/PAP. If hardware account credentials with Hardware Managed Password User privileges are entered, the BIOS will prompt for the PAP/SVP.
- Enter corporate credentials by doing the following:
- Press the Esc key to open Login Menu window
- Click Intranet Account Login to open the Internet Account Login window
- Enter the username and password at the Internet Account Login window.
NOTE: For desktop systems, you can skip the CMOS error by pressing F2 and starting the system. The next start will give you the same error until you enter the BIOS setup and load the default settings by pressing F9.
Scenario 3: Replace fingerprint device
Users can enroll their fingerprints for single sign-on capability using Hardware Managed Password. When a fingerprint is enrolled for pre-start access, hardware passwords are associated with the swiped fingerprint and are stored within the fingerprint device. When the user swipes an enrolled fingerprint at the prompt, the BIOS will release the actual hardware passwords from the hardware account. The BIOS displays the fingerprint swipe prompt first when starting the system. To open the User Login window, the user must press the Esc key. If the fingerprint device is removed, the fingerprint swipe prompt will no longer be displayed, and the User Login window is displayed first.
When a defective fingerprint device is replaced, the registered fingerprints and associated hardware passwords are lost. Hardware Managed Password is not affected, except that the user can no longer log in using their fingerprint. The fingerprint swipe prompt will not be displayed and the User Login window is displayed first.
To regain fingerprint access, the user must register their fingerprint for Windows and pre-start credentials using the Fingerprint Setup Utility.
If a fingerprint device is replaced with another fingerprint device that already has registered fingerprints and passwords, the BIOS will overwrite those passwords as long as the user provides correct passwords using either manual, User Login or Hardware Managed Password Login. If hardware account credentials without Hardware Managed Password Administrator or Hardware Managed Password Service Tech privileges are provided, only the Power On Password and Hard Drive Passwords are updated in the fingerprint device (PAP/SVP is not added to the fingerprint device until a user logs in with Hardware Managed Password Administrator credentials or manually enters the correct PAP/SVP).
Scenario 4: Hardware passwords already set
When hardware passwords are already set prior to registering, the user cannot register in Hardware Managed Password. When starting the registration process, the Client Portal will inform the user that they must manually clear hardware passwords before registering. Once the hardware passwords are cleared by the user, registration will proceed normally.
Scenario 5: Setup under the OS (remote BIOS settings)
This scenario can occur when you receive new machines and want to roll out default BIOS settings, such as disabling the serial port or setting an administrator password.
When a machine is registered in Hardware Managed Password, hardware passwords cannot be changed by Setup under the OS (since they are managed by the HPM server) unless the current password is provided (you can obtain it from the LDMS Console). If a user disables Hardware Managed Password, either manually through the BIOS setup or by Setup under the OS, on a machine that is registered in Hardware Managed Password, the BIOS will clear the hardware passwords and delete the local hardware account and SST.
Scenario 6: Replace system board
When the system board is replaced, the POP, SVP, SST, hardware account and server credentials no longer exist on the system. Only the HDPs remain set. In this case, you must manually clear the HDP in the BIOS setup, start the machine, and re-register in Hardware Managed Password using the Client Portal. In order to clear the HDP, you must enter it manually. You can obtain it from the LDMS console.
You must have the HDD ID for the hard disk in order to locate the correct HDP. The HDD ID can be retrieved using a Lenovo-supplied Hardware Managed Password DOS utility.
When a system board is moved from one system to another system, it is assumed that the system board is not registered in Hardware Managed Password. You must clear or disable Hardware Managed Password prior to redeploying the system board in the field.
[Desktop] If the system board was not deregistered, you can remove the CMOS battery to clear the POP/SVP, then enter BIOS setup and disable Hardware Managed Password.
[ThinkPad] Removing the CMOS battery will not clear the SVP. You must obtain the SVP from the LDMS console in order to enter the BIOS setup and disable Hardware Managed Password.
NOTE: When replacing a system board, you must reset the machine type/model and serial number to match the correct values prior to registering in Hardware Managed Password.
When re-registering the client system with the new system board in the same Hardware Managed Password server domain, the server will recognize that the machine is already registered (i.e. machine/user/hdd instances & hardware account backup already exist) and clear all of the structures on the server before proceeding with the registration.
Scenario 7: Add a hard disk
When a hard disk is added to a system registered in Hardware Managed Password, you must renew the hardware account in order for Hardware Managed Password to assign a password to the new hard disk. Renew Hardware Account will renumber the hard disks in the machine and set passwords on all detected drives.
If the hard disk already has a HDP set, you must manually clear the HDP before running Renew Hardware Account. If you do not know the HDP, then the hard disk can no longer be used.
In order to clear the HDP, you must have the HDD ID and the system ID in order to obtain the correct HDP and SVP. The HDD ID and machine ID can be retrieved using a Lenovo-supplied Hardware Managed Password DOS utility.
NOTE: The SVP is not required to clear a HDP for ThinkPad systems.
When an unprotected hard disk is added to a Hardware Managed Password registered system, the BIOS will detect that the hard disk is not protected. In this case, when logging into Windows, the Client Portal will inform the user that an unprotected device (HDD) was found and ask whether they want to renew the hardware account. You can set a policy to allow the Client Portal to provide a "Do not show me this again" popup so the user is not prompted at every Windows login.
Scenario 8: Replace hard disk
This scenario is the same as Scenario 7: Add a hard disk if the replacement hard disk does not have a HDP set.
If the hard disk was previously managed by Hardware Managed Password (it is known to the LDMS server and has an HDP set), the HDP must be cleared manually using BIOS setup. Once the HDP is cleared, the scenario is the same as Scenario 7.
In order to clear the HDP, you must have the HDD ID and the system ID in order to obtain the correct HDP and SVP. The HDD ID and machine ID can be retrieved using a Lenovo-supplied Hardware Managed Password DOS utility.
Once you obtain the HDD ID and machine ID, you can obtain the HDP and SVP using the LDMS Admin Console. Now you can clear the HDP using BIOS setup.
NOTE: The SVP is not required to clear a HDP on ThinkPad systems.
Scenario 9: Change hard disk location within a system
This scenario occurs when the physical positions of hard disks 1 and 2 are swapped on the bus. There is no impact to Hardware Managed Password because hard disk position is not maintained within the HDD instance on the server.
Scenario 10: Remove a hard disk
When removing a hard disk, the recommended solution is to deregister the system prior to removing the hard disk, and then re-register the system once the hard disk has been removed. Doing this will make sure the hard disk does not have an HDP set.
If the hard disk is no longer going to be used, it does not matter whether the HDP is cleared prior to removing the hard disk. When the system is started the next time, run Renew Hardware Account, which will update the local hardware account.
Note: Removing the hard disk without first deregistering will leave an orphaned HDD instance on the server. You can opt to let such records remain in case the HDP is ever needed in the future, or clean them up using the LDMS Admin Console.
Scenario 11: Flashing the BIOS
This scenario describes the impact to Hardware Managed Password when updating the BIOS with a flash image (applied using a flash utility). Since flash utilities exist in both DOS and Windows, all flash scenarios must be tested with both types of utilities. Although Hardware Managed Password hardware account structures are stored in flash, the flash utilities have been updated to not overwrite Hardware Managed Password related structures.
When flashing to a newer version of BIOS on a Hardware Managed Password registered system, the hardware account should not be disrupted (e.g. the user’s Hardware Managed Password registration status and hardware account credentials should not change).
When flashing back to a previous version of BIOS that supports Hardware Managed Password, the hardware account should not be disrupted (e.g. the user's Hardware Managed Password registration status and hardware account credentials should not change).
A BIOS that supports Hardware Managed Password should not be flashed back to a previous BIOS version that does not include Hardware Managed Password support. The system must be deregistered before back flashing.
Scenario 12: Registered system can no longer access LDMS server
If a Hardware Managed Password registered system is reassigned or moved to a location that does not have network connectivity to the LDMS server, you must have a way to clear the hardware accounts and passwords to allow usage of the system.
In order to do this, you must log in to the emergency account to gain access to the SVP and all HDPs, and disable Hardware Managed Password. When Hardware Managed Password is disabled, the BIOS will clear the hardware account structures, the SST, and all hardware passwords.
If the emergency account is unknown, you must obtain the SVP and HDPs using the LDMS console in order to disable Hardware Managed Password.
In this case, the LDMS server will be left with an orphaned entry (such as machine instance and hardware account backup). You can use the LDMS console to identify these orphaned entries and clean them up if you desire.
Scenario 13: Enter BIOS setup
Users can enter the BIOS setup in one of these ways:
- User Login: User must have a local account that is a member of the Hardware Managed Password Service Tech or Hardware Managed Password Administrator group.
- Hardware Managed Password Login: User must have a corporate account that is a member of the Hardware Managed Password Service Tech or Hardware Managed Password Administrator group.
- Manual Login: User must obtain the SVP from the administrator using the LDMS Admin Console.
Scenario 14: Load default settings in BIOS setup
This scenario describes the implications of loading default BIOS settings on a system that uses Hardware Managed Password. Users may load default BIOS settings if CMOS is cleared or corrupted.
When default settings are loaded, the POP and SVP remain set and all Hardware Managed Password structures remain intact.
Scenario 15: Do not protect all hard drives
This scenario occurs when a user registers their system in Hardware Managed Password, but then wants to use an additional hard drive that is NOT protected. The hard drive will most likely be an external hard drive or one installed in a docking station.
NOTE: The hard drive should not be connected when the system is registered in Hardware Managed Password or else the hard disk will be assigned an HDP.
This section describes scenarios that may be encountered by the user.
Scenario 1: Forgot Hardware Account credentials, network connected
This scenario occurs when a user forgets their hardware account credentials but has network connectivity to the LDMS server. To resolve this, the user should do the following:
- Perform a Hardware Managed Password Login.
- Start Windows from the Hardware Managed Password Services menu.
- Log into Windows by manually entering their Windows credentials.
- Launch the Client Portal and select Remove User.
- Re-enroll the account in Hardware Managed Password.
Scenario 2: Forgot Hardware Account credentials, NOT network connected
This scenario occurs when a user forgets their hardware account credentials and does not have network connectivity to the LDMS server. To resolve this, the user should do the following:
- Call the IT administrator and obtain local Administrator account credentials.
- Power on the system and enter administrator account credentials at the User Login prompt.
- Log into Windows by manually entering their Windows credentials.
- Launch Client Portal and select Remove User.
- Re-enroll their account in Hardware Managed Password.
Another way to do this is for the user to enter the BIOS setup after providing the Administrator account credentials and disable Hardware Managed Password. This will clear the hardware account, SST, and hardware passwords. The user can then start Hardware Managed Password and re-register the system when returning to a location with network connectivity to the LDMS server.
Scenario 3: Forgot corporate password
This scenario occurs when a user forgets their corporate password. In this case, the user can still use their system via User Login. The user can reset their corporate password using their corporate process (website or manual reset by IT Administrator).
Once the corporate password is reset, verify the user can still perform a Hardware Managed Password Login using the new corporate credentials.
Scenario 4: Manual login using different keyboard types
Hardware passwords such as POP, SVP and HDP that are handled by BIOS are not portable between systems with different keyboard types. This is because text at the BIOS level is recognized as scan codes and cannot be translated within BIOS to or from a more portable format such as ASCII. Because passwords are stored as scan codes, a password entered on one keyboard type may be a completely different set of scan codes on another keyboard type. For example, consider the password azw. On an English keyboard, the scan code representation is 0x1E, 0x2C, 0x11. However, on a German keyboard, the scan code representation is 0x1E, 0x15, 0x11.
There are three keyboard types used to support different languages:
- French, Belgian
- German, Swiss, Hungarian, Polish, Czech, Slovenian, Slovakian
- All other languages
When deploying hardware passwords from the server, such as POP, SVP and HDP, the server converts the ASCII text to scan codes based on the keyboard type of the target system. These passwords (represented by scan codes) are sent to the client to be set in the hardware.
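The following is an added example, not Lenovo's or Ivanti's code, that models the conversion described above so the portability problem can be checked on a concrete password. It uses PC scan-code set 1 make codes at US key positions, restricted to lowercase letters, and applies the letter-key differences of QWERTZ (the German group) and AZERTY (French/Belgian) keyboards; the keyboard-type names, the language table and the functions are assumptions of this example rather than the product's actual conversion table or API.

```python
# Added example (not Lenovo's or Ivanti's code): why BIOS passwords stored as
# keyboard scan codes are not portable between the three keyboard types.
# The table is a constructed model: scan-code set 1 make codes for the letter
# keys at US positions, plus the QWERTZ/AZERTY letter keys that move.
from typing import Dict, List

# Scan-code set 1 make codes for the letter keys, US (QWERTY) positions.
US_LETTER_SCANCODES: Dict[str, int] = {
    "q": 0x10, "w": 0x11, "e": 0x12, "r": 0x13, "t": 0x14, "y": 0x15,
    "u": 0x16, "i": 0x17, "o": 0x18, "p": 0x19,
    "a": 0x1E, "s": 0x1F, "d": 0x20, "f": 0x21, "g": 0x22, "h": 0x23,
    "j": 0x24, "k": 0x25, "l": 0x26,
    "z": 0x2C, "x": 0x2D, "c": 0x2E, "v": 0x2F, "b": 0x30, "n": 0x31,
    "m": 0x32,
}
US_SEMICOLON_SCANCODE = 0x27  # the ';' key on a US keyboard (AZERTY puts 'm' here)

# The three keyboard types named in the text (names are this example's own).
FRENCH_BELGIAN = "french_belgian"
GERMAN_GROUP = "german_group"
OTHER = "other"

LANGUAGE_TO_KEYBOARD_TYPE: Dict[str, str] = {
    "french": FRENCH_BELGIAN, "belgian": FRENCH_BELGIAN,
    "german": GERMAN_GROUP, "swiss": GERMAN_GROUP, "hungarian": GERMAN_GROUP,
    "polish": GERMAN_GROUP, "czech": GERMAN_GROUP, "slovenian": GERMAN_GROUP,
    "slovakian": GERMAN_GROUP,
}


def keyboard_type(language: str) -> str:
    """Map a language to one of the three keyboard types; anything unlisted is OTHER."""
    return LANGUAGE_TO_KEYBOARD_TYPE.get(language.lower(), OTHER)


def letter_table(kb_type: str) -> Dict[str, int]:
    """Letter -> scan code for a keyboard type (scan codes identify key positions)."""
    table = dict(US_LETTER_SCANCODES)
    if kb_type == GERMAN_GROUP:        # QWERTZ: y and z change places
        table["y"], table["z"] = table["z"], table["y"]
    elif kb_type == FRENCH_BELGIAN:    # AZERTY: a/q and z/w change places, m moves
        table["a"], table["q"] = table["q"], table["a"]
        table["z"], table["w"] = table["w"], table["z"]
        table["m"] = US_SEMICOLON_SCANCODE
    elif kb_type != OTHER:
        raise ValueError(f"unknown keyboard type: {kb_type}")
    return table


def ascii_to_scancodes(password: str, kb_type: str) -> List[int]:
    """Scan codes the server would send for `password` to a client of this keyboard type."""
    table = letter_table(kb_type)
    codes = []
    for ch in password:
        if ch not in table:
            raise ValueError(f"only lowercase letters are modelled here: {ch!r}")
        codes.append(table[ch])
    return codes


def scancodes_to_ascii(codes: List[int], kb_type: str) -> str:
    """The characters a user must type on this keyboard type to reproduce `codes`."""
    inverse = {code: letter for letter, code in letter_table(kb_type).items()}
    return "".join(inverse[c] for c in codes)


def is_portable(password: str, from_type: str, to_type: str) -> bool:
    """True when the stored scan codes mean the same characters on both keyboard types."""
    return ascii_to_scancodes(password, from_type) == ascii_to_scancodes(password, to_type)


if __name__ == "__main__":
    for kb in (OTHER, GERMAN_GROUP, FRENCH_BELGIAN):
        print(kb, [hex(c) for c in ascii_to_scancodes("azw", kb)])
    # A POP of "azw" set from an English keyboard is stored as 0x1E 0x2C 0x11;
    # on a German keyboard those positions are the keys labelled "ayw".
    print(scancodes_to_ascii(ascii_to_scancodes("azw", OTHER), GERMAN_GROUP))
```

The `scancodes_to_ascii` direction is the one that matters for a manual-entry fallback: it shows what a technician would actually have to type on a system whose keyboard type differs from the one the password was set for, which is why the text recommends deregistering before changing keyboards rather than relying on manual entry.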
Changing keyboard types is not supported for manual entry of passwords. If a user wants to change keyboard types, the best practice is to do this:
- Deregister from Hardware Managed Password.
- Change the keyboard.
- Re-register in Hardware Managed Password.
Scenario 5: Handling enrollment from multiple boot partitions
This scenario can occur when a user registers and enrolls on one boot partition (such as Vista), and wants to enroll in Hardware Managed Password on a second boot partition (such as XP). In this case, the Hardware Managed Password Client code should be installed in each boot partition. The user should register and enroll in Hardware Managed Password from one boot partition. Once enrolled, Hardware Managed Password functions normally in all boot partitions where the Hardware Managed Password Client code is installed, provided that the Windows login credentials are the same in all boot partitions. If the Windows login credentials are different, the user will have to manually enter their Windows credentials in the Windows GINA/CP when using boot partitions other than the one used to register in Hardware Managed Password.
Scenario 6: BitLocker
BitLocker and Hardware Managed Password are compatible: a client enrolled in Hardware Password Manager (for BIOS password protection: POP, SVP, HDPs) can further protect its data using BitLocker (logical volume encryption). BitLocker enrollment and key retrieval are handled the same way customers handle them today (outside the scope of Hardware Managed Password).
The best practice when using both technologies is to enroll in Hardware Managed Password prior to enabling BitLocker. If the user first enables BitLocker, then registers in Hardware Managed Password, the fact that BIOS passwords are set will cause BitLocker to fail its integrity check (BIOS passwords are validated within PCR1) and cause the BitLocker Recovery Mode to start.
Hardware Managed Password will warn the user of this issue during the registration flow if BitLocker is enabled. The user can choose to continue with the registration or cancel at this point. If the user continues, then BitLocker Recovery Mode will be executed on the next start since the integrity check on BIOS passwords (PCR1) will have failed.
Copyright © 2019, Ivanti. All rights reserved.