Lenovo ThinkVantage (Hardware Password Manager Deployment Bedienungsanleitung

HardwarePasswordManagerDeploymentGuideUpdated:July,2010

2HardwarePasswordManagerDeploymentGuide

Chapter2.InstallingHardwarePasswordManageronThinkManagementConsoleTouseHPMfunctionality,theLenovoThinkManagementConsolemustbeinstalled.Asyoucongureth

PreparingthecoreserverTheHPMcoreserverwillusetheThinkManagementConsole9.0thatisbasedonLANDeskManagementSuite9.0.FormoreinformationaboutLANDeskManageme

WhenusingtheWindowsServer2008R2(64-bit)operatingsystem,theMonitoring/Alerts(SNMP)additionalfeaturemustbeinstalledaswell.1.ClickStart➙ServerManager.2.I

3.RuntheThinkManagementConsoleAutorun.exefromthelocationwheretheinstallationpackagewasextractedto.SelectInstallonthecoreserver.FollowthepromptsintheIn

1.IntheThinkManagementconsole,clickTools➙Conguration➙AgentConguration.2.ClickNewontheAgentCongurationtoolbar,andenteranameforthisagentconguration.

Thenameoftheexecutablelewillbebasedonthenameoftheagentconguration.Theprocesswillruninthebackgroundforaboutaminute.Twoexecutablelesandtwologleswill

Chapter3.ManagingHardwarePasswordManagerdeviceswithThinkManagementConsoleTheavailableHardwarePasswordManagerfunctionsintheconsolearedescribedinthefoll

Enrolledusers:AllusersthatareenrolledtoaccesstheHardwarePasswordManagerdevicearelistedonthistab.TheintranetaccountusernameisthenameusedforLDAPuseracco

YoucanmigratefromoneLDAPservertoanotherwithoutlosingdata.IfyoundthatyouneedtouseadifferentserverforLDAPauthentication,enterthecongurationdataforthen

ThistablistsanyRemoveUseractionsthathavebeenperformedontheuser,includingthenameofthedevicefromwhichtheuserwasremovedandthedateandtimeofthelaststatusch

5.IfyouselectedWithexpiration,selectDuration,andthenselectthebeginningandendtimefortheaccesstoHardwarePasswordManagerdevices;orselectLogincountremaini

•RemoveUser:removesauserfromthelistofusersauthorizedtoaccessaHardwarePasswordManagerdevice.•UpdateClientPolicy:savesanupdatedclientpolicytotheHardware

•Allowmultipleuserstoenrollonasingledevice:morethanoneusercanbeenrolledonadevice.Ifthischeckboxiscleared,onlytherstusertobeenrolledonadevicecanbeanen

1.ClickRemoteActionsandPolicySettingsinthetoolboxorclickT ools➙ThinkVantageHardwarePasswordManager➙RemoteActionsandPolicySettings.2.IntheRemoteActions

ChangingserverpolicysettingsServerpolicysettingsincludevariouswaystomanageuserenrollment,credentials,andclientportalandBIOSsettingsfortheLenovoHardwar

HardwarePasswordManagergroups”onpage12foradescriptionofroles.)So,forexample,ausermightseealloptionsontheHardwarePasswordManagerBIOSmenubutaServiceTech

5.ClickOK.Toassignpermissionstoagroupthatcanbeauthenticatedthroughthenewauthentication,dothefollowing:1.IntheUser'stool,click+onthetoolbarorright

20HardwarePasswordManagerDeploymentGuide

Chapter4.HardwarePasswordManagerClientLenovodevicesthatsupportHardwarePasswordManagerneedtoberegisteredwithamanagementserver(referredtoastheHardwarePa

HardwarePasswordManagerDeploymentGuideUpdated:July,2010

Whentheclientisinstalled,itcommunicateswiththeHardwarePasswordManagerservertoauthenticatethedevice.TheclientcanthenrequestHardwarePasswordManagerpolic

•YoushoulddragthedevicesunderHardwarePasswordManagerDevicestotheActiveDirectoryoreDirectorygrouplistedintheHPMGroupstool.Ifyouradministratorhasenabled

UpdatingcredentialsonaHardwarePasswordManagerdeviceAfterHardwarePasswordManagementisenabledonadevice,youcanaccesstheHardwarePasswordManagerLoginMenuto

Chapter5.DeploymentThischaptercontainsadditionaldeploymentinformationforusingHardwarePasswordManagerdeviceswithHardwarePasswordManager.Itiswrittenfort

–enrolled-returnswhetherthecurrentWindowssystemuserisenrolledintheutility–enabled-returnswhethertheutilityisenabledintheBIOSprogram–show-displaysresul

Thisprocessisinitiatedautomaticallyontheclientsystembasedonpolicy,andadministratorcorporatecredentialsareobtainedfromtheHardwarePasswordManagerservert

28HardwarePasswordManagerDeploymentGuide

Chapter6.ScenariosThischapterdescribesscenariosassociatedwithhardwareandusercongurationchanges.Forthepurposeofthesescenarios,allsystemsareconsideredt

•EnterthehardwareaccountcredentialswithHardwarePasswordManagerAdministratorprivilegestoreleasetheSVP/PAP,suchastheEmergencyAdminaccount.Ifhardwareacco

HardwarePasswordManager,theBIOSwillclearthehardwarepasswordsanddeletethelocalhardwareaccountandSST.Scenario6-ReplacethesystemboardWhenthesystemboardis

Note:Beforeusingthisinformationandtheproductitsupports,readthegeneralinformationinAppendixD“Notices”onpage49.ThirdEdition(July2010)©CopyrightLenovo201

Ifthesystemisstillbootable,itisrecommendedtode-registerthesystemwithHardwarePasswordManager.Thiswillclearallthehardwarepasswordsfromthesystem.Installt

structuresarestoredinash,theashutilitieshavebeenupdatedtonotoverwriteHardwarePasswordManagerrelatedstructures.•ForwardFlashing-Whenashingtoanewerve

Note:TheharddriveshouldnotbeconnectedwhenthesystemisregisteredinHardwarePasswordManagerorelsetheharddiskwillbeassignedanHDP.UserScenariosThissectionde

acompletelydifferentsetofscancodesonanotherkeyboardtype.Forexample,considerthepasswordazw.OnanEnglishkeyboard,thescancoderepresentationis0x1E,0x2C,0x1

36HardwarePasswordManagerDeploymentGuide

AppendixA.SecurityandconvenienceComputersecurityisoftenconsideredmuchmoreimportantmoreconvenience.ThefollowingtableillustrateshowHardwarePasswordManag

Table1.HardwarePasswordManagerpolicysettings(continued)PolicysettingDescriptionMostsecureMostconvenientCommonEmergencyUserNameandPasswordDenestheemer

AppendixB.DisasterrecoveryBackingupthe9.0coreserverBeforeupgradingorotherwisemodifyingthecurrentHardwarePasswordManagercoreserver,itisimportanttobacku

1.CreateafoldercalledLANDeskBackuponashareonaseparateserverthatisnotthecoreserver.2.OpenacommandpromptonthecoreserverbyclickingStart➙Run,andlaunchingC

Ifmigratingtoanewdatabase,manyitemscannotbeexported.Takescreenshotsofsuchcongurationssothattheycanbeappliedtothenewcoreserver.Anexampleoftheseinclude

ContentsPreface...vChapter1.Overview...1Chapter2.InstallingHardwarePasswordManageronThinkManagementConsole...3Prerequisites...

42HardwarePasswordManagerDeploymentGuide

AppendixC.HintsandtipsThefollowingisalistoftipsassociatedwithHardwarePasswordManagerVersion1.0:•Symptom:Bitlockerrecoverymodeistriggeredifyouregistera

Problemdescription:Singlesign-ontoWindowswillnotworkiftheWindowspolicysettingisenabledthatrequirestheusertoPressCtrl+Alt+Deltologin.Thissecuritysettin

•Symptom:YoureceivetheFailedtogenerateencryptionkeyerrormessageduringtheHardwarePasswordManagerregistration.Problemdescription:UserswithaWindowsuserna

Ifyouhavealreadyrestoredyoursystem(forexample,lostyourCAPIkeystore),deregisterandreregisterinHardwarePasswordManager.•Symptom:WhenregisteringinHardwar

Solution:TheusermustuseawirednetworkconnectionwhenperforminganintranetloginfromtheBIOS.•Symptom:Receivetheincorrectusernameorpasswordspeciedmessagewh

48HardwarePasswordManagerDeploymentGuide

AppendixD.NoticesLenovomaynotoffertheproducts,services,orfeaturesdiscussedinthisdocumentinallcountries.ConsultyourlocalLenovorepresentativeforinformat

TrademarksThefollowingtermsaretrademarksofLenovointheUnitedStates,othercountries,orboth:AccessConnectionsLenovoThinkVantageThinkPadThefollowingtermsar

AppendixC.Hintsandtips...43AppendixD.Notices...49Trademarks...50ivHardwarePasswordManagerDeploymentGuide

PrefaceThisguideisintendedforITadministrators,orthosewhoareresponsiblefordeployingtheLenovo®HardwarePasswordManager™programoncomputersintheirorganizat

viHardwarePasswordManagerDeploymentGuide

Chapter1.OverviewTheLenovoHardwarePasswordManager(HPM)givesanadministratortheabilitytomanagehardwarepasswordsforallregisteredPCdevices.Further,itcreat