Lenovo ThinkCentre M58p (English) Hardware Password Manager Deployment Guide
Lenovo ThinkCentre M58p Manual
Lenovo ThinkCentre M58p manual content summary:
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 1
Hardware Password Manager Deployment Guide Updated: July, 2010
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 2
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 3
Hardware Password Manager Deployment Guide Updated: July, 2010
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 4
Note: Before using this information and the product it supports, read the general information in Appendix D "Notices" on page 49. Third Edition (July 2010) © Copyright Lenovo 2010. LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 5
. . . 31 Scenario 8 - Replace or move a hard disk drive 31 Scenario 9 - Change the hard disk location within a system 32 Scenario 10 - Remove a hard disk drive . . . 32 Scenario 11 - Flashing the BIOS 32 Scenario 12 - Registered system can no longer access the Hardware Password Manager server 33
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 6
Appendix C. Hints and tips 43 Appendix D. Notices 49 Trademarks 50 iv Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 7
professionals and the unique challenges they may encounter. This deployment guide will provide instructions and solutions for working with Hardware Password Manager. If you have suggestions or comments, communicate with your Lenovo authorized representative. To learn more about the technologies that
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 8
vi Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 9
server. On Lenovo client devices which support HPM, the administrator installs an agent that contains a Hardware Password Manager application. When the client device powers on, it communicates through UDP port 50001 with the HPM server. After the client has booted to the operating system, it uses
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 10
2 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 11
LDAP server to provide authentication services for HPM. Policies for how hardware passwords are generated and how client devices are managed are defined in the console as well. Next, you install the HPM client software on individual Lenovo devices that support HPM. A BIOS setting is used to enable
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 12
Application Development. p. Scroll down to the bottom of the list and select IIS 6 Management Compatibility. q. Click Next. r. The Confirm Installation Selections dialog box is displayed. Click Install. s. Click Close when the installation completes. 4 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 13
3. Select SNMP Services. 4. Click Next. 5. Click Install. 6. Click Close. When using the Windows Server 2003 R2 (32-bit) operating system with SP2, additional Windows components must be installed. 1. Click Start ➙ Control Panel ➙ Add or Remove Programs. 2. Click Add/Remove Windows Components. 3. Add
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 14
on a Lenovo device To add Hardware Password Manager features to a Lenovo device, you must deploy an HPM agent to the device. You can do this by using either a push or a pull method. To deploy an agent with Hardware Password Manager client features: 6 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 15
be disabled on the Lenovo device. This is normally disabled by default for devices that log in to a domain. You can turn off this option from Windows Explorer. Click Tools ➙ Folder Options ➙ View, scroll to the bottom of the list and clear Use simple file sharing. 3. For Windows Vista® it is a good
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 16
background for about a minute. Two executable files and two log files will be created. One executable, designated by "_with_status", will provide an installer that displays installation status to the user. The other executable will be installed silently. 8 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 17
Hardware Password Manager devices and their properties In the Network View, a separate folder under the Devices folder is added for Lenovo Hardware Password Manager devices that have been discovered and managed. Open this Hardware Password Managed devices folder to view a list of Computers and Hard
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 18
Password Manager device. The Remove user remote actions section lists users that were enrolled on the device but whose access has been removed. Client policy: The Windows policy list shows the status of operating system related policy settings currently applied on the device. The BIOS policy list
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 19
use a port other than the default to access the server, clear Use default port and enter another port number. Password Manager users and their properties The HPM Enrolled Users tool enables you to view all users that are enrolled to access Lenovo Hardware Password Manager devices. You can view a list
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 20
In the user list, select the user(s). 3. Click Revoke user on the toolbar. 4. In the Create Remote Action dialog box, clear the checkbox for one or more devices from which you want to remove the user. 5. Click OK. Managing Hardware Password Manager groups Hardware Password Manager groups link user
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 21
Hardware Password Manager server. This includes system and user password backups. • Deregister PC: clears the hardware passwords and changes the status in the BIOS of the client device from Registered to Enabled and removes the device from the list of registered Hardware Password Manager devices in
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 22
• Remove User: removes a user from the list of users authorized to access a Hardware Password Manager device. • Update Client Policy: saves an updated client policy to the Hardware Password Manager BIOS of the device, replacing the previous policy. • Update Common Hardware Passwords: saves new
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 23
of BIOS settings. It is a superset of the power-on password. • POP - The power-on password enables the user to power on the device and access it with normal user privileges. • MHDP - The master hard disk password enables the user to access the hard disk and reset the user hard disk password. It
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 24
by Type. 3. Expand Update Common Hardware Passwords. 4. Click either the All Devices folder or one of the status folders. Double-click a device name in the list of devices. The View Hardware Passwords dialog box displays the current password settings for the device that were changed with the remote
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 25
but a Service Tech might have a limited set of options available. If a user tries an option that is not selected for that role, an error message will be displayed. • BIOS - This tab specifies which menu items are enabled for display on the BIOS menu of managed Hardware Password Manager devices, and
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 26
Service Technician might have a limited set of options available. Note: When the client policy is set to Hardware Account equals Windows credentials, the Change Hardware Account password option will not be displayed whether or not it is selected for the role. The BIOS version exclude list controlled
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 27
AD group field and click Find. 5. Click >> to add the appropriate group to the Targeted AD groups list. 6. Repeat step 5 as needed. 7. Select the role(s) to be assigned to this group permission. have just defined. Chapter 3. Managing Hardware Password Manager devices with ThinkManagement Console 19
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 28
20 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 29
manage registration and enrollment on these devices. On a Hardware Password Manager device, management features are accessed through a BIOS menu (accessed before the operating system starts) and through the Client Portal menu (accessed automatically after Windows login or from a Start menu option
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 30
The system will automatically suspend and then resume. 8. After logging on to the desktop, it will prompt you to restart. 9. Click OK to restart the device. 10. At the BIOS login prompt, log in using your Windows credentials or hardware account credentials for the device. If you clear Enable First
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 31
user or administrator right in the BIOS, according to the role of the group, user, administrator, or service tech. Removing a user from a Hardware Password Manager device When a user should no longer have access to a Hardware Password Manager device, you can remove the user to terminate access. When
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 32
. 3. Select Intranet account login to open the HPM BIOS Menu. 4. Enter valid corporate credentials. 5. The Hardware Password Manager menu opens. To open the Client Portal, click Start ➙ All Programs ➙ ThinkVantage ➙ Hardware Password Manager in Windows. 24 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 33
.sys device driver, cmp_server_dll.dll • Usage: cmp_util.exe where is one of the following: - supported* - returns whether the utility is supported on the current system - registered - returns whether the current system is registered in the utility © Copyright Lenovo 2010 25
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 34
the current Windows system user is enrolled in the utility - enabled - returns whether the utility is enabled in the BIOS program - show - displays results to the console for all of the above commands • Return codes: - 0 - false - 1 - true - 2 - error • Example: cmp_util.exe -supported The behavior
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 35
to the one manual step required by the administrator to register the system in Hardware Password Manager. When the system is registered and delivered to users, enrollment can automatically be initiated (based on policy) for any user successfully logging in to Windows on the system, either a local or
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 36
28 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 37
manual login and enter the PAP/SVP. You can obtain the PAP/SVP from the Hardware Password Manager Admin Console. Notes: 1. If the PAP is not known on a desktop system, you can remove the CMOS battery to clear both the POP and PAP. 2. Hardware changes on Lenovo ThinkPads do not generate BIOS errors
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 38
at the prompt, the BIOS will release the actual hardware passwords from the hardware account. The BIOS displays the fingerprint swipe prompt first when starting the system. To open the User Login window, the user must press Esc. If the fingerprint device is removed, the fingerprint swipe prompt
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 39
and disable Hardware Password Manager • ThinkPad - Removing the CMOS battery will not clear the SVP - you must obtain the SVP from the ThinkManagement Console in order to enter the BIOS setup and disable Hardware Password Manager. Note: When replacing a system board, you must reset the machine type
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 40
to prepare for registering the system with Hardware Password Manager again. If the replacement hard disk was previously managed by Hardware Password, so it is known to the Hardware Password Manager server and has a HDP set, the HDP must be cleared manually using the BIOS Setup Utility. Press F1
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 41
protect all hard drives This scenario describes a scenario where a user registers their system in Hardware Password Manager, but then wants to use an additional hard drive that is NOT protected. The hard drive most likely will be an external hard drive or one installed in a docking station. Chapter
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 42
from the Hardware Password Manager Services menu. • Log into Windows by manually entering their Windows credentials. • Launch the Client Portal and select Remove User. • Re-enroll the account in Hardware Password Manager. Scenario 2 - Forgot Hardware Account credentials, NOT network connected This
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 43
ASCII text to scan codes based on the keyboard type of the target system. These passwords (represented by scan codes) are sent to the client to be set in the hardware. Changing keyboard types is not supported for manual entry of passwords. If a user wants to change keyboard types, the best practice
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 44
36 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 45
MHDP can make it easier for the administrator to manually enter the MHDP if necessary (for example, to enter the BIOS setup and clear the UHDP and MHDP). Set Common UHDP Determines whether to set the User Hard Drive Password (UHDP) to a common hard-coded value or to generate the UHDP automatically
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 46
for the administrator to enter the BIOS setup or log in to the system without manually entering hardware passwords or requiring an intranet login (which requires a network connection). Server Policy - General tab Allow users to enroll on multiple devices Determines whether all HPM users can
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 47
.exe. The system drive, and the drive on which the core server is installed, if different, should be backed up. For information about backing up the core server with ImageW.exe, see Manually Capturing an Image with ImageW.exe at the following Web site: http://community.landesk.com/support/docs/DOC
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 48
when running these commands if the domain controller is not accessible at the time the command is run (for example if the core server is moved to a lab environment for upgrading). If migrating to a new database status (which patches are set to autofix) 40 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 49
a new database, many items cannot be exported. Take screen shots of such configurations so that they can be applied Template user Preferred Server settings Unmanaged Device Discovery configurations Preferred Server settings Settings under Configure ➙ Services PXE Boot Menu Security and Patch
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 50
42 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 51
hard disk. Problem description: Hard disks with passwords set cannot be shared between registered systems. Hard disk passwords are handled as follows: 1. To allow for consistency between desktop and mobile, all HDPs are the same within a given system (even though mobile BIOS could support different
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 52
: All hard drive passwords (HDPs) are the same within a registered Hardware Password Manager system. However, the passwords will differ between systems where policy is set for the Hardware Password Manager server to generate the passwords (for example, non-common HDPs). Problem description: The
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 53
installed. Problem description: If installing SGN or SGE on Windows XP when the Hardware Password Manager client is installed, an error is displayed indicating the Lenovo GINA is active and the installation fails. Solution: Uninstall the Hardware Password Manager client, restart the system, install
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 54
the BIOS. Problem description: Hardware Password Manager supports all Windows-based functions via wireless connections, such as registration, renew vault, restore vault, and the execution of remote actions. However, BIOS does not support wireless network connections. So, the computer must have a hard
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 55
a message indicating internal error. Problem description: If the user has registered in Hardware Password Manager, then restores from a backup where the Hardware Password Manager client application was not installed, the system is left in a state where BIOS thinks the system is registered (the
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 56
48 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 57
this Lenovo product, and use of those Web sites is at your own risk. Any performance data contained herein was determined in a controlled environment. Therefore, the result in other operating environments may vary significantly. Some measurements may have been made on development-level systems and
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 58
countries, or both. Microsoft and Windows 2000, Windows XP and Windows Vista are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. 50 Hardware Password Manager Deployment Guide
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 59
- Lenovo ThinkCentre M58p | (English) Hardware Password Manager Deployment Guide - Page 60
Hardware Password Manager
Deployment Guide
Updated: July, 2010