Troubleshooting. HP ProBook 4510s Notebook PC, Compaq 6735s Notebook PC, Compaq 615 Notebook PC, EliteBook 8730w Mobile Workstation, Compaq 610 Notebook PC, EliteBook 6930p Notebook PC, EliteBook 8730w Base Model Mobile Workstation, Compaq 6530b Notebook PC, 550 Notebook PC, EliteBook 8530w Mobile Workstation
9 Troubleshooting

Credential Manager for HP ProtectTools

Short description: Using the Credential Manager Network Accounts option, a user can select which domain account to log on to. When TPM authentication is used, this option is not available. All other authentication methods work properly.
Details: Using TPM authentication, the user is only logged on to the local computer.
Solution: Using Credential Manager Single Sign On tools allows the user to authenticate other accounts.

Short description: Smart cards and USB tokens are not available in Credential Manager if they are installed after the Credential Manager installation.
Details: In order to use smart cards or USB tokens in Credential Manager, the supporting software (drivers, PKCS#11 providers, etc.) must be installed prior to the Credential Manager installation.
Solution: Log on to Credential Manager. In HP ProtectTools Security Manager, click Credential Manager, click Advanced Settings, and then click the Smart Cards and Tokens tab. A list of available tokens is displayed under Local Tokens. If you already have Credential Manager installed, do the following after installing the smart card or token supporting software: open the popup menu by right-clicking the Local Tokens node, and then select Scan for New Smart Cards and Tokens. Restart your computer if prompted.

Short description: Some application Web pages create errors that prevent the user from performing or completing tasks.
Details: Some Web-based applications stop functioning and report errors due to the disabling functionality pattern of Single Sign On. For example, an ! in a yellow triangle is observed in Internet Explorer, indicating that an error has occurred.
Solution: Credential Manager Single Sign On does not support all software Web interfaces. Disable Single Sign On support for the specific Web page by turning off Single Sign On support. See the complete documentation on Single Sign On, which is available in the Credential Manager software Help files. If Single Sign On cannot be disabled for a given application, call HP technical support and request 3rd-level support through your HP Service contact.

Short description: The option to Browse for Virtual Token is not displayed during the logon process.
Details: The user cannot move the location of a registered virtual token in Credential Manager because the option to browse was removed to reduce security risks.
Solution: The browse option was removed because it allowed non-users to delete and rename files and take control of Windows.

Short description: Domain administrators cannot change the Windows password even with authorization.
Details: This happens after a domain administrator logs on to a domain and registers the domain identity with Credential Manager using an account with Administrator's rights on the domain and the local PC. When the domain administrator attempts to change the Windows password from Credential Manager, the administrator gets an error, "logon failure: User account restriction".
Solution: Credential Manager cannot change a domain user's account password through Change Windows password. Credential Manager can only change the local PC account passwords. The domain user can change his/her password through the Change password option of Windows security, but since the domain user does not have a physical account on the local PC, Credential Manager can only change the password used to log on.

Short description: Users can lose all Credential Manager credentials protected by the TPM.
Details: If the TPM module is removed or damaged, users lose all credentials protected by the TPM.
Solution: This is as designed. The TPM module is designed to protect the Credential Manager credentials. HP recommends that the user back up their identity from Credential Manager prior to removing the TPM module.

Short description: Credential Manager has incompatibility issues with the Corel WordPerfect 12 password GINA.
Details: If the user logs on to Credential Manager, creates a document in WordPerfect, and saves it with password protection, Credential Manager cannot detect or recognize, either manually or automatically, the password GINA.
Solution: HP is researching a workaround for future product enhancements.

Short description: Credential Manager does not recognize the Connect button on screen.
Details: If the Single Sign On credentials for Remote Desktop Connection (RDP) are set to Connect, when Single Sign On is relaunched, it always enters Save As instead of Connect.
Solution: HP is researching a workaround for future product enhancements.

Short description: The user is unable to log on to Credential Manager after transitioning from sleep mode to hibernation on Windows XP Service Pack 1 only.
Details: After allowing the system to transition into hibernation and sleep mode, the administrator or user is unable to log on to Credential Manager, and the Windows logon screen remains displayed no matter which logon credential (password, fingerprint, or Java Card) is selected.
Solution: Update Windows to Service Pack 2 via Windows Update. Refer to Microsoft knowledge base article 813301 at http://www.microsoft.com for more information on the cause of the issue. In order to log on, the user must select Credential Manager and log on. After logging on to Credential Manager, the user is prompted to log on to Windows (the user may have to select the Windows logon option) to complete the logon process. If the user logs on to Windows first, then the user must manually log on to Credential Manager.

Short description: Restoring Embedded Security causes Credential Manager to fail.
Details: Credential Manager fails to register any credentials after the ROM is restored to factory settings. Credential Manager fails to access the TPM if the ROM is reset to factory settings after installing Credential Manager.
Solution: The TPM embedded security chip can be enabled using the f10 Computer Setup utility, BIOS Configuration, or HP Client Manager. To enable the TPM embedded security chip using Computer Setup, follow these steps:
1. Open Computer Setup by turning on or restarting the computer, and then pressing f10 while the f10 = ROM Based Setup message is displayed in the lower-left corner of the screen.
2. Use the arrow keys to select Security, and then select Setup Password. Set a password.
3. Select Embedded Security Device.
4. Use the arrow keys to select Embedded Security Device—Disable. Use the arrow keys to change it to Embedded Security Device—Enable.
5. Click Enable, and then click Save changes and exit.

Short description: The security Restore Identity process loses the association with the virtual token.
Details: When the user restores an identity, Credential Manager can lose the association with the location of the virtual token at the logon screen. Even though Credential Manager has the virtual token registered, the user must reregister the token to restore the association.
Solution: HP is investigating resolution options for future customer software releases.

Details: When uninstalling Credential Manager without keeping identities, the system (server) part of the token is destroyed, so the token cannot be used anymore for logging on, even if the client part of the token is restored through identity restore.
Solution: This is currently by design. HP is investigating long-term options for resolution.

Credential Manager for HP ProtectTools 81

Embedded Security for HP ProtectTools (select models only)

Short description: Encrypting folders, subfolders, and files on the PSD causes an error message.
Details: If the user copies files and folders to the PSD and tries to encrypt folders/files or folders/subfolders, the Error Applying Attributes message is displayed. The user can encrypt the same files on the C:\ drive or an extra installed hard drive.
Solution: This is as designed. Moving files/folders to the PSD automatically encrypts them. There is no need to “double-encrypt” the files/folders. Attempting to double-encrypt them on the PSD using EFS produces this error message.

Short description: Cannot Take Ownership With Another OS In MultiBoot Platform.
Details: If a drive is set up for multiple OS boot, ownership can only be taken with the platform initialization wizard in one operating system.
Solution: This is as designed, for security reasons.

Short description: An unauthorized administrator can view, delete, rename, or move the contents of encrypted EFS folders.
Details: Encrypting a folder does not stop an unauthorized user with administrative rights from viewing, deleting, or moving the contents of the folder.
Solution: This is as designed. It is a feature of EFS, not of the Embedded Security TPM. Embedded Security uses Microsoft EFS software, and EFS preserves file/folder access rights for all administrators.

Short description: The user has no encrypt options when attempting to restore the hard drive using FAT32.
Details: If the user attempts to restore the hard drive using FAT32, there will be no encrypt options for any files/folders using EFS.
Solution: This is as designed. Software should not be installed on a restore with a FAT32 partition. Microsoft EFS is supported only on NTFS and does not function on FAT32. This is a feature of Microsoft EFS and is not related to HP ProtectTools software.

Short description: The user is able to encrypt or delete the recovery archive XML file.
Details: By design, the ACLs for this folder are not set; therefore, a user can inadvertently or purposely encrypt or delete the file, thus making it inaccessible. After this file has been encrypted or deleted, no one can use the TPM software.
Solution: This is as designed. Users have access rights to the emergency archive so that they can save/update their Basic User Key backup copy. Users should be instructed never to encrypt or delete the recovery archive files.

Short description: Embedded Security EFS interaction with Symantec Antivirus or McAfee Total Protection produces longer encryption/decryption and scan times.
Details: Encrypted files interfere with the Symantec Antivirus or McAfee Total Protection virus scan. Encrypting files using Embedded Security EFS takes longer when Symantec Antivirus or McAfee Total Protection is running.
Solution: To reduce the time required to scan Embedded Security EFS files, the user can either type the encryption password before scanning or decrypt before scanning. To reduce the time required to encrypt/decrypt data using Embedded Security EFS, the user should disable Auto-Protect on Symantec Antivirus or McAfee Total Protection.

Short description: The emergency recovery archive cannot be saved to removable media.
Details: If the user inserts a MultiMediaCard or Secure Digital (SD) Memory Card when creating the emergency recovery archive path during Embedded Security initialization, an error message is displayed.
Solution: This is as designed. Storage of the recovery archive on removable media is not supported. The recovery archive can be stored on a network drive or on a local drive other than the C drive.

Short description: Errors occur after a power loss interrupts Embedded Security initialization.
Details: If there is a power loss during the initialization of the Embedded Security chip, the following issues occur:
● When attempting to launch the Embedded Security Initialization Wizard, the following error message is displayed: The Embedded security cannot be initialized since the Embedded Security chip already has an Embedded Security owner.
● When attempting to launch the User Initialization Wizard, the following error message is displayed: The Embedded security is not initialized. To use the wizard, the Embedded Security must be initialized first.
Solution: Perform the following procedure to recover from the power loss:
NOTE: Use the arrow keys to select the various menus and menu items and to change values (unless otherwise specified).
1. Start or restart the computer.
2. Press f10 when the f10=Setup message appears on the screen.
3. Select the appropriate language option.
4. Press enter.
5. Select Security, and then click Embedded Security.
6. Set the Embedded Security Device option to Enable.
7. Press f10 to accept the change.
8. Select File, and then click Save Changes and Exit.
9. Press enter.
10. Press f10 to save the changes and exit the utility.

Short description: The Computer Setup (f10) Utility password can be removed after enabling the TPM module.
Details: Enabling the TPM module requires a Computer Setup (f10) Utility password. When the module has been enabled, the user can remove the password. This allows anyone with direct access to the system to reset the TPM module and cause possible loss of data.
Solution: This is as designed. The Computer Setup (f10) Utility password can only be removed by a user who knows the password. However, HP strongly recommends keeping the Computer Setup (f10) Utility password-protected at all times.

Short description: The PSD password box is no longer displayed when the system becomes active after standby.
Details: When a user logs on to the system after creating a PSD, the TPM asks for the Basic User password. If the user does not type the password and the system initiates Standby, the password dialog box is no longer available when the user resumes.
Solution: This is by design. The user has to log off and back on to view the PSD password box again.

Short description: No password is required to change the Security Platform Policies.
Details: Access to the Security Platform Policies (both Machine and User) does not require a TPM password for users who have administrative rights on the system.
Solution: This is by design. Any administrator can modify the Security Platform Policies with or without TPM user initialization.

Short description: When a certificate is viewed, it shows as non-trusted.
Details: After setting up HP ProtectTools and running the User Initialization Wizard, the user has the ability to view the certificate issued; however, when the certificate is viewed, it shows as non-trusted. While the certificate can be installed at this point by clicking the install button, installing it does not make it trusted.
Solution: Self-signed certificates are not trusted. In a properly configured enterprise environment, EFS certificates are issued by online Certification Authorities and are trusted.

Short description: An intermittent encrypt and decrypt error occurs: The process cannot access the file because it is being used by another process.
Details: This is an extremely intermittent error during file encryption or decryption which occurs because the file is being used by another process, even though that file or folder is not being processed by the operating system or other applications.
Solution: To resolve the failure:
1. Restart the system.
2. Log off.
3. Log back on.

Short description: Data loss in removable storage occurs if the storage media is removed prior to completing the new data generation or transfer.
Details: Removing storage media such as a MultiBay hard drive still shows PSD availability and does not generate errors while adding/modifying data on the PSD. After the system is restarted, the PSD does not reflect file changes that occurred while the removable storage was unavailable.
Solution: Do not remove a PSD before data generation or transfer is complete. This issue is only experienced if the user accesses the PSD, then removes the hard drive before completing new data generation or transfer. If the user attempts to access the PSD when the removable hard drive is not present, an error message is displayed stating that the device is not ready.

Short description: During uninstall, if the user has not initialized the Basic User and opens the Administration tool, the Disable option is not available and the Uninstaller will not continue until the Administration tool is closed.
Details: The user has the option of uninstalling either without disabling the TPM or by first disabling the TPM (through the Administration tool), and then uninstalling. Accessing the Administration tool requires Basic User Key initialization. If basic initialization has not occurred, all options are inaccessible to the user.
Solution: The Administration tool is used for disabling the TPM chip, but that option is not available unless the Basic User Key has already been initialized. If it has not been initialized, select OK or Cancel to continue with the uninstallation. Since the user has explicitly chosen to open the Administration tool (by clicking Yes in the dialog box prompting Click Yes to open Embedded Security Administration tool), uninstall waits until the Administration tool is closed. If the user clicks No in that dialog box, the Administration tool does not open at all and uninstall proceeds.

Short description: Intermittent system lockup occurs after creating a PSD on 2 user accounts and using fast-user-switching in 128-MB system configurations.
Details: The system may lock up with a black screen and a nonresponding keyboard and mouse instead of showing the welcome (logon) screen when using fast-user-switching with minimal RAM. The root cause is suspected to be a timing issue in low memory configurations. Integrated graphics uses UMA architecture, taking 8 MB of memory, which leaves only 120 MB available to the user. The error is generated when this 120 MB is shared by both users who are logged on and are fast-user-switching.
Solution: The workaround is to reboot the system and increase the memory configuration (HP does not ship 128-MB configurations with security modules).

Short description: EFS User Authentication (password request) times out with access denied.
Details: The EFS User Authentication password prompt reopens after the user clicks OK or the system exits Standby.
Solution: This is by design—to avoid issues with Microsoft EFS, a 30-second watchdog timer was created to generate the error message.

Short description: Minor truncation during setup of Japanese is observed in functional descriptions.
Details: Functional descriptions in the custom setup option of the installation wizard are truncated.
Solution: HP will correct this in a future release.

Short description: EFS Encryption works without a password being typed in the prompt.
Details: By allowing the prompt for the User password to time out, encryption is still available on a file or folder.
Solution: The ability to encrypt does not require password authentication, since this is a feature of the Microsoft EFS encryption. Decryption will require the user password to be supplied.

Short description: Secure e-mail is supported, even when secure e-mail is not specified in the User Initialization Wizard or when secure e-mail configuration is disabled in user policies.
Details: Embedded Security software and the wizard do not control the settings of an e-mail client (Outlook, Outlook Express, or Netscape).
Solution: This behavior is as designed. Configuration of TPM e-mail settings does not prohibit editing encryption settings directly in an e-mail client. Usage of secure e-mail is set and controlled by 3rd-party applications. The HP wizard allows linkage to the three reference applications for immediate customization.

Short description: Running Large Scale Deployment a second time on the same PC or on a previously initialized PC overwrites the Emergency Recovery and Emergency Token files. The new files are useless for recovery.
Details: Running Large Scale Deployment on any previously initialized HP ProtectTools Embedded Security system renders existing Recovery Archives and Recovery Tokens useless by overwriting those XML files.
Solution: HP is working to resolve the XML-file-overwrite issue and will provide a solution in a future SoftPaq.

Short description: Automated logon scripts do not function during user restore in Embedded Security.
Details: The error occurs after the user performs the following actions:
● Initializes owner and user in Embedded Security (using the default locations—My Documents).
● Resets the chip to factory settings in the BIOS.
● Reboots the computer.
● Begins to restore Embedded Security. During the restore process, Credential Manager asks if the system can automate the logon to Infineon TPM User Authentication. If the user selects Yes, the location of SPEmRecToken is automatically displayed in the text box. Even though this location is correct, the following error message is displayed: No Emergency Recovery Token is provided. Select the token location the Emergency Recovery Token should be retrieved from.
Solution: Click the Browse button on the screen to select the location, and the restore process proceeds.

Short description: Multiple-user PSDs do not function in a fast-user-switching environment.
Details: This error occurs when multiple users have been created and given a PSD with the same drive letter. If an attempt is made to fast-user-switch between users when the PSD is loaded, the second user's PSD is unavailable.
Solution: The second user's PSD will be available only if it is reconfigured to use another drive letter or if the first user is logged off.

Short description: The PSD is disabled and cannot be deleted after formatting the hard drive on which the PSD was generated.
Details: The PSD icon is still visible, but the error message drive is not accessible is displayed when the user attempts to access the PSD. The user is not able to delete the PSD and the following message is displayed: your PSD is still in use, please be sure that your PSD contains no open files and is not accessed by another process. The user must reboot the system in order to delete the PSD, and it is not loaded after the reboot.
Solution: As designed: if a customer force-deletes or disconnects from the storage location of the PSD data, the Embedded Security PSD drive emulation continues to function and will produce errors based on lack of communication with the missing data. Resolution: after the next reboot, the emulation fails to load and the user can delete the old PSD emulation and create a new PSD.

Short description: An internal error is detected when the user is restoring from the Automatic Backup Archive.
Details: In Embedded Security, if the user clicks the Restore under Backup option to restore from the automatic backup archive and then selects SPSystemBackup.xml, the Restore Wizard fails and the following error message is displayed: The selected Backup Archive does not match the restore reason. Please select another archive and continue. If the user selects SpSystemBackup.xml when SpBackupArchive.xml is required, the Embedded Security Wizard fails and displays the following message: An internal Embedded Security error has been detected.
Solution: The user must select the correct XML file to match the required reason. The processes are working as designed and function properly; however, the internal Embedded Security error message is not clear and should state a more appropriate message. HP is working to enhance this in future products.

Short description: The security system exhibits a restore error with multiple users.
Details: During the restore process, if the administrator selects users to restore, the users not selected are not able to restore their keys when trying to restore at a later time. A decryption process failed error message is displayed.
Solution: The non-selected users can be restored by resetting the TPM, running the restore process, and selecting all users before the next default daily backup runs. If the automated backup runs, it overwrites the non-restored users and their data is lost. If a new system backup is stored, the previously unselected users cannot be restored. Also, the user must restore the entire system backup. An Archive Backup can be restored individually.

Short description: Resetting the System ROM to default hides the TPM.
Details: Resetting the system ROM to default hides the TPM from Windows. This does not allow the security software to operate properly and makes TPM-encrypted data inaccessible.
Solution: Unhide the TPM in the BIOS: open the Computer Setup (f10) Utility, navigate to Security > Device security, and then change the field from Hidden to Available.

Short description: Automatic backup does not work with a mapped drive.
Details: When an administrator sets up Automatic Backup in Embedded Security, it creates an entry in Windows > Tasks > Scheduled Task. This Windows Scheduled Task is set to use NT AUTHORITY\SYSTEM for rights to execute the backup. This works properly to any local drive. When the administrator instead configures the Automatic Backup to save to a mapped drive, the process fails because NT AUTHORITY\SYSTEM does not have the rights to use the mapped drive. If the Automatic Backup is scheduled to occur upon logon, the Embedded Security TNA icon displays the following message: The Backup Archive location is currently not accessible. Click here if you want to backup to a temporary archive until the Backup Archive is accessible again. If the Automatic Backup is scheduled for a specific time, however, the backup fails without displaying notice of the failure.
Solution: The workaround is to change NT AUTHORITY\SYSTEM to (computer name)\(admin name). This is the default setting if the Scheduled Task is created manually. HP is working to provide future product releases with default settings that include computer name\admin name.

Short description: Embedded Security cannot be temporarily disabled in the Embedded Security GUI.
Details: The current 4.0 software was designed for HP Notebook 1.1B implementations, as well as supporting HP Desktop 1.2 implementations. The option to disable is still supported in the software interface for TPM 1.1 platforms.
Solution: HP will address this issue in future releases.

Device Access Manager for HP ProtectTools

Short description: Users have been denied access to devices within Device Access Manager, but the devices are still accessible.
Details: Simple Configuration and/or Device Class Configuration have been used within Device Access Manager to deny users access to devices. Despite being denied access, users can still access the devices.
Solution: Verify that the HP ProtectTools Device Locking service has started. As an administrative user, browse to Control Panel > Administrative Tools > Services. In the Services window, search for the HP ProtectTools Device Locking/Auditing service. Be sure that the service is started and that the startup type is Automatic.

Short description: A user has unexpected access to a device, or a user is unexpectedly denied access to a device.
Details: Device Access Manager has been used to deny users access to some devices and allow users access to other devices. When using the system, users can access devices they believe Device Access Manager has denied and are denied access to devices they believe Device Access Manager should allow.
Solution: The Device Class Configuration within Device Access Manager should be used to investigate the user's device settings. Click Security Manager, click Device Access Manager, and then click Device Class Configuration. Expand the levels in the Device Class tree and review the settings applicable to the user. Check for any “Deny” permissions that may be set on the user or on any Windows group of which they may be a member, e.g., Users, Administrators.

Short description: Allow or deny—which takes precedence?
Details: Within Device Class Configuration, the following configuration has been set: the Allow permission has been granted to a Windows group (e.g., BUILTIN\Administrators) and the Deny permission has been granted to another Windows group (e.g., BUILTIN\Users) at the same level in the device class hierarchy (e.g., DVD/CD-ROM Drives). If a user is a member of both those groups (e.g., Administrator), which takes precedence?
Solution: The user is denied access to the device. Deny takes precedence over Allow. Access is denied due to the way in which Windows works out the effective permission for the device. One group is denied and one group is allowed, but the user is a member of both groups. The user is denied because denying access is given precedence over allowing access. One workaround is to deny the Users group at the DVD/CD-ROM Drives level and to allow the Administrators group at the level below DVD/CD-ROM Drives. A further workaround would be to have specific Windows groups, one for allowing access to DVD/CD and one for denying access to DVD/CD. Specific users would then be added to the appropriate group.
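The precedence question above, worked through as an added model (example code written for this page, not HP's code and not how Device Access Manager is implemented internally): a small Python resolver over a constructed device-class tree shows why an administrator who belongs to both BUILTIN\Administrators and BUILTIN\Users is denied when the two entries sit at the same level, and why each of the two documented workarounds restores access. The tree shape, the "most specific level decides" ordering, the default for an unconfigured device and the drive name are assumptions.

```python
"""Deny-over-Allow resolution on a device-class tree (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ADMINISTRATORS = r"BUILTIN\Administrators"
USERS = r"BUILTIN\Users"
DVD_LEVEL = "DVD/CD-ROM Drives"
DRIVE_NAME = "Example DVD drive (constructed name)"   # level below DVD_LEVEL

# An administrator is a member of BUILTIN\Users as well; a standard user is not.
ADMIN_MEMBERSHIP: Set[str] = {ADMINISTRATORS, USERS}
USER_MEMBERSHIP: Set[str] = {USERS}


@dataclass
class DeviceClass:
    """One node of the Device Class Configuration tree."""
    name: str
    aces: Dict[str, str] = field(default_factory=dict)     # group -> "Allow"|"Deny"
    children: List["DeviceClass"] = field(default_factory=list)


def find_path(node: DeviceClass, target: str) -> Optional[List[DeviceClass]]:
    """Chain of nodes from `node` down to the node named `target`, or None."""
    if node.name == target:
        return [node]
    for child in node.children:
        below = find_path(child, target)
        if below is not None:
            return [node] + below
    return None


def resolve(root: DeviceClass, device: str, groups: Set[str]) -> Tuple[str, str]:
    """Effective permission for a user who is a member of `groups`.

    Returns (decision, level), where level names the node that decided.
    Rules assumed from the troubleshooting entry (not HP documentation):
      1. the most specific level that mentions any of the user's groups decides;
      2. at that level, a Deny on any group beats an Allow on another group.
    Assumption: a device with no applicable entry at any level stays accessible.
    """
    path = find_path(root, device)
    if path is None:
        raise KeyError(f"unknown device class: {device}")
    for node in reversed(path):                      # specific -> general
        verdicts = {node.aces[g] for g in groups if g in node.aces}
        if "Deny" in verdicts:
            return "Deny", node.name
        if "Allow" in verdicts:
            return "Allow", node.name
    return "Allow", "(no entry at any level)"


def build_same_level_config() -> DeviceClass:
    """The configuration from the Details column: Allow and Deny at one level."""
    dvd = DeviceClass(DVD_LEVEL, {ADMINISTRATORS: "Allow", USERS: "Deny"})
    return DeviceClass("All Devices", children=[dvd])


def build_workaround_config() -> DeviceClass:
    """First workaround: Deny Users at the DVD level, Allow Administrators below it."""
    drive = DeviceClass(DRIVE_NAME, {ADMINISTRATORS: "Allow"})
    dvd = DeviceClass(DVD_LEVEL, {USERS: "Deny"}, [drive])
    return DeviceClass("All Devices", children=[dvd])


def build_dedicated_groups_config() -> DeviceClass:
    """Second workaround: one purpose-built group allows, another denies."""
    dvd = DeviceClass(DVD_LEVEL, {"DVD-Allowed": "Allow", "DVD-Denied": "Deny"})
    return DeviceClass("All Devices", children=[dvd])


def scenarios() -> Dict[str, Tuple[str, str]]:
    """All cases discussed in the entry, keyed by a short label."""
    return {
        "same level, administrator": resolve(build_same_level_config(), DVD_LEVEL, ADMIN_MEMBERSHIP),
        "same level, standard user": resolve(build_same_level_config(), DVD_LEVEL, USER_MEMBERSHIP),
        "workaround 1, administrator": resolve(build_workaround_config(), DRIVE_NAME, ADMIN_MEMBERSHIP),
        "workaround 1, standard user": resolve(build_workaround_config(), DRIVE_NAME, USER_MEMBERSHIP),
        "workaround 2, DVD-Allowed member": resolve(build_dedicated_groups_config(), DVD_LEVEL, {USERS, "DVD-Allowed"}),
        "workaround 2, DVD-Denied member": resolve(build_dedicated_groups_config(), DVD_LEVEL, {USERS, "DVD-Denied"}),
    }


if __name__ == "__main__":
    for label, (decision, level) in scenarios().items():
        print(f"{label:36s} -> {decision:5s} (decided at: {level})")
```

The second column of the output names the tree level that produced the decision, which is the question the "review the settings applicable to the user" advice above asks an administrator to answer by hand.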

Miscellaneous

Software Impacted—

Short description

Details Solution

Security Manager—

Warning received: The

security application can not be installed until the

HP Protect Tools

Security Manager is

installed.

All security applications such as

Embedded Security, Java Card Security, and biometrics are extendable plug-ins for the Security Manager interface.

Security Manager must be installed before an HP-approved security plug-in can be loaded.

The Security Manager software must be installed before installing any security plug-in.

TPM Firmware Update

Utility for models containing Broadcomenabled TPMs—The tool provided through HP support Web site reports

ownership required.

This is the expected behavior of the TPM firmware utility for models containing

Broadcom-enabled TPMs.

1.

2.

Reinstall Embedded Security Software.

Run the Platform and User Configuration Wizard.

The firmware upgrade tool allows the user to upgrade the firmware, with or without an endorsement key (EK). When there is no EK, no authorization is required to complete the firmware upgrade.

3.

Be sure that the system contains Microsoft .NET

framework 1.1 installation:

a.

b.

Click Start.

Click Control Panel.

When there is an EK, a TPM owner must exist, since the upgrade requires owner authorization. After the successful upgrade, the platform must be restarted for the new firmware to take effect.

c.

d.

Click Add or remove programs.

Be sure that Microsoft .NET Framework

1.1 is listed.

4. Check the hardware and software configuration:

a. Click Start.

b. Click All Programs.

c. Click HP ProtectTools Security Manager.

d. Select Embedded Security from the tree menu.

e. Click More Details. The system should have the following configuration:

● Product version = V4.0.1

● Embedded Security State: Chip State = Enabled, Owner State = Initialized, User State = Initialized

● Component Info: TCG Spec. Version = 1.2

● Vendor = Broadcom Corporation

● FW Version = 2.18 (or greater)

● TPM Device driver library version 2.0.0.9 (or greater)

5. If the FW version does not match 2.18, download and update the TPM firmware. The TPM Firmware SoftPaq is a support download available on the HP Web site at http://www.hp.com.

If the BIOS TPM is factory-reset, ownership is removed and firmware update capability is prevented until the Embedded Security Software platform and User Initialization Wizard have been configured.

NOTE: A reboot is always recommended after performing a firmware update. The firmware version is not identified correctly until after the reboot.

HP ProtectTools Security Manager—Intermittently, an error is returned when closing the Security Manager interface.

Details: Intermittently (1 in 12 instances), an error is created by using the close button in the upper right of the screen to close Security Manager before all plug-in applications have finished loading.

Solution: This is related to a timing dependency on plug-in services load time when closing and restarting Security Manager. Since PTHOST.exe is the shell housing the other applications (plug-ins), it depends on the ability of the plug-ins to complete their load time (services). Closing the shell before the plug-ins have had time to complete loading is the root cause. Allow Security Manager to complete the services loading message (seen at the top of the Security Manager window) and to load all plug-ins listed in the left column. To avoid failure, allow a reasonable time for these plug-ins to load.

HP ProtectTools—Unrestricted access or uncontrolled administrator privileges pose a security risk.

Details: Numerous risks are possible with unrestricted access to the client PC, including the following:

● Deletion of PSD

● Malicious modification of user settings

● Disabling of security policies and functions

Solution: Administrators are encouraged to follow “best practices” in restricting end-user privileges and restricting user access. Unauthorized users should not be granted administrative privileges.

The BIOS and OS Embedded Security passwords are out of synch.

Details: If a user does not validate a new password as the BIOS Embedded Security password, the BIOS Embedded Security password reverts back to the original embedded security password through f10 BIOS.

Solution: This is functioning as designed; these passwords can be re-synchronized by changing the OS Basic User password and authenticating it at the BIOS Embedded Security password prompt.

Only one user can log on to the system after TPM preboot authentication is enabled in BIOS.

Details: The TPM BIOS PIN is associated with the first user who initializes the user setting. If a computer has multiple users, the first user is, in essence, the administrator. The first user will have to give his TPM user PIN to other users to use to log on.

Solution: This is functioning as designed; HP recommends that the customer's IT department follow good security policies for rolling out their security solution and ensuring that the BIOS administrator password is configured by IT administrators for system-level protection.

The user has to change their PIN to make TPM preboot work after a TPM factory reset.

Details: The user has to change their PIN or create another user to initialize their user setting to make TPM BIOS authentication work after reset. There is no other option to make TPM BIOS authentication work.

Solution: This is as designed; the factory reset clears the Basic User Key. The user must change his user PIN or create a new user to re-initialize the Basic User Key.

Power-on authentication support is not set to default using Embedded Security Reset to Factory Settings.

Details: In Computer Setup, the Power-on authentication support option is not being reset to factory settings when using the Embedded Security Device option Reset to Factory Settings. By default, Power-on authentication support is set to Disable. The Reset to Factory Settings option disables Embedded Security Device, which hides the other Embedded Security options (including Power-on authentication support). However, after re-enabling Embedded Security Device, Power-on authentication support remains enabled.

Solution: HP is working on a resolution, which will be provided in future Web-based ROM SoftPaq offerings.

Security Power-On Authentication overlaps the BIOS Password during the boot sequence.

Details: Power-On Authentication prompts the user to log on to the system using the TPM password, but, if the user presses f10 to access the BIOS, the user is granted Read rights access only.

Solution: To be able to write to BIOS, the user must type the BIOS password instead of the TPM password at the Power-On Authentication window.

The BIOS asks for both the old and new passwords through Computer Setup after the Owner password is changed.

Details: The BIOS asks for both the old and new passwords through Computer Setup after the Owner password is changed in the Embedded Security Windows software.

Solution: This is as designed. This is due to the inability of the BIOS to communicate with the TPM, after the operating system is up and running, and to verify the TPM pass phrase.
