
Technical Reference Guide

www.hp.com


HP ProtectTools Troubleshooting Guide

Overview

HP ProtectTools Security is a new technology offered by HP on some Business PCs. This technology offers enhanced security support for file/folder encryption, user identity and protection, Single Sign On, multi-factor authentication, smart card, smart card preboot, token and biometric support, and works natively with the operating system to enhance security-aware applications, such as secure e-mail. The enhanced security is achieved through both hardware and software. Windows-based management of the BIOS is also incorporated through a BIOS Configuration module. All software is centrally managed through an HP Security Manager interface, which can be accessed from the task tray, Start menu, or Control Panel. A properly enabled security system requires a TPM-enabled BIOS, version 1.54 or greater, obtainable through www.hp.com support, and security software available via purchase.

Administrators are encouraged to follow “best practices” in restricting end-user privileges and restricting user access.

Hardware

The hardware consists of a Trusted Platform Module (TPM) which meets the Trusted Computing Group requirements of the TPM 1.2 standard. The card is integrated with the system board and is part of the NIC. The NIC and TPM solution contains on-chip memory; off-chip memory, functions, and firmware are located on an external flash integrated with the system board. All TPM functions are encrypted or protected to ensure secure flash or communications.

Software

The software, HP ProtectTools, has two parts: HP ProtectTools Security Manager and HP 
plug-in modules. Security Manager is the interface (shell) that centralizes all security 
applications (plug-ins). The computer offers security in both configure-to-order and aftermarket 
configurations. Both offerings provide a CD which can be used in Microsoft Windows to install 
the HP ProtectTools security products. Customers using a non-HP corporate image are 
encouraged to use the provided CD to install security software. Some HP Web-based downloads 
(SoftPaqs) will not install unless previous versions of security software are already installed on 
the target PC.

HP ProtectTools security applications for the computer are:

HP ProtectTools Security Manager: The software is preinstalled on the hard drive and can be 
accessed from the Start Menu or Control Panel applet. The Security Manager shell interface 
provides a central point for administering all security plug-in modules. Security plug-ins like 
the TPM, Smart Card, and future security products cannot be installed unless the Security 
Manager interface is present.

HP ProtectTools Embedded Security: This supports the TPM 1.2 hardware directly and is 
preinstalled on the imaged drive for desktop. In Windows 2000 and Windows XP 
environments, this software supports enhanced security for secure e-mail with Microsoft 

Summary of Contents for 413742-001

Page 1: ...aq Business Desktops. Document Part Number 413742-001, January 2006. This document contains information and recommendations for the ProtectTools administrator concerning questions that may arise in the administration and operation of HP ProtectTools...

Page 2: ...nical or editorial errors or omissions contained herein. This document contains proprietary information that is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Hewlett-Packard Company. WARNING: Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss...

Page 4: ...applications and protected network resources. Support for optional security devices, such as smart cards and biometric readers. Support for additional security settings, such as requiring authentication with an optional security device to unlock the computer and access applications. Enhanced encryption for stored passwords when implemented with a TPM Embedded Security chip. Smart Card Security for Prot...

Page 5: ...cure Multipurpose Internet Mail Extensions: a specification for secure electronic messaging using PKCS. S/MIME offers authentication via digital signatures and privacy via encryption. TCG (Trusted Computing Group): industry association set up to promote the concept of a Trusted PC. TCG supersedes TCPA. TCPA (Trusted Computing Platform Alliance): trusted computing alliance, now superseded by TCG. TPM (Trusted Pl...

Page 6: ...lete or move contents of the folder. This is as designed; it is a feature of EFS, not the Embedded Security TPM. Embedded Security uses Microsoft EFS software, and EFS preserves file/folder access rights for all administrators. HP ProtectTools Embedded Security: Encrypted folders with EFS in Windows 2000 are not shown highlighted in green. Encrypted folders with EFS are highlighted in green in Windows XP...

Page 7: ...s security approach and instruct users never to encrypt or delete the recovery archive files. HP ProtectTools Embedded Security: HP ProtectTools Embedded Security EFS interaction with Norton Antivirus produces longer encryption/decryption and scan times. Encrypted files interfere with the Norton AntiVirus 2005 virus scan. During the scan process, the Basic User Key password prompt asks the user for a pass...

Page 8: ...is not initialized. To use the wizard, the Embedded Security must be initialized first. Perform the following procedure to recover from the power loss. Use the Arrow keys to select various menus and menu items and to change values, unless otherwise specified. 1. Start or restart the computer. 2. Press F10 when the F10 Setup message appears on screen, or as soon as the monitor LED turns green. 3. Select the appro...

Page 9: ...incorrect password or cancels the password dialog, the encrypted file will open as if the administrator had entered the correct password. This happens regardless of the security settings used when encrypting the data. The Data Recovery Policy is automatically configured to designate an administrator as a recovery agent. When a user key cannot be retrieved, as in the case of entering the wrong password...

Page 10: ...r transfer. If the user attempts to access the PSD when the removable hard drive is not present, an error message is displayed stating that the device is not ready. HP ProtectTools Embedded Security: During uninstall, if the user has not initialized the Basic User Key and opens the Administration tool, the Disable option is not available and the Uninstaller will not continue until the Administration tool is clo...

Page 11: ...s Embedded Security: EFS User Authentication password request times out with access denied. The EFS User Authentication password dialog reopens after clicking OK or returning from standby state after the timeout. This is by design: to avoid issues with Microsoft EFS, a 30-second timer (watchdog timer) was created to generate the error message. HP ProtectTools Embedded Security: Minor truncation during setup of Japane...

Page 12: ...Click System Devices. 5. Click Broadcom TPM. The device status should indicate “This device is working properly.” A 3-minute delay occurs as applications and Windows services time out after attempting connection to the damaged TPM. The Security Manager recovers and the user can run the self test and confirm the damaged module. HP ProtectTools Embedded Security: Running Large Scale Deployment a second time on...
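The Device Manager check above can be scripted so the TPM device status is verified without clicking through the tree. This is an added example, not code from the HP guide; it assumes a Windows host with WMI, and the `*TPM*` name filter is an assumption (the guide names the device "Broadcom TPM").

```powershell
# Added example, not from the HP guide: report the Plug and Play status of the
# TPM device. ConfigManagerErrorCode 0 is the state Device Manager shows as
# "This device is working properly"; any other code is a device fault.
function Get-TpmDeviceStatus {
    param([string]$NamePattern = '*TPM*')   # assumption: device name contains "TPM"

    $devices = Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.Name -like $NamePattern }

    if (-not $devices) {
        # No matching device at all: treat as unhealthy so a script can alert on it.
        return [pscustomobject]@{ Name = $null; Status = 'NotFound'; ErrorCode = $null; Healthy = $false }
    }

    foreach ($d in $devices) {
        [pscustomobject]@{
            Name      = $d.Name
            Status    = $d.Status                   # "OK" when Device Manager is happy
            ErrorCode = $d.ConfigManagerErrorCode   # 0 = working properly
            Healthy   = ($d.ConfigManagerErrorCode -eq 0)
        }
    }
}

Get-TpmDeviceStatus | Format-Table -AutoSize
```

Run it after the 3-minute timeout the guide mentions; a non-zero ErrorCode or a NotFound row is the scripted equivalent of the damaged-module case described above.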

Page 13: ...rforming a firmware update. The firmware version is not identified correctly until after the reboot. 1. Reinstall HP ProtectTools Embedded Security Software. 2. Run the Platform and User configuration wizard. 3. Ensure that the system contains the Microsoft .NET Framework 1.1 installation: click Start, click Control Panel, click Add or Remove Programs, and ensure Microsoft .NET Framework 1.1 is listed. 4. Check the hard...

Page 14: ...e error occurs after the user: 1. Initializes owner and user in Embedded Security using the default locations (My Documents). 2. Resets the chip to factory settings in the BIOS. 3. Reboots the machine. 4. Begins to restore Embedded Security. During the restore process, Credential Manager 1.5.0.631.35 asks the user if the system can automate the logon to Infineon TPM User Authentication. If the user selects Yes, then the lo...

Page 15: ...t errors due to the disabling functionality pattern of Single Sign On. For example, an icon in a yellow triangle is observed in Internet Explorer, indicating an error has occurred. Credential Manager Single Sign On does not support all software Web interfaces. Disable Single Sign On support for the specific Web page by turning off Single Sign On support. Please see the complete documentation on Single Sign On wh...

Page 16: ...ass Security Manager and initialize a basic user. During the basic user initialization, the guest could create a PSD that monopolizes the hard drive. The system administrator can resolve this by deleting the guest-user-created PSD. HP is working with plug-in suppliers to be aware of limited guest user capabilities for future product enhancements. HP ProtectTools Embedded Security: Guest User receives me...

Page 17: ...PSD. HP ProtectTools General: Unrestricted access or uncontrolled administrator privileges pose a security risk. Numerous risks are possible with unrestricted access to the client PC: deletion of the PSD, malicious modification of user settings, disabling of security policies and functions. Administrators are encouraged to follow best practices in restricting end-user privileges and restricting user access. Una...

Page 18: ...cryption process failed message is displayed. The non-selected users can be restored by resetting the TPM, running the restore process, and selecting all users before the next default daily backup runs. If the automated backup runs, it overwrites the non-restored users and their data is lost. If a new system backup is stored, the previous non-selected users cannot be restored. Also, the user must restore the ent...

Page 19: ...minutes after the uninstall completes, when the user selects Yes to reboot, numerous end task errors appear with Japanese (JP), Taiwanese (TW), and Traditional Chinese (TZ). These end tasks include persistWnd, hkem.exe, conime.exe, ccapp, PSD, and the HP ProtectTools Embedded Security Icon tray. This occurs only on the first uninstall attempt. Allow more time and the stalled process will successfully complete. Software Impacted: Sh...

Page 20: ...currently not accessible. Click here if you want to backup to a temporary archive until the Backup Archive is accessible again.” If the Automatic Backup is scheduled for a specific time, however, the backup fails without displaying notice of the failure. The workaround is to change the NT AUTHORITY\SYSTEM account to computer name\admin name. This is the default setting if the Scheduled Task is created manually...
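Because the scheduled backup described above fails silently when it runs as NT AUTHORITY\SYSTEM, the run-as account is worth auditing rather than assumed. This is an added example, not code from the HP guide; it assumes schtasks.exe is available (Windows XP and later), and the task-name filter is an assumption because the guide does not give the backup task's name.

```powershell
# Added example, not from the HP guide: list scheduled tasks whose run-as
# account is SYSTEM, together with their last result, so a backup task that
# should run as computer name\admin name (per the guide's workaround) is easy to spot.
function Get-SystemAccountTasks {
    param([string]$TaskNamePattern = '*')   # assumption: narrow this to the backup task's name

    # /v adds the verbose columns, including "Run As User"; /fo csv makes them parseable.
    $rows = schtasks.exe /query /v /fo csv | ConvertFrom-Csv

    $rows |
        # Newer Windows versions repeat the header per task folder; drop those rows.
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Where-Object { $_.TaskName -like $TaskNamePattern } |
        Where-Object {
            $_.'Run As User' -ieq 'NT AUTHORITY\SYSTEM' -or $_.'Run As User' -ieq 'SYSTEM'
        } |
        Select-Object TaskName, 'Run As User', 'Task To Run', 'Last Run Time', 'Last Result'
}

Get-SystemAccountTasks | Format-Table -AutoSize
```

A non-zero "Last Result" on a SYSTEM-run task is the only trace the guide says this failure leaves, since no notice is displayed.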

Page 21: ...HP is researching a workaround for future product enhancements. HP ProtectTools Credential Manager: Credential Manager creates long account names that are truncated. When registering a password in Credential Manager, the user can click Options and select “Prompt to select account for this application.” The user must then enter a unique name for each document so Credential Manager can tell which password to...

Page 22: ...loop. The Single Sign On default is set to log users in automatically. However, when creating the second of two different password-protected documents, Credential Manager uses the last password recorded (the one from the first document). HP is researching a workaround for future product enhancements. HP ProtectTools Credential Manager: Incompatibility issues with Corel WordPerfect 12 password gina. If the user log...

Page 23: ...isable opening of Credential Manager upon smart card insertion: 1. Click Advanced Settings. 2. Click Service Applications. 3. Click Smart Cards and Tokens. 4. Click “when smart card/token is inserted.” 5. Select the “Advise to log on” checkbox. HP ProtectTools Smart Card Manager: The option to Require PIN at Boot does not work. The Settings button at HP ProtectTools Security Manager, Smart Card Security, BIOS, Smart...

Page 24: ...l credentials protected by the TPM. This is as designed. The TPM Module is designed to protect the Credential Manager credentials. HP recommends that the user back up the identity from Credential Manager prior to removing the TPM module. HP ProtectTools Credential Manager: Credential Manager not being set as primary logon in Windows 2000. During Windows 2000 install, the logon policy is set for manual or aut...

Page 25: ...Microsoft Knowledge Base article 813301 for more information on the cause of the issue. Customer Workaround: In order to log on, the user must select Credential Manager and log in. After logging into Credential Manager, the user is prompted to log in to Windows (the user may have to select the Windows login option to complete the login process). If the user logs into Windows first, then the user must manually log into Credential...

Page 26: ...cannot register a smart card in Credential Manager through the More option. Cannot register a Smart Card in Credential Manager through the My Identity, More, Register Credentials option. The user must use the Register Smart Card or Token option. This functionality was not originally designed into the product. It is being implemented in future product revisions being designed by HP. HP ProtectTools Credential Mana...
