HP ProtectTools Troubleshooting Guide
HP Compaq Business Desktops
Technical Reference Guide
Document Part Number: 413742-001
January 2006
This document contains information and recommendations for the ProtectTools administrator on questions that may arise in the administration and operation of HP ProtectTools.
Overview
HP ProtectTools Security is a new technology offered by HP on some Business PCs. It provides enhanced security support for file/folder encryption, user identity protection, Single Sign On, multi-factor authentication, smart cards, smart card preboot authentication, tokens and biometrics, and it works natively with the operating system to enhance security-aware applications such as secure e-mail. The enhanced security is achieved through both hardware and software. Windows-based management of the BIOS is also incorporated through a BIOS Configuration module. All software is centrally managed through the HP Security Manager interface, which can be accessed from the task tray, the Start menu, or the Control Panel. A properly enabled security system requires a TPM-enabled BIOS, version 1.54 or greater, obtainable
Administrators are encouraged to follow best practices by restricting end-user privileges and limiting users' access to what their role requires.
Hardware
The hardware consists of a Trusted Platform Module (TPM) that meets the Trusted Computing Group TPM 1.2 specification. The module is integrated on the system board as part of the NIC. The combined NIC and TPM solution uses both on-chip and off-chip memory; the TPM functions and firmware are held in an external flash part integrated on the system board. All TPM functions are encrypted or otherwise protected to secure the flash contents and the communications with the module.
Software
The software, HP ProtectTools, has two parts: HP ProtectTools Security Manager and the HP plug-in modules. Security Manager is the interface (shell) that centralizes all security applications (plug-ins). The computer offers security in both configure-to-order and aftermarket configurations. Both offerings provide a CD that can be used in Microsoft Windows to install the HP ProtectTools security products. Customers using a non-HP corporate image are encouraged to use the provided CD to install the security software. Some HP Web-based downloads (SoftPaqs) will not install unless previous versions of the security software are already installed on the target PC.
HP ProtectTools security applications for the computer are:
■ HP ProtectTools Security Manager: The software is preinstalled on the hard drive and can be accessed from the Start menu or a Control Panel applet. The Security Manager shell interface provides a central point for administering all security plug-in modules. Security plug-ins such as the TPM, Smart Card, and future security products cannot be installed unless the Security Manager interface is present.
■ HP ProtectTools Embedded Security: This supports the TPM 1.2 hardware directly and is preinstalled on the desktop image. In Windows 2000 and Windows XP environments, this software supports enhanced security for secure e-mail with Microsoft Outlook or Outlook Express, and it supports enhanced security for Microsoft EFS file/folder encryption. The software also provides a function called Personal Secure Drive (PSD). The PSD is a function in addition to the EFS-based file/folder encryption, and it uses the Advanced Encryption Standard (AES) algorithm. Note that the Personal Secure Drive cannot function unless the TPM is unhidden and enabled in the BIOS, the Embedded Security software is installed and ownership has been taken, and the user configuration has been initialized. Additionally, the TPM supports data management functions such as backing up and restoring the key hierarchy, third-party applications that use MSCAPI (such as Microsoft Outlook and Internet Explorer), and applications that use PKCS#11 (such as Netscape) for protected digital certificate operations when the Embedded Security software is in use.
■ HP ProtectTools TPM Firmware Update Utility: A Web-based SoftPaq for updating the TPM firmware.
■ HP Credential Manager for ProtectTools: Provides identity management and security features that protect against unauthorized access to the computer. These features include the following:
  ❏ Alternative logon methods in place of passwords, such as a smart card or a biometric reader, for logging on to Windows
  ❏ A Single Sign On feature that automatically remembers credentials for Web sites, applications, and protected network resources
  ❏ Support for optional security devices, such as smart cards and biometric readers
  ❏ Support for additional security settings, such as requiring authentication with an optional security device to unlock the computer and access applications
  ❏ Enhanced encryption for stored passwords when implemented with a TPM Embedded Security chip
■ Smart Card Security for ProtectTools: Manages smart card setup and configuration for computers equipped with an optional smart card reader. The smart card BIOS security mode is available on some models; when enabled, it requires a smart card to log on to the computer.
■ BIOS Configuration for ProtectTools: Provides access to the Computer Setup Utility security and configuration settings, allowing users to manage the system security features controlled by Computer Setup from within Windows.
Please consult the HP ProtectTools Security Manager Guide that shipped with the computer or the support materials. The help files provided with the installed product contain troubleshooting, configuration, and functional product data and are the first direct source of information.
Table A: Glossary of HP ProtectTools Embedded Security related terminology

AES (Advanced Encryption Standard): A symmetric block cipher with a 128-bit block size.
API (Application Programming Interface): A set of operating system functions that applications call to perform various tasks.
CSP (Cryptographic Service Provider): A software component that implements cryptographic operations behind the MSCAPI interface.
EFS (Encrypting File System): A transparent file encryption service provided by Microsoft for Windows 2000 or later.
LPC (Low Pin Count): The interface used by the HP ProtectTools Embedded Security device to connect to the platform chipset. The bus consists of 4 bits of address/data pins, a 33 MHz clock, and several control/status pins.
MSCAPI (Microsoft Cryptographic API, or CryptoAPI): An API from Microsoft that provides an interface to the Windows operating system for cryptographic applications.
PKCS (Public-Key Cryptography Standards): Standards that govern the definition and use of public-key/private-key encryption and decryption.
PKI (Public Key Infrastructure): A general term for the implementation of security systems that use public-key/private-key encryption and decryption.
PSD (Personal Secure Drive): A feature provided by HP ProtectTools Embedded Security. It creates a virtual drive on the user's machine that automatically encrypts files/folders moved into it.
S/MIME (Secure Multipurpose Internet Mail Extensions): A specification for secure electronic messaging using PKCS. S/MIME offers authentication via digital signatures and privacy via encryption.
TCG (Trusted Computing Group): Industry association set up to promote the concept of a "Trusted PC". TCG supersedes TCPA.
TCPA (Trusted Computing Platform Alliance): The original trusted computing alliance, now superseded by TCG.
TPM (Trusted Platform Module): TPM hardware and software enhance the security of EFS and the Personal Secure Drive by protecting the keys they use. In systems without a TPM, the keys used for EFS and the PSD are normally stored on the hard drive, where they are exposed to anyone who can read the disk. In systems with a TPM, the TPM's Storage Root Key, whose private part never leaves the chip, is used to "wrap" (protect) the keys used by EFS and the PSD. Extracting private keys from the TPM is much more difficult than reading them from the hard drive. The TPM also enhances the security of secure e-mail via S/MIME in Microsoft Outlook and Outlook Express: it functions as a Cryptographic Service Provider (CSP), so keys and certificates are generated and/or protected by the TPM hardware, providing significantly greater security than software-only implementations.
Known issues. Each entry below gives the software impacted with a short description, the details, and the solution or workaround.
HP ProtectTools Embedded Security: Encrypting folders, subfolders, and files on the PSD causes an error message
Details: If the user copies files and folders to the PSD and then tries to encrypt those files, folders, or subfolders, the "Error Applying Attributes" message appears. The same files can be encrypted on the C:\ drive or on an additional installed hard drive.
Solution / Workaround: This is as designed. Moving files/folders to the PSD encrypts them automatically, so there is no need to "double-encrypt" them. Attempting to encrypt them a second time on the PSD using EFS produces this error message.
HP ProtectTools Embedded Security: Cannot take ownership with another OS on a multi-boot platform
Details: If a drive is set up for multiple-OS boot, ownership can only be taken with the platform initialization wizard in one operating system.
Solution / Workaround: This is as designed. For security reasons, Embedded Security is designed to work with only one OS per system.
HP ProtectTools Embedded Security: An unauthorized administrator can view, delete, rename, or move the contents of EFS-encrypted folders
Details: Encrypting a folder does not stop an unauthorized user with administrative rights from viewing, deleting, renaming, or moving the contents of the folder.
Solution / Workaround: This is as designed. It is a feature of EFS, not of the Embedded Security TPM. Embedded Security uses Microsoft EFS, and EFS preserves file/folder access rights for all administrators. EFS controls only who can decrypt file contents; listing, deleting, renaming, and moving files are governed by NTFS permissions, which administrators retain, so EFS on its own must not be treated as an access-control mechanism.
HP ProtectTools Embedded Security: Folders encrypted with EFS in Windows 2000 are not highlighted in green
Details: Folders encrypted with EFS are highlighted in green in Windows XP, but not in Windows 2000.
Solution / Workaround: This is as designed. EFS does not highlight encrypted folders in Windows 2000, but it does in Windows XP. This is true whether or not an Embedded Security TPM is installed.
HP ProtectTools Embedded Security: EFS does not require a password to view encrypted files in Windows 2000
Details: If a user sets up Embedded Security, logs on as an administrator, then logs off and back on as the same administrator, the user can subsequently see the files/folders in Windows 2000 without being prompted for a password.
Solution / Workaround: This is as designed. It is a feature of EFS in Windows 2000. EFS in Windows XP, by default, does not let the user open the files/folders without a password.
HP ProtectTools Embedded Security: The software should not be installed on a restore with a FAT32 partition
Details: If the user restores the hard drive using FAT32, there are no Encrypt options for any files/folders using EFS.
Solution / Workaround: This is as designed. Microsoft EFS is supported only on NTFS and does not function on FAT32. This is a property of Microsoft EFS and is not related to the HP ProtectTools software.
HP ProtectTools Embedded Security: Initialization of the TPM module fails after a system restore
Details: If the user restores the hard drive from the restore CD, initialization of the TPM fails.
Solution / Workaround: This is as designed. The TPM must be reset and enabled again in the Computer Setup (F10) Utility before it can be initialized.
HP ProtectTools Embedded Security: A Windows 2000 user can share any PSD to the network through the hidden ($) share
Details: On Windows 2000, a user can share any PSD to the network, and the PSD can then be accessed over the network through the hidden ($) share.
Solution / Workaround: The PSD is not normally shared on the network, but on Windows 2000 only it can be reached through the hidden ($) share. HP recommends that the built-in Administrator account always be password-protected, since a blank or weak Administrator password is what makes the hidden share reachable.
HP ProtectTools Embedded Security: A user is able to encrypt or delete the recovery archive XML file
Details: By design, no ACL is set on this folder; therefore, a user can inadvertently or deliberately encrypt or delete the file, making it inaccessible. Once this file has been encrypted or deleted, no one can use the TPM software.
Solution / Workaround: This is as designed. Users have access rights to the emergency archive so that they can save/update the backup copy of their Basic User Key. Customers should adopt a best-practices security approach and instruct users never to encrypt or delete the recovery archive files.
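The entry above leaves protection of the recovery archive to user instruction. An administrator who wants a technical control can apply one from Windows itself. The following script is an added example, not HP's code and not part of the original guide: it assumes the folder path is supplied by the administrator (the guide does not give it), it relies on the documented Windows behaviour that a Desktop.ini containing "[Encryption] Disable=1" blocks EFS in a folder, and it denies Delete to the Users group while leaving read/write data rights intact so the wizard can still update the backup copy.

```powershell
# Added example (not HP's code): harden the folder holding the Embedded
# Security emergency recovery archive so that ordinary users keep the
# write access the wizard needs but can neither EFS-encrypt nor delete it.
# $ArchiveFolder is an assumption; pass the path the initialization
# wizard was given (the guide recommends a non-C: local or network drive).
param(
    [Parameter(Mandatory = $true)]
    [string]$ArchiveFolder
)

if (-not (Test-Path -LiteralPath $ArchiveFolder -PathType Container)) {
    throw "Recovery archive folder not found: $ArchiveFolder"
}

# 1. Block EFS in this folder. Windows honours a Desktop.ini with
#    [Encryption] Disable=1: an attempt to encrypt a file here fails with
#    an error instead of silently locking the archive to one user's key.
$desktopIni = Join-Path $ArchiveFolder 'Desktop.ini'
Set-Content -LiteralPath $desktopIni -Value "[Encryption]`r`nDisable=1" -Encoding Ascii
(Get-Item -LiteralPath $desktopIni -Force).Attributes = 'Hidden, System'

# 2. Deny Delete (and delete-of-children) to Users. Read/Write data rights
#    are untouched, so updating the backup copy in place still works.
$acl  = Get-Acl -Path $ArchiveFolder
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'BUILTIN\Users',
    'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $ArchiveFolder -AclObject $acl

# 3. Verify: any XML file already carrying the Encrypted attribute is
#    exactly the failure the guide describes and needs attention now.
Get-ChildItem -LiteralPath $ArchiveFolder -Filter '*.xml' -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    ForEach-Object { Write-Warning "Already EFS-encrypted: $($_.FullName)" }
```

Two caveats. A Deny entry wins over Allow, and on a workstation administrators are usually also members of Users, so an administrator who needs to delete the archive deliberately must remove the rule first. And if the Embedded Security wizard rewrites the archive by deleting and recreating it rather than overwriting in place, the Delete deny will break the update; test on one machine before deploying.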
HP ProtectTools Embedded Security: Interaction between Embedded Security EFS and Norton Antivirus produces longer encryption/decryption and scan times
Details: Encrypted files interfere with the Norton AntiVirus 2005 virus scan. During the scan, the Basic User Key password prompt asks the user for a password roughly every 10 files. If the user does not enter a password, the prompt times out and NAV2005 continues with the scan. Encrypting files using HP ProtectTools Embedded Security EFS takes longer when Norton Antivirus is running.
Solution / Workaround: To reduce the time required to scan HP ProtectTools Embedded Security EFS files, the user can either enter the encryption password before scanning or decrypt the files before scanning. To reduce the time required to encrypt/decrypt data using HP ProtectTools Embedded Security EFS, the user can disable Auto-Protect in Norton Antivirus for the duration of the operation; because this suspends real-time scanning, it should be re-enabled as soon as the encryption or decryption completes.
HP ProtectTools Embedded Security: Cannot save the emergency recovery archive to removable media
Details: If the user inserts an MMC or SD card and selects it as the emergency recovery archive path during Embedded Security initialization, an error message is displayed.
Solution / Workaround: Storage of the recovery archive on removable media is not supported. The recovery archive can be stored on a network drive or on a local drive other than the C drive.
HP ProtectTools Embedded Security: Cannot encrypt any data in the Windows 2000 French (France) environment
Details: There is no Encrypt selection when right-clicking a file icon.
Solution / Workaround: This is a Microsoft operating system limitation. If the locale is changed to anything else (French (Canada), for example), the Encrypt selection appears. To work around the problem, encrypt the file as follows: right-click the file icon and select Properties > Advanced > Encrypt contents.
HP ProtectTools Embedded Security: Errors occur after a power loss while taking ownership during Embedded Security initialization
Details: If power is lost while the Embedded Security chip is being initialized, the following issues occur:
• When attempting to launch the Embedded Security Initialization Wizard, the following error is displayed: "The Embedded security cannot be initialized since the Embedded Security chip has already an Embedded Security owner."
• When attempting to launch the User Initialization Wizard, the following error is displayed: "The Embedded security is not initialized. To use the wizard, the Embedded Security must be initialized first."
Solution / Workaround: Perform the following procedure to recover from the power loss.
✎ Use the arrow keys to select menus and menu items and to change values (unless otherwise specified).
1. Start or restart the computer.
2. Press F10 when the F10=Setup message appears on screen (or as soon as the monitor LED turns green).
3. Select the appropriate language option.
4. Press Enter.
5. Select Security > Embedded Security.
6. Set the Embedded Security Device option to Enable.
7. Press F10 to accept the change.
8. Select File > Save Changes and Exit.
9. Press Enter.
10. Press F10 to save the changes and exit the F10 Setup utility.
HP ProtectTools Embedded Security: The Computer Setup (F10) Utility password can be removed after enabling the TPM module
Details: Enabling the TPM module requires a Computer Setup (F10) Utility password. Once the module has been enabled, the user can remove the password. This allows anyone with physical access to the system to reset the TPM module and cause possible loss of data.
Solution / Workaround: This is as designed. The Computer Setup (F10) Utility password can only be removed by a user who knows the password. HP strongly recommends keeping the Computer Setup (F10) Utility password set at all times, since it is the only control standing between physical access and a TPM reset.
HP ProtectTools Embedded Security: The PSD password box is no longer displayed when the system becomes active after Standby
Details: When a user logs on to the system after creating a PSD, the TPM asks for the Basic User password. If the user does not enter the password and the system goes into Standby, the password dialog box is no longer available when the user resumes.
Solution / Workaround: This is by design. The user has to log off and back on to see the PSD password box again.
HP ProtectTools Embedded Security: No password is required to change the Security Platform Policies
Details: Access to the Security Platform Policies (both Machine and User) does not require a TPM password for users who have administrative rights on the system.
Solution / Workaround: This is by design. Any administrator can modify the Security Platform Policies with or without TPM user initialization.
HP ProtectTools Embedded Security: Microsoft EFS does not fully work in Windows 2000
Details: An administrator can access encrypted information on the system without knowing the correct password. If the administrator enters an incorrect password or cancels the password dialog, the encrypted file opens as if the correct password had been entered. This happens regardless of the security settings used when encrypting the data.
Solution / Workaround: The Data Recovery Policy is automatically configured to designate an administrator as a recovery agent. When a user key cannot be retrieved (as when the wrong password is entered or the Enter Password dialog is cancelled), the file is automatically decrypted with the recovery key. This is due to Microsoft EFS; refer to Microsoft Knowledge Base article Q257705 for more information. The documents cannot be opened by a non-administrator user.
HP ProtectTools Embedded Security: When viewing a certificate, it shows as non-trusted
Details: After setting up HP ProtectTools and running the User Initialization Wizard, the user can view the certificate that was issued; however, the certificate shows as non-trusted. The certificate can be installed at this point by clicking the Install button, but installing it does not make it trusted.
Solution / Workaround: Self-signed certificates are not trusted. In a properly configured enterprise environment, EFS certificates are issued by online Certification Authorities and are trusted.
HP ProtectTools Embedded Security: Intermittent encrypt and decrypt error occurs: "The process cannot access the file because it is being used by another process."
Details: A very intermittent error during file encryption or decryption occurs because the file is reported as being used by another process, even though that file or folder is not being processed by the operating system or any other application.
Solution / Workaround: To resolve the failure, log off and back on to the system; if that does not clear it, restart, then log off and log back in.
HP ProtectTools Embedded Security: Data loss on removable storage occurs if the storage is removed before new data generation or transfer completes
Details: Removing storage media such as a MultiBay hard drive while adding or modifying data on the PSD still shows the PSD as available and generates no errors. After the system restarts, the PSD does not reflect the file changes that occurred while the removable storage was not available.
Solution / Workaround: The issue is only experienced if the user accesses the PSD and then removes the hard drive before completing the new data generation or transfer. If the user attempts to access the PSD when the removable hard drive is not present, an error message is displayed stating that the device is not ready.
HP ProtectTools Embedded Security: During uninstall, if the user has not initialized the Basic User Key and opens the Administration tool, the Disable option is not available and the uninstaller will not continue until the Administration tool is closed
Details: During uninstallation, the user has the option of uninstalling either without disabling the TPM or by first disabling the TPM (through the Admin tool) and then uninstalling. Accessing the Admin tool requires Basic User Key initialization; if basic initialization has not occurred, all options are inaccessible to the user. Since the user has explicitly chosen to open the Admin tool (by clicking Yes in the dialog box prompting "Click Yes to open Embedded Security Administration tool"), the uninstall waits until the Admin tool is closed. If the user clicks No in that dialog box, the Admin tool does not open at all and the uninstall proceeds.
Solution / Workaround: The Admin tool is used for disabling the TPM chip, but that option is not available unless the Basic User Key has already been initialized. If it has not, select OK or Cancel to continue with the uninstallation process.
HP ProtectTools Embedded Security: Intermittent system lockup occurs after creating a PSD on two user accounts and using fast user switching in 128-MB system configurations
Details: The system may lock up with a black screen and a non-responding keyboard and mouse, instead of showing the welcome (logon) screen, when using fast user switching with minimal RAM.
Solution / Workaround: The suspected root cause is a timing issue in low-memory configurations. Integrated graphics uses the UMA architecture, taking 8 MB of memory and leaving only 120 MB available to the user. That 120 MB is shared by both logged-in users when fast user switching is in use at the moment the error is generated. The workaround is to reboot the system; the customer is encouraged to increase the memory configuration (HP does not ship 128-MB configurations with security modules by default).
HP ProtectTools Security Manager: Warning received: "The security application can not be installed until the HP Protect Tools Security Manager is installed"
Details: All security applications, such as Embedded Security, smart card, and biometrics, are extendable plug-ins for the HP Security Manager interface. Security Manager must be installed before an HP-approved security plug-in can be loaded.
Solution / Workaround: The HP ProtectTools Security Manager software must be installed before installing any security plug-in.
HP ProtectTools Embedded Security: EFS User Authentication (password request) times out with access denied
Details: The EFS User Authentication password prompt reopens after clicking OK, or after returning from the Standby state, once the timeout has elapsed.
Solution / Workaround: This is by design. To avoid issues with Microsoft EFS, a 30-second watchdog timer was created to generate the error message.
HP ProtectTools Embedded Security: Minor truncation is observed in the functional descriptions during Japanese setup
Details: The functional descriptions shown for the custom setup option in the installation wizard are truncated.
Solution / Workaround: HP is aware of the translation issue and will correct the translation in a future Web release.
HP ProtectTools Embedded Security: EFS encryption works without entering a password in the prompt
Details: If the prompt for the user password is allowed to time out, a file or folder can still be encrypted.
Solution / Workaround: The ability to encrypt does not require password authentication, since this is a property of Microsoft EFS encryption. Decryption does require the user password to be supplied.
HP ProtectTools Embedded Security: Secure e-mail is supported even if it is unchecked in the User Initialization Wizard or if the secure e-mail configuration is disabled in user policies
Details: The Embedded Security software and the wizard do not control the settings of an e-mail client (Outlook, Outlook Express, or Netscape).
Solution / Workaround: This behavior is as designed. Encrypted mail is configured in the e-mail client after Embedded Security is initialized. In future releases, the wizard and user policy descriptions will be modified for better clarity.
HP ProtectTools Embedded Security: Application lock-ups occur when the connection with the TPM module is lost
Details: When the TPM module is damaged or the connection to it is lost, the Security Manager locks up. Attempting to close the Security Manager causes Windows error messages.
Solution / Workaround: If the system appears not to function properly or the TPM is not found, perform the following manual inspections to ensure the system is properly configured:
• Check in the Computer Setup (F10) Utility that the TPM is unhidden.
• Check in Device Manager that the TPM device driver is installed:
1. Click Start.
2. Click Control Panel.
3. Click System, then open Device Manager from the Hardware tab.
4. Expand System devices.
5. Click Broadcom TPM. (The device status should indicate "This device is working properly.")
A 3-minute delay occurs while applications and Windows services time out after attempting to connect to the damaged TPM. The Security Manager then recovers, and the user can run the self test to confirm that the module is damaged.
HP ProtectTools Embedded Security: Running Large Scale Deployment a second time on the same PC, or on a previously initialized PC, overwrites the Emergency Recovery and Emergency Token files
Details: Running Large Scale Deployment on any previously initialized HP ProtectTools Embedded Security system renders the existing Recovery Archives and Recovery Tokens useless by overwriting those XML files. The new files are useless for recovery.
Solution / Workaround: HP is working to resolve the XML-file-overwrite issue and will provide a solution in a future SoftPaq. Until then, treat a second Large Scale Deployment run against an initialized system as destructive and keep a separate copy of the existing archive and token files before running it.
HP ProtectTools TPM Firmware Update Utility: The tool provided through the HP support Web site reports that ownership is required
Details: Expected behavior of the TPM firmware utility: the firmware upgrade tool allows the user to upgrade the firmware both when there is and when there is not an endorsement key (EK) present. When there is no EK, no authorization is required to complete the firmware upgrade. When there is an EK, a TPM owner must exist, since the upgrade requires owner authorization. After a successful upgrade, the platform must be restarted for the new firmware to take effect. If the TPM is factory-reset in the BIOS, ownership is removed and firmware updates are prevented until the Embedded Security software Platform and User Initialization Wizard has been configured.
* A reboot is always recommended after performing a firmware update. The firmware version is not identified correctly until after the reboot.
Solution / Workaround:
1. Reinstall the HP ProtectTools Embedded Security software.
2. Run the Platform and User configuration wizard.
3. Ensure that the system contains a Microsoft .NET Framework 1.1 installation:
• Click Start.
• Click Control Panel.
• Click Add or Remove Programs.
• Ensure Microsoft .NET Framework 1.1 is listed.
4. Check the hardware and software configuration:
• Click Start.
• Click All Programs.
• Click HP ProtectTools Security Manager.
• Select Embedded Security from the tree menu.
• Click More Details.
The system should have the following configuration:
—Product version = V4.0.1
—Embedded Security State: Chip State = Enabled, Owner State = Initialized, User State = Initialized
—Component Info: TCG Spec. Version = 1.2
—Vendor = Broadcom Corporation
—FW Version = 2.18 (or greater)
—TPM Device driver library version 2.0.0.9 (or greater)
If the FW version is below 2.18, download and update the TPM firmware. The TPM Firmware SoftPaq is a support download
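The Device Manager inspection in the "application lock-ups" entry and the .NET Framework 1.1 and firmware-version checks in the entry above are manual click-throughs. The following script is an added example, not HP's code and not part of the original guide, that performs the same checks from a PowerShell prompt. Its assumptions: the TPM appears in Device Manager with "TPM" in its name (the guide names it "Broadcom TPM"), .NET Framework 1.1 is detected through the registry key its installer writes, and the firmware version string is copied by hand from Security Manager > Embedded Security > More Details, because the FW version is not exposed through WMI on Windows 2000/XP.

```powershell
# Added example (not HP's code): scripted form of the manual TPM checks.
# Assumes a Device Manager entry whose name contains "TPM" and that the
# firmware version is pasted from the More Details pane.

function Test-TpmDevice {
    # Device Manager check: a TPM entry exists and reports no Configuration
    # Manager error (ConfigManagerErrorCode 0 = "This device is working properly").
    $dev = Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.Name -like '*TPM*' -or $_.Name -like '*Trusted Platform*' }
    if (-not $dev) {
        return @{ Present = $false; Healthy = $false; Name = $null; ErrorCode = $null }
    }
    $first = @($dev)[0]
    return @{
        Present   = $true
        Healthy   = ($first.ConfigManagerErrorCode -eq 0)
        Name      = $first.Name
        ErrorCode = $first.ConfigManagerErrorCode
    }
}

function Test-DotNet11 {
    # Add or Remove Programs check, read from the key the 1.1 installer writes.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322'
    if (-not (Test-Path $key)) { return $false }
    return ((Get-ItemProperty $key).Install -eq 1)
}

function Test-FirmwareVersion {
    param([string]$Reported, [string]$Minimum = '2.18')
    # Compare as versions, not strings: "2.9" must not be judged newer than "2.18".
    try   { return ([version]$Reported -ge [version]$Minimum) }
    catch { return $false }   # unparsable input (e.g. before the post-update reboot)
}

# Usage: paste the FW Version shown under More Details as -Reported.
$tpm = Test-TpmDevice
"TPM device present: {0}; healthy: {1} ({2}, CM error code {3})" -f $tpm.Present, $tpm.Healthy, $tpm.Name, $tpm.ErrorCode
"Microsoft .NET Framework 1.1 installed: {0}" -f (Test-DotNet11)
"Firmware 2.18 or greater: {0}" -f (Test-FirmwareVersion -Reported '2.18')
```

If Test-TpmDevice reports the device as absent, check that the TPM is unhidden in the Computer Setup (F10) Utility before suspecting a damaged module; a hidden TPM never appears in Device Manager at all. Run the firmware comparison only after the reboot that follows an update, since the guide notes the version is not reported correctly before then.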
HP ProtectTools Credential Manager: Using the Credential Manager Network Accounts option, a user can select which domain account to log into. When TPM authentication is used, this option is not available. All other authentication methods work properly
Details: With TPM authentication, the user is only logged into the local machine.
Solution / Workaround: Use the Credential Manager Single Sign On tools to authenticate to the other accounts.
HP ProtectTools Embedded Security: Automated logon scripts do not function during a user restore in Embedded Security
Details: The error occurs after the user:
1. Initializes the owner and user in Embedded Security (using the default locations, My Documents).
2. Resets the chip to factory settings in the BIOS.
3. Reboots the machine.
4. Begins to restore Embedded Security. During the restore process, Credential Manager 1.5.0.631.35 asks whether the system can automate the logon to Infineon TPM User Authentication. If the user selects Yes, the location of SPEmRecToken automatically appears in the text box.
Even though this location is correct, the following error message is displayed: "No Emergency Recovery Token is provided. Select the token location the Emergency Recovery Token should be retrieved from."
Solution / Workaround: Use the Browse button to select the location, and the restore process proceeds.
HP ProtectTools Credential Manager: The USB token credential is not available for login to Windows XP SP1
Details: After installing the USB token software, registering the USB token credential, and setting Credential Manager as the primary login, the USB token is neither listed nor available in the Credential Manager/GINA logon. If the user logs back into Windows, logs off Credential Manager, logs back into Credential Manager, and reselects the token as the primary login, the token login then functions normally.
Solution / Workaround: This occurs only with Windows XP SP1; updating Windows to SP2 via Windows Update corrects it. To work around the problem while retaining SP1, log back into Windows using another credential (the Windows password), then log off and log back into Credential Manager.
HP ProtectTools Credential Manager: Some application Web pages produce errors that prevent the user from performing or completing tasks
Details: Some Web-based applications stop functioning and report errors because of the way Single Sign On disables functionality on the page. For example, an "!" in a yellow triangle appears in Internet Explorer, indicating that an error has occurred.
Solution / Workaround: Credential Manager Single Sign On does not support all software Web interfaces. Disable Single Sign On support for the specific Web page. See the complete documentation on Single Sign On in the Credential Manager help files. If Single Sign On cannot be disabled for a given application, call 3rd-level support for direct HP assistance.
HP ProtectTools Credential Manager: The system intermittently locks up and goes into hibernation when an APC biometric fingerprint reader is configured as an authentication tool for Credential Manager
Details: The system intermittently locks up and displays the "going into hibernation" screen when an APC Personal biometric USB Pod (BIOPOD) is configured as an authentication tool for Credential Manager.
Solution / Workaround: Press the power button for 3 seconds to force the system to reboot. HP is working on a resolution, which will be made available in future Credential Manager product development.
Software Impacted: HP ProtectTools Security Manager—Intermittently, an error is returned when closing the Security Manager interface
Details: Intermittently (1 in 12 instances), an error is created by using the close button in the upper right of the screen to close Security Manager before all plug-in applications have finished loading.
Solution / Workaround: This is related to a timing dependency on plug-in services load time when closing and restarting Security Manager. Since PTHOST.exe is the shell housing the other applications (plug-ins), it depends on the ability of each plug-in to complete its load time (services). Closing the shell before the plug-in has had time to complete loading is the root cause. To resolve, allow Security Manager to complete the services loading message (seen at the top of the Security Manager window) and all plug-ins listed in the left column. To avoid failure, allow a reasonable time for these plug-ins to load. No corrective action is planned by HP for the Security Manager product.

Software Impacted: HP ProtectTools Embedded Security—Guest User account can violate policy through the PSD interface
Details: Using the Embedded Security Task Notification Area (task tray) icon, a guest user can bypass Security Manager and initialize a basic user. During the basic user initialization, the guest could create a PSD that monopolizes the hard drive.
Solution / Workaround: The system administrator can resolve this by deleting the guest-user-created PSD. HP is working with plug-in suppliers to be aware of limited/guest user capabilities for future product enhancements.

Software Impacted: HP ProtectTools Embedded Security—Guest User receives message that PTHOST.exe has not been approved by Hewlett-Packard Company
Details: The following error message appears when a guest user opens HP ProtectTools Security Manager: this module ‘C:\Program Files\HPQ\HP ProtectTools Security\PTHOST.EXE’ has not been approved by Hewlett-Packard Company. Do you want to continue?
Solution / Workaround: Guest user support is not provided by HP; HP recommends limited user support by the administrator. Future improvements are planned to prevent Security Manager runtime in Guest mode.

Software Impacted: HP ProtectTools Embedded Security—Multiple User PSDs do not function in a fast-user-switching environment
Details: This error occurs when multiple users have been created and given a PSD with the same drive letter. If an attempt is made to fast-user-switch between users when the PSD is loaded, the second user's PSD will be unavailable.
Solution / Workaround: The second user's PSD will only be available if it is reconfigured to use another drive letter or if the first user is logged off.

Software Impacted: HP ProtectTools Embedded Security—PSD is disabled and cannot be deleted after formatting the hard drive on which the PSD was generated
Details: The PSD is disabled and cannot be deleted after formatting the secondary hard drive on which the PSD was generated. The PSD icon is still visible, but the error message drive is not accessible appears when the user attempts to access the PSD. The user is not able to delete the PSD and a message appears that states: your PSD is still in use, please ensure that your PSD contains no open files and is not accessed by another process. The user must reboot the system in order to delete the PSD; it is not loaded after reboot.
Solution / Workaround: As designed: if a customer force-deletes or disconnects from the storage location of the PSD data, the Embedded Security PSD drive emulation continues to function and will produce errors based on lack of communication with the missing data. Resolution: after the next reboot, the emulation fails to load and the user can delete the old PSD emulation and create a new PSD.

Software Impacted: HP ProtectTools General—Unrestricted access or uncontrolled administrator privileges pose security risk
Details: Numerous risks are possible with unrestricted access to the client PC:
• deletion of PSD
• malicious modification of user settings
• disabling of security policies and functions
Solution / Workaround: Administrators are encouraged to follow “best practices” in restricting end-user privileges and restricting user access. Unauthorized users should not be granted administrative privileges.

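A check an administrator can run against the risk described in this row, added here as an example and not part of the HP guide: it lists the members of the local Administrators group and flags any account that is not on an allow-list. The allow-list entries are constructed placeholders; the ADSI fallback covers clients older than Windows 10, such as the Windows XP/2000 systems this guide describes.

```powershell
# Added example (not from the HP guide): audit the local Administrators
# group against an allow-list of accounts that are supposed to be there.
# The allow-list below is a constructed placeholder; replace it with the
# accounts your organisation actually authorises.
$AllowedAdmins = @(
    'Administrator',   # built-in local administrator (placeholder)
    'Domain Admins'    # placeholder domain group
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedAdmins)

    # Get-LocalGroupMember exists on Windows 10 / Server 2016 and later.
    # Older clients fall back to the ADSI WinNT provider, which returns
    # bare account names without the domain prefix.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        $members = Get-LocalGroupMember -Group 'Administrators' |
            ForEach-Object { $_.Name }
    } else {
        $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    }

    foreach ($m in $members) {
        # Compare on the part after the last backslash so that both code
        # paths ("DOMAIN\Name" and "Name") are judged the same way.
        $short = ($m -split '\\')[-1]
        if ($Allowed -notcontains $short) {
            [pscustomobject]@{ Member = $m; Status = 'NOT ON ALLOW-LIST' }
        }
    }
}

Get-UnexpectedLocalAdmins | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; an empty result means every member of the local Administrators group is on the allow-list. Because the comparison drops the domain part, two accounts with the same short name in different domains are treated alike, which is acceptable for a quick audit but not for a formal review.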
Software Impacted: HP ProtectTools Embedded Security—Hiding the Broadcom TPM in the BIOS causes the Embedded Security Software to stop functioning and produce error messages
Details: With Embedded Security software loaded, hiding the TPM chip in the BIOS causes the software to stop functioning if Security Manager is launched in Windows. The user will eventually see two errors indicating inability to connect to the TPM three minutes after the application hangs up.
Solution / Workaround: Hiding the TPM in BIOS makes the TPM invisible to the ACPI table and Windows, and installed software cannot recognize the device. This behavior is as designed, as the Security Manager requires the TPM hardware. Customers wishing to avoid this behavior should re-enable their TPM or remove the HP Embedded Security software through Add/remove programs.

Software Impacted: HP ProtectTools Embedded Security—An internal error has been detected restoring from Automatic Backup Archive
Details: If the user
1. clicks Restore under the Backup option of Embedded Security in HPPTSM to restore from the automatic backup Archive, and
2. selects SPSystemBackup.xml,
the Restore Wizard fails and the following error message is displayed: The selected Backup Archive does not match the restore reason. Please select another archive and continue.
Solution / Workaround: If the user selects the SpSystemBackup.xml when the SpBackupArchive.xml is required, the Embedded Security Wizard fails with: An internal Embedded Security error has been detected. The user must select the correct .xml file to match the required reason. The processes are working as designed and function properly; however, the internal Embedded Security error message is not clear and should state a more appropriate message. We are working to enhance this in future products.

Software Impacted: HP ProtectTools Embedded Security—Security System restore error with multiple users
Details: During the restore process, if the administrator selects users to restore, the users not selected are not able to restore their keys when trying to restore at a later time. An error message that a decryption process failed is displayed.
Solution / Workaround: The non-selected users can be restored by resetting the TPM, running the restore process, and selecting all users before the next default daily backup runs. If the automated backup runs, it overwrites the non-restored users and their data is lost. If a new system backup is stored, the previous non-selected users cannot be restored. Also, the user must restore the entire system backup. An Archive Backup can be restored individually.

Software Impacted: HP ProtectTools Embedded Security—After reinstalling Embedded Security, user sees general driver error
Details: After reinstalling Embedded Security, either by setup.bat or through supplemental CD autorun, a general driver error is displayed when opening Security Manager, Embedded Security, user settings, configure, check PSD.
Solution / Workaround: A reboot is not requested, but it is required. The reinstallation of Embedded Security produces this error if it is used before the computer is rebooted. HP is working on an enhancement to be made available in future product versions.

Software Impacted: HP ProtectTools Embedded Security—Resetting System ROM to default hides TPM.
Details: Resetting the system ROM to default hides the TPM to Windows. This does not allow the security software to operate properly and makes TPM-encrypted data inaccessible.
Solution / Workaround: Unhide the TPM in BIOS: Open the Computer Setup (F10) Utility, navigate to Security > Device security, modify the field from Hidden to Available.

Software Impacted: HP ProtectTools Embedded Security—Numerous end-task errors during reboot after uninstalling
Details: If the user uninstalls HP ProtectTools Embedded Security and waits a few minutes after the uninstall completes, when the user selects Yes to reboot, numerous end-task errors appear with Japanese (JP), Taiwanese (TW), Traditional Chinese (TZ). These end tasks include:
• persistWnd
• hkem.exe
• conime.exe
• ccapp
• PSD
• HP ProtectTools Embedded Security Icon tray
Solution / Workaround: This occurs only on the first uninstall attempt. Allow more time and the stalled process will successfully complete.

Software Impacted: HP ProtectTools Embedded Security—Automatic backup does not work with mapped drive
Details: When an administrator sets up Automatic Backup in Embedded Security, it creates an entry in Windows > Tasks > Scheduled Task. This Windows Scheduled Task is set to use NT AUTHORITY\SYSTEM for rights to execute the backup. This works properly to any local drive. When the administrator instead configures the Automatic Backup to save to a mapped drive, the process fails because the NT AUTHORITY\SYSTEM does not have the rights to use the mapped drive. If the Automatic Backup is scheduled to occur upon login, the Embedded Security TNA Icon displays the following message: The Backup Archive location is currently not accessible. Click here if you want to backup to a temporary archive until the Backup Archive is accessible again. If the Automatic Backup is scheduled for a specific time, however, the backup fails without displaying notice of the failure.
Solution / Workaround: The workaround is to change the NT AUTHORITY\SYSTEM to (computer name)\(admin name). This is the default setting if the Scheduled Task is created manually. HP is working to provide future product releases with default settings that include computer name\admin name.

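Added example (PowerShell), not from the HP guide: a check for the condition in this row, namely whether a backup destination will be reachable from a scheduled task that runs as NT AUTHORITY\SYSTEM. Mapped drive letters exist only inside the interactive session that created them, so SYSTEM cannot see them, whereas a local drive or a UNC path is visible to any account that holds the file permissions. The sample paths are constructed; the task listing relies on the 'Run As User' column of the verbose CSV output of schtasks.

```powershell
# Added example (not from the HP guide): classify a backup destination by
# whether a task running as SYSTEM could reach it. DriveType 4 in
# Win32_LogicalDisk means "network drive", i.e. a per-session mapping.
function Test-BackupPathForSystemTask {
    param(
        [Parameter(Mandatory)] [string]$Path,        # e.g. 'Z:\Backups' or '\\server\share\Backups'
        [string]$RunAsUser = 'NT AUTHORITY\SYSTEM'   # principal the scheduled task runs under
    )

    $isSystem = $RunAsUser -match '^(NT AUTHORITY\\)?SYSTEM$'

    if ($Path.StartsWith('\\')) {
        # UNC paths do not depend on a session mapping; the task account still
        # needs share and NTFS rights on the target.
        $verdict = 'OK: UNC path (grant the task account share/NTFS rights)'
    } else {
        $letter = ($Path -split ':')[0]
        $disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${letter}:'" `
                      -ErrorAction SilentlyContinue
        if ($null -eq $disk) {
            $verdict = 'FAIL: drive letter not present in this session'
        } elseif ($disk.DriveType -eq 4 -and $isSystem) {
            $verdict = 'FAIL: mapped network drive is invisible to SYSTEM; use a UNC path or run the task as (computer name)\(admin name) as the guide advises'
        } elseif ($disk.DriveType -eq 4) {
            $verdict = 'WARN: mapped drive; only valid if the task account maps it at run time'
        } else {
            $verdict = 'OK: local drive'
        }
    }
    [pscustomobject]@{ Path = $Path; RunAs = $RunAsUser; Verdict = $verdict }
}

# List scheduled tasks whose "Run As User" is SYSTEM so the backup task's
# destination can be checked with the function above.
# schtasks /query /v /fo CSV is available on Windows XP SP2 and later.
function Get-TasksRunningAsSystem {
    schtasks /query /v /fo CSV | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -match 'SYSTEM' } |
        Select-Object TaskName, 'Run As User', 'Task To Run'
}

# Constructed sample inputs (assumed paths, not from the guide):
Test-BackupPathForSystemTask -Path 'C:\Backups'
Test-BackupPathForSystemTask -Path 'Z:\Backups'
Test-BackupPathForSystemTask -Path '\\fileserver\backups'
Get-TasksRunningAsSystem | Format-Table -AutoSize
```

The drive-letter check reflects the session it runs in, so run it as the interactive administrator who mapped the drive: a letter that resolves there as DriveType 4 is exactly the one SYSTEM will not find at run time, which matches the silent failure the row describes for time-scheduled backups.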
Software Impacted: HP ProtectTools Embedded Security—Unable to disable Embedded Security State temporarily in Embedded Security GUI
Details: The current 4.0 software was designed for HP Notebook 1.1B implementations, as well as supporting HP Desktop 1.2 implementations. This option to disable is still supported in the software interface for TPM 1.1 platforms.
Solution / Workaround: HP will address this issue in future releases.

Software Impacted: HP ProtectTools Credential Manager—No option to Browse for Virtual Token during the login process
Details: The user cannot move the location of a registered virtual token in Credential Manager because the option to browse was removed due to security risks.
Solution / Workaround: The browse option was removed from current product offerings because it allowed non-users to delete and rename files and take control of Windows.

Software Impacted: HP ProtectTools Credential Manager—Login with TPM authentication does not give the Network Accounts option
Details: Using the Network Accounts option, a user can select which domain account to log into. When TPM authentication is used, this option is not available.
Solution / Workaround: HP is researching a workaround for future product enhancements.

Software Impacted: HP ProtectTools Credential Manager—Credential Manager creates long account names that are truncated.
Details: When registering a password in Credential Manager, the user can click Options and select Prompt to select account for this application. The user must then enter a unique name for each document so Credential Manager can tell which password to apply. When creating these unique names, Credential Manager fills in the application name and the user enters the document name. In this window, the user can scroll to view the document name. When reopening the password-protected document, the document names cannot scroll. Credential Manager automatically fills in the application name; only 9 characters can be viewed when selecting the unique name.
Solution / Workaround: HP is researching a workaround for future product enhancements.

Software Impacted: HP ProtectTools Credential Manager—Domain administrators cannot change Windows password even with authorization
Details: This happens after a domain administrator logs on to a domain and registers the domain identity with Credential Manager using an account with Administrator's rights on the domain and the local PC. When the domain administrator attempts to change the Windows password from Credential Manager, the administrator gets an error logon failure: User account restriction.
Solution / Workaround: Credential Manager cannot change a domain user's account password through Change Windows password. Credential Manager can only change the local PC account passwords. The domain user can change his/her password through the Windows security > Change password option, but, since the domain user does not have a physical account on the local PC, Credential Manager can only change the password used to log in.

Software Impacted: HP ProtectTools Credential Manager—Credential Manager Single Sign On default settings should be set to prompt to prevent loop
Details: The Single Sign On default is set to log users in automatically. However, when creating the second of two different password-protected documents, Credential Manager uses the last password recorded—the one from the first document.
Solution / Workaround: HP is researching a workaround for future product enhancements.

Software Impacted: HP ProtectTools Credential Manager—Incompatibility issues with Corel WordPerfect 12 password gina
Details: If the user logs in to Credential Manager, creates a document in WordPerfect and saves it with password protection, Credential Manager cannot detect or recognize, either manually or automatically, the password gina.
Solution / Workaround: HP is researching a workaround for future product enhancements.

Software Impacted: HP ProtectTools Credential Manager—Credential Manager does not recognize the Connect button
Details: If the Single Sign On credentials for Remote Desktop Connection (RDP) are set to Connect, Single Sign On, upon relaunch, always enters Save As instead of Connect.
Solution / Workaround: HP is researching a workaround for future product enhancements.

Software Impacted: HP ProtectTools Credential Manager—ATI Catalyst configuration wizard is not usable with Credential Manager
Details: Credential Manager Single Sign On conflicts with the ATI Catalyst configure wizard.
Solution / Workaround: Disable the Credential Manager Single Sign On.

Software Impacted: HP ProtectTools Credential Manager—When logging in using TPM authentication, the Back button skips the option to choose another authentication method
Details: If a user using TPM login authentication for Credential Manager enters his/her password, the Back button does not work properly, but instead immediately displays the Windows login screen.
Solution / Workaround: HP is researching a workaround for future product enhancements.

Software Impacted: HP ProtectTools Credential Manager—Credential Manager opens out of standby when it is configured not to
Details: When Use Credential Manager log on to Windows is not selected as an option, allowing the system to go into S3 suspend and then waking the system causes the Credential Manager logon to Windows to open.
Solution / Workaround: With no administrator password set, the user cannot log on to Windows through Credential Manager because of account restrictions invoked by the Credential Manager.
Without smart card/token: The user can cancel the Credential Manager login and will see the Microsoft Windows login. The user can log in at this point.
With smart card/token: The following workaround allows the user to enable/disable opening of Credential Manager upon smart card insertion.
1. Click Advanced Settings.
2. Click Service & Applications.
3. Click Smart Cards and Tokens.
4. Click when smart card/token is inserted.
5. Select the Advise to log-on checkbox.

Software Impacted: HP ProtectTools Smart Card Manager—The option to Require PIN at Boot does not work
Details: The Settings button, at HP ProtectTools Security Manager > Smart Card Security > BIOS > Smart Card BIOS Password Properties, is a function of the card properties, as the name states. This button is functional for any supported card placed in the reader. The button becomes grayed out if there is no smart card administrator or user password on the card, and it is available if there is a password on the card. This allows the card owner to change the card PIN at boot properties at any time.
Solution / Workaround: The message box that asks the operator for a PIN at boot time is then determined by the data on the card. This method requires the operator to have a card and, optionally, as determined by the card owner, to know a PIN to gain access to the computer. For the computer power-on authentication to work, the BIOS Security Mode, at the top of the Smart Card Security > BIOS page, must be enabled. If it is not enabled, the PIN at boot time will not have any functionality. HP is researching a resolution for the next product offering.

Software Impacted: HP ProtectTools Smart Card Manager—Smart card software displaying incorrect USB status
Details: After unplugging the USB cable of the Smart Card terminal, the status remains 'blue.' To get the correct status, ProtectTools Security Manager must be reopened.
Solution / Workaround: Refresh the graphical user interface by closing and reopening the smart card software.

Software Impacted: HP ProtectTools Smart Card Manager—Smart Card Security Manager allows user to enter Japanese characters for the name of the card owner, but the Japanese name will be in garbage characters in authentication
Details: If the customer set up the system to request PIN input, the BIOS screen stays on with a garbage admin name and prompts for the corresponding password, so the customer impact is not minimal. It may lead the customer to type the wrong password and lock up the system.
Solution / Workaround: There is a BIOS limitation of available fonts/characters. Multi-byte characters stored on the smart card are not correctly displayed. At this point, there is no real solution for this. HP is working to add information in product help files to further clarify this limitation in future product offerings.

Software Impacted: HP ProtectTools Credential Manager—Users lose all Credential Manager credentials protected by the TPM if the TPM module is removed or damaged
Details: If the TPM module is removed or damaged, users lose all credentials protected by the TPM.
Solution / Workaround: This is as designed. The TPM Module is designed to protect the Credential Manager credentials. HP recommends that the user back up identity from Credential Manager prior to removing the TPM module.

Software Impacted: HP ProtectTools Credential Manager—Credential Manager not being set as primary logon in Windows 2000
Details: During Windows 2000 install, the logon policy is set for manual or auto logon admin. If auto logon is chosen, then the Windows default registry settings set the default auto admin logon value at 1, and Credential Manager does not override this.
Solution / Workaround: This is as designed. If the user wishes to modify operating system level settings for auto admin logon values for bypassing, the edit path is: HKEY_LOCAL_MACHINE/Software/Microsoft/WindowsNT/CurrentVersion/WinLogon
Use Registry Editor at your own risk! Using the Registry Editor (regedit) incorrectly can cause serious problems that may require you to reinstall your operating system. There is no guarantee that problems resulting from the incorrect use of Registry Editor can be solved.

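Added example, not part of the HP guide: a read-only PowerShell check of the auto admin logon values under the Winlogon key named above (the same key, written as a PowerShell registry path with the conventional "Windows NT" spelling). It reports whether automatic logon is on, which account it would use, and whether a plaintext DefaultPassword value is present, without reading that value back or changing anything, so it is a safe way to find out why Credential Manager is not the primary logon before deciding whether to edit the registry at all.

```powershell
# Added example (not from the HP guide): inspect the Winlogon auto-logon
# settings. This only reads the registry; it never writes to it.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoAdminLogonState {
    param([string]$Key = $WinlogonKey)

    $props = Get-ItemProperty -Path $Key -ErrorAction Stop

    # AutoAdminLogon is a REG_SZ holding "1" or "0"; anything other than "1"
    # (including a missing value) means automatic logon is off.
    $enabled = ($props.AutoAdminLogon -eq '1')

    # DefaultPassword, when present, holds the logon password in clear text.
    # We only report that it exists; the value itself is deliberately not read.
    $hasPlaintextPassword = $null -ne $props.PSObject.Properties['DefaultPassword']

    $finding = if ($enabled) {
        'Auto admin logon is on: Windows signs in without Credential Manager, which (per the guide) does not override this value.'
    } else {
        'Auto admin logon is off.'
    }

    [pscustomobject]@{
        AutoAdminLogon       = $enabled
        DefaultUserName      = $props.DefaultUserName
        DefaultDomainName    = $props.DefaultDomainName
        PlaintextPasswordSet = $hasPlaintextPassword
        Finding              = $finding
    }
}

Get-AutoAdminLogonState | Format-List
```

A machine that reports AutoAdminLogon as on together with PlaintextPasswordSet as true is exposing a credential to anyone who can read HKLM, in addition to bypassing Credential Manager; in that case the guide's caution about regedit applies, and the change should be made through a tested configuration procedure rather than by hand.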
Software Impacted: HP ProtectTools Credential Manager—Fingerprint logon message appears whether or not fingerprint reader is installed or registered
Details: If the user selects Windows logon, the following desktop alert appears in the Credential Manager task bar: You can place your finger on the fingerprint reader to log on to Credential Manager.
Solution / Workaround: The purpose of the desktop alert is to notify the user that fingerprint authentication is available, if it is configured.

Software Impacted: HP ProtectTools Credential Manager—Credential Manager logon window for Windows 2000 states insert card when no reader is attached
Details: The Windows Credential Manager Welcome screen suggests the user can log on with insert card when no smart card reader is attached.
Solution / Workaround: The purpose of the alert is to notify the user that smart card authentication is available, if it is configured.

Software Impacted: HP ProtectTools Credential Manager—Unable to log into Credential Manager after transitioning from sleeping to hibernation on Windows XP SP1 only
Details: After allowing the system to transition into hibernation, the user is unable to log into Credential Manager and the Windows logon screen remains displayed no matter which logon credential (password, fingerprint or smart card) is selected.
Solution / Workaround: This issue appears to be resolved in SP2 from Microsoft. Refer to the Microsoft knowledge base for the cause of the issue.
Customer Workaround: In order to log on, the user must select Credential Manager and log in. After logging into Credential Manager, the user is prompted to log in to Windows (the user may have to select the Windows login option) to complete the login process. If the user logs into Windows first, then the user must manually log into Credential Manager.

Software Impacted: HP ProtectTools Credential Manager—Restoring Embedded Security causes Credential Manager to fail
Details: Credential Manager fails to register any credentials after the TPM Embedded Security Module is restored.
Solution / Workaround: The HP Credential Manager for ProtectTools fails to access the TPM if the TPM was reset to factory settings or replaced after the Credential Manager installation.
Workaround:
1. Back up the user identity before replacing or resetting the TPM.
2. Uninstall the Credential Manager.
3. Enable and initialize the TPM.
4. Install the Credential Manager.
5. Restore the user identity.
HP is investigating resolution options for future customer software releases.

Software Impacted: HP ProtectTools Credential Manager—Credentials are lost from Credential Manager when Embedded Security is uninstalled
Details: The Embedded Security device encrypts and protects the credentials. Removing the Embedded Security software causes a loss of all encrypted data.
Solution / Workaround: Users should regularly back up their credentials, as referenced in the help files. The Credential Manager Backup and Restore options are available on the Credential Manager menu. If the user does not back up credentials prior to removing the Embedded Security Manager, his/her credentials are lost.
Users who have backed up encrypted credentials should:
1. Reinstall HP ProtectTools Embedded Security software.
2. Perform the restore option for both their Embedded Security device and their Credential Manager backup files.

Software Impacted: HP ProtectTools Credential Manager—Security cannot register smart card in Credential Manager through the More option
Details: Cannot register a Smart Card in Credential Manager through the My Identity > More > Register Credentials option. The user must use the Register Smart Card or Token option.
Solution / Workaround: This functionality was not originally designed into the product. This is being implemented in future product revisions being designed by HP.

Software Impacted: HP ProtectTools Credential Manager—Security Restore Identity process loses association with virtual token
Details: When the user restores identity, Credential Manager can lose association with the location of the virtual token at the login screen. Even though Credential Manager has the virtual token registered, the user must reregister the token to restore the association.
Solution / Workaround: This is currently by design. When uninstalling Credential Manager without keeping identities, the system (server) part of the token is destroyed, so the token cannot be used anymore for logon, even if the client part of the token is restored through identity restore. HP is investigating long-term options for resolution.