Microsoft, Windows, and Windows Vista are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
This document contains proprietary information that is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Hewlett-Packard Company.
HP ProtectTools User Guide
HP Compaq Business PC
First Edition: July 2008
Document Part Number: 491163-001
About This Book
This guide provides basic information for upgrading this computer model.
WARNING! Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life.
CAUTION: Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information.
NOTE: Text set off in this manner provides important supplemental information.
Table of contents
1 Introduction to security
HP ProtectTools features .......... 2
Accessing HP ProtectTools Security .......... 4
Power .......... 70
Index .......... 97
1 Introduction to security
HP ProtectTools Security Manager for Administrators software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Enhanced security functionality is provided by the following software modules:
● Credential Manager for HP ProtectTools
● Drive Encryption for HP ProtectTools
● Privacy Manager for HP ProtectTools
● File Sanitizer for HP ProtectTools
● Java Card Security for HP ProtectTools
● BIOS Configuration for HP ProtectTools
● Embedded Security for HP ProtectTools
● Device Access Manager for HP ProtectTools
NOTE: Credential Manager, Java Card Security, and Drive Encryption are configured using the Security Manager setup wizard.
HP ProtectTools software modules may be preinstalled, preloaded, or available as a configurable option or as an after market option. Visit http://www.hp.com for more information.
NOTE: The instructions in this guide are written with the assumption that you have already installed the applicable HP ProtectTools software modules.
HP ProtectTools features
The following table details the key features of HP ProtectTools modules:
Module: HP ProtectTools Security Manager for Administrators
Key features:
● The Security Manager setup wizard is used by administrators to set up and configure levels of security and security logon methods. Users can also use the setup wizard to configure their logon methods.
● Administrator tools are used to add and remove ProtectTools users and view user status.
● Backs up and restores security modules from installed HP ProtectTools modules.
Module: Credential Manager for HP ProtectTools
Key features:
● Credential Manager acts as a personal password vault, streamlining the logon process with the Single Sign On feature, which automatically remembers and applies user credentials.
● Single Sign On also offers additional protection by requiring combinations of different security technologies, such as a Java™ Card and biometrics, for user authentication.
● Password storage is protected through software encryption and can be enhanced through the use of a TPM embedded security chip and/or security device authentication, such as Java Cards or biometrics.
Module: Drive Encryption for HP ProtectTools
Key features:
● Drive Encryption provides complete, full-volume hard drive encryption.
● Drive Encryption forces pre-boot authentication in order to decrypt and access the data on the hard drive.
Module: Privacy Manager for HP ProtectTools
Key features:
● Privacy Manager is a tool used to obtain Certificates of Authority, which verify the source, integrity, and security of communication when using Microsoft mail, Microsoft Office documents, and Live Messenger.
Module: File Sanitizer for HP ProtectTools
Key features:
● File Sanitizer allows you to securely shred digital assets (securely delete sensitive information including application files, historical or Web-related content, or other confidential data) on your computer and periodically bleach the hard drive (write over data that has been previously deleted but is still present on the hard drive in order to make recovery of the data more difficult).
Module: Java Card Security for HP ProtectTools
Key features:
● Java Card Security is a management software interface for Java Card. Java Card is a personal security device that protects authentication data, requiring both the card and a PIN number to grant access. The Java Card can be used to access Credential Manager, Drive Encryption, HP BIOS, or any number of third party access points.
● Java Card Security configures the HP ProtectTools Java Card for user authentication before the hard drive boots. Java Card Security can be accessed by Embedded Security, Java Card, and passwords.
● Java Card Security configures separate Java Cards for an administrator and a user.
Module: BIOS Configuration for HP ProtectTools
Key features:
● BIOS Configuration provides access to power-on user and administrator password management.
● BIOS Configuration provides an alternative to the pre-boot BIOS configuration utility known as Computer Setup.
● BIOS Configuration enablement of automatic DriveLock support, which is enhanced with the embedded security chip, helps protect a hard drive from unauthorized access, even if it is removed from a system, without requiring the user to remember any additional passwords beyond the embedded security chip user password.
Module: Embedded Security for HP ProtectTools
Key features:
● Embedded Security uses a Trusted Platform Module (TPM) embedded security chip to help protect against unauthorized access to sensitive user data or credentials stored locally on a PC.
● Embedded Security allows creation of a personal secure drive (PSD), which is useful in protecting user file and folder information.
● Embedded Security supports third-party applications (such as Microsoft Outlook and Internet Explorer) for protected digital certificate operations.
Module: Device Access Manager for HP ProtectTools
Key features:
● Device Access Manager allows IT managers to control access to devices such as USB ports, optical drives, etc. based on user profiles.
● Device Access Manager prevents unauthorized users from removing data using external storage media and from introducing viruses into the system from external media.
● The administrator can disable access to writeable devices for specific individuals or groups of users.
Accessing HP ProtectTools Security
To access HP ProtectTools Security Manager for Administrators from Windows® Control Panel:
▲ In Windows Vista®, click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.
– or –
In Windows XP, click Start, click All Programs, and then click HP ProtectTools Security Manager.
NOTE: If you are not an HP ProtectTools administrator, you can run HP ProtectTools in nonadministrator mode to view information, but you cannot make changes.
NOTE: After you have configured the Credential Manager module, you can also open HP ProtectTools by logging on to Credential Manager directly from the Windows logon screen. For more information, refer to Logging on to Windows with Credential Manager on page 24.
Achieving key security objectives
The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives:
● Protecting against targeted theft
● Restricting access to sensitive data
● Preventing unauthorized access from internal or external locations
● Creating strong password policies
● Addressing regulatory security mandates
Protecting against targeted theft
An example of this type of incident would be the targeted theft of a computer or its confidential data and customer information. This can easily occur in open office environments or in unsecured areas. The following features help protect the data if the computer is stolen:
● The pre-boot authentication feature, if enabled, helps prevent access to the operating system. See the following procedures:
◦ Credential Manager
◦ Embedded Security
◦ Drive Encryption
● DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and installed into an unsecured system.
● The Personal Secure Drive feature, provided by the Embedded Security for HP ProtectTools module, encrypts sensitive data to help ensure it cannot be accessed without authentication. See the following procedures:
◦ Embedded Security “Setup procedures on page 72”
◦ “Using the Personal Secure Drive on page 74”
Restricting access to sensitive data
Suppose a contract auditor is working onsite and has been given computer access to review sensitive financial data; you do not want the auditor to be able to print the files or save them to a writeable device such as a CD. The following features help restrict access to data:
● Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable devices so sensitive information cannot be printed or copied from the hard drive onto removable media. See Device class configuration (advanced) on page 79.
● DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and installed into an unsecured system.
Preventing unauthorized access from internal or external locations
Unauthorized access to an unsecured business PC presents a very tangible risk to corporate network resources such as information from financial services, an executive, or R&D team, and to private information such as patient records or personal financial records. The following features help prevent unauthorized access:
● The pre-boot authentication feature, if enabled, helps prevent access to the operating system. See the following procedures:
◦ Credential Manager
◦ Embedded Security
◦ Drive Encryption
● Embedded Security for HP ProtectTools helps protect sensitive user data or credentials stored locally on a PC using the following procedures:
◦ Embedded Security “Setup procedures on page 72”
◦ “Using the Personal Secure Drive on page 74”
● Using the following procedures, Credential Manager for HP ProtectTools helps ensure that an unauthorized user cannot get passwords or access to password-protected applications:
◦ Credential Manager “Setup procedures on page 20”
◦ “Using Single Sign On on page 25”
● Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable devices so sensitive information cannot be copied from the hard drive. See Simple configuration on page 78.
● The Personal Secure Drive feature encrypts sensitive data to help ensure it cannot be accessed without authentication using the following procedures:
◦ Embedded Security “Setup procedures on page 72”
◦ “Using the Personal Secure Drive on page 74”
● File Sanitizer allows you to securely delete data by shredding assets or bleaching the hard drive (write over data that has been previously deleted but is still present on the hard drive in order to make recovery of the data more difficult).
● Privacy Manager allows you to obtain Certificates of Authority when using Microsoft mail, Office documents, and Live Messenger, making the process of sending and saving important information safe and secure.
Creating strong password policies
If a mandate goes into effect that requires the use of strong password policy for dozens of Web-based applications and databases, Credential Manager for HP ProtectTools provides a protected repository for passwords and Single Sign On convenience using the following procedures:
● Credential Manager “Setup procedures on page 20”
● “Using Single Sign On on page 25”
For stronger security, Embedded Security for HP ProtectTools then protects that repository of user names and passwords. This allows users to maintain multiple strong passwords without having to write them down or try to remember them. See Embedded Security Setup procedures on page 72.
Additional security elements
Assigning security roles
In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.
NOTE: In a small organization or for individual use, these roles may all be held by the same person.
For HP ProtectTools, the security duties and privileges can be divided into the following roles:
● Security officer—Defines the security level for the company or network and determines the security features to deploy, such as Java™ Cards, biometric readers, or USB tokens.
● IT administrator—Applies and manages the security features defined by the security officer. Can also enable and disable some features. For example, if the security officer has decided to deploy Java Cards, the IT administrator can enable Java Card BIOS security mode.
● User—Uses the security features. For example, if the security officer and IT administrator have enabled Java Cards for the system, the user can set the Java Card PIN and use the card for authentication.
Managing HP ProtectTools passwords
Most of the HP ProtectTools Security Manager features are secured by passwords. The following table lists the commonly used passwords, the software module where the password is set, and the password function.
The passwords that are set and used by IT administrators only are indicated in this table as well. All other passwords may be set by regular users or administrators.
HP ProtectTools password: Credential Manager logon password
Set in this HP ProtectTools module: Credential Manager
Function: This password offers 2 options:
● It can be used in a separate logon to access Credential Manager after logging on to Windows.
● It can be used in place of the Windows logon process, allowing access to Windows and Credential Manager simultaneously.
HP ProtectTools password: Credential Manager recovery file password
Set in this HP ProtectTools module: Credential Manager, by IT administrator
Function: Protects access to the Credential Manager recovery file.
HP ProtectTools password: Basic User Key password
NOTE: Also known as: Embedded Security password
Set in this HP ProtectTools module: Embedded Security
Function: Used to access Embedded Security features, such as secure e-mail, file, and folder encryption. When used for power-on authentication, also protects access to the computer contents when the computer is turned on, restarted, or restored from hibernation.
HP ProtectTools password: Emergency Recovery Token password
NOTE: Also known as: Emergency Recovery Token Key password
Set in this HP ProtectTools module: Embedded Security, by IT administrator
Function: Protects access to the Emergency Recovery Token, which is a backup file for the embedded security chip.
HP ProtectTools password: Owner password
Set in this HP ProtectTools module: Embedded Security, by IT administrator
Function: Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.
HP ProtectTools password: Java™ Card PIN
Set in this HP ProtectTools module: Java Card Security
Function: Protects access to the Java Card contents and authenticates users of the Java Card. When used for power-on authentication, the Java Card PIN also protects access to the Computer Setup utility and to the computer contents. Authenticates users of Drive Encryption, if the Java Card token is selected.
HP ProtectTools password: Computer Setup password
NOTE: Also known as BIOS administrator, F10 Setup, or Security Setup password
Set in this HP ProtectTools module: BIOS Configuration, by IT administrator
Function: Protects access to the Computer Setup utility.
HP ProtectTools password: Power-on password
Set in this HP ProtectTools module: BIOS Configuration
Function: Protects access to the computer contents when the computer is turned on, restarted, or restored from hibernation.
HP ProtectTools password: Windows Logon password
Set in this HP ProtectTools module: Windows Control Panel
Function: Can be used for manual logon or saved on the Java Card.
Creating a secure password
When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:
● Use passwords with more than 6 characters, preferably more than 8.
● Mix the case of letters throughout your password.
● Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
● Substitute special characters or numbers for letters in a key word. For example, you can use the number 1 for letters I or L.
● Combine words from 2 or more languages.
● Split a word or phrase with numbers or special characters in the middle, for example, “Mary2-2Cat45.”
● Do not use a password that would appear in a dictionary.
● Do not use your name for the password, or any other personal information, such as birth date, pet names, or mother's maiden name, even if you spell it backwards.
● Change passwords regularly. You might change only a couple of characters that increment.
● If you write down your password, do not store it in a commonly visible place very close to the computer.
● Do not save the password in a file, such as an e-mail, on the computer.
● Do not share accounts or tell anyone your password.
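As an added illustration (not part of the HP guide), the following Python function encodes the checkable guidelines above, including the "even if you spell it backwards" test for personal information. The word list and the profile values it is run against are constructed stand-ins.

```python
"""Checks a candidate password against the guidelines listed above.

Added example, not part of the HP ProtectTools guide. The word list and the
personal-information values are constructed stand-ins for a real dictionary
and a user's real profile data.
"""
import re
from typing import Iterable, List, Tuple

# Constructed stand-in for a dictionary word list (assumption: a real
# deployment would load a full word list).
DICTIONARY_WORDS = {"password", "welcome", "secret", "letmein", "summer"}


def _letters_only(text: str) -> str:
    """Keep letters only, lower-cased, so 'Mary2-2Cat45.' becomes 'marycat'."""
    return re.sub(r"[^a-z]", "", text.lower())


def _appears_forwards_or_backwards(password: str, token: str) -> bool:
    """True if the token is in the password, forwards or spelled backwards."""
    pw = password.lower()
    tok = token.lower()
    if len(tok) < 3:          # ignore tokens too short to be meaningful
        return False
    return tok in pw or tok[::-1] in pw


def check_password(password: str, personal_info: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Return (failures, warnings).

    failures: guidelines stated as 'do not' or as a minimum that are violated
    warnings: 'preferably' / 'whenever possible' recommendations not met
    """
    failures: List[str] = []
    warnings: List[str] = []

    # "more than 6 characters, preferably more than 8"
    if len(password) <= 6:
        failures.append("length: use more than 6 characters")
    elif len(password) <= 8:
        warnings.append("length: more than 8 characters is preferred")

    # "Mix the case of letters"
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("case: mix upper- and lower-case letters")

    # "mix alphanumeric characters and include special characters and punctuation"
    if not any(c.isdigit() for c in password):
        failures.append("digits: include at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        warnings.append("special: include special characters or punctuation marks")

    # "Do not use a password that would appear in a dictionary"; the letters-only
    # check also treats a single dictionary word padded with digits as a word.
    if password.lower() in DICTIONARY_WORDS or _letters_only(password) in DICTIONARY_WORDS:
        failures.append("dictionary: password is a dictionary word")

    # "Do not use your name ... or any other personal information ...
    # even if you spell it backwards"
    for token in personal_info:
        if _appears_forwards_or_backwards(password, token):
            failures.append(f"personal: contains personal information '{token}'")

    return failures, warnings


if __name__ == "__main__":
    # Constructed profile data for the demonstration.
    profile = ["jsmith", "rex", "1975"]
    for candidate in ["Mary2-2Cat45.", "password", "xeR1!Apple"]:
        print(candidate, check_password(candidate, profile))
```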
Backing up and restoring HP ProtectTools credentials
To back up and restore credentials from all supported HP ProtectTools modules, reference the following:
Backing up credentials and settings
You can back up credentials in the following ways:
● Use Drive Encryption for HP ProtectTools to select and back up HP ProtectTools credentials. You can also register for Online Drive Encryption Key Recovery Service to store a backup copy of your encryption key, which will enable you to access your computer if you forget your password and do not have access to your local backup.
NOTE: You must be connected to the Internet and have a valid e-mail address to register and to recover your password through this service.
● Use Embedded Security for HP ProtectTools to back up HP ProtectTools credentials.
● Use the Backup and Recovery tool in HP ProtectTools Security Manager for Administrators as a central location from which you can back up and restore security credentials from installed HP ProtectTools modules.
2 HP ProtectTools Security Manager for Administrators
About HP ProtectTools Security Manager for Administrators
HP ProtectTools Security Manager for Administrators provides security features that help protect against unauthorized access to the computer, networks, and critical data. Security Manager is extensible and can therefore grow to handle new threats as they emerge and offer new technologies as they become available.
Use HP ProtectTools Security Manager for Administrators for the initial security setup. The Security Manager centralized user interface has the following features:
● Getting Started - Setup wizard that guides Windows operating system administrators through the configuration of levels of security and of the security login methods that are used in a pre-boot environment, Credential Manager, and Drive Encryption. Users also use the setup wizard to configure their security login methods. Refer to Getting Started - Configuring HP ProtectTools Security Manager for Administrators on page 11 and Getting Started - Configuring user security login methods on page 13 for more information.
● Administrators Tools - Allows Windows administrators to add and remove ProtectTools users and view user status. Refer to page 15 for more information.
● Backup and Restore - Backs up and restores security credentials from installed HP ProtectTools modules. Refer to Backup and Restore on page 16 for more information.
● Settings - Allows you to customize the behavior of a variety of items. Refer to page 19 for more information.
The Security Manager centralized user interface also contains a list of add-on software modules designed to maximize computer security. You can select and configure any number of the available modules.
Getting Started - Configuring HP ProtectTools Security Manager for Administrators
The Getting Started setup wizard allows a Windows administrator to establish and/or update levels of security and security login methods.
Users also use the setup wizard to configure their security logon methods.
NOTE: The Windows administrator can run the setup wizard whenever he or she wants to change the levels of security or security login methods.
The setup wizard guides the Windows administrator through configuring Security Manager:
1. In HP ProtectTools Security Manager for Administrators, click Getting Started, and then click the Security Manager Setup button. A demonstration that describes the Security Manager features may start.
2. On the “Welcome” page, if available, clear the Automatically play video when wizard starts check box if you want to bypass the demonstration of the Security Manager features the next time you run the setup wizard.
3. Read the page, and then click Next.
4. Choose the levels of security on the “Set Levels of Security” page. You can choose one or more of the following levels:
● HP Credential Manager - Protects your Windows account.
● Pre-boot Security (some models) - Protects your computer before Windows starts.
● HP Drive Encryption - Protects your computer data by encrypting the hard drive. Selecting this option will require you to back up the unique encryption key to a removable storage device.
NOTE: The Security meter changes according to your selections. The more levels you select, the more secure your computer will be.
After selecting the security levels, click Next.
5. One or more of the following pages will be displayed, depending on the levels of security you chose in step 4.
● Protect your Windows account - The Windows password is required because Security Manager must synchronize the password for each level of security.
Enter and confirm a Windows password, or enter your password if one has already been established, and then click Next.
● Protect your system before Windows start-up (optional) - If you or the user knows the BIOS administrator password, the BIOS administrator password can be entered. If the BIOS administrator password is entered, the Windows administrator or user becomes a BIOS administrator.
NOTE: If a BIOS administrator password does not exist, you must establish one before you can continue. When a BIOS administrator password is entered, you will become a BIOS administrator.
Enter and confirm a BIOS administrator password, or enter the password if one has already been established. Then click Next.
● Protect your data by encrypting your hard drive - You must use a USB storage device to save the encryption key. Select the drive(s) to be encrypted (at least one drive must be selected), insert the storage device into the appropriate slot, select the storage device where the encryption key will be saved, then click Next.
6. Choose one or more security login methods on the “Set Security Login Methods” page.
a. Under Step 1, select one or more security login methods.
NOTE: The selections apply to both administrators and users.
b. Under Step 2, if you want to increase security, select the check box to require all of the security login methods you selected under Step 1 when logging in to the computer.
If you want any one of the selected security login methods to be permissible when logging in to the computer, do not select the check box.
CAUTION: If you select the check box and a user has not yet configured his or her login methods (Windows password, fingerprint authentication, and/or the HP ProtectTools Java™ Card), that user will not be able to log in to the computer. It is recommended that all users first configure their login methods before this option is selected.
c. Click Next. A summary page opens, allowing you to review your selections.
7. Click Enable on the “Review and Enable Security Settings” page.
When you click Enable, the computer sets your security choices. You will not be able to return to any of the preceding wizard pages until security setup is complete. After you complete the wizard, you can change your settings by running the wizard again.
8. Depending on the security login method(s) you chose in step 6, one or more of the following pages will be displayed. Follow the on-screen instructions, and then click Next.
● “Enroll your fingerprints” - Click the finger on the screen that corresponds to the finger you want to register (you must register at least 2 fingerprints), slowly swipe your chosen finger over the fingerprint sensor, then continue swiping the same finger over the fingerprint sensor until you have completed the required swipes. Repeat the process to register a second finger, then click Finish.
● “Register an HP ProtectTools Java Card” - Insert the HP ProtectTools Java Card, enter the Java Card PIN, then click Finish.
9. On the “Congratulations” page, review your selections, and then click Done.
Getting Started - Configuring user security login methods
After the Windows administrator has configured the levels of security and security login methods, users run the setup wizard to be added as HP ProtectTools users on the computer:
NOTE: Users who run the setup wizard will see most of the wizard pages. However, the “Set Levels of Security” and “Set Security Login Methods” pages are not configurable because they are administrator tasks only.
1. Log in to the computer.
2. In Security Manager, click Getting Started, and then click the Security Manager Setup button.
3. On the “Welcome” page, clear the Automatically play video when wizard starts check box if you want to bypass the demonstration of the Security Manager features the next time you run the setup wizard.
4. Read the page, and then click Next.
5. On the “Set Levels of Security” page, click Next.
6. Depending on the levels of security set by the administrator, one or both of the following pages will be displayed.
● Protect your Windows account - The Windows password is required because Security Manager must synchronize the password for each level of security.
NOTE: If HP Credential Manager is the only level of security selected, you will not be prompted for your Windows password because Credential Manager already knows your Windows password.
Enter and confirm a Windows password, or enter your password if one has already been established, and then click Next.
● Protect your system before Windows start-up (optional) - If you know the BIOS administrator password, the BIOS administrator password can be entered. If the BIOS administrator password is entered, the Windows administrator or user becomes a BIOS administrator.
NOTE: If a BIOS administrator password does not exist, you must establish one before you can continue. When a BIOS administrator password is entered, you will become a BIOS administrator.
Enter and confirm a BIOS administrator password, or enter the password if one has already been established. Then click Next.
7. On the “Set Security Login Methods” page, click Next.
8. On the “Review and Enable Security Settings” page, click Enable.
9. Depending on the security login methods set by the administrator, one or both of the following pages will be displayed. Follow the on-screen instructions, and then click Next.
● “Enroll your fingerprints” - Click the finger on the screen that corresponds to the finger you want to register (you must register at least 2 fingerprints), slowly swipe your chosen finger over the fingerprint sensor, then continue swiping the same finger over the fingerprint sensor until you have completed the required swipes. Repeat the process to register a second finger, then click Finish.
● “Register an HP ProtectTools Java Card” - Insert the HP ProtectTools Java Card, enter the Java Card PIN, then click Finish.
10. On the “Congratulations” page, review your selections, and then click Done.
Logging in after Security Manager is configured
Login scenarios vary, depending on the levels of security and security login methods chosen by the Windows administrator during configuration. Several possible scenarios follow:
● If all 3 levels of security have been configured and all security login methods are required, users must log in using all of the configured methods when the computer is first turned on. This action logs the user in to Windows.
● If all 3 levels of security have been configured and any of the security login methods is permissible, users may log in using any one of the configured security login methods when the computer is first turned on. This action logs the user in to Windows.
● If the HP Drive Encryption and the HP Credential Manager levels of security have been configured and all security login methods are required, users must log in using all of the configured methods when the HP Drive Encryption login screen opens. This action logs the user in to Windows.
● If the HP Drive Encryption and the HP Credential Manager levels of security have been configured and any of the configured security login methods is permissible, users may log in using any one of the security login methods when the HP Drive Encryption login screen opens. This action logs the user in to Windows.
● If the HP Credential Manager level of security has been configured and all of the security login methods are required, users must log in using all of the configured methods when the Credential Manager login screen opens. This action logs the user in to Windows.
● If the HP Credential Manager level of security option has been configured and any of the configured security login methods is permissible, users may log in using any one of the security login methods when the Credential Manager login screen opens. This action logs the user in to Windows.
NOTE: If the HP Credential Manager level of security has not been configured, users must still enter their Windows password at the Windows login screen, regardless of the security login methods that are required by other levels of security.
Windows administrators can add and remove HP ProtectTools users and view user status using the
Administrator Tools feature.
In Administrator Tools, the Administrator and User tabs show the selected security login methods and
whether a user can choose to use any one of them or must use all of them. If you want to change levels
of security or security login methods, you must run the setup wizard to make those changes.
Adding a user
The Windows administrator can add additional administrators or regular users to the users list. The
process is the same for both.
NOTE: Before you add a user, that user must already have a Windows user account on the computer
and must be present during the following procedure to provide the password.
To add a user to the users list:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.
2. Click Administrator Tools.
3. Click the Manage Users button.
4. Select the Administrator or User tab.
5. Click Add.
6. Click the user name for the account you want to add or type it in the User Name box, and then click Next.
NOTE: You must use an existing Windows account and click the name or type it exactly. You cannot modify or add a Windows user account using this dialog box.
7. Type the Windows password for the selected account, and then click OK.
NOTE: If the user will be logging in with the fingerprint and/or HP ProtectTools Java Card security
login method, he or she must now log in to the computer and run the setup wizard to configure
those security login methods.
Removing a user
NOTE: This procedure does not delete the Windows user account. It only removes that account from
Security Manager. To completely remove the user, you must remove the user from both Security
Manager and Windows.
To remove a user from the users list:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.
2. Click Administrator Tools.
3. Click the Manage Users button.
4. Select the Administrator or User tab.
5. Click the user name for the account you want to remove, and then click Remove.
NOTE: You cannot remove an administrator if there is only one administrator listed in the Administrator list.
6. In the confirmation dialog box, click Yes.
Checking user status
In Administrator Tools, the Administrator and User tabs show the current status of each user:
● Green check mark - Indicates that the user has configured the required security login method(s).
● Yellow exclamation point - Indicates that a user has not configured one or more of the required or permissible security login method(s). For example, if the Windows administrator configures at least two security login methods and indicates that either of them can be used for logging in to the computer, a user who has already configured one of those methods may log in using that method. The yellow exclamation point indicates to the Windows administrator that the user has not configured the other security login method.
● Red X - Indicates that the user has not configured a required security login method and will be locked out of the computer when trying to log in. The user must run the setup wizard to configure the required login method(s).
● Blank - Indicates that a security login method is not required.
Backup and Restore
HP ProtectTools Backup and Restore provides a central location from which you can back up and restore
security credentials from installed HP ProtectTools modules.
In Security Manager, click Backup and Restore, and then click one of the following buttons:
● Backup Options button - Allows you to configure backup settings. For details, refer to Using the Backup wizard on page 17.
● Backup button - Allows you to perform an immediate backup of all security credentials.
NOTE: You must configure backup settings using the Backup Options button before you can perform a backup.
● Schedule Backups button - Allows you to set up scheduled backups. If you need help with scheduling, search for the topic “task scheduling” in Windows Help.
NOTE: You must configure backup settings using the Backup Options button before you can schedule a backup.
● Restore button - Allows you to restore previously backed up security credentials. For details, refer to Using the Restore wizard on page 18.
CAUTION: Backup files created outside of HP ProtectTools Backup and Restore (for example, files
created previously by a specific security module) are not compatible with HP ProtectTools Backup and
Restore, and therefore cannot be restored by HP ProtectTools Backup and Restore or by new versions
of the security modules themselves. HP recommends that you create a new backup file with
HP ProtectTools Backup and Restore.
Using the Backup wizard
1. In Security Manager, click Backup and Restore, and then click Backup Options to start the Backup wizard.
2. Clear the Show Welcome Screen check box if you want to bypass the “Welcome” page the next time the Backup wizard is run.
3. Click Next. The “Security Modules” page opens.
4. Refer to the following subsections to continue.
Security Modules
To select modules to back up, follow these steps:
1. Select the check box at the beginning of a row to add the associated module to the backup list. Click the Select All or Clear All buttons to quickly add or remove all modules from the backup list. Note that the Status column for the module must display “Ready” or “Needs Authentication” before you can select it.
NOTE: The check box is unavailable if the module is not ready. After you update a module's status, click the Refresh button on the right side of the row to update the Status field. Click the Refresh All button to update the status for all modules.
2. If necessary, type the required value in the Authentication column for each selected module. The security device may require the entry of authentication values to access the credential data on the device. These values may include passwords, PINs, and so on.
3. Click Next. The “File Location” page opens.
File Location
The “File Location” page allows you to choose the location of the backup storage file and the security
token file.
The security token file securely stores the key used to encrypt the backup storage file. A password encrypts the contents of the security token file. Saving the security token file to an offline location (USB flash drive, disc, or other media) provides a two-factor level of security, because to access the backed-up data in the storage file, you must have the security token file and know the password. Therefore, HP recommends that you store the storage file and the token file on two different removable media that are stored in different locations.
To configure file location:
1. Confirm or change the file name and location where you want to save the storage file and security token file. To change the location, click the Edit button, and then type the new file name, or click Browse to select a new location. An extension of .ptb is automatically appended to the file name.
NOTE: Only one instance of backup data is allowed for each module in a given storage file. If you specify an existing storage file, you will be given the option to overwrite the selected module's data within the storage file or to specify a different storage file. If you specify an existing storage file, the entire file is not overwritten, only the backup data for the selected module.
2. To encrypt and protect the storage file with the security token and password, click Password protect the storage file. Then type and confirm the password with which to encrypt the security token file.
3. Click Remember all passwords and authentication values to configure the system to securely cache (save) passwords, which enables unattended backups. Enabling this feature also caches any authentication values entered in Security Modules.
4. Click Backup Now to start the backup, or click Next to save the backup configuration without performing a backup at this time.
If you choose to start the backup, the “Backup Complete” page opens at the end of the operation.
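The key separation described under File Location, shown as an added illustration that is not part of this guide and is not HP's .ptb file format: a random data key encrypts the storage file, that data key is wrapped into a separate token file, and the token file is encrypted under a key derived from the user's password, so recovering the credentials requires the storage file, the token file and the password together. All function names, the file layouts and the sample credential data are assumptions made for the example. Because it uses only the Python standard library, AES is replaced with an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag; a production implementation would use AES-GCM from a vetted library.

```python
"""Illustrative two-file backup protection (not HP's .ptb format).

storage file : credential data sealed under a random 32-byte data key
token file   : salt || sealed(data key), sealed under a password-derived key

Toy primitive: HMAC-SHA256 in counter mode for confidentiality plus an
encrypt-then-MAC tag. Standard library only; use AES-GCM in real code.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32
SALT_LEN = 16
PBKDF2_ITERATIONS = 100_000  # assumption; tune for the target hardware


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: block_i = HMAC(enc_key, nonce || i), XORed over data."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on a wrong key or a modified file."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified file")
    return _keystream_xor(enc_key, nonce, ciphertext)


def _password_key(password: str, salt: bytes) -> bytes:
    """Password -> key for the token file (the password never touches the storage file)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_backup(credentials: dict, password: str) -> tuple[bytes, bytes]:
    """Return (storage_file, token_file) as two independent byte strings."""
    data_key = secrets.token_bytes(32)
    storage_file = seal(data_key, json.dumps(credentials).encode())
    salt = secrets.token_bytes(SALT_LEN)
    token_file = salt + seal(_password_key(password, salt), data_key)
    return storage_file, token_file


def restore_backup(storage_file: bytes, token_file: bytes, password: str) -> dict:
    """Both files and the password are needed; any one missing or wrong fails."""
    salt, wrapped_key = token_file[:SALT_LEN], token_file[SALT_LEN:]
    data_key = unseal(_password_key(password, salt), wrapped_key)
    return json.loads(unseal(data_key, storage_file).decode())


def restore_or_none(storage_file: bytes, token_file: bytes, password: str):
    """Convenience wrapper returning None instead of raising on failure."""
    try:
        return restore_backup(storage_file, token_file, password)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample credential data; not output of any real module.
    sample = {"Embedded Security": {"owner_password_hash": "c0ffee"},
              "Credential Manager": {"sso_records": 3}}
    storage, token = create_backup(sample, "correct horse battery staple")
    print("round trip ok:", restore_or_none(storage, token, "correct horse battery staple") == sample)
    print("wrong password:", restore_or_none(storage, token, "password1"))
    print("storage with someone else's token:", restore_or_none(storage, create_backup(sample, "x")[1], "x"))
```

Restoring needs all three inputs: the storage file alone carries no key, the token file alone is useless without the password, and a token file from a different backup fails the authentication check rather than producing garbage. That is the property behind HP's advice to keep the two files on separate media. The Remember all passwords and authentication values option (step 3 above) caches the password on the computer to allow unattended backups; if the token file is also kept on that computer, possession of the machine supplies both factors, so the caching option is best paired with keeping the token file offline.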
Backup Complete
The “Backup Complete” page shows the status of the backup operation.
1. Click View Log to see more details about the backup operation, including any errors.
2. Click Finish to exit the wizard.
Using the Restore wizard
1. In Security Manager, click Backup and Restore, and then click Restore to start the Restore wizard.
2. Clear the Show Welcome Screen check box if you want to bypass the “Welcome” page the next time the Restore wizard is run.
3. Click Next. The “File Location” page opens.
4. Refer to the following subsections to continue.
File Location
The “File Location” page allows you to choose the backup storage file and the security token file (if
applicable) that contain the security credentials to restore.
To select the location of the backup files, follow these steps:
1. If the storage file is not displayed on the page, click the Edit button, and then click Browse to navigate to the file.
2. If the security token file is not displayed on the page, click the Edit button, and then click Browse to navigate to the security token file location.
3. If necessary, type the password for the file.
4. Click Next. The “Security Modules” page opens.
Security Modules
This page displays all installed modules that have backup data in the file selected in the “File Location”
page.
To select modules to restore:
1. Select the check box at the beginning of each row to add the associated module to the restore list. Click the Select All or Clear All buttons to quickly add or remove modules from the restore list. Note that the Status column for the module must display “Ready” or “Needs Authentication” before you can select it.
NOTE: The check box is unavailable if the module is not ready. After you update a module's status, click the Refresh button on the right side of the row to update the Status field. Click the Refresh All button to update the status for all modules.
2. If necessary, type the required value in the Authentication column for each selected module. Authentication values may be required to access the security device to restore. These values may include passwords, PINs, and so on. Values typed in these fields are immediately validated.
3. Click Next. The “Confirmation” page opens.
Confirmation
1. If you want to change the restore settings, click Previous to go back to the restore configuration screens.
2. Confirm that you want to restore the credentials for the listed modules, and then click Restore Now to begin the restore.
3. Select the files you want to restore and click Finish.
4. Click Yes in the confirmation dialog box.
CAUTION: Restoring credentials will overwrite current credentials which could lead to loss of data or
system lockout.
Restore Complete
The “Restore Complete” page shows the status of the restore operation.
● Click View Log to see more details about the restore operation, including any errors.
● Click Finish to exit the wizard.
Settings
In HP ProtectTools Security Manager for Administrators, click Settings to change the settings options. The following Security Manager settings are available:
● Select the Show icon on the taskbar check box to display a taskbar icon that allows you to start the host and activate a specific page and/or launch a specific application.
● Select the Show Security Desktop Notifications check box to display notifications generated by the installed modules.
● View or bypass the Backup wizard “Welcome” page.
● View or bypass the Restore wizard “Welcome” page.
3 Credential Manager for HP ProtectTools
Credential Manager for HP ProtectTools protects against unauthorized access to your computer using
the following security features:
● Alternatives to passwords when logging on to Windows, such as using a Java Card or biometric reader to log on to Windows. For additional information, refer to Registering credentials on page 21.
● Single Sign On feature that automatically remembers credentials for Web sites, applications, and protected network resources.
● Support for optional security devices, such as Java Cards and biometric readers.
● Support for additional security settings, such as requiring authentication using an optional security device to unlock the computer.
Setup procedures
Logging on to Credential Manager
Depending on the configuration, you can log on to Credential Manager in any of the following ways:
● HP ProtectTools Security Manager for Administrators icon in the notification area
● In Windows Vista®, click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.
● In Windows XP, click Start, click All Programs, and then click HP ProtectTools Security Manager.
NOTE: In Windows Vista, you must launch the HP ProtectTools Security Manager for Administrators to make changes.
After logging on to Credential Manager, you can register additional credentials, such as a fingerprint or a Java Card. For additional information, refer to Registering credentials on page 21.
At the next logon, you can select the logon policy and use any combination of the registered credentials.
Using the Credential Manager Logon Wizard
To log on to Credential Manager using the Credential Manager Logon Wizard, use the following steps:
1. Open the Credential Manager Logon Wizard in any of the following ways:
● From the Windows logon screen
● From the notification area, by double-clicking the HP ProtectTools Security Manager for Administrators icon
● From the “Credential Manager” page of HP ProtectTools Security Manager for Administrators, by clicking the Log On link in the upper-right corner of the window
2. Follow the on-screen instructions to log on to Credential Manager.
Registering credentials
You can use the “My Identity” page to register your various authentication methods, or credentials. After
they have been registered, you can use these methods to log on to Credential Manager.
Registering fingerprints
A fingerprint reader allows you to log on to Windows using your fingerprint for authentication instead of
using a Windows password.
Setting up the fingerprint reader
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click My Identity, and then click Register Fingerprints.
3. Follow the on-screen instructions to complete registering your fingerprints and setting up the fingerprint reader.
4. To set up the fingerprint reader for a different Windows user, log on to Windows as that user and then repeat the steps listed above.
Using your registered fingerprint to log on to Windows
1. Immediately after you have registered your fingerprints, restart Windows.
2. At the Windows Welcome screen, swipe any of your registered fingers to log on to Windows.
Registering a Smart Card or Token
A smart card is a plastic card about the size of a credit card with an embedded microchip that can be
loaded with information. Smart cards provide protection of information and authentication for individual
users. Logging on to a network with a smart card can provide a strong form of authentication when it
uses cryptography-based identification and proof of possession when authenticating a user to a domain.
A USB token is simply a smart card in a different form factor. Rather than deploying the smart chip on
a plastic credit platform, the smart chip is inserted into a plastic token, also known as a USB key. The
major difference between a smart card and a token is in the access interface. A card requires a reader,
while a token plugs directly into any USB port. There is no difference in the core functionality of storing
and providing credentials.
A USB token is used for strong authentication, combining possession of the token with knowledge of its PIN.
NOTE: You must have a card reader configured for this procedure. If you do not have a reader installed, you can register a virtual token as described in Creating a virtual token on page 23.
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click My Identity, and then click Register Smart Card or Token.
3. On the Device Type dialog box, click the desired type of device, and then click Next.
4. If a smart card or USB token was selected as the device type, make sure that the smart card is inserted or the token is connected to a USB port.
NOTE: If the smart card is not inserted or the USB token is not connected, the Next button is disabled in the Select Token dialog box.
5. On the Device Type dialog box, click Next. The Token Properties dialog box is displayed.
6. Type the User PIN, select Register smart card or token for authentication, and then click Finish.
Registering other credentials
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager.
2. Click My Identity, and then click Register Credentials. The Credential Manager Registration Wizard opens.
3. Follow the on-screen instructions.
General tasks
All users have access to the “My Identity” page in Credential Manager. From the “My Identity” page, you can perform the following tasks:
● Change the Windows logon password
● Change a token PIN
● Lock a workstation
NOTE: This option is available only if the Credential Manager classic logon prompt is enabled. See Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager on page 30.
Creating a virtual token
A virtual token works very much like a Java Card or USB Token. The token is saved either on the
computer hard drive or in the Windows registry. When you log on with a virtual token, you are asked for
a user PIN to complete the authentication.
To create a new virtual token:
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click My Identity, and then click Register Smart Card or Token.
3. On the Device Type dialog box, click Virtual Token, and then click Next.
4. Specify the token name and location, and click Next. A new virtual token can be stored either in a file or in the Windows registry database.
5. On the Token Properties dialog box, specify the Master PIN and User PIN for the newly created virtual token, select Register smart card or token for authentication, and then click Finish.
Changing the Windows logon password
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click My Identity, and then click Change Windows Password.
3. Type your old password in the Old password box.
4. Type your new password in the New password and Confirm password boxes.
5. Click Finish.
Changing a token PIN
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click My Identity, and then click Change Token PIN.
3. On the Device Type dialog box, click the desired type of device, and then click Next.
4. Select the token for which you want to change the PIN, and then click Next.
5. Follow the on-screen instructions to complete the PIN change.
NOTE: If you enter an incorrect PIN for the token several times in sequence, the token is locked out. You will be unable to use this token until you unlock it.
Locking the computer (workstation)
This feature is available if you log on to Windows using Credential Manager. To secure your computer
when you are away from your desk, use the Lock Workstation feature. This prevents unauthorized users
from gaining access to your computer. Only you and members of the administrators group on your
computer can unlock it.
NOTE: This option is available only if the Credential Manager classic logon prompt is enabled. See
Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager
on page 30.
For added security, you can configure the Lock Workstation feature to require a Java Card, biometric reader, or token to unlock the computer. For more information, see Configuring Credential Manager settings on page 30.
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click My Identity.
3. Click Lock Workstation to lock your computer immediately. You must use a Windows password or the Credential Manager Logon Wizard to unlock the computer.
Using Windows Logon
You can use Credential Manager to log on to Windows, either at a local computer or on a network
domain. When you log on to Credential Manager for the first time, the system automatically adds your
local Windows user account as the account for the Windows Logon service.
Logging on to Windows with Credential Manager
You can use Credential Manager to log on to a Windows network or local account.
1. If you have registered your fingerprint to log on to Windows, swipe your finger to log on.
2. In Windows XP, if you have not registered your fingerprint to log on to Windows, click the keyboard icon in the upper-left corner of the screen next to the fingerprint icon. The Credential Manager Logon Wizard opens.
In Windows Vista, if you have not registered your fingerprint to log on to Windows, click the Credential Manager icon at the logon screen. The Credential Manager Logon Wizard opens.
3. Click the User name arrow, and then click your name.
4. Type your password in the Password box, and then click Next.
5. Select More, and then click Wizard Options.
a. If you want this to be the default user name the next time that you log on to the computer, select the Use last user name on next logon check box.
b. If you want this logon policy to be the default method, select the Use last policy on next logon check box.
6. Follow the on-screen instructions. If your authentication information is correct, you will be logged on to your Windows account and to Credential Manager.
Using Single Sign On
Credential Manager has a Single Sign On feature that stores user names and passwords for multiple
Internet and Windows programs, and automatically enters logon credentials when you access a
registered program.
NOTE: Security and privacy are important features of Single Sign On. All credentials are encrypted
and are available only after successful logon to Credential Manager.
NOTE: You can also configure Single Sign On to validate your authentication credentials with a Java Card, a fingerprint reader, or a token before logging on to a secure site or program. This is particularly useful when logging on to programs or Web sites that contain personal information, such as bank account numbers. For more information, refer to Configuring Credential Manager settings on page 30.
Registering a new application
Credential Manager prompts you to register any application that you launch while you are logged on to
Credential Manager. You can also register an application manually.
Using automatic registration
1. Open an application that requires you to log on.
2. Click the Credential Manager SSO icon in the program or Web site password dialog box.
3. Type your password for the program or Web site, and then click OK. The Credential Manager Single Sign On dialog box opens.
4. Click More and select from the following options:
● Do not use SSO for this site or application.
● Prompt to select account for this application.
● Fill in credentials but do not submit.
● Authenticate user before submitting credentials.
● Show SSO shortcut for this application.
5. Click Yes to complete the registration.
Using manual (drag and drop) registration
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Services and Applications in the left pane.
2. Click Manage Applications and Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. To modify or remove a previously registered web site or application, select the desired record in the list.
4. Follow the on-screen instructions.
Managing applications and credentials
Modifying application properties
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Services and Applications in the left pane.
2. Click Manage Applications and Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. Click the application entry you want to modify, and then click Properties.
4. Click the General tab to modify the application name and description. Change the settings by selecting or clearing the check boxes next to the appropriate settings.
5. Click the Script tab to view and edit the SSO application script.
6. Click OK.
Removing an application from Single Sign On
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Services and Applications in the left pane.
2. Click Manage Applications and Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. Click the application entry you want to remove, and then click Remove.
4. Click Yes in the confirmation dialog box.
5. Click OK.
Exporting an application
You can export applications to create a backup copy of the Single Sign On application script. This file
can then be used to recover the Single Sign On data. This acts as a supplement to the identity backup
file, which contains only the credential information.
To export an application:
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Services and Applications in the left pane.
2. Click Manage Applications and Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. Click the application entry you want to export, and then click More.
4. Follow the on-screen instructions to complete the export.
5. Click OK.
Importing an application
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Services and Applications in the left pane.
2. Click Manage Applications and Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. Click the application entry you want to import, and then click More.
4. Follow the on-screen instructions to complete the import.
5. Click OK.
Modifying credentials
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Services and Applications.
2. Click Manage Applications and Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. Click the application entry you want to modify, and then click More.
4. Some of the options that can be selected include:
● Applications
◦ Add New
◦ Remove
◦ Properties
◦ Import Script
◦ Export Script
● Credentials
◦ Create New
◦ View Password
NOTE: You must authenticate your identity before viewing the password.
5. Follow the on-screen instructions.
6. Click OK.
Using Application Protection
This feature allows you to configure access to applications. You can restrict access based on the following criteria:
● Category of user
● Time of use
● User inactivity
Restricting access to an application
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane, and then click Services and Applications.
2. Click Application Protection, and then click Manage Protected Applications.
3. Select a category of user whose access you want to manage.
NOTE: If the category is not Everyone, you may need to select Override default settings to override the settings for the Everyone category.
4. Click Add. The Add a Program Wizard opens.
5. Follow the on-screen instructions.
Removing protection from an application
To remove restrictions from an application:
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click Services and Applications.
3. Click Application Protection, and then click Manage Protected Applications.
4. Select a category of user whose access you want to manage.
NOTE: If the category is not Everyone, you may need to click Override default settings to override the settings for the Everyone category.
5. Click the application entry you want to remove, and then click Remove.
6. Click OK.
Changing restriction settings for a protected application
1. Click Application Protection, and then click Manage Protected Applications.
2. Select a category of user whose access you want to manage.
NOTE: If the category is not Everyone, you may need to click Override default settings to override the settings for the Everyone category.
3. Click the application you want to change, and then click Properties. The Properties dialog box for that application opens.
4. Click the General tab. Select one of the following settings:
● Disabled (Cannot be used)
● Enabled (Can be used without restrictions)
● Restricted (Usage depends on settings)
5. When you select Restricted, the following settings are available:
a. If you want to restrict usage based on time, day, or date, click the Schedule tab and configure the settings.
b. If you want to restrict usage based on inactivity, click the Advanced tab and select the period of inactivity.
6. Click OK to close the application Properties dialog box.
7. Click OK.
Advanced tasks (administrator only)
The “Multifactor Authentication” page and the “Settings” page of Credential Manager are available only to those users with administrator rights. From these pages, you can perform the following tasks:
● Configuring credential properties
● Configuring Credential Manager settings
Configuring credential properties
On the Credentials tab of the “Multifactor Authentication” page, you can view the list of available
authentication methods, and modify the settings.
To configure the credentials:
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click Multifactor Authentication.
3. Click the Credentials tab.
4. Click the credential type you want to modify. You can modify the credential using one of the following choices:
● To register the credential, click Register, and then follow the on-screen instructions.
● To delete the credential, click Clear, and then click Yes in the confirmation dialog box.
● To modify the credential properties, click Properties, and then follow the on-screen instructions.
5. Click Apply, and then click OK.
Configuring Credential Manager settings
From the “Settings” page, you can access and modify various settings using the following tabs:
● General—Allows you to modify the settings for basic configuration.
● Single Sign On—Allows you to modify the settings for how Single Sign On works for the current user, such as how it handles detection of logon screens, automatic logon to registered logon dialogs, and password display.
● Services and Applications—Allows you to view the available services and modify the settings for those services.
● Security—Allows you to select the fingerprint reader software and adjust the security level of the fingerprint reader.
● Smart Cards and Tokens—Allows you to view and modify properties for all available Java Cards and tokens.
To modify Credential Manager settings:
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click Settings.
3. Click the appropriate tab for the settings you want to modify.
4. Follow the on-screen instructions to modify the settings.
5. Click Apply, and then click OK.
Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane.
2. Click Settings.
3. Click the General tab.
4. Under Select the way users log on to Windows, select the Use Credential Manager to log on to Windows check box.
5. Click Apply, and then click OK.
6. Restart the computer.
NOTE: Selecting the Use Credential Manager to log on to Windows check box allows you to lock your computer. See Locking the computer (workstation) on page 24.
NOTE: The procedure above may be slightly different for Windows XP.
Example 2—Using the “Advanced Settings” page to require user verification before
Single Sign On
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Settings.
2. Click the Single Sign On tab.
3. Under When registered logon dialog or Web page is visited, select the Authenticate user before submitting credentials check box.
4. Click Apply, and then click OK.
5. Restart the computer.
4 Drive Encryption for HP ProtectTools
CAUTION: If you decide to uninstall the Drive Encryption module or if you are using a backup and
restore solution, you must first decrypt all encrypted drives. If you do not, you will not be able to access
the data on encrypted drives unless you have registered with the Drive Encryption recovery service.
Reinstalling the Drive Encryption module will not enable you to access the encrypted drives.
Setup procedures
Opening Drive Encryption
1.Click Start, click All Programs, and then click HP ProtectTools Security Manager for
Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2.Click Drive Encryption.
General tasks
Activating Drive Encryption
Use the HP ProtectTools Security Manager for Administrators setup wizard to activate Drive Encryption.
Deactivating Drive Encryption
Use the HP ProtectTools Security Manager for Administrators setup wizard to deactivate Drive
Encryption.
Logging in after Drive Encryption is activated
When you turn on the computer after Drive Encryption is activated and your user account is enrolled,
you must log in at the Drive Encryption logon screen:
NOTE: If the Windows administrator has enabled Pre-boot Security in the HP ProtectTools Security
Manager for Administrators, you will log in to the computer immediately after the computer is turned on,
rather than at the Drive Encryption logon screen.
1.Select your user name, and then type your Windows password or Java™ Card PIN, or swipe a
registered finger.
2.Click OK.
NOTE: If you use a recovery key to log in at the Drive Encryption logon screen, you will also be
prompted to select your Windows user name and type your password at the Windows logon screen.
Advanced tasks
Managing Drive Encryption (administrator task)
The “Encryption Management” page allows Windows administrators to view and change the status of
Drive Encryption (active or inactive) and to view the encryption status of all of the hard drives on the
computer.
Activating a TPM-protected password
Use Embedded Security for HP ProtectTools to activate the TPM. After activation, logging in at the Drive
Encryption logon screen requires the Windows user name and password.
NOTE: Because the password is protected by a TPM security chip, if the hard drive is moved to another
computer, data cannot be accessed unless the TPM settings are migrated to that computer.
1.Use Embedded Security for HP ProtectTools to activate the TPM.
2.Open Drive Encryption, and click Encryption Management.
3.Select the TPM-protected password check box.
Encrypting or decrypting individual drives
1.Open Drive Encryption, and click Encryption Management.
2.Click Change Encryption.
3.In the Change Encryption dialog box, select or clear the check box next to each hard drive you
want to encrypt or decrypt, and then click OK.
NOTE: When the drive is being encrypted or decrypted, the progress bar shows the time remaining
to complete the process during the current session. If the computer is shut down or initiates Sleep or
Hibernation during the encryption process and then restarts, the Time Remaining display resets to the
beginning, but the actual encryption resumes where it last stopped. The time remaining and progress
display will change more quickly to reflect the previous progress.
Backup and recovery (administrator task)
The “Recovery” page allows Windows administrators to back up and recover encryption keys.
Creating backup keys
CAUTION: Be sure to keep the storage device containing the backup key in a safe place, because if
you forget your password or lose your Java Card, this device provides your only access to your hard
drive.
1.Open Drive Encryption, and then click Recovery.
2.Click Backup Keys.
3.On the “Select Backup Disk” page, click the name of the device where you want to back up your
encryption key, and then click Next.
4.Read the information on the next page that is displayed, and then click Next.
The encryption key is saved on the storage device you selected.
5.Click OK when the confirmation dialog box opens.
Registering for online recovery
The Online Drive Encryption Key Recovery Service stores a backup copy of your encryption key, which
will enable you to access your computer if you forget your password and do not have access to your
local backup.
NOTE: You must be connected to the Internet and have a valid e-mail address to register and to
recover your password through this service.
1.Open Drive Encryption, and then click Recovery.
2.Click Register.
3.Click one of the following options:
● I want to create a new recovery account for this PC. If you choose this option, type your e-mail address and other information, and then click Next.
● I want to add this PC to my existing web recovery account.
4.Create and confirm a password, select security questions and type the answers, and then click
Next.
NOTE: An account activation code will be sent to the e-mail address you provided.
5.Enter the activation code, and then click Next.
6.Enter the computer serial number, and then click Next.
NOTE: To locate the computer serial number, click Start, and then click Help and Support.
7.If you do not have a subscription coupon, click the Click here to purchase coupons link.
Clicking the link directs you to the SafeBoot Recovery Service Web site. Do not exit the wizard.
8.Click Purchase Coupon Codes.
9.Select your country, the type of computer, and then click Start.
10. Click Buy next to the 1-year subscription option or the 3-year subscription option.
11. Click Checkout.
12. Read the terms and conditions, and then click Accept.
13. Enter your billing information, and then click Continue.
14. Enter your credit card information, and then click Make Payment.
15. Write down your coupon code, and then return to the “Account Activation” page in the wizard.
16. Enter your account activation code, and then click Next.
17. When the confirmation dialog box opens, click OK.
Managing an existing online recovery account
After you create an online recovery account, you can access the SafeBoot Recovery Service Web site
to recover access to your computer if you lose your password, modify your personal settings, reset the
password you use for the online recovery account, and view or renew your account.
1.Open Drive Encryption, and then click Recovery.
2.Click Manage.
3.When the “SafeBoot Recovery Service” Web page opens, click Recovery Service Account or
Recovery Process.
4.On the recovery service logon page, enter your e-mail address, password, and the numbers and
letters you see in the box.
5.Click Logon.
6.Click Profile to update your personal information, such as your telephone or billing address.
– or –
Click Reset Password to reset or change your password.
– or –
Click My Subscriptions to view your current subscription information.
NOTE: The “My Subscriptions” page also allows you to renew your subscription. Click Renew
Subscription to perform this action.
Performing a recovery
Performing a local recovery
1.Turn on the computer.
2.Insert the removable storage device that stores your backup key.
3.When the Drive Encryption for HP ProtectTools logon dialog box opens, click Cancel.
4.Click Options in the lower-left corner of the screen, and then click Recovery.
5.Click Local recovery, and then click Next.
6.Select the file that contains your backup key or click Browse to search for it, and then click Next.
7.When the confirmation dialog box opens, click OK.
The recovery process is completed and your computer starts.
NOTE: It is highly recommended that you reset your password after performing a recovery.
Performing an online recovery
NOTE: This section describes how to perform an online recovery when you have access to a different
computer with an Internet connection. If you do not have access to such a computer, contact HP
technical support.
1.Turn on the computer.
2.When the Drive Encryption for HP ProtectTools logon dialog box opens, click Cancel.
3.Click Options in the lower-left corner of the screen, and then click Recovery.
4.Click Web recovery, and then click Next.
5.Record the client code, and then click Next.
6. On a different computer with an Internet connection, access the SafeBoot Recovery Service Web site at http://www.safeboot-hp.com.
7.Click Recovery Process.
8.On the recovery service logon page, enter your e-mail address, password, and the numbers and
letters you see in the box.
9.Click Logon.
10. Click Recovery Process.
11. Enter the client code you recorded from the computer you are recovering, and enter the numbers
and letters you see in the box.
12. Click Submit.
13. Record each line of the response key.
14. On the computer you are recovering, enter line 1 of the response key that you recorded from the
SafeBoot Recovery Service Web site, and then click Enter.
15. Enter line 2 of the response key, and then click Enter.
16. Enter line 3 of the response key, and then click Enter.
17. Enter line 4 of the response key, and then click Enter.
NOTE: Line 4 of the response key is shorter than the first 3 lines.
18. Click Finish.
NOTE: It is highly recommended that you reset your password after performing a recovery.
5 Privacy Manager for HP ProtectTools
Privacy Manager is a tool used to obtain certificates issued by a certificate authority (CA). These certificates verify the source and integrity of, and protect the confidentiality of, communication when using Microsoft Outlook e-mail, Microsoft Office documents, and Windows Live Messenger.
Privacy Manager leverages the security infrastructure provided by HP ProtectTools Security Manager
for Administrators, which includes the following security logon methods:
● Fingerprint authentication
● Windows® password
● HP ProtectTools Java™ Card
● Virtual Token
● Embedded Security for HP ProtectTools Basic User Key
You may use any of the above security logon methods in Privacy Manager.
Opening Privacy Manager
To open Privacy Manager:
1.Click Start, click All Programs, and then click HP ProtectTools Security Manager for
Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2.Click Privacy Manager: Sign and Chat.
– or –
Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click Privacy Manager: Sign and Chat, and then click Configuration.
– or –
On the toolbar of a Microsoft Outlook e-mail message, click the down arrow next to Send Securely,
and then click Certificate Manager or Trusted Contact Manager.
– or –
On the toolbar of a Microsoft Office document, click the down arrow next to Sign and Encrypt, and then
click Certificate Manager or Trusted Contact Manager.
Setup procedures
Managing Privacy Manager Certificates
Privacy Manager Certificates protect data and messages using a cryptographic technology called public key infrastructure (PKI). PKI requires users to obtain a cryptographic key pair and a Privacy Manager Certificate issued by a certificate authority (CA). The certificate binds your public key to your identity (your e-mail address); the private key stays on your computer and is what actually signs and decrypts, which is why the backup file created during installation must be kept safe. Unlike most data encryption and authentication software, which only requires you to authenticate periodically, Privacy Manager requires authentication each time you sign an e-mail message or a Microsoft Office document using a cryptographic key. Privacy Manager makes the process of saving and sending your important information safe and secure.
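The PKI paragraph above, the “Send signed” caveat later in this chapter (a tampered message is marked invalid on receipt), and the Check Revocation step under Managing Trusted Contacts all rest on the same checks a recipient's client performs. The following is an added example in Go, not HP's or DigitalPersona's code and not the format Privacy Manager itself uses: it builds a toy certificate authority (an assumption standing in for the CA that issues Privacy Manager Certificates), issues a user certificate bound to a constructed e-mail address, signs a constructed message, and then shows that a valid signature verifies, that a message altered by a single bit is rejected, and that a signature from a certificate the CA has since revoked is rejected even though the signature is still mathematically valid. The in-memory revoked set stands in for a CRL or OCSP lookup; the CA name, e-mail address, serial numbers and message text are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer is a toy CA (an assumption); revoked stands in for CRL/OCSP data.
type Issuer struct {
	cert    *x509.Certificate
	key     ed25519.PrivateKey
	revoked map[string]bool // keyed by certificate serial number
}

func check(err error) {
	if err != nil {
		panic(err) // key generation and self-issued certificates cannot realistically fail here
	}
}

// newCert generates a key pair and a certificate for tmpl, signed by the parent's key
// (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, priv
}

// NewIssuer creates a self-signed CA; the name is made up.
func NewIssuer() *Issuer {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Privacy CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, key := newCert(tmpl, nil, nil)
	return &Issuer{cert: cert, key: key, revoked: map[string]bool{}}
}

// Issue creates an end-user certificate bound to an e-mail address (the analogue of a
// Privacy Manager Certificate) and returns it together with its private key.
func (ca *Issuer) Issue(email string, serial int64) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return newCert(tmpl, ca.cert, ca.key)
}

// Revoke marks a certificate as untrusted. The private key still signs and decrypts;
// only relying parties that check status will refuse it.
func (ca *Issuer) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// Verify performs the recipient-side checks in order: chain the signer's certificate to
// the trusted CA, consult revocation, then check the signature over the bytes received.
func Verify(ca *Issuer, signer *x509.Certificate, message, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if ca.revoked[signer.SerialNumber.String()] {
		return fmt.Errorf("certificate %s revoked", signer.SerialNumber)
	}
	pub, ok := signer.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, message, sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// RunScenario covers the three cases a recipient must distinguish: valid, tampered, revoked.
func RunScenario() (validOK, tamperedRejected, revokedRejected bool) {
	ca := NewIssuer()
	cert, key := ca.Issue("alice@example.com", 1001)                           // constructed signer
	msg := []byte("Quarterly figures attached; please countersign by Friday.") // constructed message
	sig := ed25519.Sign(key, msg)
	validOK = Verify(ca, cert, msg, sig) == nil
	tampered := append([]byte{}, msg...)
	tampered[0] ^= 0x01 // one flipped bit is enough to invalidate the signature
	tamperedRejected = Verify(ca, cert, tampered, sig) != nil
	ca.Revoke(cert) // the relying-party effect of "Revoking your Privacy Manager Certificate"
	revokedRejected = Verify(ca, cert, msg, sig) != nil
	return
}

func main() {
	v, t, r := RunScenario()
	fmt.Printf("valid accepted: %v, tampered rejected: %v, revoked rejected: %v\n", v, t, r)
}
```

The order of checks in Verify is the point: chain validity and revocation are decided before the signature is even examined, which is why a revoked certificate is refused although its key still produces correct signatures, and why the revocation NOTE below says a revoked certificate can still open files that were encrypted to it.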
Requesting and installing a Privacy Manager Certificate
Before you can use the Privacy Manager features, you must request and install a Privacy Manager
Certificate (from within Privacy Manager) using a valid e-mail address. The e-mail address must be set
up as an account within Microsoft Outlook on the same computer from which you are requesting the
Privacy Manager Certificate.
Requesting a Privacy Manager Certificate
1.Open Privacy Manager, and click Certificate Manager.
2.Click Request a Privacy Manager Certificate.
3.On the “Welcome” page, read the text, and then click Next.
4.On the “License Agreement” page, read the license agreement.
5.Be sure that the check box next to Check here to accept the terms of this license agreement
is selected, and then click Next.
6.On the “Your Certificate Details” page, enter the required information, and then click Next.
7.On the “Certificate Request Accepted” page, click Finish.
You will receive an e-mail in Microsoft Outlook with your Privacy Manager Certificate attached.
Installing a Privacy Manager Certificate
1.When you receive the e-mail with your Privacy Manager Certificate attached, open the e-mail and
click the Setup button, in the lower-right corner of the message.
2.Authenticate using your chosen security logon method.
3.On the “Certificate Installed” page, click Next.
4.On the “Certificate Backup” page, enter a location and name for the backup file, or click Browse
to search for a location.
CAUTION: Be sure that you save the file to a location other than your hard drive and put it in a
safe place. This file should be for your use only, and is required in case you need to restore your
Privacy Manager Certificate and associated keys.
5.Enter and confirm a password, and then click Next.
6.Authenticate using your chosen security logon method.
7.If you choose to begin the Trusted Contact invitation process, follow the on-screen instructions.
– or –
If you click Cancel, refer to Managing Trusted Contacts for information on adding a Trusted Contact
at a later time.
Viewing Privacy Manager Certificate details
1.Open Privacy Manager, and click Certificate Manager.
2.Click a Privacy Manager Certificate.
3.Click Certificate details.
4.When you have finished viewing the details, click OK.
Renewing a Privacy Manager Certificate
When your Privacy Manager Certificate nears expiration, you will be notified that you need to renew it:
1.Open Privacy Manager, and click Certificate Manager.
2.Click a Privacy Manager Certificate.
3.Click Renew certificate.
4.Follow the on-screen instructions to purchase a new Privacy Manager Certificate.
NOTE: The Privacy Manager Certificate renewal process does not replace your old Privacy
Manager Certificate. You will need to purchase a new Privacy Manager Certificate and install it
using the same procedures as in Requesting and installing a Privacy Manager Certificate.
Setting a default Privacy Manager Certificate
Only Privacy Manager Certificates are visible from within Privacy Manager, even if additional certificates
from other certificate authorities are installed on your computer.
If you have more than one Privacy Manager Certificate on your computer that was installed from within
Privacy Manager, you can specify one as the default certificate:
1.Open Privacy Manager, and click Certificate Manager.
2.Click the Privacy Manager Certificate that you want to use as the default, and then click Set
default.
3.Click OK.
NOTE: You are not required to use your default Privacy Manager Certificate. From within the various
Privacy Manager functions, you can select any of your Privacy Manager Certificates to use.
Deleting a Privacy Manager Certificate
If you delete a Privacy Manager Certificate, you cannot open any files or view any data that you
encrypted with that certificate. If you have accidentally deleted a Privacy Manager Certificate, you can
restore it using the backup file that you created when you installed the certificate.
To delete a Privacy Manager Certificate:
1.Open Privacy Manager, and click Certificate Manager.
2.Click the Privacy Manager Certificate you want to delete, and then click Advanced.
3.Click Delete.
4.When the confirmation dialog box opens, click Yes.
5.Click Close, and then click Apply.
Restoring a Privacy Manager Certificate
If you have accidentally deleted a Privacy Manager Certificate, you can restore it using the backup file
that you created when you installed or exported the certificate:
1.Open Privacy Manager, and click Migration.
2. Click Import migration file.
3. On the “Migration File” page, click Browse to search for the .dppsm file that you created when you installed or exported the Privacy Manager Certificate, and then click Next.
4.On the “Migration File Import” page, click Finish.
5.Click Close, and then click Apply.
NOTE: Refer to Installing a Privacy Manager Certificate or Exporting Privacy Manager Certificates
and Trusted Contacts for more information.
Revoking your Privacy Manager Certificate
If you feel that the security of your Privacy Manager Certificate has been jeopardized, you may revoke
your own certificate:
NOTE: A revoked Privacy Manager Certificate is not deleted, and revocation does not change the key material: the certificate can still be used to view files that were encrypted with it. Revocation is a signal to Trusted Contacts who check its status (see Checking revocation status for a Trusted Contact) that the certificate should no longer be trusted.
1.Open Privacy Manager, and click Certificate Manager.
2.Click Advanced.
3.Click the Privacy Manager Certificate you want to revoke, and then click Revoke.
4.When the confirmation dialog box opens, click Yes.
5.Authenticate using your chosen security logon method.
6.Follow the on-screen instructions.
Managing Trusted Contacts
Trusted Contacts are users with whom you have exchanged Privacy Manager Certificates, enabling you
to securely communicate with one another.
Adding Trusted Contacts
1.You send an e-mail invitation to a Trusted Contact recipient.
2.The Trusted Contact recipient responds to the e-mail.
3.You receive the e-mail response from the Trusted Contact recipient, and click Accept.
You can send Trusted Contact e-mail invitations to individual recipients or you can send the invitation
to all the contacts in your Microsoft Outlook address book.
NOTE: To respond to your invitation to become a Trusted Contact, Trusted Contact recipients must have Privacy Manager installed on their computers or have the alternate client installed. For information on installing the alternate client, access the DigitalPersona Web site at http://DigitalPersona.com/PrivacyManager.
Adding a Trusted Contact
1. Open Privacy Manager, click Trusted Contacts Manager, and then click Invite Contacts.
– or –
In Microsoft Outlook, click the down arrow next to Send Securely on the toolbar, and then click Invite Contacts.
2. If the Select Certificate dialog box opens, click the Privacy Manager Certificate you want to use, and then click OK.
3.When the Trusted Contact Invitation dialog box opens, read the text, and then click OK.
An e-mail is automatically generated.
4.Enter one or more e-mail addresses of the recipients you want to add as Trusted Contacts.
5.Edit the text and sign your name (optional).
6.Click Send.
NOTE: If you have not obtained a Privacy Manager Certificate, a message informs you that you
must have a Privacy Manager Certificate in order to send a Trusted Contact request. Click OK to
launch the Certificate Request Wizard.
7.Authenticate using your chosen security logon method.
8.When you receive an e-mail response from a recipient accepting the invitation to become a Trusted
Contact, click Accept in the lower-right corner of the e-mail.
A dialog box opens, confirming that the recipient has been successfully added to your Trusted
Contacts list.
9.Click OK.
Adding Trusted Contacts using your Microsoft Outlook address book
1.Open Privacy Manager, click Trusted Contacts Manager, and then click Invite Contacts.
– or –
In Microsoft Outlook, click the down arrow next to Send Securely on the toolbar, and then click
Invite All My Outlook Contacts.
2. When the “Trusted Contact Invitation” page opens, select the e-mail addresses of the recipients you want to add as Trusted Contacts, and then click Next.
3.When the “Sending Invitation” page opens, click Finish.
An e-mail listing the selected Microsoft Outlook e-mail addresses is automatically generated.
4.Edit the text and sign your name (optional).
5.Click Send.
NOTE: If you have not obtained a Privacy Manager Certificate, a message informs you that you
must have a Privacy Manager Certificate in order to send a Trusted Contact request. Click OK to
launch the Certificate Request Wizard.
6.Authenticate using your chosen security logon method.
NOTE: When the e-mail is received by the Trusted Contact recipient, the recipient must open the
e-mail and click Accept in the lower-right corner of the e-mail, and then click OK when the
confirmation dialog box opens.
7.When you receive an e-mail response from a recipient accepting the invitation to become a Trusted
Contact, click Accept in the lower-right corner of the e-mail.
A dialog box opens, confirming that the recipient has been successfully added to your Trusted
Contacts list.
8.Click OK.
Viewing Trusted Contact details
1.Open Privacy Manager, and click Trusted Contacts Manager.
2.Click a Trusted Contact.
3.Click Contact details.
4.When you have finished viewing the details, click OK.
Deleting a Trusted Contact
1.Open Privacy Manager, and click Trusted Contacts Manager.
2.Click the Trusted Contact you want to delete.
3.Click Delete contact.
4.When the confirmation dialog box opens, click Yes.
Checking revocation status for a Trusted Contact
1.Open Privacy Manager, and click Trusted Contacts Manager.
2.Click a Trusted Contact.
3.Click the Advanced button.
The Advanced Trusted Contact Management dialog box opens.
4.Click Check Revocation.
5.Click Close.
General tasks
Using Privacy Manager in Microsoft Office
After you install your Privacy Manager Certificate, a Sign and Encrypt button is displayed on the right
side of the toolbar of all Microsoft Word, Microsoft Excel, and Microsoft PowerPoint documents.
Configuring Privacy Manager in a Microsoft Office document
1.Open Privacy Manager, click Settings, and then click the Documents tab.
– or –
On the toolbar of a Microsoft Office document, click the down arrow next to Sign and Encrypt,
and then click Settings.
2.Select the actions you want to configure, and then click OK.
Signing a Microsoft Office document
1.In Microsoft Word, Microsoft Excel, or Microsoft PowerPoint, create and save a document.
2.Click the down arrow next to Sign and Encrypt, and then click Sign Document.
3.Authenticate using your chosen security logon method.
4.When the confirmation dialog box opens, read the text, and then click OK.
If you later decide to edit the document, follow these steps:
1.Click the Office button in the upper-left corner of the screen.
2.Click Prepare, and then click Mark as Final.
3.When the confirmation dialog box opens, click Yes, and continue working.
4.When you have completed your editing, sign the document again.
Adding a signature line when signing a Microsoft Word or Microsoft Excel document
Privacy Manager allows you to add a signature line when you sign a Microsoft Word or Microsoft Excel
document:
1.In Microsoft Word or Microsoft Excel create and save a document.
2.Click the Home menu.
3.Click the down arrow next to Sign and Encrypt, and then click Add Signature Line Before
Signing.
NOTE: A check mark is displayed next to Add Signature Line Before Signing when this option is
selected. By default, this option is enabled.
4.Click the down arrow next to Sign and Encrypt, and then click Sign Document.
5.Authenticate using your chosen security logon method.
Adding suggested signers to a Microsoft Word or Microsoft Excel document
You can add more than one signature line to your document by appointing suggested signers. A
suggested signer is a user who is designated by the owner of a Microsoft Word or Microsoft Excel
document to add a signature line to the document. Suggested signers can be you or another person
who you want to sign your document. For example, if you prepare a document that needs to be signed
by all members of your department, you can include signature lines for those users at the bottom of the
final page of the document with instructions to sign by a specific date.
To add a suggested signer to a Microsoft Word or Microsoft Excel document:
1.In Microsoft Word or Microsoft Excel, create and save a document.
2.Click the Insert menu.
3.In the Text group on the toolbar, click the arrow next to Signature Line, and then click Privacy
Manager Signature Provider.
The Signature Setup dialog box opens.
4.In the box under Suggested signer, enter the name of the suggested signer.
5.In the box under Instructions to the signer, enter a message for this suggested signer.
NOTE: This message will appear in place of a title, and is either deleted or replaced by the user's
title when the document is signed.
6.Select the Show sign date in signature line check box to show the date.
7.Select the Show signer's title in signature line check box to show the title.
NOTE: Because the owner of the document assigns suggested signers to his or her document,
if the Show sign date in signature line and/or Show signer's title in signature line check boxes
are not selected, the suggested signer will not be able to display the date and/or title in the signature
line even if the suggested signer's document settings are configured to do so.
8.Click OK.
Adding a suggested signer's signature line
When suggested signers open the document, they will see their name in brackets, indicating that their
signature is required.
To sign the document:
1.Double-click the appropriate signature line.
2.Authenticate using your chosen security logon method.
The signature line will be shown according to the settings specified by the owner of the document.
Encrypting a Microsoft Office document
You can encrypt a Microsoft Office document for you and for your Trusted Contacts. When you encrypt
a document and close it, you and the Trusted Contact(s) you select from the list must authenticate before
opening it.
To encrypt a Microsoft Office document:
1.In Microsoft Word, Microsoft Excel, or Microsoft PowerPoint, create and save a document.
2.Click the Home menu.
3.Click the down arrow next to Sign and Encrypt, and then click Encrypt Document.
The Select Trusted Contacts dialog box opens.
4.Click the name of a Trusted Contact who will be able to open the document and view its contents.
NOTE: To select multiple Trusted Contact names, hold down the Ctrl key and click the individual
names.
5.Click OK.
6.Authenticate using your chosen security logon method.
If you later decide to edit the document, first remove the encryption as described in Removing the encryption from a Microsoft Office document. When the encryption is removed, you can edit the document. Follow the steps in this section to encrypt the document again.
Removing the encryption from a Microsoft Office document
When you remove encryption from a Microsoft Office document, you and your Trusted Contacts are no
longer required to authenticate to open and view the contents of the document.
To remove encryption from a Microsoft Office document:
1.Open an encrypted Microsoft Word, Microsoft Excel, or Microsoft PowerPoint document.
2.Authenticate using your chosen security logon method.
3.Click the Home menu.
4.Click the down arrow next to Sign and Encrypt, and then click Remove Encryption.
Sending an encrypted Microsoft Office document
You may attach a signed or encrypted Microsoft Office document to an e-mail message without signing or encrypting the e-mail itself. To do this, create and send the e-mail just as you normally would a regular e-mail with an attachment. Keep in mind that a signed document is protected against tampering but remains readable by anyone, and that encrypting the document does not protect the subject line or body of the e-mail that carries it.
For optimum security, it is therefore recommended that you also seal (encrypt) the e-mail when attaching a signed or encrypted Microsoft Office document.
To send a sealed e-mail with an attached signed and/or encrypted Microsoft Office document, follow
these steps:
1.In Microsoft Outlook, click New or Reply.
2.Type your e-mail message.
3.Attach the Microsoft Office document.
4.Refer to Sealing and sending an e-mail message for further instructions.
Viewing a signed Microsoft Office document
NOTE: You do not need to have a Privacy Manager Certificate in order to view a signed Microsoft
Office document.
When a signed Microsoft Office document is opened, a Signatures dialog box opens next to the
document, displaying the name of the user who signed the document and the date it was signed. You
can right-click the name to view additional details.
Viewing an encrypted Microsoft Office document
To view an encrypted Microsoft Office document from another computer, Privacy Manager must be
installed on that computer. In addition, you must import the Privacy Manager Certificate that was used
to encrypt the file.
A Trusted Contact wanting to view an encrypted Microsoft Office document must have a Privacy
Manager Certificate, and Privacy Manager must be installed on his or her computer. In addition, the
Trusted Contact must be selected by the owner of the encrypted Microsoft Office document.
Using Privacy Manager in Microsoft Outlook
When Privacy Manager is installed, a Privacy button is displayed on the Microsoft Outlook toolbar, and
a Send Securely button is displayed on the toolbar of each Microsoft Outlook e-mail message.
Configuring Privacy Manager for Microsoft Outlook
1.Open Privacy Manager, click Settings, and then click the E-mail tab.
– or –
On the main Microsoft Outlook toolbar, click the down arrow next to Privacy, and then click
Settings.
– or –
On the toolbar of a Microsoft e-mail message, click the down arrow next to Send Securely, and
then click Settings.
2.Select the actions you want to perform when you send a secure e-mail, and then click OK.
Signing and sending an e-mail message
1. In Microsoft Outlook, click New or Reply.
2. Type your e-mail message.
3. Click the down arrow next to Send Securely, and then click Sign and Send.
4. Authenticate using your chosen security logon method.
Sealing and sending an e-mail message
Sealed e-mail messages are digitally signed and encrypted, and can be viewed only by the people you choose from your Trusted Contacts list.
To seal and send an e-mail message to a Trusted Contact:
1.In Microsoft Outlook, click New or Reply.
2.Type your e-mail message.
3.Click the down arrow next to Send Securely, and then click Seal for Trusted Contacts and
Send.
4.Authenticate using your chosen security logon method.
Viewing a sealed e-mail message
When you open a sealed e-mail message, the security label is displayed in the heading of the e-mail.
The security label provides the following information:
● Which credentials were used to verify the identity of the person who signed the e-mail
● The product that was used to verify the credentials of the person who signed the e-mail
Using Privacy Manager in Windows Live Messenger
Adding Privacy Manager Chat activity
To add the Privacy Manager Chat feature to Windows Live Messenger, follow these steps:
1.Log in to Windows Live Home.
2.Click the Windows Live icon, and then click Windows Live Services.
3.Click Gallery, and then click Messenger.
4.Click Activities, and then click Safety and Security.
5.Click Privacy Manager Chat, and then follow the on-screen instructions.
Starting Privacy Manager Chat
NOTE: In order to use Privacy Manager Chat, both parties must have Privacy Manager and a Privacy Manager Certificate installed. For details about installing a Privacy Manager Certificate, see Requesting and installing a Privacy Manager Certificate on page 38.
1.To start Privacy Manager Chat in Windows Live Messenger, perform either of the following
procedures:
a.Right-click an online contact in Live Messenger, and then select Start an Activity.
b.Click Start Privacy Manager Chat.
– or –
a.Double-click an online contact in Live Messenger, and then click the Conversation menu.
b.Click Action, and then click Start Privacy Manager Chat.
Privacy Manager sends an invitation to the contact to start Privacy Manager Chat. When the invited
contact accepts, the Privacy Manager Chat window opens. If the invited contact does not have
Privacy Manager, he or she will be prompted to download it.
2.Click Start to begin a secure chat.
Configuring Privacy Manager Chat for Windows Live Messenger
1. In Privacy Manager Chat, click the Settings button.
– or –
In Privacy Manager, click Settings, and then click the Chat tab.
– or –
In Privacy Manager History Viewer, click the Settings button.
2. To specify the amount of time Privacy Manager Chat waits before locking your session, select a number from the Lock session after _ minutes of inactivity box.
3. To specify a history folder for your chat sessions, click Browse to search for a folder, and then click OK.
4. To automatically encrypt and save your sessions when you close them, select the Automatically save secure chat history check box.
5. Click OK.
Chatting in the Privacy Manager Chat window
After starting Privacy Manager Chat, a Privacy Manager Chat window opens in Windows Live Messenger. Using Privacy Manager Chat is similar to using basic Windows Live Messenger, except that the following additional features are available in the Privacy Manager Chat window:
● Save – Click this button to save your chat session to the folder specified in your configuration settings. You can also configure Privacy Manager Chat to automatically save each session when it is closed.
● Hide all and Show all – Click the appropriate button to expand or collapse the messages shown in the Secure Communications window. You can also hide or show individual messages by clicking the message header.
● Are you there? – Click this button to request authentication from your contact.
● Lock – Click this button to close the Privacy Manager Chat window and return to the Chat Entry window. To display the Secure Communications window again, click Resume the session, and then authenticate using your chosen security logon method.
● Send – Click this button to send an encrypted message to your contact.
● Send signed – Select this check box to electronically sign and encrypt your messages. Then, if the message is tampered with, it will be marked as invalid when the recipient receives it. You must authenticate each time you send a signed message.
● Send hidden – Select this check box to encrypt and send a message showing only the message heading. Your contact must authenticate to read the content of the message.
Viewing chat history
The Privacy Manager Chat History Viewer displays encrypted Privacy Manager Chat session files. Sessions may be saved by clicking Save in the Privacy Manager Chat window, or by configuring automatic saving on the Chat tab in Privacy Manager. In the viewer, each session shows the (encrypted) Contact Screen Name, and the date and time the session began and ended. By default, sessions are shown for all e-mail accounts that you have set up. You can use the Display history for menu to select only specific accounts to view.
Starting the Chat History Viewer
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. Click Privacy Manager: Sign and Chat, and then click Chat History Viewer.
– or –
▲ In a Chat session, click History Viewer or History.
– or –
▲ On the “Chat Configuration” page, click Start Live Messenger History Viewer.
Reveal all sessions
Revealing all sessions displays the decrypted Contact Screen Name for the currently selected session(s) and all sessions in the same account.
1. In the Chat History Viewer, right-click any session, and then select Reveal All Sessions.
2. Authenticate using your chosen security logon method.
The Contact Screen Names are decrypted.
3. Double-click any session to view its content.
Reveal sessions for a specific account
Revealing a session displays the decrypted Contact Screen Name for the currently selected session.
1. In the Chat History Viewer, right-click any session, and then select Reveal Session.
2. Authenticate using your chosen security logon method.
The Contact Screen Names are decrypted.
3. Double-click the revealed session to view its content.
NOTE: Additional sessions encrypted with the same certificate will show an unlocked icon, indicating that you can view them by double-clicking any of those sessions without additional authentication. Sessions encrypted with a different certificate will show a locked icon, indicating that further authentication is required for those sessions before viewing the Contact Screen Names or contents.
View a session ID
▲ In the Chat History Viewer, right-click any revealed session, and select View session ID.
View a session
Viewing a session opens the file for viewing. If the session has not been revealed (displaying the decrypted Contact Screen Name) previously, it is revealed at the same time.
1. In the Chat History Viewer, right-click any revealed session, and select View.
2. If prompted, authenticate using your chosen security logon method.
The session content is decrypted.
Search sessions for specific text
You can only search for text in revealed (decrypted) sessions that are displayed in the viewer window. These are the sessions where the Contact Screen Name is shown in plain text.
1. In the Chat History Viewer, click the Search button.
2. Enter the search text, configure any desired search parameters, and then click OK.
Sessions that contain the text are highlighted in the viewer window.
Delete a session
1. Select a chat history session.
2. Click Delete.
Add or remove columns
By default, the 3 most used columns are displayed in the Chat History Viewer. You can add additional columns to the display, or you can remove columns from the display.
To add columns to the display:
1. Right-click on any column heading, and then select Add/Remove Columns.
2. Select a column heading in the left panel, and then click Add to move it to the right panel.
To remove columns from the display:
1. Right-click on any column heading, and then select Add/Remove Columns.
2. Select a column heading in the right panel, and then click Remove to move it to the left panel.
Filter displayed sessions
A list of sessions for all of your accounts is displayed in the Chat History Viewer.
Displaying sessions for a specific account
▲ In the Chat History Viewer, select an account from the Display history for menu.
Displaying sessions for a range of dates
1. In the Chat History Viewer, click the Advanced Filter icon.
The Advanced Filter dialog box opens.
2. Select the Display only sessions within specified date range check box.
3. In the From date and To date boxes, enter the day, month, and/or year, or click the arrow next to the calendar to select the dates.
4. Click OK.
Displaying sessions that are saved in a folder other than the default folder
1. In the Chat History Viewer, click the Advanced Filter icon.
2. Select the Use an alternate history files folder check box.
3. Enter the folder location, or click Browse to search for a folder.
4. Click OK.
Advanced tasks
Migrating Privacy Manager Certificates and Trusted Contacts to a different computer
You can securely migrate your Privacy Manager Certificates and Trusted Contacts to a different computer. To do this, export them as a password-protected file to a network location or any removable storage device, and then import the file on the new computer.
Exporting Privacy Manager Certificates and Trusted Contacts
To export your Privacy Manager Certificates and Trusted Contacts to a password-protected file, follow these steps:
1. Open Privacy Manager, and click Migration.
2. Click Export migration file.
3. On the “Select Data” page, select the data categories to be included in the migration file, and then click Next.
4. On the “Migration File” page, enter a file name or click Browse to search for a location, and then click Next.
5. Enter and confirm a password, and then click Next.
NOTE: Store this password in a safe place, because you will need it when you import the migration file.
6. Authenticate using your chosen security logon method.
7. On the “Migration File Saved” page, click Finish.
Importing Privacy Manager Certificates and Trusted Contacts
To import your Privacy Manager Certificates and Trusted Contacts from a password-protected file, follow these steps:
1. Open Privacy Manager, and click Migration.
2. Click Import migration file.
3. On the “Select Data” page, select the data categories to be imported from the migration file, and then click Next.
4. On the “Migration File” page, enter a file name or click Browse to search for a location, and then click Next.
5. On the “Migration File Import” page, click Finish.
6 File Sanitizer for HP ProtectTools
File Sanitizer is a tool that allows you to securely shred assets (personal information or files, historical or Web-related data, or other data components) on your computer and periodically bleach your hard drive.
NOTE: File Sanitizer currently operates only on the hard drive.
About shredding
Deleting an asset in Windows does not completely remove the contents of the asset from your hard drive. Windows only deletes the reference to the asset. The content of the asset still remains on the hard drive until another asset overwrites that same area on the hard drive with new information.
Shredding is different from a standard Windows® delete (also known as a simple delete in File Sanitizer) in that when you shred an asset, an algorithm that obscures the data is invoked, which makes it virtually impossible to retrieve the original asset.
When you choose a shred profile (High Security, Medium Security, or Low Security), a predefined list of assets and an erase method are automatically selected for shredding. You can also customize a shred profile, which allows you to specify the number of shred cycles, which assets to include for shredding, which assets to confirm before shredding, and which assets to exclude from shredding.
You can set up an automatic shred schedule, and you can also manually shred assets whenever you want.
About free space bleaching
Free space bleaching allows you to securely write random data over deleted assets, preventing users from viewing the original contents of the deleted asset.
NOTE: Free space bleaching is for those assets that you delete using the Windows Recycle Bin or when you manually delete an asset. Free space bleaching provides no additional security to shredded assets.
You can set an automatic free space bleaching schedule or you can manually activate free space bleaching using the HP ProtectTools icon in the notification area, at the far right of the taskbar.
Setup procedures
Opening File Sanitizer
To open File Sanitizer:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. Click File Sanitizer.
– or –
● Double-click the File Sanitizer icon.
– or –
● Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Open File Sanitizer.
Setting a free space bleaching schedule
NOTE: Free space bleaching is for those assets that you delete using the Windows Recycle Bin or for manually deleted assets. Free space bleaching provides no additional security to shredded assets.
To set a free space bleaching schedule:
1. Open File Sanitizer, and click Free Space Bleaching.
2. Select the Activate Scheduler check box, enter your Windows password, and then enter a day and time to bleach your hard drive.
3. Click Apply, and then click OK.
NOTE: The free space bleaching operation can take a long time. Even though free space bleaching is performed in the background, your computer may run slower due to increased processor usage.
Selecting or creating a shred profile
You can specify a method of erasure and select the assets to shred by selecting a predefined profile or by creating your own profile.
Selecting a predefined shred profile
When you choose a predefined shred profile (High Security, Medium Security, or Low Security), a predefined erasure method and list of assets are automatically selected. You can click the View Details button to view the predefined list of assets that are selected for shredding.
To select a predefined shred profile:
1. Open File Sanitizer, and then click Settings.
2. Click a predefined shred profile.
3. Click View Details to view the list of assets that are selected for shredding.
4. Under Shred the following, select the check box next to each asset that you want to confirm before shredding.
5. Click Apply, and then click OK.
Customizing a shred profile
When you create a shred profile, you specify the number of shred cycles, which assets to include for shredding, which assets to confirm before shredding, and which assets to exclude from shredding:
1. Open File Sanitizer, and click Settings, click Advanced Security Settings, and then click View Details.
2. Specify the number of shred cycles.
NOTE: The selected number of shredding cycles will be performed for each asset. For example, if you choose 3 shred cycles, an algorithm that obscures the data is executed 3 different times. If you choose the higher security shred cycles, shredding may take a significant length of time; however, the higher the number of shred cycles you specify, the more secure the computer is.
3. Select the assets you want to shred:
a. Under Available shred options, click an asset, and then click Add.
b. To add a custom asset, click Add Custom Option, enter a file name or folder name, and then click OK. Click the custom asset, and then click Add.
NOTE: To delete an asset from the available shred options, click the asset, and then click Delete.
4. Under Shred the following, select the check box next to each asset that you want to confirm before shredding.
NOTE: To remove an asset from the shred list, click the asset, and then click Remove.
5. Under Do not shred the following, click Add to select the specific assets that you want to exclude from shredding.
NOTE: Only file extensions can be excluded from shredding. For example, if you add the .BMP file extension, all files with the .BMP extension will be excluded from shredding.
To remove an asset from the exclusions list, click the asset, and then click Delete.
6. When you finish configuring the shred profile, click Apply, and then click OK.
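The following added Python example (not HP's File Sanitizer code) makes the ideas of About shredding and the custom shred profile above concrete: a simple delete that only drops the directory entry, an overwrite-based shred that runs the configured number of cycles per asset, and a profile with include, confirm-before-shredding and extension-based exclusion lists. The ShredProfile class, the function names and the assumption that the file system rewrites blocks in place are mine, not the guide's.

```python
import os
import secrets
from dataclasses import dataclass


@dataclass
class ShredProfile:
    """Hypothetical model of a custom shred profile (not File Sanitizer's format)."""
    cycles: int = 3                               # overwrite passes per asset
    exclude_extensions: frozenset = frozenset()   # e.g. {".bmp"}: never shredded
    confirm: frozenset = frozenset()              # files/folders to confirm before shredding

    def __post_init__(self):
        if self.cycles < 1:
            raise ValueError("a shred profile needs at least one shred cycle")
        self.exclude_extensions = frozenset(e.lower() for e in self.exclude_extensions)
        self.confirm = frozenset(os.path.abspath(p) for p in self.confirm)

    def is_excluded(self, path):
        # As in the guide, exclusions are by file extension only: ".BMP" excludes every *.bmp
        return os.path.splitext(path)[1].lower() in self.exclude_extensions

    def needs_confirmation(self, path):
        return any(path == c or path.startswith(c + os.sep) for c in self.confirm)


def expand_assets(assets):
    """Expand folders into the files they contain; plain files pass through."""
    files = []
    for asset in assets:
        asset = os.path.abspath(asset)
        if os.path.isdir(asset):
            for root, _dirs, names in os.walk(asset):
                files.extend(os.path.join(root, n) for n in names)
        elif os.path.isfile(asset):
            files.append(asset)
    return files


def plan_shred(assets, profile):
    """Split the expanded asset list into (shred now, confirm first, excluded)."""
    shred, confirm_first, excluded = [], [], []
    for path in expand_assets(assets):
        if profile.is_excluded(path):
            excluded.append(path)
        elif profile.needs_confirmation(path):
            confirm_first.append(path)
        else:
            shred.append(path)
    return shred, confirm_first, excluded


def simple_delete(path):
    """Standard delete: only the reference goes; the content stays on disk until overwritten."""
    os.remove(path)


def shred_file(path, cycles, chunk_size=64 * 1024):
    """Overwrite the file's bytes `cycles` times with random data, then remove it.

    Assumption: blocks are rewritten in place (classic hard drive, no copy-on-write,
    snapshots or wear levelling). That is why the guide limits File Sanitizer to the
    hard drive; on SSDs the old blocks may survive elsewhere. Returns passes written.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(cycles):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force each pass to the device, not just the page cache
        f.truncate(0)             # also hide the original length
        os.fsync(f.fileno())
    os.remove(path)
    return cycles


def shred_assets(assets, profile, confirm_cb=lambda path: True):
    """Apply a profile: shred listed assets, ask confirm_cb for confirm-listed ones, skip excluded."""
    shred, confirm_first, excluded = plan_shred(assets, profile)
    done = []
    for path in shred + [p for p in confirm_first if confirm_cb(p)]:
        shred_file(path, profile.cycles)
        done.append(path)
    return {"shredded": done, "excluded": excluded}
```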
Customizing a simple delete profile
The simple delete profile performs a standard asset delete without shredding. When you customize a simple delete profile, you specify which assets to include for a simple delete, which assets to confirm before a simple delete is executed, and which assets to exclude from a simple delete:
NOTE: It is highly recommended that you run free space bleaching regularly if you use the simple delete option.
1. Open File Sanitizer, click Settings, click Simple Delete Setting, and then click View Details.
2. Select the assets you want to delete:
a. Under Available delete options, click an asset, and then click Add.
b. To add a custom asset, click Add Custom Option, enter a file name or folder name, and then click OK. Click the custom asset, and then click Add.
NOTE: To delete an asset from the available delete options, click the asset, and then click Delete.
3. Under Delete the following, select the check box next to each asset that you want to confirm before deleting.
NOTE: To remove an asset from the delete list, click the asset, and then click Remove.
4. Under Do not delete the following, click Add to select the specific assets that you want to exclude from deletion.
NOTE: Only file extensions can be excluded from deleting. For example, if you add the .BMP file extension, all files with the .BMP extension will be excluded from deletion.
To remove an asset from the exclusions list, click the asset, and then click Delete.
5. When you finish configuring the simple delete profile, click Apply, and then click OK.
Setting a shred schedule
1. Open File Sanitizer, and click Shred.
2. Select a shred option:
● Windows startup — Choose this option to shred all selected assets when Windows starts up.
● Windows shutdown — Choose this option to shred all selected assets when Windows shuts down.
NOTE: When this option is selected, a dialog box is displayed at shutdown, asking if you want to continue with shredding selected assets or if you want to bypass the procedure. Click Yes to bypass the shred procedure or click No to continue with shredding.
● Web browser open — Choose this option to shred all selected Web-related assets, such as browser URL history, when you open a Web browser.
● Web browser quit — Choose this option to shred all selected Web-related assets, such as browser URL history, when you close a Web browser.
● Scheduler — Select the Activate Scheduler check box, enter your Windows password, and then enter a day and time to shred selected assets.
3. Click Apply, and then click OK.
General tasks
Using a key sequence to initiate shredding
To specify a key sequence, follow these steps:
1. Open File Sanitizer, and click Shred.
2. Select the Key sequence check box.
3. Enter a character in the available box, and then select the CTRL, ALT, or SHIFT box, or select all three.
For example, to initiate automatic shredding using the S key and Ctrl+Shift, enter S in the box, and then select the CTRL and SHIFT options.
NOTE: Be sure to select a key sequence that is different from other key sequences you have configured.
To initiate shredding using a key sequence:
1. Hold down the Ctrl, Alt, or Shift key (or whichever combination you specified) while pressing your chosen character.
2. If a confirmation dialog box opens, click Yes.
Using the File Sanitizer icon
CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding.
1. Navigate to the document or folder you want to shred.
2. Drag the asset to the File Sanitizer icon on the desktop.
3. When the confirmation dialog box opens, click Yes.
4. Click Yes to confirm that you want to remove the selected user.
Manually shredding one asset
CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding.
1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Shred One.
2. When the Browse dialog box opens, navigate to the asset you want to shred, and then click OK.
NOTE: The asset you select can be a single file or folder.
3. When the confirmation dialog box opens, click Yes.
– or –
1. Right-click the File Sanitizer icon on the desktop, and then click Shred One.
2. When the Browse dialog box opens, navigate to the asset you want to shred, and then click OK.
3. When the confirmation dialog box opens, click Yes.
– or –
1. Open File Sanitizer, and click Shred.
2. Click the Browse button.
3. When the Browse dialog box opens, navigate to the asset you want to shred, and then click OK.
4. When the confirmation dialog box opens, click Yes.
Manually shredding all selected items
1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Shred Now.
2. When the confirmation dialog box opens, click Yes.
– or –
1. Right-click the File Sanitizer icon on the desktop, and then click Shred Now.
2. When the confirmation dialog box opens, click Yes.
Manually activating free space bleaching
1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Bleach Now.
2. When the confirmation dialog box opens, click Yes.
– or –
1. Open File Sanitizer, and click Free Space Bleaching.
2. Click Bleach Now.
3. When the confirmation dialog box opens, click Yes.
Aborting a shred or free space bleaching operation
When a shred or free space bleaching operation is in progress, a message above the HP ProtectTools Security Manager for Administrators icon in the notification area is displayed. The message provides details on the shred or free space bleaching process (percentage complete), and gives you the option to abort the operation.
To abort the operation:
▲ Click the message, and then click Stop to cancel the operation.
Viewing the log files
Each time a shred or free space bleaching operation is performed, log files of any errors or failures are generated. The log files are always updated according to the latest shred or free space bleaching operation.
NOTE: Files that are successfully shredded or bleached do not appear in the log files.
One log file is created for shred operations and another log file is created for free space bleaching operations. Both log files are located on the hard drive at:
7 Java Card Security for HP ProtectTools
Java Card Security for HP ProtectTools manages the Java Card setup and configuration for use with the HP Smart Card keyboard. HP's Java Card is a personal security device that protects authentication data, requiring both the card and a PIN to grant access – like using an ATM card with a PIN. The Java Card can be used to access Credential Manager, Drive Encryption, HP BIOS, or any number of third-party access points.
With Java Card Security, you can accomplish the following tasks:
● Access Java Card Security features
● Work with the Computer Setup utility to enable Java Card authentication in a power-on environment
● Configure separate Java Cards for an administrator and a user. A user must insert the Java Card and type a PIN before the operating system will load
● Set and change the PIN used to authenticate users of the Java Card
General tasks
The “General” page allows you to perform the following tasks:
● Change a Java Card PIN
● Select the card reader or smart card keyboard
NOTE: The card reader uses both Java Cards and smart cards. This feature is available if you have more than one card reader on the computer.
Changing a Java Card PIN
To change a Java Card PIN:
NOTE: The Java Card PIN must be between 4 and 8 numeric characters.
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click General.
3. Insert a Java Card (with an existing PIN) into the card reader.
4. In the right pane, click Change.
5. In the Change PIN dialog box, type the current PIN in the Current PIN box.
6. Type a new PIN in the New PIN box, and then type the PIN again in the Confirm New PIN box.
7. Click OK.
Selecting the card reader
Be sure that the correct card reader is selected in Java Card Security before using the Java Card. If the correct reader is not selected, some of the features may be unavailable or incorrectly displayed. In addition, the card reader drivers must be correctly installed, as shown in Windows Device Manager.
To select the card reader:
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click General.
3. Insert the Java Card into the card reader.
4. In the right pane, under Selected card reader, click the correct reader.
Advanced tasks (administrators only)
The “Advanced” page allows you to perform the following tasks:
● Assign a Java Card PIN
● Assign a name to a Java Card
● Set power-on authentication
● Back up and restore Java Cards
NOTE: You must have Windows administrator privileges in order to display the “Advanced” page.
Assigning a Java Card PIN
You must assign a name and a PIN to a Java Card before it can be used in Java Card Security.
To assign a Java Card PIN:
NOTE: The Java Card PIN must be between 4 and 8 numeric characters.
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert a new Java Card into the card reader.
4. When the New Card dialog box opens, type a new name in the New display name box, type a new PIN in the New PIN box, and then type the new PIN again in the Confirm New PIN box.
5. Click OK.
Assigning a name to a Java Card
You must assign a name to a Java Card before it can be used for power-on authentication.
To assign a name to a Java Card:
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the Java Card into the card reader.
NOTE: If you have not assigned a PIN to this card, the New Card dialog box opens, allowing you to type a new name and PIN.
4. In the right pane, under Display name, click Change.
5. Type a name for the Java Card in the Name box.
6. Type the current Java Card PIN in the PIN box.
7. Click OK.
Setting power-on authentication
When enabled, power-on authentication requires you to use a Java Card to start the computer.
The process of enabling Java Card power-on authentication involves the following steps:
1. Enable Java Card power-on authentication support in BIOS Configuration or Computer Setup.
2. Enable Java Card power-on authentication in Java Card Security.
3. Create and enable the administrator Java Card.
Enabling Java Card power-on authentication and creating an administrator Java Card
To enable Java Card power-on authentication:
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the Java Card into the card reader.
   NOTE: If you have not assigned a name and PIN to this card, the New Card dialog box opens, allowing you to type a new name and PIN.
4. In the right pane, under Power-on authentication, select the Enable check box.
5. Type your Computer Setup password in the Computer Setup Password dialog box, and then click OK.
6. If you do not have DriveLock enabled, type the Java Card PIN, and then click OK.
   – or –
   If you do have DriveLock enabled:
   a. Click Make Java card identity unique.
      – or –
      Click Make the Java card identity the same as the DriveLock password.
      NOTE: If DriveLock is enabled on the computer, you can set the Java Card identity to be the same as the DriveLock user password, which allows you to validate both DriveLock and the Java Card using only the Java Card when starting the computer.
   b. If applicable, type your DriveLock user password in the DriveLock password box, and then type it again in the Confirm password box.
   c. Type the Java Card PIN.
   d. Click OK.
7. When you are prompted to create a recovery file, click Cancel to create a recovery file at a later time, or click OK and follow the on-screen instructions in the HP ProtectTools Backup Wizard to create a recovery file now.
   NOTE: For more information, see Backing up and restoring HP ProtectTools credentials on page 9.
Creating a user Java Card
NOTE: Power-on authentication and an administrator card must be set up in order to create a user
Java Card.
To create a user Java Card:
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert a Java Card that will be used as a user card.
4. In the right pane, under Power-on authentication, click Create next to User card identity.
5. Type a PIN for the user Java Card, and then click OK.
Disabling Java Card power-on authentication
When you disable Java Card power-on authentication, the Java Card is no longer needed to access the computer.
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the administrator Java Card.
4. In the right pane, under Power-on authentication, clear the Enable check box.
5. Type the administrator Java Card PIN, and then click OK.
8 BIOS Configuration for HP ProtectTools
BIOS Configuration for HP ProtectTools gives users access, from within Windows, to the system security and configuration settings that are otherwise managed in the Computer Setup utility. The options within BIOS Configuration for HP ProtectTools are:
● File
● Storage
● Security
● Power
● Advanced
NOTE: Support for specific Computer Setup options may vary depending on the hardware
configuration.
BIOS Configuration allows you to manage various computer settings that would otherwise be accessible only by pressing F10 at startup and entering Computer Setup. With BIOS Configuration, you can accomplish the following objectives:
● Manage power-on passwords and administrator passwords.
● Configure other power-on authentication features, such as enabling embedded security authentication support.
● Enable and disable hardware features, such as removable media boot or different hardware ports.
● Configure boot options, which includes enabling MultiBoot and changing the boot order.
NOTE: All of the features in BIOS Configuration for HP ProtectTools are also available in F10 Setup.
For detailed instructions on using F10 Setup, refer to the Computer Setup (F10) Utility Guide included
with your computer or BIOS update.
General tasks
BIOS Configuration allows you to manage various computer settings that would otherwise be accessible
only by pressing F10 at startup to enter Computer Setup.
Accessing BIOS Configuration
To access BIOS Configuration:
1. Click Start, click Settings, and then click Control Panel.
2. Click HP ProtectTools Security Manager for Administrators, and then click BIOS Configuration.
   You can also access BIOS Configuration from an icon in the notification area, at the far right of the taskbar.
   NOTE: To display the HP ProtectTools Security Manager for Administrators icon, you may need to click the Show Hidden Icons icon (< or <<) in the notification area.
   ● Right-click the HP ProtectTools Security Manager for Administrators icon in the notification area.
   ● Click BIOS Configuration.
3. If you are an HP ProtectTools user, enter your Windows password.
   ● If you enter the Windows password correctly, but you are not a BIOS administrator, your ability to make changes varies according to the security level settings.
     NOTE: An HP ProtectTools user may or may not be a BIOS administrator.
   ● If you enter the Windows password incorrectly, you can only view BIOS configuration settings; you cannot change them.
4. If you are not an HP ProtectTools user, the BIOS Configuration software checks whether a BIOS administrator password has been set up.
   ● If a BIOS administrator password has been set up, you must enter it.
     ◦ If you enter the BIOS administrator password correctly, you can both view and change the BIOS configuration settings.
     ◦ If a BIOS administrator password has been set up but you fail to enter it or enter it incorrectly, you can view BIOS configuration settings but you cannot change them.
   ● If a BIOS administrator password has not been set, you can both view and change BIOS configuration settings. Because this leaves the BIOS settings open to anyone who can log on to Windows, set a Setup Password under the Security option.
Viewing or changing settings
To view or change configuration settings:
1.Click one of the BIOS Configuration pages.
2.Make your changes, and then click Apply to save your changes.
3.Exit and restart the computer.
Your changes go into effect when the computer restarts.
NOTE: Password changes take effect immediately with no need to restart the computer.
File
The File option within BIOS Configuration for HP ProtectTools provides system information such as
processor type, system BIOS name and version, chassis, serial number, etc. The only File data that can
be edited is the asset tracking number. All other data is read only.
NOTE: For more information on File options, refer to the Computer Setup (F10) Utility Guide.
Storage
The Storage option within BIOS Configuration for HP ProtectTools provides information about all bootable devices configured in the computer system and allows you to specify settings for these devices. The settings accessible in Storage include:
● Device Configuration
● Storage Options
● DPS Self-Test
● Boot Order
NOTE: For more information on Storage options, refer to the Computer Setup (F10) Utility Guide.
Security
The Security option within BIOS Configuration for HP ProtectTools is the central location for all settings related to security and passwords. The settings included are:
● Setup Password
● Power-On Password
● Password Options
● Smart Cover (some models)
● Device Security
● Network Service Boot
● System IDs
● DriveLock Security
● System Security (some models)
● Setup Security Level
NOTE: For more information on Security options, refer to the Computer Setup (F10) Utility Guide.
Power
The Power option within BIOS Configuration for HP ProtectTools provides settings that control power management at a hardware level. Settings included are:
● OS Power Management
● Hardware Power Management
● Thermal
NOTE: For more information on Power options, refer to the Computer Setup (F10) Utility Guide.
Advanced
The settings within the Advanced option of BIOS Configuration for HP ProtectTools are intended for advanced users. These settings include:
● Power-On Options
● Execute Memory Test (some models)
● BIOS Power-On
● Onboard Devices
● PCI Devices
● PCI VGA Configuration
● Bus Options
● Device Options
● Management Devices
● Management Operations
NOTE: For more information on Advanced options, refer to the Computer Setup (F10) Utility Guide.
9 Embedded Security for HP ProtectTools
NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools.
Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials. This software module provides the following security features:
● Enhanced Microsoft® Encrypting File System (EFS) file and folder encryption
● Creation of a personal secure drive (PSD) for protecting user data
● Data management functions, such as backing up and restoring the key hierarchy
● Support for third-party applications (such as Microsoft Outlook and Internet Explorer) for protected digital certificate operations when using the Embedded Security software
The TPM embedded security chip enhances and enables other HP ProtectTools Security Manager for
Administrators security features. For example, Credential Manager for HP ProtectTools can use the
embedded chip as an authentication factor when the user logs on to Windows. On select models, the
TPM embedded security chip also enables enhanced BIOS security features accessed through BIOS
Configuration for HP ProtectTools.
Setup procedures
CAUTION: To reduce security risk, it is highly recommended that your IT administrator immediately
initialize the embedded security chip. Failure to initialize the embedded security chip could result in an
unauthorized user, a computer worm, or a virus taking ownership of the computer and gaining control
over the owner tasks, such as handling the emergency recovery archive, and configuring user access
settings.
Follow the steps in the following 2 sections to enable and initialize the embedded security chip.
Enabling the embedded security chip in Computer Setup
The embedded security chip can be enabled in the Quick Initialization Wizard or in the Computer Setup
utility as described below. This procedure cannot be performed in BIOS Configuration for
HP ProtectTools.
To enable the embedded security chip in Computer Setup:
1. Open Computer Setup by turning on or restarting the computer, and then pressing F10 while the “F10 = ROM Based Setup” message is displayed in the lower-left corner of the screen.
2. If you have not set an administrator password, use the arrow keys to select Security, select Setup password, and then press Enter.
3. Type your password in the New password and Verify new password boxes, and then press F10.
4. In the Security menu, use the arrow keys to select TPM Embedded Security, and then press Enter.
5. Under Embedded Security, if the device is hidden, select Available.
6. Select Embedded security device state and change it to Enable.
7. Press F10 to accept the changes to the Embedded Security configuration.
8. To save your preferences and exit Computer Setup, use the arrow keys to select File, select Save Changes and Exit, and then follow the on-screen instructions.
Initializing the embedded security chip
In the initialization process for Embedded Security, you will perform the following tasks:
● Set an owner password for the embedded security chip that protects access to all owner functions on the embedded security chip.
● Set up the emergency recovery archive, which is a protected storage area that allows reencryption of the Basic User Keys for all users.
To initialize the embedded security chip:
1. Right-click the HP ProtectTools Security Manager for Administrators icon in the notification area, at the far right of the taskbar, and then select Embedded Security Initialization.
   The HP ProtectTools Embedded Security Initialization Wizard opens.
2. Follow the on-screen instructions.
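After the two procedures above, a practitioner will want to confirm what the chip itself reports rather than trust the wizard's final dialog. The following PowerShell is an added example, not code from the HP guide or from the ProtectTools software: it reads the TPM state that Windows exposes and relates it to the CAUTION above, since an enabled but still unowned chip is exactly the condition in which an unauthorized user or malware on the machine can take ownership. It assumes Windows Vista or later, where the Win32_Tpm WMI class exists (it is absent on Windows XP), and an elevated PowerShell session; the function name and the fields of the returned object are this example's own.

```powershell
# Added example, not from the HP ProtectTools guide or software.
# Assumes Windows Vista or later and an elevated PowerShell session: the
# Win32_Tpm class lives in root\cimv2\Security\MicrosoftTpm and is not
# present on Windows XP. Field names of the result are this example's own.

function Get-TpmOwnershipState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    if ($null -eq $tpm) {
        # Nothing to query: the device is hidden or disabled in Computer Setup,
        # or the platform has no TPM at all.
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false
            SpecVersion = $null
            Assessment = 'No TPM visible to Windows. Set the device to Available and Enable in Computer Setup (F10), then reboot.'
        }
    }

    # Each Win32_Tpm method returns an object carrying a boolean of the same name.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    $assessment = if (-not $enabled) {
        'TPM present but disabled: enable it in Computer Setup (F10).'
    } elseif (-not $activated) {
        'TPM enabled but not activated: a further Computer Setup change and reboot are needed before Embedded Security can take ownership.'
    } elseif (-not $owned) {
        'TPM enabled and UNOWNED: run Embedded Security Initialization now. Until an owner password is set, any unauthorized user or malware on this machine can take ownership.'
    } else {
        'TPM owned: owner functions now require the owner password set during initialization.'
    }

    New-Object PSObject -Property @{
        Present = $true; Enabled = $enabled; Activated = $activated; Owned = $owned
        SpecVersion = $tpm.SpecVersion
        Assessment  = $assessment
    }
}

Get-TpmOwnershipState | Format-List Present, Enabled, Activated, Owned, SpecVersion, Assessment
```

Run it once before and once after the initialization wizard: the only field that should change between the two runs is Owned, and if Present or Enabled is false the Computer Setup procedure above has not taken effect yet.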
Setting up the basic user account
Setting up a basic user account in Embedded Security accomplishes the following tasks:
● Produces a Basic User Key that protects encrypted information, and sets a Basic User Key password to protect the Basic User Key.
● Sets up a personal secure drive (PSD) for storing encrypted files and folders.
CAUTION: Safeguard the Basic User Key password. Encrypted information cannot be accessed or recovered without this password.
To set up a basic user account and enable the user security features:
1. If the Embedded Security User Initialization Wizard is not open, click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Embedded Security Features, click Configure.
   The Embedded Security User Initialization Wizard opens.
4. Follow the on-screen instructions.
NOTE: To use secure e-mail, you must first configure the e-mail client to use a digital certificate
that is created with Embedded Security. If a digital certificate is not available, you must obtain one
from a certification authority. For instructions on configuring your e-mail and obtaining a digital
certificate, refer to the e-mail client software Help.
General tasks
After the basic user account is set up, you can perform the following tasks:
● Encrypting files and folders
● Sending and receiving encrypted e-mail
Using the Personal Secure Drive
After setting up the PSD, you are prompted to type the Basic User Key password at the next logon. If
the Basic User Key password is entered correctly, you can access the PSD directly from Windows
Explorer.
Encrypting files and folders
When working with encrypted files, consider the following rules:
● Only files and folders on NTFS partitions can be encrypted. Files and folders on FAT partitions cannot be encrypted.
● System files and compressed files cannot be encrypted, and encrypted files cannot be compressed.
● Temporary folders should be encrypted, because applications write working copies of open documents there and those copies are potentially of interest to hackers.
● A recovery policy is automatically set up when you encrypt a file or folder for the first time. This policy ensures that if you lose your encryption certificates and private keys, you will be able to use a recovery agent to decrypt your information.
To encrypt files and folders:
1. Right-click the file or folder that you want to encrypt.
2. Click Encrypt.
3. Click one of the following options:
   ● Apply changes to this folder only.
   ● Apply changes to this folder, subfolders, and files.
4. Click OK.
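The same rules and the same two dialog options can be applied from a script, which is useful when many folders have to be encrypted consistently. The following PowerShell is an added example, not code from the HP guide or the ProtectTools software. It checks the rules listed above (NTFS volume, not compressed, not a system file) before encrypting, uses the built-in cipher.exe for folders and the EncryptFile() call for files, and then reports two things the Explorer dialog does not show: who the DACL still allows to delete the item (EFS protects confidentiality only; it does not change who can delete or move a file) and, on Windows Vista and later, the "cipher /c" listing of who holds a key for the file. It assumes a local NTFS volume and must be run as the user who should own the data, because EFS keys are per user; all function names are this example's own.

```powershell
# Added example, not from the HP ProtectTools guide or software.
# Assumes Windows with NTFS and the built-in cipher.exe; "cipher /c" (used in
# Get-EfsStatus) exists on Windows Vista and later. Run as the user who should
# own the encrypted data, because EFS keys are per user. Function names are
# this example's own.

function Test-EfsEligible {
    # Applies the rules above before any encryption is attempted.
    param([Parameter(Mandatory=$true)][string]$Path)

    $item    = Get-Item -LiteralPath $Path -ErrorAction Stop
    $root    = [System.IO.Path]::GetPathRoot($item.FullName)
    $reasons = @()

    if ($root -match '^[A-Za-z]:\\$') {
        $format = (New-Object System.IO.DriveInfo($root)).DriveFormat
        if ($format -ne 'NTFS') { $reasons += "volume $root is $format; EFS requires NTFS" }
    } else {
        $reasons += "$root is not a local volume; check the file system on the server"
    }
    if (([int]($item.Attributes -band [System.IO.FileAttributes]::Compressed)) -ne 0) {
        $reasons += 'item is NTFS-compressed; compression and EFS are mutually exclusive'
    }
    if (([int]($item.Attributes -band [System.IO.FileAttributes]::System)) -ne 0) {
        $reasons += 'item has the System attribute; system files cannot be encrypted'
    }

    New-Object PSObject -Property @{
        Path = $item.FullName; Eligible = ($reasons.Count -eq 0); Reasons = $reasons
    }
}

function Protect-WithEfs {
    # Mirrors the Explorer dialog: without -Recurse a folder is only marked so that
    # files added later are encrypted ("this folder only"); with -Recurse the
    # existing subfolders and files are encrypted as well.
    param([Parameter(Mandatory=$true)][string]$Path, [switch]$Recurse)

    $check = Test-EfsEligible -Path $Path
    if (-not $check.Eligible) {
        throw "Refusing to encrypt $($check.Path): $($check.Reasons -join '; ')"
    }
    $item = Get-Item -LiteralPath $check.Path
    if ($item.PSIsContainer) {
        # cipher.exe is the command-line front end to EFS: /e encrypts directories,
        # /a also encrypts the files in them, /s: descends into subdirectories.
        & cipher.exe /e $item.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
        if ($Recurse) {
            & cipher.exe /e /a "/s:$($item.FullName)" | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
        }
    } else {
        # The same EncryptFile() call Explorer makes when you click Encrypt.
        [System.IO.File]::Encrypt($item.FullName)
    }
    Get-EfsStatus -Path $item.FullName
}

function Get-EfsStatus {
    # Reports the Encrypted attribute and, separately, which principals the DACL
    # still allows to delete the item: an administrator who cannot read an
    # encrypted file can still delete or move it.
    param([Parameter(Mandatory=$true)][string]$Path)

    $item      = Get-Item -LiteralPath $Path -ErrorAction Stop
    $encrypted = ([int]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)) -ne 0

    $delete    = [System.Security.AccessControl.FileSystemRights]::Delete
    $canDelete = @()
    foreach ($rule in (Get-Acl -Path $item.FullName).Access) {
        # Rules written with generic rights (GENERIC_ALL and friends) are not expanded here.
        if ($rule.AccessControlType -eq 'Allow' -and
            (([int]($rule.FileSystemRights -band $delete)) -ne 0)) {
            $canDelete += $rule.IdentityReference.Value
        }
    }

    $report = @()
    if ($encrypted -and -not $item.PSIsContainer) {
        # Lists the users and recovery agents holding a key for the file (Vista and later).
        $report = @(& cipher.exe /c $item.FullName 2>$null)
    }
    New-Object PSObject -Property @{
        Path = $item.FullName; Encrypted = $encrypted
        CanDelete = @($canDelete | Select-Object -Unique); CipherReport = $report
    }
}

# Constructed demo: a throwaway file in the profile, encrypted and then inspected.
$demo = Join-Path $env:USERPROFILE 'efs-demo.txt'
Set-Content -LiteralPath $demo -Value 'constructed sample data'
Protect-WithEfs -Path $demo | Format-List Path, Encrypted, CanDelete, CipherReport
```

Protect-WithEfs refuses the cases the rules above exclude instead of letting EFS fail part-way through a folder, and the CanDelete list in the result is the practical reading of the troubleshooting entry on administrators and encrypted folders: encryption sets an attribute and wraps the contents under the user's key, while the DACL alone still decides who may delete or move the item.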
Sending and receiving encrypted e-mail
Embedded Security enables you to send and receive encrypted e-mail, but the procedures vary
depending upon the program you use to access your e-mail. For more information, refer to the
Embedded Security software Help, and the software Help for your e-mail program.
Changing the Basic User Key password
To change the Basic User Key password:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Basic User Key password, click Change.
4. Type the old password, and then set and confirm the new password.
5. Click OK.
Advanced tasks
Backing up and restoring
The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emergency.
Creating a backup file
To create a backup file:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Backup. The HP Embedded Security for ProtectTools Backup Wizard opens.
4. Follow the on-screen instructions.
Restoring certification data from the backup file
To restore data from the backup file:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Restore. The HP Embedded Security for ProtectTools Backup Wizard opens.
4. Follow the on-screen instructions.
Changing the owner password
To change the owner password:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Owner Password, click Change.
4. Type the old owner password, and then set and confirm the new owner password.
5. Click OK.
Resetting a user password
An administrator can help a user to reset a forgotten password. For more information, refer to the software Help.
Enabling and disabling Embedded Security
It is possible to disable the Embedded Security features if you want to work without the security function. The Embedded Security features can be enabled or disabled at 2 different levels:
● Temporary disabling—With this option, Embedded Security is automatically reenabled on Windows restart. This option is available to all users by default.
● Permanent disabling—With this option, the owner password is required to reenable Embedded Security. This option is available only to administrators.
Permanently disabling Embedded Security
To permanently disable Embedded Security:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Embedded Security, click Disable.
4. Type your owner password at the prompt, and then click OK.
Enabling Embedded Security after permanent disable
To enable Embedded Security after permanently disabling it:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Embedded Security, click Enable.
4. Type your owner password at the prompt, and then click OK.
Migrating keys with the Migration Wizard
Migration is an advanced administrator task that allows the management, restoration, and transfer of
keys and certificates.
For details on migration, refer to the Embedded Security software Help.
10 Device Access Manager for HP ProtectTools
This security tool is available to administrators only. Device Access Manager for HP ProtectTools has the following security features that protect against unauthorized access to devices attached to your computer system:
● Device profiles that are created for each user to define device access
● Device access that can be granted or denied on the basis of group membership
Starting the background service
For device profiles to be applied, the HP ProtectTools Device Locking/Auditing background service must be running. When you first attempt to apply device profiles, HP ProtectTools Security Manager for Administrators opens a dialog box asking whether you would like to start the background service. Click Yes to start the background service and set it to start automatically whenever the system boots.
Simple configuration
This feature allows you to deny access to the following classes of devices:
● USB devices for all non-administrators
● All removable media (floppy disks, pen drives, etc.) for all non-administrators
● All DVD/CD-ROM drives for all non-administrators
● All serial and parallel ports for all non-administrators
To deny access to a class of device for all non-administrators:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Device Access Manager, and then click Simple Configuration.
3. In the right pane, select the check box of a device class to deny access to it.
4. Click Apply.
   NOTE: If the background service is not running, it attempts to start now. Click Yes to allow it.
5. Click OK.
Device class configuration (advanced)
More selections are available to allow specific users or groups of users to be granted or denied access
to types of devices.
Adding a user or a group
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure.
4. Click Add. The Select Users or Groups dialog box opens.
5. Click Advanced, and then click Find Now to search for users or groups to add.
6. Click a user or a group to be added to the list of available users and groups, and then click OK.
7. Click OK.
Removing a user or a group
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure.
4. Click the user or group you want to remove, and then click Remove.
5. Click Apply, and then click OK.
Denying access to a user or group
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure.
4. Under User/Groups, click the user or group to be denied access.
5. Click Deny next to the user or group to be denied access.
6. Click Apply, and then click OK.
11Troubleshooting
Credential Manager for HP ProtectTools
Short description: Using the Credential Manager Network Accounts option, a user can select which domain account to log on to. When TPM authentication is used, this option is not available. All other authentication methods work properly.
Details: Using TPM authentication, the user is only logged on to the local computer.
Solution: Using the Credential Manager Single Sign On tools allows the user to authenticate other accounts.

Short description: Smart cards and USB tokens are not available in Credential Manager if installed after the Credential Manager installation.
Details: In order to use smart cards or USB tokens in Credential Manager, the supporting software (drivers, PKCS#11 providers, etc.) must be installed prior to Credential Manager installation. If you already have Credential Manager installed, do the following steps after installing the smart card or token supporting software.
Solution: Log on to Credential Manager. In HP ProtectTools Security Manager, click Credential Manager, click Advanced Settings, and then click the Smart Cards and Tokens tab. A list of available tokens is displayed under Local Tokens. Access a popup menu by right-clicking the Local Tokens node, and then select Scan for New Smart Cards and Tokens. Restart your computer if prompted.

Short description: Some application Web pages create errors that prevent the user from performing or completing tasks.
Details: Some Web-based applications stop functioning and report errors because of the way Single Sign On disables page functionality. For example, an ! in a yellow triangle is observed in Internet Explorer, indicating that an error has occurred.
Solution: Credential Manager Single Sign On does not support all software Web interfaces. Disable Single Sign On support for the specific Web page. See the complete documentation on Single Sign On, which is available in the Credential Manager software Help files. If Single Sign On cannot be disabled for a given application, call HP technical support and request 3rd-level support through your HP Service contact.

Short description: The option to Browse for Virtual Token is not displayed during the logon process.
Details: The user cannot move the location of a registered virtual token in Credential Manager because the option to browse was removed to reduce security risks.
Solution: The browse option was removed because it allowed non-users to delete and rename files and take control of Windows.

Short description: Domain administrators cannot change the Windows password even with authorization.
Details: This happens after a domain administrator logs on to a domain and registers the domain identity with Credential Manager using an account with Administrator's rights on the domain and the local PC. When the domain administrator attempts to change the Windows password from Credential Manager, the administrator gets the error "logon failure: User account restriction".
Solution: Credential Manager cannot change a domain user's account password through Change Windows password. Credential Manager can only change local PC account passwords. The domain user can change his/her password through the Change password option of Windows security, but, since the domain user does not have a physical account on the local PC, Credential Manager can only change the password used to log on.

Short description: Credential Manager has incompatibility issues with the Corel WordPerfect 12 password GINA.
Details: If the user logs on to Credential Manager, creates a document in WordPerfect, and saves it with password protection, Credential Manager cannot detect or recognize, either manually or automatically, the password GINA.
Solution: HP is researching a workaround for future product enhancements.

Short description: Credential Manager does not recognize the Connect button on screen.
Details: If the Single Sign On credentials for Remote Desktop Connection (RDP) are set to Connect, when Single Sign On is relaunched it always enters Save As instead of Connect.
Solution: HP is researching a workaround for future product enhancements.

Short description: Users can lose all Credential Manager credentials protected by the TPM.
Details: If the TPM module is removed or damaged, users lose all credentials protected by the TPM.
Solution: This is as designed. The TPM module is designed to protect the Credential Manager credentials. HP recommends that the user back up their identity from Credential Manager prior to removing the TPM module.

Short description: The user is unable to log on to Credential Manager after transitioning from sleep mode to hibernation, on Windows XP Service Pack 1 only.
Details: After allowing the system to transition into hibernation and sleep mode, the administrator or user is unable to log on to Credential Manager, and the Windows logon screen remains displayed no matter which logon credential (password, fingerprint, or Java Card) is selected.
Solution: Update Windows to Service Pack 2 via Windows Update. Refer to Microsoft knowledge base article 813301 at http://www.microsoft.com for more information on the cause of the issue. In order to log on, the user must select Credential Manager and log on. After logging on to Credential Manager, the user is prompted to log on to Windows (the user may have to select the Windows logon option) to complete the logon process. If the user logs on to Windows first, then the user must manually log on to Credential Manager.

Short description: Restoring Embedded Security causes Credential Manager to fail.
Details: Credential Manager fails to register any credentials after the ROM is restored to factory settings.
Solution: Credential Manager fails to access the TPM if the ROM is reset to factory settings after installing Credential Manager. The TPM embedded security chip can be enabled using the F10 Computer Setup utility, BIOS Configuration, or HP Client Manager. To enable the TPM embedded security chip using Computer Setup, follow these steps:
1. Open Computer Setup by turning on or restarting the computer, and then pressing F10 while the F10 = ROM Based Setup message is displayed in the lower-left corner of the screen.
2. Use the arrow keys to select Security, and then select Setup Password. Set a password.
3. Select Embedded Security Device.
4. Use the arrow keys to select Embedded Security Device—Disable, and change it to Embedded Security Device—Enable.
5. Select Enable, and then select Save changes and exit.
HP is investigating resolution options for future customer software releases.

Short description: The security Restore Identity process loses its association with the virtual token.
Details: When a user restores an identity, Credential Manager can lose the association with the location of the virtual token at the logon screen. Even though Credential Manager has the virtual token registered, the user must reregister the token to restore the association.
Solution: This is currently by design. When uninstalling Credential Manager without keeping identities, the system (server) part of the token is destroyed, so the token cannot be used anymore for logging on, even if the client part of the token is restored through identity restore. HP is investigating long-term options for resolution.
Embedded Security for HP ProtectTools
Short descriptionDetailsSolution
Encrypting folders,
subfolders, and files on
PSD causes an error
message.
Cannot Take Ownership
With Another OS In
MultiBoot Platform.
An unauthorized
administrator can view,
delete, rename, or move
the contents of encrypted
EFS folders.
The user has no encrypt
options when attempting
to restore the hard drive
using FAT32.
The user is able to encrypt
or delete the recovery
archive XML file.
If the user copies files and folders to the
PSD and tries to encrypt folders/files or
folders/subfolders, the Error ApplyingAttributes message is displayed. The
user can encrypt the same files on the C:\
drive or an extra installed hard drive.
If a drive is set up for multiple OS boot,
ownership can only be taken with the
platform initialization wizard in one
operating system.
Encrypting a folder does not stop an
unauthorized user with administrative
rights to view, delete, or move contents
of the folder.
If the user attempts to restore the hard
drive using FAT32, there will be no
encrypt options for any files/folders using
EFS.
By design, the ACLs for this folder are not
set; therefore, a user can inadvertently or
purposely encrypt or delete the file, thus
making it inaccessible. After this file has
been encrypted or deleted, no one can
use the TPM software.
This is as designed.
Moving files/folders to the PSD automatically encrypts
them. There is no need to “double-encrypt” the files/
folders. Attempting to double-encrypt them on the PSD
using EFS produces this error message.
This is as designed, for security reasons.
This is as designed.
It is a feature of EFS, not the Embedded Security TPM.
Embedded Security uses Microsoft EFS software, and
EFS preserves file/folder access rights for all
administrators.
This is as designed. Software should not be installed
on a restore with a FAT32 partition.
Microsoft EFS is supported only on NTFS and does not
function on FAT32. This is a feature of Microsoft EFS
and is not related to HP ProtectTools software.
This is as designed.
Users have access rights to an emergency archive so
that they can save/update their Basic User Key backup
copy. Users should be instructed never to encrypt or
delete the recovery archive files.
Embedded Security EFS
interaction with Symantec
Antivirus or McAfee Total
Protection produces
longer encryption/
decryption and scan
times.
The emergency recovery
archive cannot be saved
to removable media.
Encrypted files interfere with Symantec
Antivirus or McAfee Total Protection
virus scan. Encrypting files using
Embedded Security EFS takes longer
when Symantec Antivirus or McAfee
Total Protection is running.
If the user inserts a MultiMediaCard or
Secure Digital (SD) Memory Card when
creating the emergency recovery archive
path during Embedded Security
initialization, an error message is
displayed.
To reduce the time required to scan Embedded
Security EFS files, the user can either type the
encryption password before scanning or decrypt before
scanning.
To reduce the time required to encrypt/decrypt data
using Embedded Security EFS, the user should disable
Auto-Protect on Symantec Antivirus or McAfee Total
Protection.
This is as designed.
Storage of the recovery archive on removable media is
not supported. The recovery archive can be stored on
a network drive or on another local drive other than the
C drive.
ENWWEmbedded Security for HP ProtectTools83
Short description: Errors occur after a power loss interrupts Embedded Security initialization.
Details: If there is a power loss during the initialization of the Embedded Security chip, the following issues occur:
● When attempting to launch the Embedded Security Initialization Wizard, the following error message is displayed: The Embedded security cannot be initialized since the Embedded Security chip already has an Embedded Security owner.
● When attempting to launch the User Initialization Wizard, the following error message is displayed: The Embedded security is not initialized. To use the wizard, the Embedded Security must be initialized first.
Solution: Perform the following procedure to recover from the power loss:
NOTE: Use the arrow keys to select various menus, menu items, and to change values (unless otherwise specified).
1. Start or restart the computer.
2. Press F10 when the F10=Setup message appears on the screen.
3. Select the appropriate language option.
4. Press Enter.
5. Select Security, and then click Embedded Security.
6. Set the Embedded Security Device option to Enable.
7. Press F10 to accept the change.
8. Select File, and then click Save Changes and Exit.
9. Press Enter.
10. Press F10 to save the changes and exit the utility.

Short description: The Computer Setup (F10) Utility password can be removed after enabling the TPM Module.
Details: Enabling the TPM module requires a Computer Setup (F10) Utility password. When the module has been enabled, the user can remove the password. This allows anyone with direct access to the system to reset the TPM module and cause possible loss of data.
Solution: This is as designed. The Computer Setup (F10) Utility password can only be removed by a user who knows the password. However, HP strongly recommends having the Computer Setup (F10) Utility password protected at all times.

Short description: The PSD password box is no longer displayed when the system becomes active after standby status.
Details: When a user logs on to the system after creating a PSD, the TPM asks for the Basic User password. If the user does not type the password and the system initiates Standby, the password dialog box is no longer available when the user resumes.
Solution: This is by design. The user has to log off and back on to view the PSD password box again.

Short description: No password is required to change the Security Platform Policies.
Details: Access to Security Platform Policies (both Machine and User) does not require a TPM password for users who have administrative rights on the system.
Solution: This is by design. Any administrator can modify the Security Platform Policies with or without TPM user initialization.

Short description: When a certificate is viewed, it shows as non-trusted.
Details: After setting up HP ProtectTools and running the User Initialization Wizard, the user has the ability to view the certificate issued; however, when the certificate is viewed, it shows as non-trusted. While the certificate can be installed at this point by clicking the install button, installing it does not make it trusted.
Solution: Self-signed certificates are not trusted. In a properly configured enterprise environment, EFS certificates are issued by online Certification Authorities and are trusted.
Chapter 11 Troubleshooting, page 84
Short description: An intermittent encrypt and decrypt error occurs: The process cannot access the file because it is being used by another process.
Details: This is an extremely intermittent error during file encryption or decryption which occurs because the file is being used by another process, even though that file or folder is not being processed by the operating system or other applications.
Solution: To resolve the failure:
1. Restart the system.
2. Log off.
3. Log back on.

Short description: Data loss in removable storage occurs if the storage media is removed prior to completing the new data generation or transfer.
Details: Removing storage media such as a MultiBay hard drive still shows PSD availability and does not generate errors while adding/modifying data to the PSD. After the system is restarted, the PSD does not reflect file changes that occurred while the removable storage was unavailable.
Solution: Do not remove a PSD before data generation or transfer is complete. This issue is only experienced if the user accesses the PSD, then removes the hard drive before completing new data generation or transfer. If the user attempts to access the PSD when the removable hard drive is not present, an error message is displayed stating that the device is not ready.

Short description: During uninstall, if the user has not initialized the Basic User and opens the Administration tool, the Disable option is not available and Uninstaller will not continue until the Administration tool is closed.
Details: The user has the option of uninstalling either without disabling the TPM or by first disabling the TPM (through the Administration tool), and then uninstalling. Accessing the Administration tool requires Basic User Key initialization. If basic initialization has not occurred, all options are inaccessible to the user.
Since the user has explicitly chosen to open the Administration tool (by clicking Yes in the dialog box prompting Click Yes to open Embedded Security Administration tool), uninstall waits until the Administration tool is closed. If the user clicks No in that dialog box, the Administration tool does not open at all and uninstall proceeds.
Solution: The Administration tool is used for disabling the TPM chip, but that option is not available unless the Basic User Key has already been initialized. If it has not been initialized, select OK or Cancel to continue with the uninstallation.

Short description: Intermittent system lockup occurs after creating PSD on 2-user accounts and using fast-user-switching in 128-MB system configurations.
Details: The system may lock up with a black screen and non-responding keyboard and mouse instead of showing the welcome (logon) screen when using fast-user-switching with minimal RAM.
Solution: The root cause is suspected to be a timing issue in low memory configurations. Integrated graphics uses UMA architecture taking 8 MB of memory, which leaves only 120 MB available to the user. The error is generated when this 120 MB is shared by both users who are logged on and are fast-user-switching.
The workaround is to reboot the system and increase memory configuration (HP does not ship 128-MB configurations with security modules).

Short description: EFS User Authentication (password request) times out with access denied.
Details: The EFS User Authentication password reopens after the user clicks OK or the system exits Standby.
Solution: This is by design—to avoid issues with Microsoft EFS, a 30-second watchdog timer was created to generate the error message.

Short description: Minor truncation during setup of Japanese is observed in functional descriptions.
Details: Functional descriptions shown for the custom setup option of the installation wizard are truncated.
Solution: HP will correct this in a future release.

Short description: EFS Encryption works without a password being typed in the prompt.
Details: By allowing the prompt for User password to time out, encryption is still available on a file or folder.
Solution: The ability to encrypt does not require password authentication, since this is a feature of the Microsoft EFS encryption. Decryption will require the user password to be supplied.
Short description: Secure e-mail is supported, even when secure e-mail is not specified in the User Initialization Wizard or when secure e-mail configuration is disabled in user policies.
Details: Embedded security software and the wizard do not control settings of an e-mail client (Outlook, Outlook Express, or Netscape).
Solution: This behavior is as designed. Configuration of TPM e-mail settings does not prohibit editing encryption settings directly in an e-mail client. Usage of secure e-mail is set and controlled by 3rd-party applications. The HP wizard allows linkage to the three reference applications for immediate customization.

Short description: Running Large Scale Deployment a second time on the same PC or on a previously initialized PC overwrites Emergency Recovery and Emergency Token files. The new files are useless for recovery.
Details: Running Large Scale Deployment on any previously initialized HP ProtectTools Embedded Security system renders existing Recovery Archives and Recovery Tokens useless by overwriting those XML files.
Solution: HP is working to resolve the XML-file-overwrite issue and will provide a solution in a future SoftPaq.

Short description: Automated logon scripts do not function during user restore in Embedded Security.
Details: The error occurs after the user performs the following actions:
● Initializes owner and user in Embedded Security (using the default locations—MyDocuments).
● Resets the chip to factory settings in the BIOS.
● Reboots the computer.
● Begins to restore Embedded Security. During the restore process, Credential Manager asks if the system can automate the logon to Infineon TPM User Authentication. If the user selects Yes, the location of SPEmRecToken is automatically displayed in the text box.
Even though this location is correct, the following error message is displayed: No Emergency Recovery Token is provided. Select the token location the Emergency Recovery Token should be retrieved from.
Solution: Click the Browse button on the screen to select the location, and the restore process proceeds.

Short description: Multiple-User PSDs do not function in a fast-user-switching environment.
Details: This error occurs when multiple users have been created and given a PSD with the same drive letter. If an attempt is made to fast-user-switch between users when the PSD is loaded, the second user's PSD is unavailable.
Solution: The second user's PSD will be available only if it is reconfigured to use another drive letter or if the first user is logged off.

Short description: The PSD is disabled and cannot be deleted after formatting the hard drive on which the PSD was generated.
Details: The PSD icon is still visible, but the error message drive is not accessible is displayed when the user attempts to access the PSD. The user is not able to delete the PSD and the following message is displayed: your PSD is still in use, please be sure that your PSD contains no open files and is not accessed by another process. The user must reboot the system in order to delete the PSD and it is not loaded after reboot.
Solution: As designed: If a customer force-deletes or disconnects from the storage location of the PSD data, the Embedded Security PSD drive emulation continues to function and will produce errors based on lack of communication with the missing data.
Resolution: After the next reboot, the emulations fail to load and the user can delete the old PSD emulation and create a new PSD.

Short description: An internal error is detected when the user is restoring from the Automatic Backup Archive.
Details: In Embedded Security, if the user clicks the Restore under Backup option to restore from the automatic backup Archive and then selects SPSystemBackup.xml, the Restore Wizard fails and the following error message is displayed: The selected Backup Archive does not match the restore reason. Please select another archive and continue.
Solution: If the user selects SpSystemBackup.xml when the SpBackupArchive.xml is required, the Embedded Security Wizard fails and displays the following message: An internal Embedded Security error has been detected. The user must select the correct XML file to match the required reason.
The processes are working as designed and function properly; however, the internal Embedded Security error message is not clear and should state a more appropriate message. HP is working to enhance this in future products.

Short description: The security system exhibits a restore error with multiple users.
Details: During the restore process, if the administrator selects users to restore, the users not selected are not able to restore the keys when trying to restore at a later time. A decryption process failed error message is displayed.
Solution: The non-selected users can be restored by resetting the TPM, running the restore process, and selecting all users before the next default daily backup runs. If the automated backup runs, it overwrites the non-restored users and their data is lost. If a new system backup is stored, the previous unselected users cannot be restored.
Also, the user must restore the entire system backup. An Archive Backup can be restored individually.

Short description: Resetting System ROM to default hides the TPM.
Details: Resetting the system ROM to default hides the TPM from Windows. This does not allow the security software to operate properly and makes TPM-encrypted data inaccessible.
Solution: Unhide the TPM in BIOS: Open the Computer Setup (F10) Utility, navigate to Security > Device security, and then modify the field from Hidden to Available.
Short description: Automatic backup does not work with the mapped drive.
Details: When an administrator sets up Automatic Backup in Embedded Security, it creates an entry in Windows > Tasks > Scheduled Task. This Windows Scheduled Task is set to use NT AUTHORITY\SYSTEM for rights to execute the backup. This works properly to any local drive.
When the administrator instead configures the Automatic Backup to save to a mapped drive, the process fails because the NT AUTHORITY\SYSTEM does not have the rights to use the mapped drive.
If the Automatic Backup is scheduled to occur upon logon, the Embedded Security TNA Icon displays the following message: The Backup Archive location is currently not accessible. Click here if you want to backup to a temporary archive until the Backup Archive is accessible again. If the Automatic Backup is scheduled for a specific time, however, the backup fails without displaying notice of the failure.
Solution: The workaround is to change the NT AUTHORITY\SYSTEM to (computer name)\(admin name). This is the default setting if the Scheduled Task is created manually.
HP is working to provide future product releases with default settings that include computer name\admin name.

Short description: Embedded Security cannot be temporarily disabled in the Embedded Security GUI.
Details: The current 4.0 software was designed for HP Notebook 1.1B implementations, as well as supporting HP Desktop 1.2 implementations. This option to disable is still supported in the software interface for TPM 1.1 platforms.
Solution: HP will address this issue in future releases.
Device Access Manager for HP ProtectTools
Short description: Users have been denied access to devices within Device Access Manager, but the devices are still accessible.
Details: Simple Configuration and/or Device Class Configuration have been used within Device Access Manager to deny users access to devices. Despite being denied access, users can still access the devices.
Solution: Verify that the HP ProtectTools Device Locking service has started.
As an administrative user, browse to Control Panel > Administrative Tools > Services. In the Services window, search for the HP ProtectTools Device Locking/Auditing service. Be sure that the service is started and that the startup type is Automatic.

Short description: A user has unexpected access to a device or a user is unexpectedly denied access to a device.
Details: Device Access Manager has been used to deny users access to some devices and allow users access to other devices. When the user is using the system, they can access devices they believe Device Access Manager has denied and are denied access to devices they believe Device Access Manager should allow.
Solution: The Device Class Configuration within Device Access Manager should be used to investigate the user's device settings.
Click Security Manager, click Device Access Manager, and then click Device Class Configuration. Expand the levels in the Device Class tree and review the settings applicable to the user. Check for any "Deny" permissions that may be set on the user or any Windows Group of which they may be a member, e.g., Users, Administrators.

Short description: Allow or deny—which takes precedence?
Details: Within Device Class Configuration, the following configuration has been set:
● The Allow permission has been granted to a Windows group (e.g., BUILTIN\Administrators) and the Deny permission has been granted to another Windows group (e.g., BUILTIN\Users) at the same level in the device class hierarchy (e.g., DVD/CD-ROM Drives).
If a user is a member of both those groups (e.g., Administrator), which takes precedence?
Solution: The user is denied access to the device. Deny takes precedence over Allow.
Access is denied due to the way in which Windows works out the effective permission for the device. One group is denied, and one group is allowed, but the user is a member of both groups. The user is denied because denying access is given precedence over allowing access.
One workaround is to deny the Users group at the DVD/CD-ROM Drives level and to allow the Administrators group at the level below DVD/CD-ROM Drives.
A further workaround would be to have specific Windows groups, one for allowing access to DVD/CD and one for denying access to DVD/CD. Specific users would then be added to the appropriate group.
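The precedence question and both workarounds above can be checked against a small model of how a Device Class tree resolves Allow/Deny group entries. This is an added example, not HP ProtectTools code, and the resolution rule it implements is an assumption drawn from the table: at any one level a Deny for any of the user's groups beats an Allow, and an explicit entry at a more specific (lower) level overrides what is inherited from the level above, which is what makes the first workaround succeed. The group names come from the table; the device names, the "DVD-Allow"/"DVD-Deny" groups and the default of Allow when nothing matches are constructed for the example. The model generalises the table's two-level case to a tree of any depth.

```python
"""Effective-permission model for a device-class hierarchy with Allow/Deny
group entries. Added example, not HP ProtectTools code; the resolution rule
is an assumption based on the troubleshooting table (Deny beats Allow at one
level; a more specific level overrides the level above)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW = "Allow"
DENY = "Deny"

# Group names as used in the table; device names below are constructed.
ADMINS = "BUILTIN\\Administrators"
USERS = "BUILTIN\\Users"


@dataclass
class DeviceNode:
    """One level in the Device Class tree (a class such as DVD/CD-ROM Drives,
    or an individual device beneath it)."""
    name: str
    parent: Optional["DeviceNode"] = None
    acl: Dict[str, str] = field(default_factory=dict)  # group -> Allow/Deny

    def child(self, name: str) -> "DeviceNode":
        return DeviceNode(name, parent=self)


def effective_access(node: DeviceNode, groups: List[str]) -> Tuple[str, Optional[str]]:
    """Walk from the requested device up to the root. The first level carrying
    an explicit entry for any of the user's groups decides; at that level any
    Deny wins over any Allow. Returns (decision, name of the deciding level).
    With no matching entry anywhere the assumed default is Allow."""
    level: Optional[DeviceNode] = node
    while level is not None:
        hits = [level.acl[g] for g in groups if g in level.acl]
        if hits:
            return (DENY if DENY in hits else ALLOW), level.name
        level = level.parent
    return ALLOW, None


def same_level_conflict() -> Tuple[str, Optional[str]]:
    """Table scenario: Allow for Administrators and Deny for Users at the same
    level; an account in both groups is denied."""
    dvd_class = DeviceNode("DVD/CD-ROM Drives", acl={ADMINS: ALLOW, USERS: DENY})
    drive = dvd_class.child("Constructed DVD-ROM drive")
    return effective_access(drive, [ADMINS, USERS])


def layered_workaround(groups: List[str]) -> Tuple[str, Optional[str]]:
    """First workaround: Deny Users at the class level and Allow Administrators
    one level below, so an administrator's more specific Allow decides while a
    plain user still inherits the class-level Deny."""
    dvd_class = DeviceNode("DVD/CD-ROM Drives", acl={USERS: DENY})
    drive = dvd_class.child("Constructed DVD-ROM drive")
    drive.acl[ADMINS] = ALLOW
    return effective_access(drive, groups)


def dedicated_groups(groups: List[str]) -> Tuple[str, Optional[str]]:
    """Second workaround: purpose-built groups (constructed names), each user
    in exactly one, so no account carries both an Allow and a Deny."""
    dvd_class = DeviceNode("DVD/CD-ROM Drives",
                           acl={"DVD-Allow (constructed)": ALLOW,
                                "DVD-Deny (constructed)": DENY})
    return effective_access(dvd_class.child("Constructed DVD-ROM drive"), groups)


if __name__ == "__main__":
    print("same level, member of both :", same_level_conflict())
    print("layered, administrator     :", layered_workaround([ADMINS, USERS]))
    print("layered, plain user        :", layered_workaround([USERS]))
    print("dedicated, allow group     :", dedicated_groups([USERS, "DVD-Allow (constructed)"]))
```

Running the module prints the four outcomes the table describes: the same-level conflict resolves to Deny, the layered configuration allows the administrator but still denies a plain user, and the dedicated-group layout gives each user exactly the outcome of the one group they belong to. When reviewing a real configuration, the point to carry over is that a user's effective access depends on every group membership, not only on the entry that was last edited.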
Miscellaneous

Software Impacted—Short description: Security Manager—Warning received: The security application can not be installed until the HP Protect Tools Security Manager is installed.
Details: All security applications such as Embedded Security, Java Card Security, and biometrics are extendable plug-ins for the Security Manager interface. Security Manager must be installed before an HP-approved security plug-in can be loaded.
Solution: The Security Manager software must be installed before installing any security plug-in.

Software Impacted—Short description: TPM Firmware Update Utility for models containing Broadcom-enabled TPMs—The tool provided through the HP support Web site reports ownership required.
Details: This is the expected behavior of the TPM firmware utility for models containing Broadcom-enabled TPMs.
The firmware upgrade tool allows the user to upgrade the firmware, with or without an endorsement key (EK). When there is no EK, no authorization is required to complete the firmware upgrade.
When there is an EK, a TPM owner must exist, since the upgrade requires owner authorization. After the successful upgrade, the platform must be restarted for the new firmware to take effect.
If the BIOS TPM is factory-reset, ownership is removed and firmware update capability is prevented until the Embedded Security Software platform and User Initialization Wizard have been configured.
NOTE: A reboot is always recommended after performing a firmware update. The firmware version is not identified correctly until after the reboot.
Solution:
1. Reinstall Embedded Security Software.
2. Run the Platform and User Configuration Wizard.
3. Be sure that the system contains the Microsoft .NET Framework 1.1 installation:
   a. Click Start.
   b. Click Control Panel.
   c. Click Add or remove programs.
   d. Be sure that Microsoft .NET Framework 1.1 is listed.
4. Check the hardware and software configuration:
   a. Click Start.
   b. Click All Programs.
   c. Click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
   d. Select Embedded Security from the tree menu.
   e. Click More Details. The system should have the following configuration:
      ● Product version = V4.0.1
      ● Embedded Security State: Chip State = Enabled, Owner State = Initialized, User State = Initialized
      ● Component Info: TCG Spec. Version = 1.2
      ● Vendor = Broadcom Corporation
      ● FW Version = 2.18 (or greater)
      ● TPM Device driver library version 2.0.0.9 (or greater)
5. If the FW version does not match 2.18, download and update the TPM firmware. The TPM Firmware SoftPaq is a support download available on the HP Web site at http://www.hp.com.