One-touch registration – Lenovo ThinkVantage (Hardware Password Manager Deployment Guide) User Manual


– enrolled - returns whether the current Windows system user is enrolled in the utility

– enabled - returns whether the utility is enabled in the BIOS program

– show - displays results to the console for all of the above commands

• Return codes:

0 - false

1 - true

2 - error


cmp_util.exe -supported
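
The return codes above do not follow the usual exit-code convention: 0 means false rather than success, and 2 must not be read as true. The PowerShell wrapper below is an added example, not part of the Lenovo guide; it assumes cmp_util.exe is on the PATH and that the enrolled and enabled queries are passed as -enrolled and -enabled, by analogy with -supported.

```powershell
# Added example; not from the Lenovo guide.
# Assumptions: cmp_util.exe is reachable via PATH (or pass -ToolPath), and the
# queries are passed as "-enrolled" / "-enabled", by analogy with "-supported".
function Test-CmpUtil {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('supported', 'enrolled', 'enabled')]
        [string]$Query,
        [string]$ToolPath = 'cmp_util.exe'   # assumed location
    )

    # Run the query and discard console output; only the return code is used.
    & $ToolPath "-$Query" | Out-Null

    # Documented return codes: 0 = false, 1 = true, 2 = error.
    switch ($LASTEXITCODE) {
        0 { return $false }
        1 { return $true }
        2 { throw "cmp_util.exe -$Query reported an error (return code 2)" }
        default { throw "cmp_util.exe -$Query returned undocumented code $LASTEXITCODE" }
    }
}

# Collect the state of the system. An error or an undocumented code stops the
# script instead of being treated as "true".
$state = [ordered]@{}
foreach ($q in 'supported', 'enrolled', 'enabled') {
    try {
        $state[$q] = Test-CmpUtil -Query $q
    }
    catch {
        Write-Error $_
        exit 2
    }
}
$state.GetEnumerator() | ForEach-Object { '{0,-10} {1}' -f $_.Key, $_.Value }
```

In a batch file, "if errorlevel 1" matches both 1 and 2, so compare the return code for equality there as well.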

The behavior of the fingerprint enrollment differs slightly between a Hardware Password Manager registered
system and a non-registered system. For registered systems, the BIOS program prompts for Hardware
Password Manager User Login credentials (Hardware account ID and password) instead of actual hardware
passwords. After verifying the specified user login credentials, the BIOS program obtains the actual
hardware passwords from the hardware account and saves them in the fingerprint device.

Other fingerprint scenarios to consider:

1. User enrolls in Hardware Password Manager after enrolling fingerprints for pre-boot authentication (hardware passwords are set)

In this scenario, the user has already set a POP and has enrolled for pre-boot fingerprint authentication. The Client Portal treats the scenario the same as when any pre-boot passwords are set prior to registering in Hardware Password Manager. In this case, the Client Portal instructs the user to remove all hardware passwords.

2. User enrolls in Hardware Password Manager after enrolling fingerprints for pre-boot authentication (hardware passwords are cleared)

In this scenario, the user has already enrolled for pre-boot fingerprint authentication but has manually cleared the POP and HDP (as requested in the previous scenario). The system starts and the user can enroll with Hardware Password Manager. However, the next time the user starts the system and swipes their finger, the BIOS program retrieves the old password or passwords from the fingerprint device and determines that they are not valid. The BIOS program then prompts for user login credentials. If the user is validated with their hardware account, the hardware passwords are retrieved from the system hardware account by the BIOS program and the passwords are validated. If they are confirmed, the new passwords are stored in the fingerprint device automatically.

Safe Guard Easy/Safe Guard Enterprise compatibility

In environments where the Safe Guard Easy/Safe Guard Enterprise utility is used, the Hardware Password
Manager client must be installed after the Safe Guard Easy/Safe Guard Enterprise utility.

There is also a limitation where the Hardware Password Manager single sign-on feature does not work when
the Safe Guard Easy/Safe Guard Enterprise utility is installed. Thus, the user is not automatically logged into
the Windows operating system when the user performs a normal Hardware Password Manager user login.

One-touch registration

As an administrator, you can register your systems with Hardware Password Manager to protect them from
unauthorized users during the deployment and distribution process. To do this, an administrator
pre-registers all of their systems in the Hardware Password Manager server with a common
local administrator account. Completing the process requires a single manual step (one-touch); this step is
required to prevent denial of service attacks.

