Scenario 6 - bitlocker – Lenovo ThinkVantage (Hardware Password Manager Deployment Guide) User Manual
Page 43
a completely different set of scan codes on another keyboard type. For example, consider the password
azw. On an English keyboard, the scan code representation is 0x1E, 0x2C, 0x11. However, on a German
keyboard, the scan code representation is 0x1E, 0x15, 0x11.
There are 3 keyboard types used to support different languages:
• French, Belgian
• German, Swiss, Hungary, Poland, Czechoslovakia, Slovenia, Slovakia
• All other languages
When deploying hardware passwords from the server, such as POP, SVP and HDP, the server converts the
ASCII text to scan codes based on the keyboard type of the target system. These passwords (represented
by scan codes) are sent to the client to be set in the hardware.
Changing keyboard types is not supported for manual entry of passwords. If a user wants to change
keyboard types, the best practice is to do this:
1. Deregister from Hardware Password Manager.
2. Change the keyboard.
3. Reregister in Hardware Password Manager.
Scenario 5 - Handling enrollment from multiple boot partitions
This scenario can occur when a user registers and enrolls on one boot partition (such as Vista), and wants to
enroll in Hardware Password Manager on a second boot partition (such as XP). In this case, the Hardware
Password Manager Client code should be installed in each boot partition. The user should register and enroll
in Hardware Password Manager from one boot partition. After being enrolled, Hardware Password Manager
functions normally in all boot partitions where the Hardware Password Manager Client code is installed
assuming the Windows login credentials are the same in all boot partitions. If the Windows login credentials
are different, the user will have to manually enter their Windows credentials in the Windows Gina/CP when
using boot partitions other than the one used to register in Hardware Password Manager.
Scenario 6 - BitLocker
BitLocker and Hardware Password Manager are compatible, which means a client enrolled in Hardware
Password Manager (for BIOS password protection - POP, SVP, HDPs) can further protect their data using
BitLocker (logical volume encryption). BitLocker enrollment and key retrieval is handled the same way as is
done today by customers (outside the scope of Hardware Password Manager).
The best practice when using both technologies is to enroll in Hardware Password Manager prior to enabling
BitLocker. If the user first enables BitLocker, then registers in Hardware Password Manager, the fact that
BIOS passwords are set will cause BitLocker to fail its integrity check (BIOS passwords are validated within
PCR1) and cause the BitLocker Recovery Mode to start. Hardware Password Manager will warn the user
of this issue during the registration flow if BitLocker is enabled. The user can choose to continue with the
registration or cancel at this point. If the user continues, then BitLocker Recovery Mode will be executed on
the next start since the integrity check on BIOS passwords (PCR1) will have failed.
Chapter 6
.
Scenarios
35