Limitations for Hardware Password Manager version 1.0

 

Select the symptom that best matches the problem you are experiencing:

Trying to un-enroll using a different intranet account than was used to enroll
HPM server does not detect when a system is deregistered offline (e.g. via BIOS setup)
No HPM single sign-on when using SafeGuard Easy or SafeGuard Enterprise (XP only)
Registering in HPM triggers Bitlocker recovery mode (Vista only)
The user is not notified at the completion of a "Deregister PC" remote action
Cannot set policy settings based on HPM groups
Cannot share HPM registered hard disks between systems
LTAPI.DLL not found error occurs during agent installation
HPM Single Sign-on fails when Windows policy requiring "CTRL+ALT+DEL" is enabled
Several files considered high risk by Antivirus software during client installation
All hard drive passwords (HDPs) are the same within a registered HPM system
Problems using blank passwords on Vista
User can deregister a system that they are not enrolled on
Client Application cannot detect changes to the Hardware Account password
HPM registration wizard does not prompt to set a Windows password if it is blank
Installation issues with SafeGuard Easy (SGE) and SafeGuard Enterprise (SGN) on Windows XP
Cannot add full BIOS version into the BIOS version exclude list
Received the error message "PSI.DLL is missing"
Changing keyboard language after the system is registered in HPM is not supported
Can create two hardware accounts associated with one Windows account
Loss of network connectivity during registration may result in wrong status on server
Improper message when changing Windows password after IT Administrator changes policy for sync'ing Windows and Hardware accounts
Maximum length for Intranet account credentials is 63 bytes each for the username and password

 

Symptom

The error message displayed does not clearly inform the user why the un-enroll failed.

When User A (enrolled using Intranet Account A) tries to un-enroll User B (enrolled using Intranet Account B), the error message displayed is "Your Administrator has not given you permission to access this system or one of the hard disks installed in this system". A more appropriate message would be something more along the lines of "You cannot un-enroll a User using a different intranet account than the one used to enroll that User".

Affected Software Level
  • HPM Client Application
Solution

None

Defect #: 1710


Symptom

Systems that are deregistered offline still show up as registered in the ThinkManagement Console.

When a system is deregistered by disabling HPM in BIOS setup, the HPM server is not informed that the system was deregistered. Thus, the HPM server continues to show the system as registered. If the Administrator updates a policy setting or targets a remote action to the deregistered system, the status of the action will be left in a pending state until the system is re-registered in HPM. When remote actions for systems are left in a pending state for long periods of time, that is an indication that the system may not be registered anymore, or has not been connected to the intranet for a long time.

Note: users cannot deregister in BIOS setup unless they are a member of the "Service Tech" or "Administrator" group (because the SVP is required and it is only released for Service Tech and Administrator users).

Affected Software Level
  • HPM Server
Solution

If the user re-registers the system after deregistering in BIOS setup, the server will sync back up with the client and will show the correct registration status. If the Administrator has retired that system and no longer expects it to be registered, they can delete the system out of the HPM server.

Defect #: 1749, 2172


Symptom

On Windows XP, HPM single sign-on (auto-logon to Windows account) does not work when SafeGuard Easy or SafeGuard Enterprise is in use.

HPM single sign-on does not work on Windows XP because the SafeGuard Easy or SafeGuard Enterprise GINA is not aware of the HPM GINA. The order of installation does not affect this behavior either way.

Affected Software Level
  • HPM Client Application
  • SafeGuard Easy or SafeGuard Enterprise
Solution

None

Defect #: 2110


Symptom

Bitlocker recovery mode is triggered if you register a system in HPM that has Bitlocker encryption in use.

If the user first enables BitLocker encryption, then registers in HPM, the fact that BIOS passwords are set will cause BitLocker to fail its integrity check (BIOS passwords are validated within PCR1) and cause the BitLocker Recovery Mode to start on the next boot.

Affected Software Level
  • HPM Client Application
Solution

Enroll in HPM prior to enabling Bitlocker encryption.

Defect #: 2170
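
The following sketch is an added illustration, not Lenovo or Microsoft code. It models the TPM 1.2 extend operation to show why a key sealed before the BIOS passwords are set can no longer be released afterwards, and why enrolling first avoids the problem. It assumes PCR1 is part of the validation profile the volume key is sealed to; the measurement strings and the `seal`/`unseal` helpers are constructed stand-ins.

```python
import hashlib
import hmac

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA1(PCR_old || SHA1(event))."""
    return hashlib.sha1(pcr + hashlib.sha1(event).digest()).digest()


def measure_pcr1(config_events) -> bytes:
    """Replay the firmware's configuration measurements from the reset value."""
    pcr = bytes(PCR_SIZE)
    for event in config_events:
        pcr = extend(pcr, event)
    return pcr


def seal(volume_key: bytes, pcr1: bytes) -> dict:
    """Toy stand-in for TPM sealing: record the PCR value the key is bound to."""
    return {"key": volume_key, "pcr1": pcr1}


def unseal(blob: dict, current_pcr1: bytes):
    """Release the key only if the platform measures to the sealed-to value."""
    if hmac.compare_digest(blob["pcr1"], current_pcr1):
        return blob["key"]
    return None


def boot(blob: dict, config_events) -> str:
    """Outcome of a boot with the given platform configuration."""
    key = unseal(blob, measure_pcr1(config_events))
    return "normal boot" if key is not None else "recovery mode"


# Constructed measurement strings; real firmware event data differs (assumption).
CONFIG_BEFORE_HPM = [b"setup:defaults", b"supervisor-password:none",
                     b"hard-disk-password:none"]
CONFIG_AFTER_HPM = [b"setup:defaults", b"supervisor-password:set",
                    b"hard-disk-password:set"]
VOLUME_KEY = b"constructed-volume-key"


def bitlocker_then_hpm() -> str:
    """Key sealed before registration, first boot after registration."""
    blob = seal(VOLUME_KEY, measure_pcr1(CONFIG_BEFORE_HPM))
    return boot(blob, CONFIG_AFTER_HPM)


def hpm_then_bitlocker() -> str:
    """Key sealed after registration, so it is bound to the new PCR1 value."""
    blob = seal(VOLUME_KEY, measure_pcr1(CONFIG_AFTER_HPM))
    return boot(blob, CONFIG_AFTER_HPM)


if __name__ == "__main__":
    print("BitLocker first, then HPM:", bitlocker_then_hpm())
    print("HPM first, then BitLocker:", hpm_then_bitlocker())
```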


Symptom

When a "Deregister PC" remote action completes, the user is not notified that the operation completed successfully.

No prompt is shown to indicate that the system deregistered successfully after the deregister operation completes. With regard to remote actions, the design of the HPM client-server relationship is such that the server is the driver of all operations and the client has no idea what operation the server is actually doing. The client simply requests "process remote actions" and some time later the server returns a "completion" return code. What happens in between is completely up to the server and the client has NO clue what operations (if any) are being processed. Thus, the only options are to display a message ALWAYS (even if no remote actions exist) indicating some remote operation completed, or to NEVER display a message. Given remote actions are Admin initiated operations (which may or may not require User interaction), it is best to NEVER display a message rather than always displaying a message.

Affected Software Level
  • HPM Client Application
Solution

None.

Defect #: 2180


Symptom

The Administrator cannot customize policy settings based on user groups.

The LANDesk server currently allows the Administrator to assign different roles for a specific HPM group. However, the Administrator cannot customize policy settings for a specific HPM group (e.g. common passwords, client policy settings, emergency admin account, etc). HPM policy settings are applied globally (to all registered systems/users).

Affected Software Level
  • HPM Server
Solution

None.

Defect #: 2182


Symptom

If a user moves a hard disk from one HPM registered system to another, User Login will not work since the new system does not know the password for the hard disk.

Hard disks with passwords set cannot be shared between registered systems. For the first release, hard disk passwords are handled as follows:

  1. To allow for consistency between desktop and mobile, all HDPs are the same within a given system (even though mobile BIOS could support different HDPs within a system).
  2. HDPs are different for each system (unless a common HDP is set via policy).
  3. Assuming #1 and #2 are true, it is impossible to share a HDD on different registered systems (since the assumption is the HDP is common between all drives on system A and when moving it to system B, the HDP stored in the vault differs).
Affected Software Level
  • HPM Server
Solution

Only systems can be shared between users through the Admin Console (not HDDs). Thus, if the user wants to share a drive between 2 or more systems, the recommendation is to remove the HDP on that drive (manually through BIOS setup) or remove the drive when initially registering so that an HDP is not set for that drive.

Defect #: 2199


Symptom

HPM client installation fails.

When installing the HPM client, the installation fails with "LTAPI.DLL not found" when firewall software is active.

Affected Software Level
  • HPM Client Application
Solution

As documented in the LANDesk Installation guide, disable

Defect #: 2307


Symptom

When the "Do not require CTRL+ALT+DEL" Windows policy is disabled, HPM single sign-on to Windows will not occur and the user is required to enter their Windows credentials.

Single sign-on to Windows will not work if the Windows policy setting that requires the user to "Press Ctrl+Alt+Del" to log in is in effect. The "Do not require CTRL+ALT+DEL" security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. When this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows (unless they are using a smart card for Windows logon).

  • Default on domain computers: Disabled.
  • Default on stand-alone computers: Enabled.
Affected Software Level
  • HPM Client Application
Solution

Enable the "Do not require Ctrl+Alt+Delete" Windows policy.

Defect #: 2355


Symptom

Receive Antivirus messages during client installation.

The client agent must be installed with Antivirus & Firewalls disabled. Once installed, these can be re-enabled. This is documented in the LANDesk User's Guide as an installation requirement.

Affected Software Level
  • HPM Client Application
Solution

Disable Antivirus and Firewall protection during client agent installation.

Defect #: 2382


Symptom

All hard drive passwords (HDPs) are the same within a registered HPM system. However, the passwords will differ between systems where policy is set for the HPM server to generate the passwords (e.g. non-common HDPs).

The HPM server will generate the same HDPs for all hard disks attached to a machine during registration (in order to comply with desktop BIOS capabilities).
Note: The MHDP & UHDP may differ for a drive, but all MHDPs will be the same and all UHDPs will be the same across attached drives within a system.

Affected Software Level
  • HPM Client Application
Solution

None

Defect #: 2389


Symptom

When changing your Windows password to a blank password after registering in HPM, the HPM client application does not think the user is registered and prompts the user to enroll again.

Blank passwords cause problems on Vista due to limitations with the CAPI implementation in Vista. For more details on this matter, see:
http://support.microsoft.com/default.aspx/kb/309408

Once this problem occurs, even if the user tries to change their password back to a non-blank value, the situation does not repair itself (user will still be prompted to enroll). The user must deregister (via BIOS setup) and reregister.

Affected Software Level
  • HPM Client Application
Solution

Set Windows policy to NOT allow blank Windows passwords. If there is a strong desire to allow blank Windows passwords, Vista SP2 includes a fix that resolves this problem.

Defect #: 2488


Symptom

A user can perform an Intranet Login and choose to deregister (remove hardware passwords) a system in which they are not enrolled.

When a system is registered via the "one-touch" registration process (only an emergency admin account is created), the user can perform an Intranet Login and see the "Deregister PC" option. Ideally, this option would not be visible by default as it allows a secured PC to be deregistered before any users enroll.

Affected Software Level
  • HPM Client Application
Solution

Administrator can disable the "Deregister PC" from the BIOS menu as a policy setting in the Admin Console. Doing this will prevent the user from seeing the "Deregister PC" option.

Defect #: 2622


Symptom

When policy dictates that Hardware Account and Windows credentials are to be kept in sync, a change to the Vault password via the Intranet Login menu is not detected by the Client application.

The Client Portal cannot update the Windows password as a result of changes to the Vault password. This is because the Client Portal cannot accurately or securely monitor changes to the Vault password once Windows boots (e.g. Client can only know if a password change occurred, but not what the password change actually is). Note: If the user changes their Windows password, the Client application will prompt the user to update their Vault password on the next Windows login.

Affected Software Level
  • HPM Client Application
Solution

Administrators can prevent this from happening if they disable the "Change Hardware Account password" policy setting (BIOS menu setting).

Defect #: 2659


Symptom

HPM registration wizard does not prompt to set a Windows password if it is blank.

Since HPM requires a Windows password in order to register, it is expected that the HPM client would prompt to set a Windows password if one is not set. Instead, the HPM client just doesn't allow the user to click "Next" if their Windows password is blank.

Affected Software Level
  • HPM Client Application
Solution

User should have a Windows password set prior to registering in HPM.

Defect #: 2797


Symptom

SGE or SGN installation fails if HPM client is installed.

If installing SGN or SGE on Windows XP when the HPM client is installed, an error is displayed indicating the Lenovo GINA is active and the installation fails.

Affected Software Level
  • HPM Client Application
  • SafeGuard Easy or SafeGuard Enterprise
Solution

Uninstall the HPM client, reboot the system, install SGE or SGN, reboot again, then reinstall the HPM client.

Defect #: 2855


Symptom

When entering the BIOS version into the BIOS version exclude list for a ThinkCentre system, the last character of the BIOS version cannot be entered into the text box in the Admin Console.

The problem occurs because the HPM server supports a maximum of 8 characters for the BIOS version. ThinkCentre systems have a 9 character BIOS version. This is not likely to pose a problem since exact matches are not required (first 8 characters are matched regardless of the 9th character).

Affected Software Level
  • HPM Server
Solution

None

Defect #: 2889


Symptom

The error message "PSI.DLL is missing" is displayed if the client agent was not installed correctly.

Affected Software Level
  • HPM Client Application
Solution

Uninstall the client agent, reboot, then reinstall the client agent. Make sure the Hardware Password Manager checkbox is selected when installing the client agent (if you wish to use HPM on that system).

Defect #: 2895


Symptom

Changing keyboard language after the system is registered in HPM is not supported.

If the user changes the keyboard language after the system has been registered in HPM, the User Login or Intranet Login in BIOS may fail. This is because the scan code mappings for the keyboard changed. When this occurs, the passwords entered in BIOS may no longer match the expected passwords to unlock the system.

Affected Software Level
  • HPM Client Application
Solution

Change the keyboard settings back to the original language, deregister the system (either through BIOS setup or the Intranet Login menu in BIOS), change the keyboard settings to the new language, then reregister the system.

Defect #: 2905
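
The check below is an added illustration, not part of HPM. It shows which letters of a password map to different scan codes after a layout change and would therefore stop matching at the pre-boot prompt. It assumes the password is compared as scan code set 1 make codes for the keys the user presses under each layout; only letter keys are modelled, shift state is ignored, and the function names are hypothetical.

```python
# Scan code set 1 make codes for the letter keys, keyed by US QWERTY legend.
US_QWERTY = {
    "q": 0x10, "w": 0x11, "e": 0x12, "r": 0x13, "t": 0x14, "y": 0x15,
    "u": 0x16, "i": 0x17, "o": 0x18, "p": 0x19,
    "a": 0x1E, "s": 0x1F, "d": 0x20, "f": 0x21, "g": 0x22, "h": 0x23,
    "j": 0x24, "k": 0x25, "l": 0x26,
    "z": 0x2C, "x": 0x2D, "c": 0x2E, "v": 0x2F, "b": 0x30, "n": 0x31,
    "m": 0x32,
}


def derive(base: dict, overrides: dict) -> dict:
    """Build a layout from a base layout plus the letters that sit elsewhere."""
    layout = dict(base)
    layout.update(overrides)
    return layout


# German QWERTZ swaps Y and Z; French AZERTY moves A/Q, Z/W and M.
DE_QWERTZ = derive(US_QWERTY, {"z": 0x15, "y": 0x2C})
FR_AZERTY = derive(US_QWERTY, {"a": 0x10, "q": 0x1E, "z": 0x11,
                               "w": 0x2C, "m": 0x27})


def to_scancodes(password: str, layout: dict) -> list:
    """Scan codes produced when the password is typed on the given layout."""
    try:
        return [layout[ch] for ch in password.lower()]
    except KeyError as exc:
        raise ValueError(
            f"character {exc.args[0]!r} is outside this letters-only table"
        ) from None


def layout_sensitive_chars(password: str, old: dict, new: dict) -> list:
    """Letters of the password whose scan code differs between two layouts."""
    pairs = zip(password.lower(), to_scancodes(password, old),
                to_scancodes(password, new))
    return sorted({ch for ch, a, b in pairs if a != b})


def preboot_login_ok(password: str, enrolled: dict, current: dict) -> bool:
    """True if typing the password on the current layout reproduces the
    scan codes recorded under the layout in use at registration."""
    return to_scancodes(password, enrolled) == to_scancodes(password, current)


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("lazydog", "hello"):
        print(pw, layout_sensitive_chars(pw, US_QWERTY, DE_QWERTZ),
              preboot_login_ok(pw, US_QWERTY, DE_QWERTZ))
```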


Symptom

This problem occurs when restoring a system from a backup that was taken prior to registering in HPM. When enrolling in HPM, the user's Windows credentials are stored in secure storage within the Windows CAPI keystore. Furthermore, the association between the Windows credential and the Intranet account is maintained.

When restoring a system to a point prior to the user being enrolled in HPM, the CAPI keystore can be lost (since it is stored in the Windows registry) - which means the Windows credentials and associations with the Intranet account are lost even though the system is actually registered. In this case, the client application will continue to prompt you to enroll (if policy indicates to do so). Furthermore, if you try to enroll and you specify the same Intranet Account as you previously used to enroll, the client application will fail indicating you already enrolled. If you were to enroll again using a different Intranet Account, the client application will allow the enroll to complete - now you will have two hardware accounts associated with the same Windows account (which is not recommended).

Affected Software Level
  • HPM Client Application
Solution

To prevent this problem from occurring, make sure your backup is taken AFTER the system is registered in HPM (e.g. when using Rescue and Recovery or any backup tool that performs a full disk backup). If you have already restored your system (e.g. lost your CAPI keystore), deregister and reregister in HPM.

Defect #: 2927 & 3042


Symptom

When registering in HPM, if network connectivity is lost during the suspend/resume operation and the user logs off before network connectivity resumes, the client application completes the registration process normally. However, the HPM server shows that the PC failed to register.

Problem occurs because the client application is unable to report the successful completion of registration to the HPM server.

Affected Software Level
  • HPM Server
Solution

Deregister and reregister in HPM.

Defect #: 2932


Symptom

Received the "Hardware account does not exist" message when updating your Windows password.

This problem occurs under the following conditions:

  1. Server policy is set to not sync Windows and Hardware accounts.
  2. User registers with a Hardware Account name that differs from their Windows username.
  3. The IT Administrator changes server policy to force Windows and Hardware accounts to be sync'ed.
  4. User later changes their Windows password.
  5. The next time the user logs into Windows, the client application notifies the user that their Hardware Account needs to be updated to reflect their new Windows password.
  6. User is prompted for intranet credentials to authenticate with A/D before updating the hardware account.
  7. Client application displays a message indicating the hardware account does not exist. This is because the user's Windows username does not match the hardware account name (it is expected to match based on the current policy setting).
Affected Software Level
  • HPM Client Application
  • HPM Server
Solution

If this problem occurs, the recommendation is to deregister and register in HPM.

To prevent this problem from occurring, the IT Administrator should decide on the desired policy setting for sync'ing Windows and Intranet account credentials and stick with it (do not change after users have registered).

Defect #: 2976


Symptom

Receive the "Incorrect username or password specified." message when the Intranet username and/or password are correct but greater than 63 characters in length.

BIOS allows a maximum 64 byte username and password (including null termination) to be entered when performing an Intranet Login (e.g. 63 characters each for the username and password). Thus, the client application must enforce the same restriction for consistency.

Affected Software Level
  • HPM Client Application
Solution

Set A/D policy to limit Intranet usernames and passwords to maximum 63 characters in length.

Defect #: 2994


  • Alias ID: MIGR-72504
  • Document ID: HT002006
  • Last Updated: 17-6-2014
  • (c) 2014 Lenovo