HP ProtectTools password guidelines - White Paper
6
Exceptions
Windows Input Method Editor (IME) is not supported
WARNING
When HP ProtectTools is deployed, passwords entered with
Windows IME will be rejected.
Windows features an IME that allows a user to compose thousands of complex characters and symbols,
such as the many Japanese or Chinese characters, using a standard keyboard. IME is an OS
component that extends the capability of the keyboard, but it is not a supported keyboard layout that
can be used to enter a password at the Preboot Security or Drive Encryption login screens. Therefore,
any password typed with an IME is rejected by the ProtectTools password filtering logic.
For example, in some Japanese installations of Windows XP, the default IME is called “Microsoft IME
Standard 2002.”
1
Because this IME is not a keyboard layout that can be used during the password
prompt at the Preboot Security or Drive Encryption login screens, the password typed with this IME in
Windows is rejected by ProtectTools. The solution is to switch to a supported keyboard layout, such as
Microsoft® IME for Japanese (despite its IME designation) or the Japanese keyboard layout itself, both
of which translate to keyboard layout 00000411. Another IME that actually translates to keyboard
layout 00000411 is the “Office 2007 IME” for Japanese
2
.
Password changes using different keyboard layouts
There are potential issues if a user initially sets up a password using one keyboard layout and then
changes the password using a different keyboard layout. In general, the password filtering logic
attempts to determine the user‟s current keyboard layout and uses this keyboard layout to update the
password token information in both the Preboot Security and Drive Encryption authentication domains.
If the user enters a character that exists on the latter keyboard but not on the former, the password
change will be accepted in Drive Encryption but it will be rejected in the BIOS.
A simple solution to this problem is to remove the user in question from HP ProtectTools by running the
HP ProtectTools Administrative Console. After ensuring that the desired keyboard layout is selected in
the OS, add the user again through the Administrative Console. This allows the Preboot Security and
Drive Encryption authentication domains to store the desired keyboard layout, and allows passwords
that are typed on the stored keyboard layout to be properly typed at the login screens for either
domain.
Another potential issue is the use of different keyboard layouts that can produce similar characters. For
example, both the U.S. International keyboard layout (20409) and the Latin American keyboard layout
(80A) can produce the character é although different keystroke sequences might be used. If a password
is initially set with the Latin American keyboard layout, the Latin American keyboard layout is set in the
BIOS, even if the password is subsequently changed using the U.S. International keyboard layout.
1
This name is different from the “Common Name in Microsoft Windows Vista” shown in Table 1 because Windows maps some
IMEs to a keyboard layout. In such cases, the IME is supported by HP ProtectTools because the underlying keyboard layout is
defined, as designated by the Code (hex) column in Table 1.
2
The use of the terms “IME” and “Input Method Editor” by Microsoft or a third party can be confusing because the input method
could be a keyboard layout instead of an IME. However, the software always looks at the hexadecimal code representation to
determine if an IME maps to a supported keyboard layout. Thus, if an IME maps to a supported keyboard layout, HP
ProtectTools can support the configuration.