
The following diagram provides the structure for the motherboard swap - take ownership:
[Figure 3. Motherboard Swap - Take Ownership. Diagram elements: Trusted Platform Module; System Leaf Private/Public Key; Store Leaf Private/Public Key; System Base Private/Public Key (decrypted via derived AES key); CSS Admin PW/PP, One-Way Hash (if passphrase, loop n times), System Base AES Protection Key (derived via output of hash algorithm).]
As each user logs on to the system, the User Base Key is automatically decrypted through the User Base AES Protection Key derived from user authentication and imported to the new SRK created through the Client Security Solution Administrator. The following diagram provides the structure for the motherboard swap - enroll user:
To log in a second user after the chip has been cleared or after you replace the motherboard, you must log in as the master administrator. The master administrator will be prompted to restore the keys. Once the key restoration has been completed, use Policy Manager to disable the Client Security Windows logon. The remaining users will be able to restore their respective keys. Once all secondary users have restored their keys, the master administrator can enable the Client Security Solution Windows logon feature.
The following diagram provides the structure for the motherboard swap - enroll user:
[Figure 4. Motherboard Swap - Enroll User. Diagram elements: Trusted Platform Module; Storage Root Private/Public Key; User Leaf Private/Public Key; Windows PW AES Key; PW Manager AES Key; User Base Private/Public Key (decrypted via derived AES key); User PW/PP, One-Way Hash (if passphrase, loop n times), User Base AES Protection Key (derived via output of hash algorithm).]
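The restore path described above (PW/PP, one-way hash, Base AES Protection Key, then import under the new SRK), modelled as an added example that is not Client Security Solution code. Assumptions: SHA-256 as the hash, n = 1000, a hash-based encrypt-then-MAC construction standing in for AES, and the SRK modelled as a random symmetric key rather than a TPM-resident key pair; all function names are hypothetical.

```python
import hashlib
import hmac
import os

HASH_ROUNDS = 1000  # "n" in the figures; the page gives no value (assumed)

def derive_protection_key(secret: str, is_passphrase: bool, n: int = HASH_ROUNDS) -> bytes:
    """One-way hash of the PW/PP; a passphrase is hashed n times in total."""
    digest = hashlib.sha256(secret.encode("utf-8")).digest()  # SHA-256 is assumed
    for _ in range(n - 1 if is_passphrase else 0):
        digest = hashlib.sha256(digest).digest()
    return digest  # plays the role of the Base AES Protection Key

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the AES step (the standard library has no AES): encrypt-then-MAC."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a wrong PW/PP fails instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password/passphrase or damaged key archive")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def restore_after_swap(archive: bytes, secret: str, is_passphrase: bool,
                       new_srk: bytes) -> bytes:
    """Decrypt the archived base key with the derived key, re-wrap it under the new SRK."""
    base_key = unwrap(derive_protection_key(secret, is_passphrase), archive)
    return wrap(new_srk, base_key)

if __name__ == "__main__":
    pp = "constructed admin passphrase"          # constructed sample input
    archive = wrap(derive_protection_key(pp, True), b"constructed base private key")
    srk = os.urandom(32)                         # new SRK after the swap (modelled)
    print(unwrap(srk, restore_after_swap(archive, pp, True, srk)))
```

In this model the archived base key is recoverable from the PW/PP alone, so after a swap its protection rests on that secret and the hash loop rather than on the TPM.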
24 Client Security Solution 8.3 Deployment Guide