Manual
Table Of Contents
- Preface
- Chapter 1. Overview
- Chapter 2. Installation
- Chapter 3. Working with Client Security Solution
- Chapter 4. Working with ThinkVantage Fingerprint Software
- Chapter 5. Working with Lenovo Fingerprint Software
- Chapter 6. Best Practices
- Deployment examples for installing Client Security Solution
- Switching Client Security Solution modes
- Corporate Active Directory rollout
- Standalone Install for CD or script files
- System Update
- System Migration Assistant
- Generating a certificate using key generation in the TPM
- Using USB fingerprint keyboards with 2008 ThinkPad notebook computer models (R400/R500/T400/T500/W500/X200/X301)
- Appendix A. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models
- Appendix B. Synchronizing password in Client Security Solution after the Windows password is reset
- Appendix C. Using Client Security Solution on a reinstalled Windows operating system
- Appendix D. Using the TPM on ThinkPad notebook computers
- Appendix E. Notices
- Glossary

Appendix D. Using the TPM on ThinkPad notebook computers
The main use case for the TPM is the BitLocker feature that is included with certain versions of the Microsoft Windows Vista and Windows 7 operating systems. This appendix provides answers to the following frequently asked questions when deploying BitLocker in Windows environments.
• "How to deploy BitLocker remotely?" on page 73
• "How does TPM lockout work?" on page 73
How to deploy BitLocker remotely?
Using the standard Windows tools to activate the TPM, such as the manage-bde.exe file or the TPM control panel, requires a complete shutdown of the computer. Then, when you turn on the computer again, you must press a key to confirm the action. This type of interaction makes it impossible to deploy BitLocker in a remote and unattended way.
There are two distinct status types related to the TPM: Enabled and Activated. An enabled TPM is not necessarily activated, just like an activated TPM is not necessarily enabled. The TPM must be enabled and activated before using BitLocker. ThinkPad notebook computers are always shipped with the TPM in the enabled and deactivated status. Therefore, you should set the TPM status to activated to deploy BitLocker successfully.
Since 2008, ThinkPad notebook computers have provided Windows Management Instrumentation (WMI) to change any BIOS setting (including the activated status of the TPM). WMI can be scripted and executed remotely, and does not require any physical interaction with the computer.
To change the BIOS setting, do the following:
1. Go to the Web site at http://support.lenovo.com/en_US/detail.page?LegacyDocID=MIGR-68488.
2. Click Sample Scripts for BIOS Deployment Guide to download the script.zip file. Then extract the zip file.
3. Type cscript.exe SetConfig.vbs SecurityChip Active in the Command Prompt window to execute the SetConfig.vbs file. If you are using the BIOS supervisor password, type cscript.exe SetConfigPassword.vbs SecurityChip Active in the Command Prompt window to execute the SetConfigPassword.vbs file instead.
4. Restart the computer twice. The first restart changes the BIOS setting, and the second restart makes the new BIOS setting take effect.
Note: The above procedure activates only the TPM on computers where the TPM already is enabled (for example, models in the factory default status). If you have disabled the TPM by using Windows tools, such as the manage-bde.exe file or the TPM control panel, you must re-enable the TPM first by using the same method that was used to disable it.
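The following PowerShell script is an added example, not part of the Lenovo manual or its sample scripts. It ties together the two points above: it first reads the Enabled/Activated state the text distinguishes (through the Win32_Tpm class Windows exposes in the root\cimv2\Security\MicrosoftTpm namespace), refuses to proceed when the chip is disabled (the case the note says WMI cannot fix), and otherwise performs the same SecurityChip,Active change the SetConfig.vbs step describes, with or without a supervisor password. The Lenovo class names Lenovo_BiosSetting, Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings in root\wmi and their "Name,Value[,password,ascii,us]" argument form are assumed from Lenovo's BIOS deployment guide and are not on this page; the $Computer and $SupervisorPassword parameters are the script's own.

```powershell
# Added example (not from the Lenovo manual or its sample scripts).
# Assumptions, as stated in the lead-in:
#   - Win32_Tpm in root\cimv2\Security\MicrosoftTpm exposes IsEnabled() and IsActivated(),
#     each returning an object whose IsEnabled / IsActivated boolean carries the state.
#   - Lenovo_BiosSetting, Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings live in root\wmi
#     and accept "Name,Value" strings (plus ",password,ascii,us" when a supervisor password is set).
#   - The setting name and value "SecurityChip" / "Active" are those used on the page.
#   - $Computer is reachable over DCOM/WMI and the caller is a local administrator there.
param(
    [string]$Computer = 'localhost',
    [string]$SupervisorPassword = ''   # leave empty when no BIOS supervisor password is set
)

function Get-TpmState {
    param([string]$Computer)
    $tpm = Get-WmiObject -ComputerName $Computer `
        -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw "No TPM device is visible to Windows on $Computer" }
    # Enabled and Activated are independent, as the text explains.
    [pscustomobject]@{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
    }
}

function Get-LenovoBiosSetting {
    param([string]$Computer, [string]$Name)
    # CurrentSetting is a "Name,Value" string, for example "SecurityChip,Inactive".
    Get-WmiObject -ComputerName $Computer -Namespace 'root\wmi' -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -like "$Name,*" } |
        ForEach-Object { ($_.CurrentSetting -split ',')[1] }
}

function Set-LenovoBiosSetting {
    param([string]$Computer, [string]$Name, [string]$Value, [string]$Password)
    $setter = Get-WmiObject -ComputerName $Computer -Namespace 'root\wmi' -Class Lenovo_SetBiosSetting
    $saver  = Get-WmiObject -ComputerName $Computer -Namespace 'root\wmi' -Class Lenovo_SaveBiosSettings
    # Mirrors the two sample scripts: SetConfigPassword.vbs passes the supervisor password,
    # SetConfig.vbs does not. Both WMI methods report "Success" in their return property.
    if ($Password) {
        $set  = $setter.SetBiosSetting("$Name,$Value,$Password,ascii,us")
        $save = $saver.SaveBiosSettings("$Password,ascii,us")
    } else {
        $set  = $setter.SetBiosSetting("$Name,$Value")
        $save = $saver.SaveBiosSettings()
    }
    if ($set.return -ne 'Success' -or $save.return -ne 'Success') {
        throw "BIOS change failed on ${Computer}: set=$($set.return) save=$($save.return)"
    }
}

$state = Get-TpmState -Computer $Computer
Write-Host ("{0}: TPM Enabled={1} Activated={2}" -f $Computer, $state.Enabled, $state.Activated)

if (-not $state.Enabled) {
    # WMI can only flip the activated status; a disabled chip must be re-enabled
    # with the same tool that disabled it (see the note above).
    throw "TPM is disabled on $Computer; re-enable it first, then rerun"
}
if ($state.Activated) {
    Write-Host "TPM is already activated on $Computer; nothing to do"
    return
}

$current = Get-LenovoBiosSetting -Computer $Computer -Name 'SecurityChip'
Write-Host "SecurityChip is currently '$current'; requesting 'Active'"
Set-LenovoBiosSetting -Computer $Computer -Name 'SecurityChip' -Value 'Active' -Password $SupervisorPassword
Write-Host "Change queued. Restart $Computer twice, then rerun this script to confirm Activated=True"
```

The check at the end is deliberately a rerun rather than an immediate read-back: as step 4 says, the first restart applies the BIOS change and the second makes it take effect, so Win32_Tpm only reports Activated=True after both.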
How does TPM lockout work?
One of the core security features of the TPM is to prevent "hammering," that is, the attempt to guess TPM passwords in an automated way. Each TPM implements an anti-hammering method, and when an attack is detected, the TPM enters lockout mode, which means that further password guesses are ignored until the lockout mode ends. However, the Trusted Computing Group (the organization that defines TPM behavior) failed to define a standard for TPM lockout, so each TPM manufacturer has developed its own implementation for lockout. Lenovo has used TPMs from the following four different vendors:
© Copyright Lenovo 2008, 2011