HP dc5750 - Microtower PC User Manual page 73

Software Impacted—
Short description
HP ProtectTools * General
—Unrestricted access or
uncontrolled administrator
privileges pose security
risk.
BIOS and OS Embedded
Security password are out
of synch.
Only one user can log on
to the system after TPM
preboot authentication is
enabled in BIOS.
User has to change PIN to
make TPM preboot work
after a TPM factory reset.
Power-on
authentication support
not set to default using
Embedded Security
Reset to Factory
Settings
Security Power-On
Authentication overlaps
BIOS Password during
boot sequence.
The BIOS asks for both
the old and new
passwords through
Computer Setup after
changing the Owner
password in Embedded
Security Windows
software.
ENWW
Details
Numerous risks are possible with
unrestricted access to the client PC:
●
deletion of PSD
● malicious modification of user
settings
●
disabling of security policies and
functions
If user does not validate a new password
as the BIOS Embedded Security
password, the BIOS Embedded Security
password reverts back to the original
embedded security password through
F10 BIOS.
The TPM BIOS PIN is associated with
the first user who initialize the user
setting. If a computer has multiple users,
the first user is, in essence, the
administrator. The first user will have to
give his TPM user PIN to other users to
use to log in.
User has to change PIN or create
another user to initialize his user setting
to make TPM BIOS authentication work
after reset. There is no option to make
TPM BIOS authentication work.
In Computer Setup, the Power-on
authentication support option is not
being reset to factory settings when
using the Embedded Security Device
option Reset to Factory Settings. By
default, Power-on authentication
support is set to Disable.
Power-On Authentication prompts the
user to log on to system using the TPM
password, but, if the user presses F10 to
access the BIOS, Read rights access
only is granted.
The BIOS asks for both the old and new
passwords through Computer Setup
after changing the Owner password in
Embedded Security Windows software.
Solution
Allow Security Manager to complete services loading
message (seen at top of Security Manager window) and
all plug-ins listed in left column. To avoid failure, allow
a reasonable time for these plug-ins to load.
Administrators are encouraged to follow "best
practices" in restricting end-user privileges and
restricting user access.
Unauthorized users should not be granted
administrative privileges.
This is functioning as designed; these passwords can
be re-synchronized by changing the OS Basic User
password and authenticating it at the BIOS Embedded
Security password prompt.
This is functioning as designed; HP recommends that
the customer's IT department follow good security
policies for rolling out their security solution and
ensuring that the BIOS administrator password is
configured by IT administrators for system level
protection.
This is as designed, the factory reset clears the Basic
User Key. The user must change his user PIN or create
a new user to re-initialize the Basic User Key.
The Reset to Factory Settings option disables
Embedded Security Device, which hides the other
Embedded Security options (including Power-on
authentication support). However, after re-enabling
Embedded Security Device, Power-on authentication
support remained enabled.
HP is working on a resolution, which will be provided in
future Web-based ROM SoftPaq offerings.
To be able to write to BIOS, the user must enter the
BIOS password instead of the TPM password at the
Power-on Authentication window.
This is as designed. This is due to the inability of the
BIOS to communicate with the TPM, once the operating
system is up and running, and to verify the TPM pass
phrase against the TPM key blob.
Miscellaneous 67