Copyright Lenovo; Chapter 5. Deployment; Fingerprint Integration - Lenovo ThinkCentre M58 Deployment Manual

Chapter 5. Deployment

This chapter contains additional deployment information for using Hardware Password Manager devices with
Hardware Password Manager. It is written for the administrator who will manage devices with the Hardware
Password Manager server and configure these devices with other. This guide includes the following sections:
• "Fingerprint integration" on page 25
• "Safe Guard Easy/Safe Guard Enterprise compatibility" on page 26
• "One-touch registration" on page 26

Fingerprint integration

Hardware Password Manager is fully compatible with the Lenovo preferred fingerprint software (Authentec
and UPEK). For Windows XP
installed without the Hardware Password Manager GINA. Doing so will allow the user to perform single
sign-on into Windows using their fingerprints. To install the Hardware Password Manager client application
without the GINA, use the following install command:
HPMClientInstall.exe /vNOGINA=1
Furthermore, the order of enrollment is important when using Hardware Password Manager with the
fingerprint software. First register in Hardware Password Manager to set hardware passwords. Then enroll
your fingerprints for pre-boot access using the fingerprint software. When your fingerprints are enrolled
for the first time, shut down and restart the computer. When you swipe your fingerprint, the user login will
prompt you to enter your credentials and log in to the desktop. After restarting the computer for the second
time, swipe your fingerprint, and the BIOS will release the actual hardware passwords. From this point on
you will be able to single-sign-on to Windows with just a swipe of the finger at pre-boot.
If you see the fingerprint enrollment wizard and the Hardware Password Manager registration wizard
displayed at the same time after you log into Windows, proceed first to the Hardware Password Manager
registration wizard. However, if you enroll your fingerprints first and have not already set hardware
passwords, you can still synchronize your fingerprints with the Hardware Password Manager account.
Launch the fingerprint software and enable pre-boot authentication and single sign-on. Then follow the
instructions below:
If you are creating an image, you can use the following steps in your image to suppress the fingerprint
enrollment wizard until the system is registered with the Hardware Password Manager :
1. Disable the Fingerprint Enrollment wizard on startup by setting the following values to 0. Authentec:
HKEY_CURRENT_USER\Software\Authentic Biometric Suite\bFingerprintSoftwareStartUp
UPEK:
HKEY_CURRENT_USER\Software\Protector Suite\Control Center\1.0\ShowOnStartup
2. Create a script that enables the Fingerprint Enrollment wizard if the system is registered in Hardware
Password Manager and the current user is enrolled in Hardware Password Manager. A utility is provided
in the Hardware Password Manager program folder that IT administrators can use to obtain registration
and enrollment status within a script.The script interface is defined as follows:
• Utility Name: cmp_util.exe
• Prerequisite: psadd.sys device driver, cmp_server_dll.dll
• Usage: cmp_util.exe<command> where <command> is one of the following:
– supported* - returns whether the utility is supported on the current system
– registered - returns whether the current system is registered in the utility
© Copyright Lenovo 2010
®
clients, it is recommended that the Hardware Password Manager client is
25