--------------------------------------------------------------------------------
HP ProtectTools Embedded Security Software V3.0.1 Release Notes
--------------------------------------------------------------------------------

Contents:

1. Welcome
2. Installation
3. HP ProtectTools Embedded Security Software
   3.1 HP ProtectTools Security Manager
   3.2 Embedded Security Initialization Wizard
   3.3 Embedded Security User Initialization Wizard
   3.4 Embedded Security Migration Wizard
   3.5 Embedded Security Backup Wizard
   3.6 Embedded Security Status Indication Applet
   3.7 Embedded Security Integration Services
   3.8 Embedded Security Services
4. If you have questions
5. Release Info
   5.1 About this Release
   5.2 Hardware and Software Platform Requirements
   5.3 Version Information
   5.4 Embedded Security Chip Firmware Upgrade
   5.5 Known Bugs and Limitations

================================================================================

1. Welcome

Welcome to HP ProtectTools Embedded Security Software. The HP ProtectTools
Embedded Security Software is required to use your Embedded Security Chip.
The HP ProtectTools Embedded Security Software is a TCG-compliant security
solution for PCs.

For further information about TCG (Trusted Computing Group):
https://www.trustedcomputinggroup.org

2. Installation

The HP ProtectTools Embedded Security Software installation program,
"Setup.exe", installs:

- Embedded Security - Getting Started Guide
- HP ProtectTools Security Manager
- Embedded Security Platform Initialization Wizard
- Embedded Security User Initialization Wizard
- Embedded Security Migration Wizard
- Embedded Security Backup Wizard
- Embedded Security Status Indication Applet
- Embedded Security Integration Services
  * Microsoft® Outlook® Integration
  * Netscape® Integration
  * Encrypted File System Integration
  * Personal Secure Drive
  * Policy Administration
- Embedded Security Services
  * TCG TSS Service Provider
  * TCG TSS Core Service
  * TCG TSS Device Driver Library

Note: Administrative rights are required to install this software.

Unattended Installation:

Silent installation can be done by calling setup.exe with the following
command line parameters:

- Installation for all users: setup.exe /s /v"/qn"

3. HP ProtectTools Embedded Security Software

3.1 HP ProtectTools Security Manager

The HP ProtectTools Security Manager allows you to change the settings of your
initialized Embedded Security.

3.2 Embedded Security Initialization Wizard

The Embedded Security Initialization wizard allows you to initially set up
your Embedded Security in order to become an Embedded Security Owner.

3.3 Embedded Security User Initialization Wizard

The Embedded Security User Initialization wizard allows you to initially set
up an Embedded Security user in order to take advantage of the Embedded
Security Integration Services.

3.4 Embedded Security Migration Wizard

The Security Platform Migration wizard allows you to migrate your user keys
and certificates from one Embedded Security to another Embedded Security.

3.5 Embedded Security Backup Wizard

The Embedded Security Backup wizard allows you to back up your Embedded
Security related credentials data.

3.6 Embedded Security Status Indication Applet

The Embedded Security Status Indication applet provides general information
about the current state of the Embedded Security by displaying the appropriate
information via an icon in the task notification area.

3.7 Embedded Security Integration Services

The Cryptographic Provider lets applications that use the Microsoft Crypto-API
take advantage of your Embedded Security Chip. For instance, you can:

- sign and encrypt e-mail using Microsoft® Outlook® or Microsoft® Outlook®
  Express
- access web sites over a secure, two-sided authenticated SSL connection using
  Microsoft Internet Explorer
- encrypt your files through a seamless integration into the Encrypted File
  System (EFS) of Microsoft® Windows® 2000 Professional and Microsoft®
  Windows® XP Professional

The PKCS#11 Provider lets applications that use the PKCS#11 Crypto-API take
advantage of your Embedded Security Chip. For instance, you can:

- sign and encrypt e-mail using Netscape e-mail clients
- access web sites over a secure, two-sided authenticated SSL connection using
  Netscape web browsers 7.0 and 4.79

3.8 Embedded Security Services

The Embedded Security Services provide you with a TCG-compliant software stack
running on your system. The TCG Trusted Software Stack is built from the
following modules:

- TCG TSS Device Driver Library
- TCG TSS Core Service
- TCG TSS Service Provider

The TCG Software Stack is an integral part of a TCG-compliant platform, and
provides functions that can be used by enhanced operating systems and
applications.

After installation it is recommended to check whether a firmware update is
available.

4. If you have questions

If you have any questions or problems, please contact your dealer first.
Further information and support are available at http://hp.com

5. Release Info

5.1 About this Release

This release contains the

- Embedded Security - Getting Started Guide
- HP ProtectTools Security Manager
- Embedded Security Initialization Wizard
- Embedded Security User Initialization Wizard
- Embedded Security Migration Wizard
- Embedded Security Backup Wizard
- Embedded Security Status Indication Applet
- Embedded Security Integration Services
  * Microsoft® Outlook® Integration
  * Netscape® Integration
  * Encrypted File System Integration (not supported under Windows XP Home)
  * Personal Secure Drive
  * Policy Administration
- Embedded Security Services
  * TCG TSS Service Provider
  * TCG TSS Core Service
  * TCG TSS Device Driver Library

to enable access to the Embedded Security Chip by applications utilizing the
interfaces as specified by

- TCG
- Microsoft® Crypto-API
- PKCS#11

5.2 Hardware and Software Platform Requirements

Operating Systems:

- Microsoft Windows 2000 Professional Service Pack 4 with Microsoft Internet
  Explorer 5 or higher
- Microsoft Windows 2000 Server Service Pack 4 with Microsoft Internet
  Explorer 5 or higher
- Microsoft Windows XP Professional
- Microsoft Windows XP Home

HP:

- HP ProtectTools Security Manager

Microsoft Office:

- Microsoft Office 2000 SR-1 or higher
- Microsoft Office XP or higher

Netscape:

- Netscape web browsers 7.0 and 4.79

Hardware Requirements:

A PC capable of running one of the operating systems listed above and equipped
with an Embedded Security Chip.

5.3 Version Information

HP ProtectTools Embedded Security Software 3.0.1

5.4 Embedded Security Chip Firmware Upgrade

After installation it is recommended to check whether a firmware update is
available from http://hp.com

5.5 Known Bugs and Limitations

5.5.1 Firmware Limitations:

The firmware released with this version implements the functionality of TCG
Main Specification 1.1b (February 22, 2002), without:

- Audit (section 8.12)
- Maintenance (section 7.3)
- Set Redirection (section 8.17)

5.5.2 Problems with Embedded Security Chip:

If an application using the Embedded Security Chip fails, resetting the
Embedded Security Chip may solve the problem. To reset the Embedded Security
Chip, shut down the PC (turn off the computer after the system has shut down)
and start the PC again.

5.5.3 ATTENTION with the Cryptographic Provider:

Taking Ownership with the Embedded Security Initialization wizard creates a
new Storage Root Key. Usually you will set up an Embedded Security Owner only
once for a specific Embedded Security Chip. Since all your public key
certificates are bound to the Embedded Security Chip's Storage Root Key, you
will no longer be able to use these certificates with a newly created Storage
Root Key.

5.5.4 Emergency Recovery Archive availability:

If the Basic User Key cannot be loaded (for example, as a result of clearing
Embedded Security Chip Ownership and taking Ownership again), the Embedded
Security User Initialization Wizard does not allow you to proceed with user
initialization. The correct step in this situation is to run the Embedded
Security Initialization Wizard and perform Emergency Recovery by calling the
wizard with the command line option: "SpTPMWz.exe /restore".

If for some reason the Emergency Recovery Archive is not available (for
example, it was lost or corrupted), the Basic User Key cannot be restored.
To proceed with creation of a new Basic User Key in this situation, the
Embedded Security User Initialization Wizard must be started with the
"/forceinit" or "-forceinit" command line option: "SpUserWz.exe /forceinit".

Note: A new Basic User Key will be created and therefore all previously
protected data will be lost.

5.5.5 Automatic authorization of destination computer for migration:

The destination platform may be automatically authorized for migration of user
keys and certificates with the help of the "Browse..." button of the
"Authorize..." dialog on the "Migration" page of the HP ProtectTools Security
Manager. This feature has the following limitation:

- In order to successfully authorize the destination platform, the user
  account attempting to perform this operation on the source platform must
  have administrative privileges (be a member of the Administrators group) for
  the destination platform.

5.5.6 EFS certificates are always self signed:

During user security features configuration, the Embedded Security Solution
Software generates a new certificate for use with EFS file and folder
encryption. Currently this certificate is always generated as a self-signed
certificate, even if your security policy is configured to request the EFS
certificate from an online certificate authority (CA).

Workaround: Manually request an EFS certificate protected by the Cryptographic
Provider and install it on your platform (for the specific procedure, contact
your system administrator). Then run the Embedded Security User Initialization
Wizard and select "Select..." on the Encryption Certificate page. Select the
EFS certificate issued by your CA and proceed to finish security features
configuration.

5.5.7 Migration of Embedded Security

The migration process will install new user keys and certificates on the
machine you are migrating to. You will need to configure Embedded Security
Features for use with these new keys and certificates.

WARNING: The migration process will also invalidate your existing Embedded
Security keys and certificates installed on the machine you are migrating to.
Your encrypted data may be lost as a result of this operation. Please decrypt
your encrypted data before proceeding with migration, or contact your system
administrator for the data recovery procedure.

5.5.8 Known Online Help Errors

There are some known HTML Help errors. For example, Security Updates for
Internet Explorer might cause problems (see Microsoft Security Bulletin
MS03-048). These problems can be fixed with an HTML Help Update (see Microsoft
Knowledge Base Article 811630). Furthermore, links to other help files might
work only if all concerned help files are on the local hard disk. For more
information, please search the Microsoft Knowledge Base's "Support &
Troubleshooting" category for "HTML Help".

5.5.9 Delayed Write message at upgrade from version 1.5

If you upgrade Embedded Security Solution Software from version 1.5 and have a
Personal Secure Drive activated, you may get a "Delayed Write" message popup.
This is due to a bug in version 1.5 of the Embedded Security Solution
Software.

Workaround: Before you upgrade, log off and log on again without mounting any
Personal Secure Drive.

5.5.10 No sharing of Personal Secure Drives after upgrade from version 1.5

Version 3.0.1 of Embedded Security Solution Software no longer supports
sharing of Personal Secure Drives. If you are using version 1.5 and shared
your Personal Secure Drive, these shares are removed after upgrading to
version 3.0.1.

5.5.11 No support for saving Personal Secure Drive content to a CD data disc
       at Windows XP

On Windows XP, Windows Explorer supports writing data directly to CD data
discs with Joliet and ISO-9660 file systems. During the process of deleting a
Personal Secure Drive, selecting such a CD data disc for saving the content of
the Personal Secure Drive is not supported.
If you want to save the content of a Personal Secure Drive to a CD data disc,
use Windows Explorer directly before deleting the Personal Secure Drive.

5.5.12 Basic User Key password request for EFS operations has time limitation

When the Basic User Key password is requested for EFS related operations
(e.g., opening an EFS encrypted file), the password request dialog has a time
limit of 30 seconds. If the password is not entered within the 30-second
interval, the password request dialog is automatically canceled. This may
affect the user's ability to enter a very long password. To assist the user,
the exact time remaining is displayed on the password dialog. This limitation
does not exist for Basic User Key password request dialogs initiated by other
applications.