--------------------------------------------------------------------------------
HP Embedded Security for ProtectTools V4.5 Release Notes
--------------------------------------------------------------------------------

Contents:

1. Welcome
2. Installation
3. HP Embedded Security for ProtectTools Software
   3.1 HP ProtectTools Security Module
   3.2 Embedded Security Initialization Wizard
   3.3 Embedded Security User Initialization Wizard
   3.4 Embedded Security Migration Wizard
   3.5 Embedded Security Backup Wizard
   3.6 Embedded Security Password Reset Wizard
   3.7 Embedded Security PKCS #12 Import Wizard
   3.8 Embedded Security Certificate Viewer and Certificate Selection
   3.9 Embedded Security Taskbar Notification Icon
   3.10 Embedded Security Integration Services
   3.11 Embedded Security Services
4. If you have questions
5. Release Info
   5.1 About this Release
   5.2 Hardware and Software Platform Requirements
   5.3 Version Information
   5.4 TPM Embedded Security Chip Firmware Upgrade
   5.5 Known Bugs and Limitations

================================================================================

1. Welcome

Welcome to the HP Embedded Security for ProtectTools Software 4.5.

The HP Embedded Security for ProtectTools Software is required to use your TPM
Embedded Security Chip. The HP Embedded Security for ProtectTools Software is a
TCG-compliant security solution for PCs.

For further information about TCG (Trusted Computing Group):
https://www.trustedcomputinggroup.org

2. Installation

The HP Embedded Security for ProtectTools Software installation - "Setup.exe"
installs:

- Embedded Security Help
- HP ProtectTools Security Module
- Embedded Security Initialization Wizard
- Embedded Security User Initialization Wizard
- Embedded Security Migration Wizard
- Embedded Security Backup Wizard
- Embedded Security Password Reset Wizard
- Embedded Security PKCS #12 Import Wizard
- Embedded Security Certificate Viewer and Certificate Selection
- Embedded Security Taskbar Notification Icon
- Embedded Security Integration Services
  * Microsoft® Outlook® Integration
  * Netscape® Integration
  * Encrypted File System Integration
  * Personal Secure Drive
  * Policy Administration
- Embedded Security Services
  * TSS (TCG Software Stack) Service Provider
  * TSS Core Service
  * TSS Device Driver Library

Note: To install this software, administrative rights are required.

Unattended Installation:
Silent installation can be done by calling setup.exe with the following
command line parameters:

- Installation for all users:
  setup.exe /s /v"/qn"

Upgrade:
The upgrade from older product versions is described in ReadmeUpgrade.txt.

3. HP Embedded Security for ProtectTools Software

3.1 HP ProtectTools Security Module

With the HP ProtectTools Security Module, you can get various information about
the TPM Embedded Security Chip of your system. You can also carry out several
administrative tasks. This component is designed as a Control Panel Applet. It
provides a central access point for administrating the HP Embedded Security for
ProtectTools.

3.2 Embedded Security Initialization Wizard

The HP Embedded Security for ProtectTools Initialization Wizard is used to
initialize the Embedded Security and to configure Embedded Security Features
(backup including Emergency Recovery, Password Reset, Enhanced Authentication).
These operations are needed to enable the HP Embedded Security for ProtectTools
functionality and provide the basis for all further activities on the HP
Embedded Security for ProtectTools.

3.3 Embedded Security User Initialization Wizard

The HP Embedded Security for ProtectTools User Initialization Wizard is used to
initialize the Embedded Security Users and to configure the user-specific
features (secure e-mail, file and folder encryption with EFS and PSD, Enhanced
Authentication). This wizard has to be started for each computer user who is to
use the personalized HP Embedded Security for ProtectTools Features (i.e., who
will be an HP Embedded Security for ProtectTools User).

3.4 Embedded Security Migration Wizard

The HP Embedded Security for ProtectTools Migration Wizard is used to transfer
HP Embedded Security for ProtectTools user-specific keys and certificates from
one HP Embedded Security for ProtectTools to another in a secure way.

3.5 Embedded Security Backup Wizard

The HP Embedded Security for ProtectTools Backup Wizard is used to perform the
backup or restore operations of Embedded Security related data. These
operations are needed to protect the data from accidental loss in case of an
emergency.

3.6 Embedded Security Password Reset Wizard

The HP Embedded Security for ProtectTools Password Reset Wizard is used to
reset Basic User Passwords. Resetting a Basic User Password comprises
administrative steps and user steps. The Password Reset Wizard contains both.

3.7 Embedded Security PKCS #12 Import Wizard

The HP Embedded Security for ProtectTools PKCS #12 Import Wizard is used to
import Personal Information Exchange files into the Embedded Security.

3.8 Embedded Security Certificate Viewer and Certificate Selection

HP Embedded Security for ProtectTools Certificate Viewer and Certificate
Selection are used to manage certificates.

3.9 Embedded Security Taskbar Notification Icon

The Taskbar Notification Icon is a status-sensitive entry point for Embedded
Security administrative tasks. Via this icon you can access the Taskbar
Notification Menu. Furthermore, balloons and tool tips assist you with
status-sensitive information.

3.10 Embedded Security Integration Services

The Embedded Security Integration Services enable standard applications to use
the TPM Embedded Security Chip functionality. This is possible for applications
supporting the Microsoft Crypto-API or the PKCS #11 Crypto-API.

The following Integration Service components are provided:

- Infineon TPM Platform Cryptographic Provider (Platform CSP)
- Infineon TPM Cryptographic Provider (User CSP, without AES support)
- Infineon TPM RSA and AES Cryptographic Provider (User CSP, including AES
  support. Not available under Windows 2000.)
- Infineon TPM PKCS #11 Provider (also called "TPM Cryptoki Token")

3.11 Embedded Security Services

The Embedded Security Services provide you with a Trusted Computing Group (TCG)
compliant software stack. The TCG Software Stack (TSS) consists of the
following modules:

- TSS (TCG Software Stack) Service Provider
- TSS Core Service
- TSS Device Driver Library

The TCG Software Stack is an integral part of a TCG compliant platform, and
provides functions that can be used by enhanced operating systems and
applications.

Recommendation: Contact your product support to check whether a firmware update
for your TPM Embedded Security Chip is available.

4. If you have questions

If you have any questions or problems, please contact your dealer first.
Further information and support is available at http://www.hp.com

5. Release Info

5.1 About this Release

This release contains the following components to enable applications to access
the TPM Embedded Security Chip (utilizing the interfaces as specified by TCG,
Microsoft® Crypto-API and PKCS #11):

- Embedded Security Help
- HP ProtectTools Security Module
- Embedded Security Initialization Wizard
- Embedded Security User Initialization Wizard
- Embedded Security Migration Wizard
- Embedded Security Backup Wizard
- Embedded Security Password Reset Wizard
- Embedded Security PKCS #12 Import Wizard
- Embedded Security Certificate Viewer and Certificate Selection
- Embedded Security Taskbar Notification Icon
- Embedded Security Integration Services
  * Microsoft® Outlook® Integration
  * Netscape® Integration
  * Encrypted File System Integration (not supported under Windows XP Home)
  * Personal Secure Drive
  * Policy Administration
- Embedded Security Services
  * TSS (TCG Software Stack) Service Provider
  * TSS Core Service
  * TSS Device Driver Library

5.2 Hardware and Software Platform Requirements

Operating Systems:
- Microsoft Windows XP Professional Service Pack 2
- Microsoft Windows XP Home Edition Service Pack 2
- Microsoft Windows XP Media Center Edition 2005
- Microsoft Windows XP Tablet PC Edition 2005
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows 2000 Professional Service Pack 4 with Microsoft Internet
  Explorer 5 or higher

Microsoft Office:
- Microsoft Office 2000 SR-1 or higher
- Microsoft Office XP
- Microsoft Office 2003

Netscape:
- Netscape Communicator 7.2 and 4.79

HP ProtectTools Security Manager

Hardware Requirements:
- A PC capable of running one of the mentioned operating systems and equipped
  with a TPM Embedded Security Chip.

5.3 Version Information

HP Embedded Security for ProtectTools V4.5

5.4 TPM Embedded Security Chip Firmware Upgrade

After installation, it is recommended to check whether a firmware update is
available from http://www.hp.com

5.5 Known Bugs and Limitations

5.5.1 Problems with the TPM Embedded Security Chip

In case an application using the TPM Embedded Security Chip fails, resetting
the TPM Embedded Security Chip may solve the problem. To reset the TPM Embedded
Security Chip, shut down the PC (turn off the computer after the system has
shut down) and start the PC again.

5.5.2 Known Online Help Error

After installation of Microsoft security updates, the Embedded Security Help
may not function correctly when the .chm file is opened from a remote location.
Further information is available in the Microsoft Knowledge Base, e.g. in
Microsoft Security Bulletin MS05-026 and in Microsoft Knowledge Base Article
896358.

5.5.3 No support for saving Personal Secure Drive content to a CD data disc
      under Windows XP

On Windows XP, Explorer supports writing data directly to CD data discs with
Joliet and ISO-9660 file systems. During the process of deleting a Personal
Secure Drive, selecting such a CD data disc for saving the content of the
Personal Secure Drive is not supported. If you want to save the content of a
Personal Secure Drive to a CD data disc, use Windows Explorer directly before
deleting the Personal Secure Drive.

5.5.4 Personal Secure Drive and Windows XP System Restore

If you have enabled System Restore, please note that a Personal Secure Drive
is, like any other drive on your computer, monitored by System Restore. To
ensure that System Restore works properly with your Personal Secure Drive,
consider the following:

a) Personal Secure Drive with a size up to 200 MB
   You need to install Microsoft Hotfix WindowsXP-KB888402-x86-xxx.exe (where
   xxx is the language specific version). This hotfix is only available for
   Windows XP SP2 via Microsoft support (http://support.microsoft.com). Please
   refer to KB888402. If you do not install this hotfix, System Restore Points
   are deleted every time you load your PSD drive.

b) Personal Secure Drives with a size bigger than 200 MB
   Personal Secure Drives bigger than 200 MB are handled like every other
   drive of "local disk" type. To ensure that System Restore works properly,
   please consider the disk space requirements of System Restore. In line with
   these requirements, leave at least 80 MB of free disk space on a Personal
   Secure Drive.

5.5.5 Timeout in user authentication for WLAN client connection

You need to authenticate to establish a WLAN client connection. Embedded
Security User Authentication is displayed. Please authenticate within 30
seconds. Otherwise the WLAN client connection might fail. To enable the WLAN
client connection after a timeout, click "Repair" in the WLAN connection's
context menu. You do not need to log off, log on and authenticate again in
this case.

5.5.6 Possible user authentication problem in "Run as" mode

Under certain circumstances, an internal error will be returned when the user
authentication dialog is expected. This error might occur if all of the
following conditions are met:

- The program requiring the user authentication (e.g. User Initialization
  Wizard) was started in "Run as" mode.
- A certain version of the software "PGP" is installed, e.g. V8.1.
- There was no preceding user authentication in the current logon session.

5.5.7 Dictionary Attack behavior after upgrade from version 4.0

On Infineon TPM Embedded Security Chip 1.2 systems which have been upgraded
from HP Embedded Security for ProtectTools Software 4.0, the dictionary attack
behavior has to be explicitly initialized by performing a defense level reset.
Please start the Embedded Security Initialization Wizard SpTPMWz.exe with the
command line parameter -resetattack or /resetattack. Otherwise the dictionary
attack behavior is not as described in the online help. For example, the
Embedded Security is not temporarily disabled after multiple wrong
authentication attempts.