--------------------------------------------------------------------------------
Embedded Security for HP ProtectTools V5.5.1
Release Notes
--------------------------------------------------------------------------------

Contents:

1. Welcome
2. Installation
3. Embedded Security for HP ProtectTools Software
   3.1 HP ProtectTools Security Module
   3.2 Embedded Security Quick Initialization Wizard
   3.3 Embedded Security Initialization Wizard
   3.4 Embedded Security User Initialization Wizard
   3.5 Embedded Security Migration Wizard
   3.6 Embedded Security Backup Wizard
   3.7 Embedded Security Password Reset Wizard
   3.8 Embedded Security PKCS #12 Import Wizard
   3.9 Embedded Security Certificate Viewer and Certificate Selection
   3.10 Embedded Security Taskbar Notification Icon
   3.11 Embedded Security Integration Services
   3.12 Embedded Security Services
4. If you have questions
5. Release Info
   5.1 Primary new Features
   5.2 About this Release
   5.3 Hardware and Software Platform Requirements
   5.4 Version Information
   5.5 TPM Embedded Security Chip Firmware Upgrade
   5.6 Known Bugs and Limitations

================================================================================

1. Welcome

Welcome to the Embedded Security for HP ProtectTools Software V5.5.1.
The Embedded Security for HP ProtectTools Software is required to use your TPM
Embedded Security Chip.
The Embedded Security for HP ProtectTools Software is a TCG-compliant security
solution for PCs.

For further information about TCG (Trusted Computing Group):
https://www.trustedcomputinggroup.org

2. Installation

The Embedded Security for HP ProtectTools Software installation - "Setup.exe"
installs:
- Embedded Security Help
- HP ProtectTools Security Module
- Embedded Security Quick Initialization Wizard
- Embedded Security Initialization Wizard
- Embedded Security User Initialization Wizard
- Embedded Security Migration Wizard
- Embedded Security Backup Wizard
- Embedded Security Password Reset Wizard
- Embedded Security PKCS #12 Import Wizard
- Embedded Security Certificate Viewer and Certificate Selection
- Embedded Security Taskbar Notification Icon
- Embedded Security Integration Services
  * Microsoft® Outlook® Integration
  * Mozilla Firefox and Thunderbird Integration
  * Encrypted File System Integration
  * Personal Secure Drive
  * Policy Administration
- Embedded Security Services
  * TSS (TCG Software Stack) Service Provider
  * TSS Core Service
  * TSS Device Driver Library

Notes:
To install this software, administrative rights are required.
On systems with disabled TPM Embedded Security Chip and Physical Presence
Interface support you can enable the TPM Embedded Security Chip via option
"Prepare TPM Enrollment". This will allow you to initialize your platform later,
without having to reboot your system again.

Unattended Installation:
Silent installation can be done by calling the setup.exe with the following
command line parameters:
- Installation for all users: setup.exe /s /v"/qn"

Upgrade:
The upgrade from older product versions is described in ReadmeUpgrade.txt.

3. Embedded Security for HP ProtectTools Software

3.1 HP ProtectTools Security Module

With the HP ProtectTools Security Module, you can get various information about
the TPM Embedded Security Chip of your system. Also, you are able to carry out
several administrative tasks. This component is designed as a Control Panel
Applet. It provides a central access point for administrating the Embedded
Security for HP ProtectTools.

3.2 Embedded Security Quick Initialization Wizard

The Embedded Security for HP ProtectTools Quick Initialization Wizard is
intended for most users to quickly initialize the Embedded Security and User
with default settings.
These operations are needed to enable the Embedded Security for HP ProtectTools
functionality and provide the basis for all further activities on the Embedded
Security for HP ProtectTools.

3.3 Embedded Security Initialization Wizard

The Embedded Security for HP ProtectTools Initialization Wizard is intended for
expert users to initialize the Embedded Security and to configure Embedded
Security Features (backup including Emergency Recovery, Password Reset, Enhanced
Authentication).
These operations are needed to enable the Embedded Security for HP ProtectTools
functionality and provide the basis for all further activities on the Embedded
Security for HP ProtectTools.

3.4 Embedded Security User Initialization Wizard

The Embedded Security for HP ProtectTools User Initialization Wizard is intended
for expert users to initialize the Embedded Security Users and to configure the
user-specific features (secure e-mail, file and folder encryption with EFS and
PSD, Enhanced Authentication).
This wizard has to be started for each computer user who is to use the
personalized Embedded Security for HP ProtectTools features (i.e., who will be
an Embedded Security for HP ProtectTools User).

3.5 Embedded Security Migration Wizard

The Embedded Security for HP ProtectTools Migration Wizard is used to transfer
Embedded Security for HP ProtectTools user-specific keys and certificates from
one Embedded Security for HP ProtectTools to another in a secure way.

3.6 Embedded Security Backup Wizard

The Embedded Security for HP ProtectTools Backup Wizard is used to perform the
backup or restore operations of Embedded Security related data.
These operations are needed to protect the data from accidental loss in case of
an emergency.

3.7 Embedded Security Password Reset Wizard

The Embedded Security for HP ProtectTools Password Reset Wizard is used to reset
Basic User Passwords.
Resetting a Basic User Password comprises administrative steps and user steps.
The Password Reset Wizard contains both.

3.8 Embedded Security PKCS #12 Import Wizard

The Embedded Security for HP ProtectTools PKCS #12 Import Wizard is used to
import Personal Information Exchange files into the Embedded Security.

3.9 Embedded Security Certificate Viewer and Certificate Selection

Embedded Security for HP ProtectTools Certificate Viewer and Certificate
Selection are used to manage certificates.

3.10 Embedded Security Taskbar Notification Icon

The Taskbar Notification Icon is a status-sensitive entry point for Embedded
Security administrative tasks. Via this icon you can access the Taskbar
Notification Menu. Furthermore, balloons and tool tips assist you with
status-sensitive information.

3.11 Embedded Security Integration Services

The Embedded Security Integration Services enable standard applications to use
the TPM Embedded Security Chip functionality. This is possible for applications
supporting the Microsoft Crypto-API or the PKCS #11 Crypto-API.

The following Integration Service components are provided:
- Infineon TPM Platform Cryptographic Provider (Platform CSP)
- Infineon TPM Cryptographic Provider (User CSP, without AES support)
- Infineon TPM Strong Cryptographic Provider (Strong User CSP, without AES
  support)
- Infineon TPM RSA and AES Cryptographic Provider (User CSP, including AES
  support. Not available under Windows 2000.)
- Infineon TPM PKCS #11 Provider (also called "TPM Cryptoki Token")
- Infineon TPM Key Storage Provider (KSP)

3.12 Embedded Security Services

The Embedded Security Services provide you with a Trusted Computing Group (TCG)
compliant software stack.
The TCG Software Stack (TSS) consists of the following modules:
- TSS (TCG Software Stack) Service Provider
- TSS Core Service
- TSS Device Driver Library

The TCG Software Stack is an integral part of a TCG compliant platform, and
provides functions that can be used by enhanced operating systems and
applications.

Recommendation:
Contact your product support to check whether a firmware update for your TPM
Embedded Security Chip is available.

4. If you have questions

If you have any questions or problems, please contact your dealer first.
Further information and support is available under http://www.hp.com

5. Release Info

5.1 Primary new Features

This release includes the following primary new features:
- Embedded Security Quick Initialization Wizard
- Owner Password File Support
- Support of multiple Personal Secure Drives per user
- Support of Personal Secure Drive restoration also without PSD settings and
  credentials

5.2 About this Release

This release contains the following components to enable access to the TPM
Embedded Security Chip by applications (utilizing the interfaces as specified by
TCG, Microsoft® Crypto-API and PKCS #11):
- Embedded Security Help
- HP ProtectTools Security Module
- Embedded Security Quick Initialization Wizard
- Embedded Security Initialization Wizard
- Embedded Security User Initialization Wizard
- Embedded Security Migration Wizard
- Embedded Security Backup Wizard
- Embedded Security Password Reset Wizard
- Embedded Security PKCS #12 Import Wizard
- Embedded Security Certificate Viewer and Certificate Selection
- Embedded Security Taskbar Notification Icon
- Embedded Security Integration Services
  * Microsoft® Outlook® Integration
  * Mozilla Firefox and Thunderbird Integration
  * Encrypted File System Integration (not supported under Windows XP Home)
  * Personal Secure Drive
  * Policy Administration
- Embedded Security Services
  * TSS (TCG Software Stack) Service Provider
  * TSS Core Service
  * TSS Device Driver Library

5.3 Hardware and Software Platform Requirements

Operating Systems (only for 32-bit product version):
- Microsoft Windows XP Professional Service Pack 2
- Microsoft Windows XP Home Edition Service Pack 2
- Microsoft Windows XP Media Center Edition 2005
- Microsoft Windows XP Tablet PC Edition 2005
- Microsoft Windows Server 2003 Service Pack 1 or higher
- Microsoft Windows Vista

Operating Systems (only for 64-bit product version):
- Microsoft Windows XP Professional x64 Edition Service Pack 1 (AMD64)
- Microsoft Windows Server 2003 x64 Edition (AMD64)
- Microsoft Windows Vista

Microsoft Office:
- Microsoft Office 2000 SR-1 or higher
- Microsoft Office XP
- Microsoft Office 2003
- Microsoft Office 2007

Mozilla:
- Mozilla Firefox and Thunderbird 2.0.0.6

HP ProtectTools Security Manager

Hardware Requirements:
- A PC capable of running one of the mentioned operating systems and equipped
  with a TPM Embedded Security Chip.

5.4 Version Information

Embedded Security for HP ProtectTools V5.5.1

5.5 TPM Embedded Security Chip Firmware Upgrade

After installation, it is recommended to check at http://www.hp.com whether a
firmware update is available.

5.6 Known Bugs and Limitations

5.6.1 Problems with the TPM Embedded Security Chip

In case an application using the TPM Embedded Security Chip fails, resetting the
TPM Embedded Security Chip may solve the problem. To reset the TPM Embedded
Security Chip, shut down the PC (turn off the computer after the system has shut
down) and start the PC again.

5.6.2 Known Online Help Error

After installation of Microsoft security updates, the Embedded Security Help may
not function correctly when the .chm file is opened from a remote location.
Further information is available in the Microsoft Knowledge Base, e.g. in
Microsoft Security Bulletin MS05-026 and in Microsoft Knowledge Base Article
896358.

5.6.3 No support for saving Personal Secure Drive content to a CD data disc on
Windows XP and Vista

On Windows XP and Vista, Explorer supports writing data directly to CD data
discs with Joliet and ISO-9660 file systems. When deleting a Personal Secure
Drive, selecting such a CD data disc for saving the content of the Personal
Secure Drive is not supported. If you want to save the content of a Personal
Secure Drive to a CD data disc, use Windows Explorer directly before deleting
the Personal Secure Drive.

5.6.4 Personal Secure Drive and Windows XP System Restore

If you have enabled System Restore, please note that a Personal Secure Drive is
monitored by System Restore like any other drive on your computer. To ensure
that System Restore is working properly with your Personal Secure Drive,
consider the following:

a) Personal Secure Drive with a size up to 200 MB
   You need to install Microsoft Hotfix WindowsXP-KB888402-x86-xxx.exe (where
   xxx is the language specific version). This hotfix is only available for
   Windows XP SP2 via Microsoft support (http://support.microsoft.com). Please
   refer to KB888402. If you do not install this hotfix, System Restore Points
   are deleted every time you load your PSD drive.

b) Personal Secure Drive with a size bigger than 200 MB
   A Personal Secure Drive bigger than 200 MB is handled like every other drive
   of "local disk" type. To ensure that System Restore is working properly,
   please consider the disk space requirements of System Restore. In line with
   these requirements, leave at least 80 MB of free disk space on a Personal
   Secure Drive.

5.6.5 Personal Secure Drive and Microsoft Volume Shadow Copy Service (VSS)

Personal Secure Drive currently does not support Microsoft VSS, nor the services
which depend on VSS. If you observe problems with VSS or any dependent service,
make sure that no Personal Secure Drive is loaded while utilizing VSS.

5.6.6 Timeout in user authentication for WLAN client connection

You need to authenticate to establish a WLAN client connection. Embedded
Security User Authentication is displayed. Please authenticate within 30
seconds. Otherwise the WLAN client connection might fail. To enable the WLAN
client connection after a timeout, click "Repair" in the WLAN connection's
context menu. You do not need to log off, log on and authenticate again in this
case.

5.6.7 Possible user authentication problem in "Run as" mode

Under certain circumstances, an internal error will be returned when the user
authentication dialog is expected. This error might occur if all of the
following conditions are met:
- The program requiring the user authentication (e.g. User Initialization
  Wizard) was started in "Run as" mode.
- A certain version of the software "PGP" is installed, e.g. V9.04.
- There was no preceding user authentication in the current logon session.

5.6.8 Dictionary Attack behavior after upgrade from version 4.0

On Infineon TPM Embedded Security Chip 1.2 systems which have been upgraded from
Embedded Security for HP ProtectTools Software 4.0, the dictionary attack
behavior has to be explicitly initialized by performing a defense level reset.
Please start the Embedded Security Initialization Wizard SpTPMWz.exe with the
command line parameter -resetattack or /resetattack. Otherwise the dictionary
attack behavior is not as described in the online help. For example, the
Embedded Security is not temporarily disabled after multiple wrong
authentication attempts.

5.6.9 Changing the system time may cause unexpected behavior

Rolling back the system time may cause unexpected behavior of the Embedded
Security for HP ProtectTools software. Restarting the system will correct this
behavior.

5.6.10 Embedded Security User Initialization may fail

Under certain circumstances, an error message will be shown at the first
Embedded Security User Initialization during EFS/PSD feature configuration ("An
internal error occurred. An unexpected error occurred."). To work around that
problem, open the User Initialization Wizard again and configure EFS/PSD anew
with a newly created certificate -or- use/create another user account.

5.6.11 Performing Emergency Recovery from a given Backup Archive more than once
has the following restriction

Users who were not selected to be restored during Emergency Recovery and users
who were selected but did not complete the restoration process cannot be
selected during subsequent restorations. Create a copy of the backup archive to
circumvent this.

5.6.12 Setup Repair Mode under restricted administrative account in Windows
Vista

Users with a restricted administrative account in Windows Vista will get an
error message stating "Installation of Embedded Security Software requires
administrative permissions" while trying to repair the Embedded Security for HP
ProtectTools Solution software through Control Panel, and the setup will abort.
Please start setup repair mode by clicking on setup.exe in the CD-image.

5.6.13 Operating System upgrade to Windows Vista

If you currently have a TPM Professional Package version lower than V5.0
installed on your system, then you cannot directly upgrade the operating system
to Windows Vista. First you need to upgrade your Embedded Security for HP
ProtectTools to this version and then the operating system to Windows Vista.

5.6.14 Policies are not displayed correctly after upgrade

If you upgrade from an operating system that does not support group policy (e.g.
Windows Media Center, Windows XP Home) to an operating system that supports
group policy (e.g. Windows Vista Ultimate, Windows Vista Business), policies are
not displayed as expected.
To work around this problem, uninstall and freshly install the Embedded Security
for HP ProtectTools Software after the operating system upgrade.

5.6.15 Embedded Security Integration Services not registered any more after
Operating System Upgrade

In some special Operating System Upgrade scenarios, parts of Embedded Security
Integration Services might not be registered any more (for example after an
upgrade from Windows Vista Home Basic 64-bit Edition to Windows Vista Ultimate
64-bit Edition). As a consequence, features like file and folder encryption with
EFS and PSD might not work as expected any more. To resolve this, run setup
repair mode by clicking on setup.exe in the CD-image.

5.6.16 Installation and Uninstallation of required prerequisite software

Please note that the Embedded Security for HP ProtectTools Software requires
certain prerequisite software (e.g. Microsoft Visual Studio C++ 2005 SP1
Redistributable Package). The setup installs all prerequisite software which is
not yet installed on your computer. If you try to install this prerequisite
software without administrative rights, the installation might fail and display
an uninformative error message.
Please do not uninstall any prerequisite software as long as Embedded Security
for HP ProtectTools Software is installed. Otherwise you might not be able to
use or uninstall Embedded Security for HP ProtectTools Software any more.
Note that the prerequisite software is not automatically uninstalled if the main
software installation fails.

5.6.17 Installation on not recommended operating systems

It is not recommended to install Embedded Security for HP ProtectTools Software
on certain operating systems (e.g. Windows 2000 with Service Pack 4 or Windows
XP without Service Pack 2 or higher), since the software has been optimized for
newer operating system versions. A corresponding message is displayed at the
beginning of the installation.
If prerequisite software must be installed on your system before the main setup starts (see chapter "Installation and Uninstallation of required prerequisite software"), this warning will only be displayed after the prerequisite installation.