TITLE: HP ProtectTools Embedded Security Upgrade

VERSION: 2.0.2

DESCRIPTION:
This Softpaq contains the HP ProtectTools Embedded Security Manager and
Infineon TPM Driver for the desktop models below.

- HP ProtectTools Embedded Security Drivers (version 1.60.0104.02)
- HP ProtectTools Embedded Security Software (version 1.60.0115.12)

Refer to important notes about upgrading to this version in the HOW TO USE
section below.

PURPOSE: Routine

SOFTPAQ NUMBER: SP26149

SUPERSEDES: SP25624

EFFECTIVE DATE: January 23, 2004

CATEGORY: Software - Security

SSM SUPPORTED: Yes

PRODUCT TYPE(S): Desktops

PRODUCT MODEL(S):
HP Compaq Business Desktop d530 Convertible Minitower: All Models
HP Compaq Business Desktop d530 Small Form Factor: All Models
HP Compaq Business Desktop d530 ultra-slim desktop: All Models

DEVICES SUPPORTED:
HP Embedded Security Trusted Platform Module (TPM) daughter-card --
  For Desktop and Small Form Factor models: Part Number 314581-001 (DD812AV)
  For Ultra-slim models: Part Number 012152-001 (DE315AV)

OPERATING SYSTEM(S):
Microsoft Windows 2000 Service Pack 2 or higher
Microsoft Windows XP Professional

LANGUAGE(S):
English (US)
French (FR)
German (GR)
Italian (IT)
Japanese (JP)
LA Spanish (LA)

ENHANCEMENTS:
- Personal Secure Drive and HP ProtectTools Embedded Security Software are
  integrated into one single setup software installation.
- Adds ability to export the migration information of this Embedded Security
  to a file.
- Includes TPM module Self-Test.
- Removes timeout deadline for entering Basic User Key password during login
  and PSD creation.
- Adds new option to move or copy to PSD when right clicking files and
  folders.
- Migration tool to transfer (migrate) the users' keys and the related
  credentials (USK, CSP keys, PKCS#11 keys, and Certificates) from one TPM
  system to another.
- PKCS#11 support, which enables non-TCPA aware PKCS#11 based applications to
  use the protected storage functionality of TCPA for the protection of
  cryptographic keys.
- Infineon TPM Cryptoki Token support for:
  * Netscape Mail for secure email with S/MIME (signed and encrypted)
  * SSL/TLS client authentication with the Netscape Navigator
  * Certificate enrollment via public CAs like Verisign, Thawte and
    TrustCenter with support for Netscape Communicator
  * Certificate enrollment via Netscape (Sun) Certificate Server based CA
- Multi-language support
  * English
  * French
  * German
  * Italian
  * Japanese
  * Spanish
- Provides better power events management support in the TPM driver.

FIXES:
- Removes shortcut left in the Start/Programs menu after installing SP25624
  for German and French Language Operating Systems.

KNOWN ISSUES:
- Local PSD Sharing is no longer supported in this Version 2.0 update. (It
  was enabled in Version 1.5, in the superseded SoftPaq listed above.)
- The Infineon RSA SecurID Token on first attempt at web access
  authentication may not work. A second try in the next minute always works.
  A similar behaviour was observed using the RSA SecurID Software Token
  without smart card access through PKCS#11. The reasons for this behaviour
  are likely to be timing constraints and a setting of the test
  configuration: RSA ACE Primary Server, RSA ACE Replica Server, and RSA ACE
  Agent Host User Initialization Wizard.
- With new ownership, an already initialized user cannot be re-initialized
  directly, if restoration archive is not available. For workaround, see
  README.TXT file in the download directory.
- Cannot decrypt/view encrypted files after restoration registering the same
  previously used EFS certificate.
  Workaround: reboot system after registering the EFS certificate.
- After installing the policy template IFXPol and re-opening the policy
  editor again, My Computer will be opened instead of directly opening
  IFXPol. This happens in all languages except English.
- Migration to second account on same platform : PSD error occurs.
  If two accounts are created on a target machine, and migration of the same
  “source” user is performed on it (import), there would be an error on the
  configuration of PSD for the second user.
- (Japanese) Inconsistent Machine Policy added when IfxSpPol.adm is added
  Root cause: The policy incorrectly translated is "Allow Administrators to
  take ownership remotely". Meaning that the user who enables the policy
  "Allow to enter hibernation mode while processing important encryption" is
  in fact not enabling that policy, but instead enabling "Allow
  Administrators to take ownership remotely."

PREREQUISITES:
- BIOS ACPI plug and play support for the Platform Security Chip
- An Infineon Platform Security Chip TPM SLD 9630TT1.1 enabled desktop PC
  (Firmware: Version 1.05 or higher)
- Microsoft Office 2000 SR-1 or higher (for mail encryption)
- Microsoft Office XP or higher (for mail encryption)
- Netscape 7.0 or higher

HOW TO USE:

IMPORTANT NOTES:
- To install the software in this SoftPaq, you must be logged in with
  Administrator privileges.
- Before installing this version of HP ProtectTools Personal Secure Drive
  Software, it is recommended to perform the following backup steps (these
  steps allow the customer to recover the PSD and EFS encrypted documents
  files in the unlikely event they are lost due to a power loss or other
  error during the upgrade):
  - Copy all documents out of the PSD drives to another location until the
    installation of the new version has been completed and activated. Please
    note when the files are copied from the PSD drive to another location the
    files are no longer encrypted by the PSD drive.
  - User needs to decrypt all Encrypted File System (EFS) files and Encrypted
    mail.
  - Exit the HP ProtectTools Embedded Security icon located in the task bar.
- The image from HP comes with HP ProtectTools Personal Secure Drive software
  preloaded from HP.
  You must run the SETUP in order to install HP ProtectTools Personal Secure
  Drive software via the shortcut that is placed in START-->PROGRAMS. If the
  version has not been installed that comes on the image with the CPU, you
  may install the version that is contained in this Softpaq without having to
  install the version that comes with the image. To avoid installing the
  older version that came on the image please delete the "Setup HP
  ProtectTools Personal Secure Drive" shortcut in START-->PROGRAMS.
- When using this release to update from Version 1.5 to 2.0, during the
  installation a dialog opens saying "... the TPM chip should be disabled
  after deinstallation." This also occurs when doing a silent installation.
  Root cause: Bug in Version 1.5. During a major upgrade the older version is
  automatically un-installed. The un-installation of Version 1.5 causes the
  dialog.
  Workaround: Silent un-installation of Version 1.5 before installing this
  Softpaq SP25624.
- Repair installation does not ask for reboot.
  Workaround: Do reboot after doing manual repair.
- If the user changes the “Language for non-Unicode programs” in Control
  Panel / Regional settings, the Setup will run in that language and the
  shortcuts in the Start menu are created in the same language.
- During Repair/Modify through control panel applet, user will be confronted
  with a dialog asking to reboot (this is from the system not from the
  installation package). User should always press the Yes button to continue
  the installation. If the user presses NO button, modify/repair will not be
  done.

1. Download the SoftPaq to a directory on your hard drive and change to that
   directory. The file that is downloaded is a self-extracting executable
   with a filename based on the SoftPaq Number above.
2. From that drive and directory, execute the downloaded file and follow the
   on-screen instructions to unpack the files.
3. After the files have been unpacked, you may delete the self-extracting
   file downloaded in step 1.

Copyright (c) 2004 Hewlett-Packard Development Company, L.P.