
HP dc5700 - Microtower PC - HP Client Manager for Remote Deployment; Background; Initialization; Maintenance

HP dc5700 - Microtower PC
48 pages
7 HP Client Manager for Remote Deployment
Background
HP Trustworthy platforms equipped with a Trusted Platform Module (TPM) ship with the TPM
deactivated (default state). Enabling the TPM is an administrative option protected by HP BIOS-enforced
policies. The administrator must be present to enter BIOS configuration options (F10 options) to enable
the TPM. Furthermore, the Trusted Computing Group (TCG) specifications mandate that explicit human
(physical) presence must be established in order to activate a TPM. This mandate ensures that a user’s
privacy rights are respected (by providing an opt-in model for use) and that a rogue application, virus,
or Trojan horse does not enable the TPM for malicious use. The establishment of physical presence
and the requirement for an administrator’s local presence pose an interesting challenge for IT managers
trying to deploy this technology across a large enterprise.
Initialization
HP Client Manager (HPCM) provides a method of remotely enabling the TPM and taking ownership of
the TPM in the enterprise environment. This method does not require the physical presence of the IT
administrator, yet it still meets the TCG requirement.
HPCM allows the IT administrator to set certain BIOS options and then reboot the system to enable the
TPM on the remote system. During this reboot, the BIOS, by default, displays a prompt; in response,
the end user must press a key to prove physical presence, as specified by the TCG. The remote system
then continues to boot, and the script completes by taking ownership of the TPM on the system. During
this procedure, an emergency recovery archive and an emergency recovery token are created at a
location designated by the IT administrator.
HPCM does not execute the TPM user initialization on the remote system, since the user must be
allowed to choose the password. TPM user initialization must be performed by the end user of that
system.
Maintenance
HP Client Manager can be used to reset the user password remotely without the IT administrator being
made aware of the user password. HPCM can also remotely recover the user credentials. Proper
administrator passwords must be supplied for both of these functions.