Blog: Lenovo

One of our information security auditors recently had the motherboard on his laptop replaced to fix the "shutdown on its own" issue he'd been having for a while.  When he got the laptop back, his BIOS level fingerprint logins (to unlock the hard drive and BitLocker key) were no longer working.  Also, the x64 VMware machine he uses for audits would no longer boot.  The VM issue was pretty clear.  The CPU virtualization setting in the BIOS was disabled and needed to be turned back on.  The fingerprint issues, however, took a little more digging to figure out.  Eventually we realized the TPM on the new motherboard was not activated.  Once we activated and initialized the TPM, then turned BitLocker off and back on (without decryption), all the pre-boot login information unlocked by the fingerprint started working again.
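A post-repair check for the situation described above, as an added example that is not part of the original post: it reports whether Windows sees a ready TPM and which BitLocker key protectors the volume carries, and only with `-Reseal` performs the off-and-on-without-decryption step. It assumes Windows 8 / Server 2012 or later (where `Get-Tpm` and the BitLocker cmdlets ship with the OS), an elevated session, and `C:` as the OS volume; the parameter names are chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes Windows 8 / Server 2012
# or later, where the Get-Tpm and BitLocker cmdlets ship with the OS, and that
# the OS volume is C:.
param(
    [string]$MountPoint = 'C:',   # assumption: BitLocker-protected OS volume
    [switch]$Reseal               # opt in to the suspend/resume step
)

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw 'No TPM visible to Windows; check that it is enabled in firmware setup.'
}
if (-not $tpm.TpmReady) {
    # State seen on the replacement board in the post: TPM there, not activated.
    Write-Warning 'TPM is present but not ready. Activate it in firmware setup, then run Initialize-Tpm.'
    return
}

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
"{0}: {1}, protection {2}, protectors: {3}" -f $MountPoint, $vol.VolumeStatus,
    $vol.ProtectionStatus, ($types -join ', ')

# Never touch protectors without a recovery password to fall back on.
if ($types -notcontains 'RecoveryPassword') {
    throw "No recovery password protector on $MountPoint; add and escrow one first."
}
if (-not ($types -like 'Tpm*')) {
    Write-Warning "No TPM-based protector on $MountPoint; the volume is not bound to this TPM."
}

if ($Reseal) {
    # "Off and back on without decryption": suspend protection, then resume it.
    # The data stays encrypted throughout.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    Resume-BitLocker  -MountPoint $MountPoint | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}
```

While protection is suspended the volume key is stored in the clear on disk, so run the suspend and resume back to back and confirm the final status reads `On`.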


 

You assume that both Microsoft and Lenovo will create a restore point before applying updates to your computer. I did… and it cost me dearly!  I had to rebuild my machine from scratch!  Restore points require disk storage, and there is a screen (see below) where the amount of the disk to be used for restore points is specified.  In my case the amount was set to “0” (zero), and then when the Lenovo updater tried to create a restore point, it failed. There was no warning that it failed!


 

I have been issuing new laptops to users and everyone seems to be having the same problem with the Lenovo Fingerprint Reader and Windows logon.   After installing the fingerprint reader software, I noticed a link to an article for users that were trying to log on to a domain using their fingerprint.

To enable the Windows or domain biometric settings in Control Panel, do the following:

  1. Click Start > Control Panel > Hardware and Sound > Biometric Devices > Change biometric settings. The Change biometric settings window is displayed.
  2. Select Biometrics on.
  3. Select Allow users to log on to Windows using their fingerprints.
  4. Select Allow users to log on to a domain using their fingerprints if the check box is available.
  5. Click Save Changes to save your configuration.
  6. Log off from the Windows operating system.
  7. You will be able to use your fingerprints the next time you log in to the domain.

Here is a link to the Lenovo article: http://support.lenovo.com/en_US/research/hints-or-tips/detail.page?&DocID=HT051327


 

Upon receiving my new Lenovo ThinkPad laptop, I set up fingerprint authorization through the Lenovo software.  After ensuring all my fingerprints were scanned properly, I rebooted the machine.   I tried to use my fingerprint to log in and the light flashed green.  Unfortunately, the machine wouldn’t proceed any farther in the process.

It appears you have to go into Windows 7 itself and enable ‘Domain Login’ under the Windows Biometric section in order to actually allow domain authorization.  Otherwise, the software will just let you access local accounts.


 

I am having trouble with my machine overheating. I found two useful tools to look at the temperature on the cores of the processor.  The programs are: 

RealTemp - This program will monitor the temperature on each of the cores (for any modern Intel processor) and also periodically log the results to a file.

Tpfancontrol - This is a program specifically for ThinkPads which shows the temperature and allows you to control the fan speed somewhat. It does show the fan speed and how it changes as the temperature on the cores change.


 

There was a conflict between the Lenovo fingerprint software and PGP whole disk encryption on T400s and T500s.  If the Lenovo fingerprint software is installed, using your domain password at the PGP boot prompt didn't work and you could lock yourself out.  You'd have to use a one time password to boot.
Under Windows 7, fingerprint drivers are native and, if you enable the fingerprint reader and enroll your fingerprints, it works fine with PGP WDE.


 

Several of us have noticed that when we shut down our laptops, the OS seems to stop but the fans do not stop. This is especially harmful when you then put the laptop in a bag and later retrieve it to find it extremely hot.  It turns out that there is a problem with Windows 7 when using BitLocker that exhibits this problem. The details can be found at http://support.microsoft.com/kb/975496.  Lenovo has published this patch on the System Update site for the T400.

This is also an issue with Windows Server 2008.


 

I upgraded from Vista to Windows 7 about three weeks ago.  I decrypted my PGP encrypted drive before the upgrade and, after the upgrade, PGP recognized my disk wasn’t encrypted and prompted me to encrypt my drive.  I started the encryption process but wound up pausing the process because of slow performance, intending to resume it after hours.  I installed some Windows and Lenovo (ThinkDamage…probably my 2nd mistake) updates which required a reboot.  After the reboot, PGP started trying to install itself and produced this error message…

"You cannot upgrade or remove PGP while a whole disk is processing. Installation terminated."

I was unable to access the PGP console in order to resume the encryption, decrypt, etc.  An attempt to uninstall PGP produced the same error.  This was not good since I was scheduled to leave town on an audit within 24 hours and thought I might have to abandon the upgrade to Windows 7, restore a backup and re-encrypt the old Vista image before I left town.

A coworker suggested I log a ticket with PGP.  After doing so, I was poking around their site, searching for various terms from the error message and stumbled across a reference to a command line command.  About that same time, I received an auto-response from PGP which included several links, the last of which (https://pgp.custhelp.com/app/answers/detail/a_id/1850) led me to information about the same command line command, pgpwde.

Here is the relevant section from the page above:

SECTION 2 - PGPWDE Command Line

The following commands will help diagnose and decrypt the disk. Other commands can be listed by typing pgpwde --help.

  1. To begin working with the PGPWDE interface open a command prompt and change to the PGP installation directory (default directory shown) C:\Program Files\PGP Corporation\PGP desktop.
  2. To list all installed hard disks in the system type: pgpwde --enum. Entering this command will give us a list of disks with numbers we will use in the next few steps.
  3. Now type pgpwde --status --disk 1. Substitute the PGP WDE disk number listed in the previous step for the number 1 in the command if different. The output of this command will tell us whether the disk is still encrypted.
    • If the disk is not encrypted, "Disk 1 is not instrumented by bootguard" will be the output.
    • If the disk is encrypted, the output will display:
      • "Disk 1 is instrumented by Bootguard."
      • The total number of sectors.
      • A Highwater value (number of sectors encrypted).
      • Whether the current key is valid.
  4. Type pgpwde --list-user --disk 1. This will tell us the user information contained on the disk. This will help in multi-user environments to determine which user passphrase was used to implement WDE.
  5. Type pgpwde --decrypt --disk 1 --passphrase {mypasswordhere}. This will start the decryption process. To view progress, type the status command listed in step 3 and note the Highwater number, this number will get smaller and smaller as the number of sectors encrypted decreases.

This command line command allowed me to decrypt the partially encrypted disk.  I then uninstalled PGP to be safe, reinstalled PGP and encrypted my disk without further incident.


 

One of our employees had a Lenovo ThinkPad T60 laptop that had the nifty "feature" where he could not boot into Windows without having the laptop plugged into power. In addition, when he removed power from the laptop, the system would hang. My testing was able to narrow that down further to where if the laptop was not plugged into external power AND there was no live Ethernet cable plugged into the NIC, these symptoms would arise. After updating drivers and the BIOS and checking the ThinkVantage Power Management settings, I found a setting in the driver advanced properties called "Deep Smart Power Down". The way this feature was intended to work is to save battery power when there is no active cable plugged into the NIC. Unfortunately, what usually happens is that the system locks up during the "hot-swap" remove session that Windows sees when DSPD runs. Disabling this setting resolves the problem quite nicely and everything is running off of battery like it's supposed to.

http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-63677