RE: T420s TPM - bitlocker and security

Similar Messages

• Bitlocker and KB2919355

  Hi all! I am seeing a problem regarding Bitlocker and the recent update to Windows 8.1 - KB 2919355. We are currently deploying windows 8.1 to our staff and we included the Volume Licensing version of the update in the image build. According to the KB article
  the Windows Update/WSUS version includes and additional patch for the Windows Update client that will be advertised even to systems that already have the VL version applied. This is fine and we approved the update in WSUS.
  These new laptops are encrypted with Bitlocker with recovery information backed up to Active Directory. Testing for this deployment was flawless and no issues were encountered with Bitlocker. However, when we apply the update 2919355 after a system is imaged
  and Bitlocker is enabled then on reboot we are presented with a Bitlocker Recovery screen.
  It seems that something regarding this update is causing the TPM validation check to go awry. The only way to fix each affected machine is to enter the recovery password, decrypt the drive and then re-encrypt. For now I have unapproved the update in WSUS
  since we are deploying the update in the image build and I believe this will fix our issue for the moment, but I would like to be able to approve this again in the future to ensure security compliance.
  Has anyone else experienced this issue with KB2919355? If so, is there something that can be done to prevent the Bitlocker recovery event? Thanks!

  Thanks for that input!
  I have same problems, having gone through the whole thing again and again since 10 days.
  I have uninstalled/disconnected all I can think of and as every time I still arrive on that unfinished install-> automatice repair -> fails -> reboot blocks on Bitlocker Recuperation keys!!
  It makes me think you could be right and it is (in my case) also a Bitlocker affaire.
  At the begin of april there was a sepate BL update as KB2934018, (of the approximate size of the whole .355 KB)which now seems inside the april, 16th KB2919355-64 (126.3). People have said this .4018 should be installed as the last of all ítems.  Today
  W. Dowload Center does not deliver this .4018 anymore, which makes me a bit scary to try install that.
  I will try to decrypt BL completely for a new try.

• Script to locate if systems has a TPM chip and it's status if it does.

  I am looking for a script that would scan AD for a list of computers and then query them to see if they have a TPM chip and then what the status of each one is.
  I have been looking around and so far haven't come across one. Any help would be really appreciated for this scripting noob.
  Edited: I also have SCCM and ConfigureSoft's ECM in my company, so maybe those could be leveraged to do this but i haven't found the way to do it yet either.

  Hi,
  Here is a function I wrote to help identify the TPM and check its status.
  The problem is, most TPM's come from the fasctory turned OFF. If that is the case,
  Your computer will not know if it has one or not.
  Turning the TPM on requires at least one reboot and possibly two or three.
  I have a bunch of vbScripts I wrote that will check to see if the TPM is;
  1. Enabled
  2. Activated
  3. Owned
  Function ChkTPM {
  $NOW = (Get-Date)
  #check TPM version #. Must be 1.2
  $strComputer = "."
  $TPMOn = $False
  $colItems = Get-WmiObject -class Win32_Tpm -namespace "root\CIMV2\Security\MicrosoftTpm" -computername $strComputer
     foreach ($objItem In $colItems) {
       Write-Host "SpecVersion: $objItem.SpecVersion"
       $SpecVersion = [string]($objItem.SpecVersion)
   If ($SpecVersion -match "1.2") {
    Write-Host "TPM is version 1.2"
    Set-ItemProperty -path $path -name "TPM_Version" -Value "1.2"  | Out-Null
    Add-Content $strLogDirFile -Value ("$NOW  TPM is version 1.2")
   Else {
     Write-Host "TPM is NOT version 1.2."
    Set-ItemProperty -path $path -name "TPM_Version" -Value $SpecVersion | Out-Null
    Add-Content $strLogDirFile -Value ("$NOW TPM is NOT version 1.2")
    Break
  #Check if TPM is enabled and Activated
  $path="HKLM:\SOFTWARE\Medtronic\Encryption"
  $colItems = Get-WmiObject -class Win32_Tpm -namespace "root\CIMV2\Security\MicrosoftTpm" -computername $strComputer
  foreach ($objItem in $colItems) {
   $a = $objItem.IsEnabled()
   $b = $objItem.IsActivated()
   $c = $objItem.IsOwned()
   $TPMOn = $True 
   Set-ItemProperty -path $path -name  "TPM-On" -Value "True   $NOW "| Out-Null
    If ($a) {
      Write-Host "TPM Is Enabled:  $a"
     Set-ItemProperty -path $path -name "TPM_Enabled" -Value "True  $NOW "| Out-Null
     Add-Content $strLogDirFile -Value ("$NOW   TPM_Enabled True")
    Else {
     Set-ItemProperty -path $path -name "TPM_Enabled" -Value "False $NOW" | Out-Null
     Add-Content $strLogDirFile -Value ("$NOW   TPM_Enabled False")
    If ($b) {
      Write-Host "TPM Is Activated:  $b"
     Set-ItemProperty -path $path -name "TPM_Activated" -Value "True  $NOW" | Out-Null
     Add-Content $strLogDirFile -Value ("$NOW   TPM_Activated True")
    Else {
     Set-ItemProperty -path $path -name "TPM_Activated" -Value "False $NOW"  | Out-Null
     Add-Content $strLogDirFile -Value ("$NOW   TPM_Activated False")
    If ($c) {
      Write-Host "TPM Is Owned:  $c"
     Set-ItemProperty -path $path -name "TPM_Owned" -Value "True  $NOW" | Out-Null
     Add-Content $strLogDirFile -Value ("$NOW   TPM_Owned True")
    Else {
     Add-Content $strLogDirFile -Value ("$NOW   TPM_Owned False")
     Set-ItemProperty -path $path -name "TPM_Owned" -Value "False $NOW" | Out-Null
  If ($TPMOn = $False) {
      Add-Content $strLogDirFile -Value ("$NOW   Trusted Platform Module may be turned off")
   Write-Host "Trusted Platform Module may be turned off"
   Set-ItemProperty -path $path -name "TPM_Enabled" -Value "TPM Is Not Enabled in BIOS $NOW" | Out-Null
   Start-Sleep 5
   Break

• Difference between T420 4180-FB5 and 4180-BU5

  Can anyone help me understand the difference between the
  T420 4180-FB5
  and
  T420 4180-BU5
  Or point me toward a doc that outlines the different model variations?
  They both seem to have the same specs...what am I missing?
  Thank you. Sean
  Solved!
  Go to Solution.

  Hi,
  Here's what the "search by machine type-model" in SUPPORT has to say:
  ThinkPad T420 4180FB5
  i5-2540M(2.6GHz), 8GB RAM, 320GB 7200rpm HD, 14in 1600x900 LCD, Intel HD Graphics, CDRW/DVDRW, Intel 802.11agn wireless, WWAN option, Bluetooth, modem, 1Gb Ethernet, UltraNav, Secure Chip, Camera,6c Li-Ion, Win7 Pro 64
  ThinkPad T420 4180BU5
  i5-2520M(2.5GHz), 8GB RAM, 320GB 7200rpm HD, 14in 1600x900 LCD, Intel HD Graphics, CDRW/DVDRW, Intel 802.11agn wireless, WWAN option, Bluetooth, modem, 1Gb Ethernet, UltraNav, Secure Chip, Camera, 6c Li-Ion, Win7 Pro 64
  All I spot is the different CPU.
  Z.
  The large print: please read the Community Participation Rules before posting. Include as much information as possible: model, machine type, operating system, and a descriptive subject line. Do not include personal information: serial number, telephone number, email address, etc.  The fine print: I do not work for, nor do I speak for Lenovo. Unsolicited private messages will be ignored. ... GeezBlog
  English Community   Deutsche Community   Comunidad en Español   Русскоязычное Сообщество

• Using BitLocker and File History

  I understand that Microsoft has posed restrictions on the use of File History on device encrypted with BitLocker. It seems not possible to use a Networked device but also a USB Harddisk seems not to be supported.
  Where can I find a complete overview under which circumstances File History will work? Are there additional policy settings that I could tweak? I don't mind that the history files are not encrypted. They sit on a tightly secured server that nobody else has
  access to.
  (cross-posted from
  http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/file-history-from-a-bitlocker-device)

  Hi,
  Actually, the screenshot above doesn't indicate that this issue is caused by Bitlocker, it mentioned something about EFS, network location and NTFS files system. but according to your description, I would suggest you temporarily turn off the bitlocker, and
  check if it is the root cause.
  We can also recorded log in Event Viewer to find more information about this issue, Event Viewer\Applications and Services Logs\Microsoft\Windows\File History-Core or File History-Engine.
  You can also manually check the copies of File History on the destination drive, and check the settings of File History\Advanced Settings, saved copies of files,  size of offline cache, keep saved versions.
  Yolanda Zhu
  TechNet Community Support

• I have forgotten my apple security questions, when I go to My Apple ID and click on password and security, there is no option to reset my security questions even though I have a rescue email adress, how do i reset my security question ?

  I have forgotten my security questions but when I click on My Apple ID and got to password and security, there is no option to rest my questions and/or send my self a rescue email, what do I do now ?

  You need to contact Apple. Click here, phone them, and ask for the Account Security team, or fill out and submit this form.
  (89174)

• Start up problems after Safari 3.1 and Security update

  Updated safari and security update last night.
  Safari downloaded and installed but there was an error downloading or installing the security update, I forgot.
  After I restarted everything booted up fine, but was stuck on "Starting Mac OS X" screen.
  Did a fsck and zap the pram, still stuck.
  Today I tried booting up in safe mode, stuck on the gray screen with the apple logo.
  Then I tried booting up from an external firewire dvd drive. Repaired permissions, repaired the disk, but it is still stuck on "Starting Mac OS X" screen. Help please...
  Thank you

  Ok i had a similar problem, with all the recent updates for Leopard, including the 10.5.2 combo update... the 12" PowerBook G4 kept getting stuck on the grey apple and spinning wheel... if it managed to get past this it would get stuck on the blue screen!!!
  The way i got around this, after trying all these other tips was: Archived & Installed 10.5; restarted, waited; downloaded 10.5.2 Combo update, installed; restarted, waited; waited; waited; after getting back to desktop, restarted, waited; then ran Software Update only installing one at a time, and after each install, restarted, waited; when all Software updates completed, proceeded with iLife updates etc... It took a while (still quicker than the 3 days of failed installs and updates) with a lot of waiting on the blue screen (5-20mins) but we got there in the end. Disks where checked with Leopard Disk Utility before and after, permissions where checked before and after completing all installs, also with a DW 4.1 optimization. Also note worthy is the RAM was upgraded from the initial 256Mb (!!!) with an extra Gb.

• Bursting with translation and security attributes?

  Hi folks,
  I've been lurking on the forum for a while and despite not always finding a solution, existing threads normally pointed me in the right direction - so thanks :)
  I'm working on EBS 11.5.10 with the latest Bi-Publisher 5.6.3 (5472959) and bursting (5968876) patches installed.
  I have successfully done the following individual AR Invoice Bi-Publisher tasks:
  1. translated an invoice RTF template by attaching an xliff file to the data definition,
  2. applied security attributes to the template to restrict updates on the resulting PDF,
  3. burst a custom AR invoice print and emailed the resultant pdf's.
  The PDF generated by the combined Invoice print correctly applies the translation and security attributes; however when I run the "XML Publisher Report Bursting Program" to the XML file the resultant burst PDF's do not apply the translation or security attributes. I assume this a limitation of bursting control files? If so, is this on the list of future enhancements to Bi-Publisher?
  Here's an example of my control file document entry, I have included locale and pdf-security entries - these don't cause an error but equally don't generate the desired result (p.s. I know I'm emailing on a PRI filter - it's just a test):
  <xapi:document output-type="pdf" delivery="att_email">
  <xapi:template type="rtf"
  location="/usr/tmp/xxxINVOICE3.rtf"
  locale="fr-US"
  pdf-security="true" pdf-encryption-level="1" pdf-permissions-password="xxxxxx"
  filter=".//G_INVOICE_HEADER[PRINTING_OPTION='PRI']" >
  </xapi:template>
  </xapi:document>
  Thanks
  Dave

  =================
  ==Properties Idea's
  =================
  You would have happened to try applying the security stuff in the application for your template? Try that and see if the pdf properties get set.
  If that doesn't work your left with two options:
  1. create a java concurrent program and set the properties manually.
  2. Log a tar.
  =================
  ==local idea's
  =================
  Are you sure you don't have to create template config for the locale? i suspect that's why it's not applying the xliff translation. Also, your NLS_LANG needs to be set to FRENCH for the approriate template to be applied. If your logged-in as english your french format template will not be applied, neither will the translation. As an example you can query vl table and you'll only get american (us) but if you alter your session you'll get the translation for that language when your query the table.
  location="xdo://xxxAR.xxx_XML_PRINT.fr.US"
  try it out and see if that works. Note: This will only work if your session NLS_LANG is set to FRENCH.

• How to Set up HTTPOnly and SECURE FLAG for session cookies

  Hi All,
  To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
  I have found the below solutions.
  For setting up the HTTPOnly for the session cookies.
  1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.httponly = true;
  For setting up the secure flag for the session cookies.
  2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.secure = "true"
  Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).
  <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
  <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
  </cfif>
  But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.
  Your timely help is well appreciated.
  Thanks in advance.

  BKBK wrote:
  Abdul L Koyappayil wrote:
  BKBK wrote:
  You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
  I couldnt understand this. I mean how are you relating this with my question.
  When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
       If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
  Name:
  JSESSIONID
  Content:
  782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
  Domain:
  xyz.abc.pqr.com
  Path:
  Send for:
  Any kind of connection
  Accessible to script:
  No (HttpOnly)
  Created:
  Wednesday, September 3, 2014 2:25:10 AM
  Expires:
  When the browsing session ends
  BKBK wrote:
  2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
  Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
       I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
  BKBK wrote:
  3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
  It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
       I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea??

• HT2534 My friend created me an itunes store account with his credit card , his credit card is about to expire and they are asking me to re-enter the credit card and security card number .... I don't have these numbers ... How can i create new itunes accou

  My friend created me an itunes store account with his credit card , his credit card is about to expire and they are asking me to re-enter the credit card and security card number .... I don't have these numbers ... How can i create new itunes account without credit card?????

  Why do you need to create a new account?
  Just change the payment method.
  http://support.apple.com/kb/ht1918

• I forgot the answers for the security questions and when I try to change them (My Apple ID - Manage your account - Password and Security) I'm asked to answer the exact questions I'm Trying to change because I don't remember the answers. How can I do it?

  I forgot the answers for the security questions and when I try to change them (My Apple ID -> Manage your account -> Password and Security) I'm asked to answer the exact questions I'm trying to change because I don't remember the answers. How can I do it?

  Can't you try the email option instead?

• [Request] Move Windows Control Panel applet from "System and Security" to "Programs"

  The "Flash Player (32-bit)" Windows Control Panel applet should be  moved from "System and Security" to "Programs" where the Java applet is.
  Vote: https://bugbase.adobe.com/index.cfm?event=bug&id=2953107
  Thanks

  njb,
  Why not just run the ThinkVantage System Update and let it install as usual. You can also "un-check" those drivers that you don't want to install.
  *Non Lenovo employee*
  I have a Y2P (i5) ... Feel free to ping me if you want me to test some applications with your Y2P if you have the same model. I don't mind keep doing recovery on it if needed .... =)

• System and security control panel

  Could someone with a W520 take a screenshot of the lenovo apps in their "system and security" section of control panel please. I am doing a ground up install from bare windows 7 to get rid of the preloaded SQL server 2005 and adding back the programe I want.
  Just want to seee what came preloaded.
  Thanks

  njb,
  Why not just run the ThinkVantage System Update and let it install as usual. You can also "un-check" those drivers that you don't want to install.
  *Non Lenovo employee*
  I have a Y2P (i5) ... Feel free to ping me if you want me to test some applications with your Y2P if you have the same model. I don't mind keep doing recovery on it if needed .... =)

• "logon time" between USR41 and security audit log

  Dear colleagues,
  I got a following question from customer for security audit reason.
  > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
  > logon history of Security Audit Log(Tr-cd:SM20)?
  Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
  And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
  at the time when user logged on, the security audit log is recorded .
  I tried to check SAP GUI logon program:SAPMSYST several ways, however,
  I could not check it because the program is protected even for read access.
  I want to know about specification of "logon time" between USR41 and security audit log,
  or about how to look into the program:SAPMSYST and debug it.
  Thank you.
  Best Regards.

  Hi,
  If you configure Security Audit you can achieve your goals...
  1-Audit the employees how access the screens, tables, data...etc
  Answer : Option 1 & 3
  2-Audit all changes by all users to the data
  Answer : Option 1 & 3
  3-Keep the data up to one month
  Answer: No such settings, but you can define maximum log size.
  4-Log retention period can be defined.
  Answer: No !.. but you can define maximum log size.
  SM19/SM20 Options:
  1-Dialog logon
  You can check how many users logged in and at what time
  2-RFC login/call
  Same as above you can check RFC logins
  3-Transaction/report start
  You can see which report or transaction are executed and at what time
  (It will help you to analyise unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
  4-User master change
  (You can see user master changes log with this option)
  5-System/Other events
  (System error can be logged using this option)
  Hope, it clear the things...
  Regards.
  Rajesh Narkhede

• I have used a Seagate external hard drive for my Mac desktop. It is malfunctioning. Can I disconnect and depend on iCloud to keep my documents, music, and photos backed up safe and secure? I use the Cloud for phone, pad and desktop.

  Can I expect iCloud to safely back up and secure my documents, music and pictures? I am using Cloud on phone, pad, and desktop. Have depended on external hard drive in the past. It is malfunctioning. Will the Cloud replace it for storage and safety?

  Time Machine in itself, without an external drive may well be good for instances where you accidentally delete documents that you later require. However in the event of a hard drive failure, if Time Machine backup is kept on the same drive as the original items, it will not be much use to you.
  In my opinion, it is vitally important that you have an external drive for backup, whether you use Time Machine or a another backup solution is entirely up to you.
  My situation is slightly unusual, I have four hard drives in my computer and multiple arrays of hard drive enclosures with multiple hard drives within them (in total I have 40 TB of storage). As a result of this I tend to employ more than one backup procedure, I use Time Machine to backup some items and a utility called tri-backup to backup other items. I also keep two backups of everything.
  Time Machine is free, it's included with your operating system, I wonder if you mean time capsule.