These release notes apply to the following products:
Workplace Protect 1.21 (local mode)
Workplace Protect 1.21 (managed mode)
Requires Workplace Manager 1.21 (or higher)
Important prerequisite
Ensure that you have installed the latest Fujitsu drivers for Fingerprint and PalmSecure™ and that the latest Windows Updates are applied on your computers. For all LIFEBOOKs and STYLISTICs with an O2Micro/Bayhub SmartCard Reader, use the O2Micro driver OZ776 CCID SmartCard Reader with version 2.1.4.240. For other SmartCard Readers, use the drivers available on the Fujitsu support pages.
Also ensure that the latest BIOS version is installed.
Supported models
Check in the Feature Finder if your computer model is supported by Workplace Protect (select model, select all features, -> User Security -> Workplace Protect):
http://www.fujitsu.com/fts/solutions/high-tech/solutions/workplace/manageability/feature-finder.html
or
Check in the download area http://support.ts.fujitsu.com if your system is in the list “Use in the following products” for Workplace Protect.
Supported operating systems
Windows 10 (64 bit) with installed KB3124262 on supported models
Windows 8.1 (32/64 bit) on supported models
Windows 7 SP1 (32/64 bit) with installed KB30339292 or KB3125574 on supported models
Uninstall Workplace Protect before migrating the operating system (also if you return from Windows 10 to an earlier operating system version (#22556)).
Recommendation
In local mode we recommend also allowing the password as a fallback login method, even if you prefer another, more secure login method. This may help, e.g., if you damage your smart card, forget your external device, or the internal device does not work for any reason. (#23576)
Workplace Embedded Tools (WET)
The BIOS-based Workplace Embedded Tools Auto BIOS Update and Easy PC Protection require a licensed computer (the license must be ordered together with the computer).
Cooperation of Workplace Manager and Workplace Protect (managed mode)
| | Workplace Manager V1.10 | Workplace Manager V1.11 | Workplace Manager V1.12 | Workplace Manager V1.15 | Workplace Manager V1.21 |
| Workplace Protect V1.10 | OK | Not recommended | Not recommended | Not recommended | Not recommended |
| Workplace Protect V1.11 | unsupported | OK | OK | OK | Not recommended |
| Workplace Protect V1.12 | unsupported | unsupported | OK | OK | Not recommended |
| Workplace Protect V1.15 | unsupported | unsupported | unsupported | OK | Not recommended |
| Workplace Protect V1.21 | unsupported | unsupported | unsupported | unsupported | OK |
What is new in 1.21 vs. 1.20.0180 (April 2016)
New Functionality:
· Support of new systems
· Managed Mode support added
· Multi-Factor Authentication for Biometrics on computers without smart card using an additional Secret
· Windows 7 and Windows 8.1 Support
· Warning if unsupported system under Windows 10
· Inventory/Asset data sent to Workplace Manager
· New Password Safe Database Format
What is new in 1.21 vs. 1.15.0043 (September 2015)
New Functionality:
· Support of new systems
· Windows 10 (64bit) support (except Easy Restore)
· Multi-Factor Authentication for biometric login methods
  o Biometrics on smart card (Finger- and/or PalmSecure™ Template-On-Card)
  o Biometrics with additional Secret (Finger, Palm, Face)
· Credential Provider “V2” for Win 8, 10
· Inventory/Asset data sent to Workplace Manager
· Enrolment during login no longer supported
· New Password Safe Database Format
Issues [Setup / Update]
Windows 7: Installation of Workplace Protect requires KB30339292 or KB3125574
If neither of these KBs is installed under Windows 7 (32 and 64 bit), the setup performs a rollback and shows a message box (for non-silent installations) and creates an appropriate entry in the MSI log file for silent installations.
Windows 10: Installation of Workplace Protect requires KB3124262
If this KB is not installed under Windows 10 (64 bit), the main functionalities of Workplace Protect cannot be ensured. (https://support.microsoft.com/en-us/kb/3124262)
DeskView and Workplace Protect (#22955)
Not all version combinations of Workplace Protect and DeskView can coexist. The recommended way to use DeskView and Workplace Protect on one computer is:
· First install DeskView 6.70
· Afterwards install Workplace Protect 1.21
If you want to uninstall one of the two products, please uninstall both and afterwards install the still required product again.
Pre boot data from earlier operating systems
Before setting up a newer Windows system you should clear the biometric Pre Boot Authentication (PBA) data in the BIOS by clearing the BIOS supervisor password.
PalmSecure™ Update from Workplace Protect versions less than v1.11
An improved PalmSecure™ SDK is integrated on systems supporting PalmSecure™. This SDK has an enhanced internal format of the enrolled palm vein data. You have to re-enrol the palm vein data.
Operating system Update from Windows 7 to Windows 8 / 10 requires new enrolment of biometric data for Palm Vein PBA (#19847)
Palm Vein Data for Pre Boot Authentication are different between Win7 and Win8/10. Therefore the data should be cleared before updating (disable PBA in WPP).
Otherwise the data can be cleared by removing the BIOS Administrator Password. Afterwards the PBA can be configured on the new installation.
Encrypted Container: Before upgrading from Windows 8 to a higher Windows version
Before you run the Windows upgrade on a system with installed and configured Encrypted Container, back up your files and then remove the container. After the operating system update, create a new encrypted container.
Workplace Protect Setup with enabled Windows 10 Hyper-V
The required minimum version of the Fujitsu BIOS Gabi Driver (Fbiosdrv.sys) is 1.2.2.0. The Fujitsu driver installer DeskUpdate may still install the driver 1.2.0.0. In this case the setup will report an error.
Password Safe created with an older version (1.20 or earlier) which is no longer installed cannot be imported (#23864)
Workaround: Install the earlier version (e.g. 1.15) and import the old database. Then perform an update to the latest Workplace Protect.
Switch from local mode to managed mode (#23943)
Workaround: Uninstall local mode, then install managed mode.
Reboot after installation:
Workplace Protect installation requires two reboots to exchange the logon mechanism.
Issues [Operating System]
Workplace Protect and BitLocker
With BitLocker enabled on the system partition, some BIOS-related Workplace Protect operations will not be possible. In this case you should suspend BitLocker in order to perform the required operation (e.g. set/modify BIOS passwords).
Operating System Migration with installed Workplace Protect is not recommended
After upgrade from Windows 8 to Windows 8.1 a repair installation of Workplace Protect is needed
If you run the Windows upgrade on a system with installed and configured Workplace Protect, the application will not run correctly afterwards.
A repair installation of the product is required, and configuration and biometric data must be renewed.
Windows 10: Lock Screen
From Windows 8 to Windows 10 the internal behavior of the LogonUI with the Windows Lock Screen has changed. Workplace Protect requires the Windows 10 Lock Screen to be disabled. Setup writes the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization]
"NoLockScreen"=dword:00000000
Do not overwrite this value by a domain policy.
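
A read-only check of the prerequisites named in these notes (the required KBs under Setup / Update, the Fbiosdrv.sys minimum version for Hyper-V systems, and the lock screen policy value above), added here as an example; it is not part of the original release notes or of Fujitsu's tooling. The driver path is an assumption; the KB numbers, driver version and registry value are taken from the notes as written.

```powershell
# Added example: prerequisite audit for Workplace Protect 1.21 (not Fujitsu code).
# KB numbers, minimum driver version and registry value are copied from these release notes.
# Assumption: Fbiosdrv.sys is installed under %SystemRoot%\System32\drivers.

function New-Check($Name, $Passed, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
}

function Test-WorkplaceProtectPrereqs {
    $os = [Environment]::OSVersion.Version

    # Required updates: KB3124262 on Windows 10, one of two KBs on Windows 7.
    $required = @()
    if ($os.Major -eq 10) { $required = @('KB3124262') }
    elseif ($os.Major -eq 6 -and $os.Minor -eq 1) { $required = @('KB30339292', 'KB3125574') }
    if ($required.Count -gt 0) {
        # Get-HotFix raises an error for IDs that are not installed; suppress it and keep the hits.
        $found = @(Get-HotFix -Id $required -ErrorAction SilentlyContinue)
        $ids = ($found | ForEach-Object { $_.HotFixID }) -join ', '
        New-Check "Required KB ($($required -join ' or '))" ($found.Count -gt 0) $ids
    }

    # BIOS driver: setup reports an error below 1.2.2.0 when Hyper-V is enabled.
    $driver = Join-Path $env:SystemRoot 'System32\drivers\Fbiosdrv.sys'
    if (Test-Path $driver) {
        $vi = (Get-Item $driver).VersionInfo
        $parts = $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $ver = New-Object System.Version -ArgumentList $parts
        New-Check 'Fbiosdrv.sys >= 1.2.2.0' ($ver -ge [Version]'1.2.2.0') $ver.ToString()
    } else {
        New-Check 'Fbiosdrv.sys >= 1.2.2.0' $false 'driver file not found'
    }

    # Lock screen policy: compare with the value the notes say setup writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
    $prop = Get-ItemProperty -Path $key -Name NoLockScreen -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        New-Check 'NoLockScreen as written by setup' $false 'value missing (setup not run, or removed)'
    } else {
        New-Check 'NoLockScreen as written by setup' ($prop.NoLockScreen -eq 0) ('dword:{0:x8}' -f $prop.NoLockScreen)
    }
}

Test-WorkplaceProtectPrereqs | Format-Table Check, Passed, Detail -AutoSize
```

Get-HotFix lists an update only under its own ID, so a KB delivered inside a later cumulative update shows as missing and needs manual confirmation. Running the lock screen check again after a Group Policy refresh shows whether a domain policy has changed the value.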
Microsoft accounts (Live ID) (#23760, #13375, #23838)
Workplace Protect does not fully support Microsoft accounts for login. (see Whitepaper)
Logon to Systems with active Remote Desktop connection: Local Logon with Biometric data will not work
If a system is running a Remote Desktop session, a local login with biometric data (Fingerprint, Face Recognition or PalmSecure™) will not work.
A misleading error message like "Logon via Fingerprint is not allowed..." appears.
Windows 7 Logon: A click into the user name text box is required to logon with username and password
The logon with username and password may require a click into the user name textbox on Windows 7 although the user name textbox is focused.
Issues [General]
Authentication Level change
Workplace Protect defines the authentication levels for all users on a computer: One domain user can define it for all other users on this computer. (A local user can do this only with local administrator rights.) If you change the authentication level on a computer, there is a possibility that other users have not yet enrolled the required data. Therefore Workplace Protect allows the password login when the authentication level is changed and only biometric logins are allowed. (Microsoft recommendation for Windows 10: Always allow password login.)
Workplace Protect will be closed when the workstation is locked or enters a sleep mode
To ensure the availability of the security devices, the application Workplace Protect will be closed when locking the workstation or when the workstation enters the Standby/Hibernate mode.
Change PIN of foreign smart card
Changing the PIN of a third-party smart card is not possible (like it is with MS generic) (#19397)
Login with smart card or biometric data on smart card (Multi-Factor Template-On-Card)
Due to timing issues while starting the smart card reader and service, it may be necessary to remove and reinsert the smart card during the login process. This can be necessary although the user is not asked to do that. (#22342)
Configuration of biometric Pre-Boot Authentication (PBA) for second user (#18968)
During configuration of PBA it is always required to use the “Manage PBA” button to send the biometric templates to the BIOS. Otherwise the user will not be accepted for PBA.
Preboot Authentication with Biometric device (Fingerprint, PalmSecure) is not configurable, although the system does support it (#19847)
In the Preboot Authentication menu the tab Fingerprint or PalmSecure is not visible. This is caused by unusable biometric data written to the system BIOS. To clear that, enter the BIOS setup menu, clear the supervisor password and set it again. Afterwards Preboot Authentication will be available.
Logon with smart card using Single Sign On (SSO) may not work after System restart or resume from Hibernate
If a system with activated SystemLock is restarted or resumes from Hibernate, the PIN is required during POST. Although the PIN was entered once, it might be requested again for the Windows Logon.
Windows Lock after Hibernate or Sleep (sporadically)
The wake-up of the biometric devices and the smart card reader after sleep and/or hibernate may take longer than expected or even fail. It may be necessary to remove and insert the smart card. If login with smart card is not possible, log in with your Windows password.
Issues [Smart cards / RFID]
Multifactor Authentication (Template-On-Card) with contact smart cards
Depending on the free space on a smart card, it is possible to store up to 6 biometric templates (palm veins or fingerprints) on the supported CardOS 4.3 or 4.4 smart cards. Smart cards sold by Fujitsu starting March 2016 have a bigger area (32 kB) for biometric data than the earlier smart cards (16 kB). The average size of a palm vein (internal device) template is ~11 kB; the average size of a fingerprint is ~5 kB. These values may differ from user to user.
With RFID cards multifactor authentication (Template-On-Card) is not possible.
RFID under Windows 7 (#24096, #23751)
RFID cards do not work correctly under Windows 7 (-> continue using Workplace Protect 1.15)
Parallel use of RFID card and contact smart cards is not supported (#22452)
Using a smart card and an RFID card at the same time is not possible. Once the smart card is inserted, an RFID card will not be recognized properly.
After configuring a smart card it is possible to set RFID card as single Windows login method.
Smart card removal behaviour (#22433)
After removal of the smart card it can take some seconds until the workstation is locked, although the flag to lock the workstation at smart card removal is set.
SystemLock not supported
SystemLock functions are not supported with Workplace Protect 1.21.
Issues [PalmSecure™]
Compatibility of Palm vein templates
Palm vein templates are specific to the PalmSecure™ device model on which these templates were enrolled. If you store palm vein data on a smart card and you want to use this smart card on another computer, this computer requires a compatible PalmSecure™ device. All current built-in PalmSecure™ sensors are compatible. External PalmSecure™ devices have different template formats.
Pre Boot Authentication and single sign on and Multi Factor Authentication (Template-On-Card) (#24085)
PalmSecure™ PBA activation may fail when using authentication level “Template-On-Card”. If you want to use biometric pre-boot authentication, configure this before using authentication level “Template-On-Card”.
In this case Single sign on is disabled.
Issues [Encrypted Container]
Encrypted Container: Restrictions for creating Encrypted Container on a USB stick
An Encrypted Container can only be created on an NTFS formatted USB stick.
The Encrypted Container technology is based on VHD (virtual hard disk) format and requires a reliable high performance USB stick.
Windows 8.1 and higher: In order to delete an Encrypted Container volume, you have to start Workplace Protect with elevated rights. (#14689)
Mounted Encrypted Container may prevent access to SD card (#14884)
To get access to the SD card unmount the Encrypted Container temporarily.
Issues [Biometry]
Face Recognition: Other application uses camera
All face recognition functions need exclusive access to the camera. If other applications use the camera, functions like “session lock” or “create face model” will not work.
Advanced Face Recognition (#21696)
Eye blink detection of Workplace Protect requires a well illuminated face. If this cannot be ensured, please deactivate eye blink detection.
Do not use Face Recognition as the only authentication method.
Fingerprint: WBF limitation for Guest and Built-in Administrator accounts
The WBF (Windows Biometric Framework) does not permit fingerprint enrolments for Guest or Built-in Administrator accounts on
· Windows 8.x (and Windows 10) for Authentec fingerprint sensors
· Windows 7, 8.x, 10 for Validity/Synaptics fingerprint sensors
Fingerprint: Poor Quality for enrolment on STYLISTIC systems with Validity Sensor
The placement and implementation of pattern evaluation often prevent problem-free usage of the device. This may result in repeated occurrence of a biometric device error.
Biometric Single-Sign-On (SSO)
Biometric SSO sometimes does not work correctly after sleep, hibernate, restart or shutdown (#23962, #24027, #24076). Second registration of Fingerprint/Palm vein is necessary to login to Windows.
Issues [Computer Model]
Setting Hard Disk Password does not work on some LIFEBOOKs (#19493, #24090)
Workplace Protect shows error message: “Undefined error occurred. Code: 107”
Setting Hard Disk Password does not work on Skylake Desktops (ESPRIMO D/P/Q/X xx6) (#19669, #19493)
Workplace Protect shows error message: “Undefined error occurred. Code: 107”
Fingerprint Pre-Boot Authentication cannot be activated on older LIFEBOOKs (released before 2012) (#19018)