Release Notes for Version 1.21

 

These release notes apply to the following products:

 

Workplace Protect 1.21 (local mode)

Workplace Protect 1.21 (managed mode)

Requires Workplace Manager 1.21 (or higher)

 

Important prerequisite

Make sure that the latest Fujitsu drivers for Fingerprint and PalmSecure™ and the latest Windows updates are installed on your computers. For all LIFEBOOKs and STYLISTICs with an O2Micro/Bayhub SmartCard Reader, use the O2Micro driver OZ776 CCID SmartCard Reader, version 2.1.4.240. For other SmartCard Readers, use the drivers available on the Fujitsu support pages.

Also make sure that the latest BIOS version is installed.

 

Supported models

Check in the Feature Finder if your computer model is supported by Workplace Protect:

(select model, select all features, -> User Security -> Workplace Protect)

http://www.fujitsu.com/fts/solutions/high-tech/solutions/workplace/manageability/feature-finder.html

or

Check in the download area http://support.ts.fujitsu.com if your system is in the list “Use in the following products” for Workplace Protect.

 

Supported operating systems

 

Windows 10 (64 bit) with installed KB3124262 on supported models

Windows 8.1 (32/64 bit) on supported models

Windows 7 SP1 (32/64 bit) with installed KB30339292 or KB3125574 on supported models

Uninstall Workplace Protect before migrating the operating system (also if you return from Windows 10 to an earlier operating system version (#22556)).

 

Recommendation

In local mode we recommend also allowing the password as a fallback login method, even if you prefer another, more secure login method. This may help, e.g., if you damage your smart card, forget your external device, or the internal device does not work for any reason. (#23576)

 

Workplace Embedded Tools (WET)

The BIOS-based Workplace Embedded Tools Auto BIOS Update and Easy PC Protection require a licensed computer (the license must be ordered together with the computer).

 

Cooperation of Workplace Manager and Workplace Protect (managed mode)

 

 

                          Workplace Manager
                          V1.10            V1.11            V1.12            V1.15            V1.21
Workplace Protect V1.10   OK               Not recommended  Not recommended  Not recommended  Not recommended
Workplace Protect V1.11   unsupported      OK               OK               OK               Not recommended
Workplace Protect V1.12   unsupported      unsupported      OK               OK               Not recommended
Workplace Protect V1.15   unsupported      unsupported      unsupported      OK               Not recommended
Workplace Protect V1.21   unsupported      unsupported      unsupported      unsupported      OK

 

What is new in 1.21 vs. 1.20.0180 (April 2016)

New Functionality:

·  Support of new systems

·  Managed Mode support added

·  Multi-Factor Authentication for Biometrics on computers without smart card using an additional Secret

·  Windows 7 and Windows 8.1 Support

·  Warning if unsupported system under Windows 10

·  Inventory/Asset data sent to Workplace Manager

·  New Password Safe Database Format

 

What is new in 1.21 vs. 1.15.0043 (September 2015)

New Functionality:

·  Support of new systems

·  Windows 10 (64 bit) support (except Easy Restore)

·  Multi-Factor Authentication for biometric login methods

   o  Biometrics on smart card (Finger- and/or PalmSecure™ Template-On-Card)

   o  Biometrics with additional Secret (Finger, Palm, Face)

·  Credential Provider “V2” for Win 8, 10

·  Inventory/Asset data sent to Workplace Manager

·  Enrolment during login no longer supported

·  New Password Safe Database Format

 

 

Issues [Setup / Update]

 

Windows 7: Installation of Workplace Protect requires KB30339292 or KB3125574.

If neither of these KBs is installed under Windows 7 (32 and 64 bit), the setup performs a rollback. It shows a message box for interactive (non-silent) installations and creates an appropriate entry in the MSI log file for silent installations.

 

Windows 10: Installation of Workplace Protect requires KB3124262

If this KB is not installed under Windows 10 (64 bit), the main functions of Workplace Protect cannot be guaranteed. (https://support.microsoft.com/en-us/kb/3124262)

 

DeskView and Workplace Protect (#22955)

Not all version combinations of Workplace Protect and DeskView can coexist. The recommended way to use DeskView and Workplace Protect on one computer is:

·          First install DeskView 6.70

·          Afterwards install Workplace Protect 1.21

If you want to uninstall one of the two products, please uninstall both and afterwards install the still required product again.

 

Pre boot data from earlier operating systems

Before setting up a newer Windows system you should clear the biometric Pre Boot Authentication (PBA) data in the BIOS by clearing the BIOS supervisor password.

 

PalmSecure™ Update from Workplace Protect versions earlier than v1.11

An improved PalmSecure™ SDK is integrated on systems supporting PalmSecure™. This SDK has an enhanced internal format for the enrolled palm vein data. You have to re-enrol the palm vein data.

  

Operating system update from Windows 7 to Windows 8 / 10 requires new enrolment of biometric data for Palm Vein PBA (#19847)

Palm vein data for Pre Boot Authentication differ between Windows 7 and Windows 8/10. Therefore the data should be cleared before updating (disable PBA in WPP).

Otherwise the data can be cleared by removing the BIOS Administrator Password. Afterwards the PBA can be configured on the new installation.

 

Encrypted Container: Before upgrading from Windows 8 to a higher Windows version

Before you run the Windows upgrade on a system with an installed and configured Encrypted Container, back up your files and then remove the container. After the operating system update, create a new Encrypted Container.

 

Workplace Protect Setup with enabled Windows 10 Hyper-V

The required minimum version of the Fujitsu BIOS Gabi Driver (Fbiosdrv.sys) is 1.2.2.0. The Fujitsu driver installer DeskUpdate may still install the driver 1.2.0.0. In this case the setup will report an error.

 

Password Safe created with an older version (1.20 or earlier) which is no longer installed cannot be imported (#23864)

Workaround: Install the earlier version (e.g. 1.15) and import the old database. Then perform an update to the latest Workplace Protect.

  

Switch from local mode to managed mode (#23943)

Workaround: Uninstall local mode, then install managed mode.

 

Reboot after installation:

Workplace Protect installation requires two reboots to exchange the logon mechanism.

 

Issues [Operating System]

 

Workplace Protect and BitLocker

When BitLocker is enabled on the system partition, some BIOS-related Workplace Protect operations are not possible. In this case, suspend BitLocker in order to perform the required operation (e.g. set/modify BIOS passwords).

 

Operating System Migration with installed Workplace Protect is not recommended

 

After an upgrade from Windows 8 to Windows 8.1, a repair installation of Workplace Protect is needed

If you run the Windows upgrade on a system with Workplace Protect installed and configured, the application will not run correctly afterwards.

A repair installation of the product is required, and the configuration and biometric data must be renewed.

 

Windows 10: Lock Screen

From Windows 8 to Windows 10 the internal behavior of the LogonUI with the Windows Lock Screen has changed. Workplace Protect requires the Windows 10 Lock Screen to be disabled. Setup writes the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization]

"NoLockScreen"=dword:00000000

Do not overwrite this value with a domain policy.
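
As an added example (not part of the Fujitsu release notes or product), the following read-only PowerShell audit checks three Windows 10 items these notes name: KB3124262, the minimum Fbiosdrv.sys version 1.2.2.0 from the Hyper-V setup issue above, and the NoLockScreen value that setup writes. The function names are hypothetical, and the driver is located through its Win32_SystemDriver registration because the notes give no file path.

```powershell
# Added example: read-only audit of three Windows 10 items from these release notes.
# Function names are hypothetical; expected values are copied from the notes as printed.

function Get-FbiosDriverVersion {
    # Find Fbiosdrv.sys through its driver registration rather than assuming a path.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*Fbiosdrv.sys' } |
        Select-Object -First 1
    if (-not $drv) { return $null }
    $path = $drv.PathName -replace '^\\\?\?\\', ''      # strip a leading \??\ prefix
    $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $vi = $item.VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-NoLockScreenValue {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
    $prop = Get-ItemProperty -Path $key -Name 'NoLockScreen' -ErrorAction SilentlyContinue
    if ($prop) { return [int]$prop.NoLockScreen }
    return $null                                        # key or value not present
}

function Test-WorkplaceProtectPrereqs {
    $minDriver   = [version]'1.2.2.0'   # minimum Fbiosdrv.sys version per the notes
    $writtenLock = 0                    # NoLockScreen dword as printed in the notes

    # Get-HotFix only reports updates recorded on the machine under this exact ID.
    $kb   = Get-HotFix -Id 'KB3124262' -ErrorAction SilentlyContinue
    $drv  = Get-FbiosDriverVersion
    $lock = Get-NoLockScreenValue

    [pscustomobject]@{ Check = 'KB3124262 recorded'; Actual = [bool]$kb; Pass = [bool]$kb }
    [pscustomobject]@{ Check = "Fbiosdrv.sys >= $minDriver"; Actual = $drv
                       Pass  = ($null -ne $drv -and $drv -ge $minDriver) }
    [pscustomobject]@{ Check = "NoLockScreen = $writtenLock (setup value)"; Actual = $lock
                       Pass  = ($null -ne $lock -and $lock -eq $writtenLock) }
}

Test-WorkplaceProtectPrereqs | Format-Table -AutoSize
```

A False result on the NoLockScreen row after setup has run means the value was changed or removed after installation, which is the situation the note about domain policies describes.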

 

Microsoft accounts (Live ID) (#23760, #13375, #23838)

Workplace Protect does not fully support Microsoft accounts for login. (see Whitepaper)

 

Logon to Systems with active Remote Desktop connection: Local Logon with Biometric data will not work

If a system is running a Remote Desktop session, a local login with biometric data (Fingerprint, Face Recognition or PalmSecure™) will not work.

A misleading error message like "Logon via Fingerprint is not allowed..." appears.

 

Windows 7 Logon: A click into the user name text box is required to log on with username and password

The logon with username and password may require a click into the user name textbox on Windows 7 although the user name textbox is focused.

 

Issues [General]

 

Authentication Level change

Workplace Protect defines the authentication levels for all users on a computer: one domain user can define it for all other users on this computer. (A local user can do this only with local administrator rights.) If you change the authentication level on a computer, other users may not yet have enrolled the required data. Therefore Workplace Protect allows password login when the authentication level is changed and only biometric logins are allowed. (Microsoft recommendation for Windows 10: always allow password login.)

 

Workplace Protect will be closed when the workstation is locked or enters a sleep mode

To ensure the availability of the security devices, the application Workplace Protect will be closed when locking the workstation or when the workstation enters the Standby/Hibernate mode.

 

Change PIN of foreign smart Card

Changing the PIN of a third-party smart card is not possible (like it is with MS generic) (#19397)

 

Login with smart card or biometric data on smart card (Multi-Factor Template-On-Card)

Due to timing issues while starting the smart card reader and service it may be necessary to remove and reinsert the smart card during the login process. This can be necessary, although the user is not asked to do that. (#22342)

 

Configuration of biometric Pre-Boot Authentication (PBA) for second user (#18968)

During configuration of PBA it is always required to use the “Manage PBA” button to send the biometric templates to the BIOS. Otherwise the user will not be accepted for PBA.

 

Preboot Authentication with Biometric device (Fingerprint, PalmSecure) is not configurable, although system does support it (#19847)

In the Preboot Authentication menu the tab Fingerprint or PalmSecure is not visible. This is caused by unfeasible biometric data written to the system BIOS. To clear that, enter BIOS setup menu, clear the supervisor password and set it again. Afterwards Preboot Authentication will be available.

 

Logon with smart card using Single Sign On (SSO) may not work after System restart or resume from Hibernate

If a system with activated SystemLock is restarted or resumes from Hibernate, the PIN is required during POST. Although the PIN was entered once, it might be requested again for the Windows logon.

 

Windows Lock after Hibernate or Sleep (sporadically)

The wake-up of the biometric devices and the smart card reader after sleep and/or hibernate may take longer than expected or even fail. It may be necessary to remove and insert the smart card. If login with the smart card is not possible, log in with your Windows password.

 

 

Issues [Smart cards / RFID]

 

Multifactor Authentication (Template-On-Card) with contact smart cards

Depending on the free space on a smart card, it is possible to store up to 6 biometric templates (palm veins or fingerprints) on the supported CardOS 4.3 or 4.4 smart cards. Smart cards sold by Fujitsu starting March 2016 have a bigger area (32 kB) for biometric data than earlier smart cards (16 kB). The average size of a palm vein (internal device) template is ~11 kB; the average size of a fingerprint is ~5 kB. These values may differ from user to user.

 

With RFID cards multifactor authentication (Template-On-Card) is not possible.

 

RFID under Windows 7 (#24096, #23751)

RFID cards do not work correctly under Windows 7 (-> continue using Workplace Protect 1.15)

 

Parallel use of RFID card and contact smart cards is not supported (#22452)

Using a smart card and an RFID card at the same time is not possible. Once the smart card is inserted, an RFID card will not be recognized properly.

After configuring a smart card it is possible to set RFID card as single Windows login method.  

 

Smart card removal behaviour (#22433)

After removal of smart card it can take some seconds until the workstation is locked, although the flag to lock Workstation at smart card removal is set.

 

SystemLock not supported

SystemLock functions are not supported with Workplace Protect 1.21.

 

Issues [PalmSecure™]

 

Compatibility of Palm vein templates

Palm vein templates are specific to the PalmSecure™ device model on which they were enrolled. If you store palm vein data on a smart card and want to use this smart card on another computer, that computer requires a compatible PalmSecure™ device. All current built-in PalmSecure™ sensors are compatible. External PalmSecure™ devices have different template formats.

 

Pre Boot Authentication and single sign on and Multi Factor Authentication (Template-On-Card) (#24085)

PalmSecure™ PBA activation may fail when using authentication level “Template-On-Card”. If you want to use biometric pre-boot authentication, configure this before using authentication level “Template-On-Card”.

In this case Single sign on is disabled.

 

   

Issues [Encrypted Container]

  

Encrypted Container: Restrictions for creating Encrypted Container on a USB stick

An Encrypted Container can only be created on a NTFS formatted USB stick.

The Encrypted Container technology is based on VHD (virtual hard disk) format and requires a reliable high performance USB stick.

Windows 8.1 and higher: In order to delete an Encrypted Container volume, you have to start Workplace Protect with elevated rights. (#14689)

 

Mounted Encrypted Container may prevent access to SD card (#14884)

To get access to the SD card unmount the Encrypted Container temporarily.

 

Issues [Biometry]

Face Recognition: Other application uses camera

All face recognition functions need exclusive access to the camera. If other applications use the camera, functions like “session lock” or “create face model” will not work.

 

Advanced Face Recognition (#21696)

Eye blink detection of Workplace Protect requires a well illuminated face. If this cannot be ensured, please deactivate eye blink detection.

Do not use Face Recognition as the only authentication method.

 

Fingerprint: WBF limitation for Guest and Built-in Administrator accounts

The WBF (Windows Biometric Framework) does not permit fingerprint enrolments for Guest or Built-in Administrator accounts on

Windows 8.x (and Windows 10) for Authentec fingerprint sensors

Windows 7, 8.x, 10 for Validity/Synaptics fingerprint sensors

 

Fingerprint: Poor Quality for enrolment on STYLISTIC systems with Validity Sensor

The placement and implementation of pattern evaluation often prevent problem-free usage of the device. This may result in repeated occurrence of a biometric device error.

 

Biometric Single-Sign-On (SSO)

Biometric SSO sometimes does not work correctly after sleep, hibernate, restart or shutdown (#23962, #24027, #24076). A second registration of Fingerprint/Palm vein is necessary to log in to Windows.

 

Issues [Computer Model]

 

Setting Hard Disk Password does not work on some LIFEBOOKs (#19493, #24090)

Workplace Protect shows error message: “Undefined error occurred. Code: 107”

 

Setting Hard Disk Password does not work on Skylake Desktops (ESPRIMO D/P/Q/X xx6) (#19669, #19493)

Workplace Protect shows error message: “Undefined error occurred. Code: 107”

 

Fingerprint Pre-Boot Authentication cannot be activated on older LIFEBOOKs (released before 2012) (#19018)