Safeguard Fingerprint logon - Lenovo laptop(s)

I am having a real time attempting to get the fingerprint logon solution to work.  I'm attempting to utilize this with Lenovo laptops.

The first question I've got is - is it possible to not have Fingerprint software installed on the system, install Safeguard, and then later install Fingerprint software (the proper version of course)?  Will Safeguard pick it up and use it then?

Secondly, is it possible to have multiple users on the same laptop log into POA using Fingerprint?

Third, does Safeguard recognize multiple Fingerprints on the same fingerprint profile?

:2395
  • I hate to answer questions with questions, but:

    1)  What model Lenovo laptops are you using?

    2)  What version of the Thinkpad Fingerprint Software are you using?

    3)  Do you have Fingerprint option set in the Logon mode field of your Authentication Policy?

    We use Lenovo laptops exclusively at my company, and we've had pretty good luck with getting the fingerprint software working.  Our models were pretty old (T60/61), but once we got the fingerprint software upgraded to the proper version (we are using v5.8.2 b4462 for the Upek readers, and I'm not sure what version for the Authentic), it worked great.

    To answer your second and third question (and as always the Sophos guys will correct me if I'm wrong) but from my experience, it is possible to have multiple users log on to the POA using their fingerprints, and you can definitely register multiple fingerprints for each individual user.

    :2423
  • Well, it will be good to have the answers to the questions first. But neverless here are the answers of your questions:

    The first question I've got is - is it possible to not have Fingerprint software installed on the system, install Safeguard, and then later install Fingerprint software (the proper version of course)?  Will Safeguard pick it up and use it then?

    You have to follow the installation order which means: 1. Fingerprint software, 2. SafeGuard Easy (SGE)/SafeGuard Enterprise (SGE)

    Are you want to use it with SGN or SGE?

    Secondly, is it possible to have multiple users on the same laptop log into POA using Fingerprint?

    Yes

    Third, does Safeguard recognize multiple Fingerprints on the same fingerprint profile?

    Yes

    :2432
  • We have multiple Lenovo laptops in our enterprise - T400, T60, T61, X301.  The one I'm specifically working on right now is the X301.  I've not had any issues with any of the other models... but I've noticed that all the other models of Lenovo laptops use UPEK Fingerprint Software, while the X301 uses the Authentic Fingerprint Software.

    We are using Safeguard Enterprise in our workplace.

    I have updated the Fingerprint Software on each laptop I install SGE on to the latest version.  With UPEK I'm using v.5.8.5.6014, and with Authentic I'm using v.3.3.2.27.  Both should be higher than the required SGE versions according to my documentation.

    Yes, I do have Fingerprint set in the policy option for the Authentication policy.

    I was actually finally able to get it set up and installed on the X301 yesterday, but now I'm having a strange issue where the POA doesn't seem to want to register the fingerprint of the user.  Once the user registered their fingerprint in the software in windows, on a reboot the POA matches a fingerprint but doesn't find any login credentials associated with it, so you have to uncheck "log in to windows" (or whatever the checkbox is named) and then swipe the fingerprint on Windows Logon.  However - no matter how many times we do that POA doesn't seem to want to register the fingerprint with the user's login credentials.

    :2442

  • Cerebus06 wrote:

    I was actually finally able to get it set up and installed on the X301 yesterday, but now I'm having a strange issue where the POA doesn't seem to want to register the fingerprint of the user.  Once the user registered their fingerprint in the software in windows, on a reboot the POA matches a fingerprint but doesn't find any login credentials associated with it, so you have to uncheck "log in to windows" (or whatever the checkbox is named) and then swipe the fingerprint on Windows Logon.  However - no matter how many times we do that POA doesn't seem to want to register the fingerprint with the user's login credentials.


    Did the user have their fingerprints registered in the thinkpad software before SGN installation, or did they do it after?  I remember having a similar issue, and if I my memory serves me correctly, I deleted the users entire profile in the TFS software, and had them re-register.

    :2445
  • I didn't have him create the fingerprint profile and register it until after SGE was set up.

    However - one thing that did occur was that, when I uninstalled the older Authentic Fingerprint software version, it - for some reason - "could not" delete the fingerprint profile already set up.  I didn't think this would be an issue, but maybe that older fingerprint profile that was not deleted when the older version was removed is conflicting somehow?

    The user profiles are different - ie, the windows user that is currently trying to get SGE to register the fingerprint isn't the same profile as the one the original fingerprint profile was created on (although the user himself is the same user).

    :2448
  • It is an issue, because the FP data between the two FP software version are not compatible. Please make sure that you delete all fingers after the update of the FP software and re-enroll them.

    :2454
  • Hi,

    i have the same problem.

    Before I updated to the SGN 5.50, the FP was running under Windows and in the POA on several computers (e.g. Lenovo T60, T61p, W500, X301, ...). But with the newer version, I don't get it running for an authentification with the FP in the POA (Windows Authentification with FP works great). I installed Windows XP or Windows 7 with all drivers and programs (also with the FP Software and driver; for Authentec 3.3.0.58 and for UPEK 5.9.2.5859), only then I installed SGN 5.50 and encrypt all HDD devices.

    But now (after the initial user alignment) I configured the FP. However it works only in Windows (the authentication with FP is allowed in SGN MC and the Pre-Desktopautehtification is activated in the BIOS).I tested it on several devices, but no one is accurate running? With the SGN 5.40 the installation wasn't easy, but it run.

    What am I doing wrong?

    Best Regards,

    Johannes

    :2975
  • HI,

    We're a new customer of SafeGuard Enterprise, and POA Fingerprint isn't working for us either. It's working fine for Windows though.

    Details:

    Client: Windows 7 Enterprise x32

    SafeGuard version: 5.50.0.116

    Laptop: Lenovo W500 (TYPE 4062-5TG)

    Biometric: AuthenTec Inc. AES2810

    Biometric Driver version: 8.6.0.13 (ATSwpWDF.sys)

    Lenovo Fingerprint software installer: 7wf161ww.exe

    Lenovo Fingerprint software version: 3.3.2.27

    Install order:

    1. Cleared fingerprint data and reset security chip in BIOS

    2. Installed OS and drivers

    3. Installed Lenovo fingerprint software

    4. Enrolled fingerprints

    5. Tested successfully

    6. Installed SafeGuard Enterprise

    7. Rebooted

    8. Installed SafeGuard config

    9. Rebooted

    :3018
  • After raising a support ticket with Sophos I was told the Authentec version I'm using is not yet supported.

    FYI...

    Quote "Lenovo Fingerprint for AuthenTec versions 3.2.x are the only supported versions This has been raised as a deffect - DEF58676: Lenovo: No Fingerprint possible in POA with Authentec 3.3.2.27 (ItemID: 58676)"

    NB: From my understanding this would be mean that Windows 7 is not fully support for the Authentec chip as yet as Lenovo released version 3.3.x for Windows 7.

    :3049

  • RL wrote:

    After raising a support ticket with Sophos I was told the Authentec version I'm using is not yet supported.

    FYI...

    Quote "Lenovo Fingerprint for AuthenTec versions 3.2.x are the only supported versions This has been raised as a deffect - DEF58676: Lenovo: No Fingerprint possible in POA with Authentec 3.3.2.27 (ItemID: 58676)"

    NB: From my understanding this would be mean that Windows 7 is not fully support for the Authentec chip as yet as Lenovo released version 3.3.x for Windows 7.


    Hi RL,

    Thank you for your very informative post and including the response from Sophos Support regarding the Lenovo FPR and SGN POA.

    In the event that anyone else needs to check the Lenovo FPRs supported by SGN click here.

    :3054

  • Johannes wrote:

    Hi,

    i have the same problem.

    Before I updated to the SGN 5.50, the FP was running under Windows and in the POA on several computers (e.g. Lenovo T60, T61p, W500, X301, ...). But with the newer version, I don't get it running for an authentification with the FP in the POA (Windows Authentification with FP works great). I installed Windows XP or Windows 7 with all drivers and programs (also with the FP Software and driver; for Authentec 3.3.0.58 and for UPEK 5.9.2.5859), only then I installed SGN 5.50 and encrypt all HDD devices.

    But now (after the initial user alignment) I configured the FP. However it works only in Windows (the authentication with FP is allowed in SGN MC and the Pre-Desktopautehtification is activated in the BIOS).I tested it on several devices, but no one is accurate running? With the SGN 5.40 the installation wasn't easy, but it run.

    What am I doing wrong?

    Best Regards,

    Johannes


    I found that, after upgrading to 5.5, I had the same problem on the Lenovo R400 and T410 laptops.  I was able to fix it by hitting Shift+F5 (NOT Shift+F7 as mentioned in KB Article 63147) at the Sophos Copyright Screen (if you do it right, you should see a message that the "Alternate USB" has been activated.  The fingerprint enabled POA showed right up at that point.  Once you get past the POA, it will prompt you to save the settings changes - make sure you do so unless you want your users to have to press Shift+F5 everytime they boot!

    BTW, I was able to get the fingerprint reader working without regard to install order - one of the laptops has the fingerprint software installed AFTER Safeguard, one had the fingerprint software installed BEFORE safeguard went down.

    FYI - KB Article 107781 says that the "Alternative USB kernel" (the option the Shift+F5 controls) is ENABLED by default, but that appears to have changed in 5.5, as all of the machines I've installed 5.5 on have the "Alternative USB kernel" DISABLED

    :3200
  • Hi Visitant,

    i has tested it for one week ago, by hitting SHIFT+F5, but it doesn't work on all Lenovo devices.

    Here i can read in my FP datas, but i get the message that  "no FP datas are available".

    I has problems with Lenovo T61p (UPEK), Lenovo X200T (AuthenTec) and Lenovo T410s (AuthenTec).

    Other models in our enterprise are not testet. Current it  runns great on Lenovo R500.

    BR,

    Johannes

    :3221
  • Hi all,

    Hopefully this will provide a bit more clarity...

    SGN 5.50.1 (which is scheduled for mid August) is supposed to provide support for the following Lenovo fingerprint software versions:

    1)      UPEK: 5.8.5.6014

    2)      Authentec: 3.3.2.27

    The latest version of the UPEK chip fingerprint software from Lenovo is 5.9.x. However if you look at the download link on the Lenovo website for the 5.9.x software, there is an advisory stating that users of SGN 5.50 and Windows 7 should use version 5.8.5.6014 which is a Vista package. I've tested this package with Windows 7 and whilst it doesn't cause any harm to the system, and fingerprint works okay, it's still not supported from Sophos and fingerprint POA doesn't work.

    Thus the reason I'm waiting for SGN 5.50.1.

    As a side note I also requested that LSH (Local Self Help) works with fingerprint activated policies too - seeing as fingerprint isn't working for a lot of customers we have to fall back to password authentication.  Unfortunately when fingerprint authentication is enabled on a policy Local Self Help stops working. (This is by design). Not good when the users forget their passwords and the Servicedesk is closed.

    I understand that no-one forgets their fingerprint but until Sophos can guarantee 100% that fingerprint will work and that it wont fall back to password authentication then there is a clear need for LSH with fingerprint authentication. Not a well thought out design if you ask me ;)

    I've been advised that Local Self Help will work with fingerprint enabled policies in the next major release of SGN. Let's wait and see eh.

    How many days until Mid August? ;)

    :3796
  • Hi,

    I just spent 2 days trying to make fingerprint logon in POA work, and no success. It works fine for Windows login, but I am not getting the fingerprint logon screen in POA despite having Fingerprint enabled as logon mode through policy. My setup:

    Notebook Lenovo R500

    Lenovo Fingerprint software 3.3.2.27 (can't go to a lower version because that one does not work with the reader on Win7)

    reader AuthenTec AES2810 (driver 8.6.0.13)

    SafeGuard Enterprise 5.50.0

    Logon mode in the policy User ID/Password; Fingerprint

    Windows 7 (32)

    Fingerprints enrolled, login to Windows using fingerprints works, it just does not work in POA. Is this really a bug in SafeGuard, or am I doing something wrong? Can anyone advise, please, why this is not working - why the fingerprint logon screen does not show up in POA?

    Thanks.

    PS: Yes, I really agree with "As a side note I also requested that LSH (Local Self Help) works with fingerprint activated policies too - seeing as fingerprint isn't working for a lot of customers we have to fall back to password authentication.  Unfortunately when fingerprint authentication is enabled on a policy Local Self Help stops working. (This is by design). Not good when the users forget their passwords and the Servicedesk is closed."

    LSH should be available. With so many different PC configurations, fingerprints are pain, they more often fail than work.

    :4330
  • Acording to this list: http://www.sophos.com/support/knowledgebase/article/108789.html the reader/laptop is supported so should work. At POA, no windows drivers are used so the problem must be related to something else unless the fingerprint DB that the lenovo software uses is not compatible with SGN 5.50.

    Matt

    :4337