After installing the Thunderbolt (TB) driver software for any TB accessory, for example a docking station, each TB device has to be authorized for security reasons. When a new device is connected, this dialog pops up:

Thunderbolt Security pop-up dialog

That would be fine, but approving the device requires local administrator rights on the machine, which might be an issue in a corporate environment.

To fix this, or at least work around it, I see two approaches:

  • OS Level Fix

Before you install the Thunderbolt drivers/software, create this registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ThunderboltService\TbtServiceSettings
"ApprovalLevel"=dword:00000001

This lets "normal" (non-administrator) users connect TB devices with no security warning; the devices are approved automatically.
If the TB software is already installed, this will not work. You will have to uninstall it completely, set the registry value above and then install the TB software again.

  • BIOS Level Fix

This method is a bit more complex and usually depends on the BIOS manufacturer.
When doing this manually, there should be a section for Thunderbolt settings in the Security section of the BIOS.

Example of Dell’s TB BIOS settings

Manual configuration aside, there is also a way to automate this, for example when deploying the machines via an SCCM task sequence. You create a package or add command-line steps to the task sequence, depending on your machine manufacturer.

  • Dell

This uses Dell's HAPI & CCTK tool (it can be downloaded from the vendor's site, including the software manual).
From the downloaded package, run the following commands (or put them in a script):

::Copy the content of the CCTK package to C:\Dell
xcopy.exe "*.*" "C:\Dell\CCTK\" /E /C /I /Q /H /R /Y /S
::Set BIOS password – set to your BIOS password, or create a new one – REQUIRED!
"C:\Dell\CCTK\CCTK.exe" --setuppwd=Password1
::Set TB security level in BIOS
"C:\Dell\CCTK\CCTK.exe" --thunderboltsecuritylevel=nosecurity --valsetuppwd=Password1
::Remove BIOS password (not needed)
DCC\x86_64\cctk.exe --setuppwd= --valsetuppwd=Password1
::After a machine restart, the TB security level will be set

  • HP

Using HP’s BiosConfigUtility.exe (again, can be downloaded from the vendor’s site) 

1. First, extract a dump of the BIOS settings from the machine to a text file. This step might not be required for all models, but I have noticed that on some older models and BIOS versions, these settings have slightly different names, so you might need to extract the right ones.

BiosConfigUtility.exe /GetConfig:settingsdump.txt 

2. Edit the text file to contain only the options we want to change and rename it to (for example) BIOS.repset. The asterisk marks the option we want to set in the machine's BIOS.
On newer HP devices, you will need to create two such files:

BIOS1.repset, which contains:

BIOSConfig 1.0

Require BIOS PW to change TBT SL
	*Disable
	Enable

BIOS2.repset, which contains:

BIOSConfig 1.0

Thunderbolt Security Level
	*PCIe and DisplayPort - No Security
	PCIe and DisplayPort - User Authorization
	PCIe and DisplayPort - Secure Connect
	DisplayPort and USB

3. Then create a package with the utility and your .repset files. In the task sequence, create a step that (1) applies the config file and (2) restarts the machine: 

BiosConfigUtility.exe /SetConfig:BIOS.REPSET

Note that when two repset files are used, you need to apply the first one, restart the machine, apply the second one and restart the machine again.
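
An added example, not part of the original post or of HP's tooling: a small Python parser for a BiosConfigUtility settings dump that reports which Thunderbolt values are active, so the result of the task sequence can be checked per machine. It assumes the layout in the sample (setting names at column 0, options indented, `*` on the active one); the sample dump and the function names are constructed for illustration.

```python
# Constructed sample dump (not from a real machine). Assumed layout: setting
# names start at column 0, their options are indented, "*" marks the active one.
SAMPLE_DUMP = """BIOSConfig 1.0
Require BIOS PW to change TBT SL
\t*Disable
\tEnable
Thunderbolt Security Level
\t*PCIe and DisplayPort - No Security
\tPCIe and DisplayPort - User Authorization
\tPCIe and DisplayPort - Secure Connect
\tDisplayPort and USB
"""

# Setting names as written in this article; older models may name them differently.
WEAK_VALUES = {
    "Thunderbolt Security Level": lambda v: "no security" in v.lower(),
    "Require BIOS PW to change TBT SL": lambda v: v.lower() == "disable",
}


def parse_bcu(text):
    """Return {setting: {"options": [...], "selected": str or None}}."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("BIOSConfig"):
            continue
        if raw[0] in " \t" and current is not None:   # indented: an option value
            value = line.lstrip("*").strip()
            settings[current]["options"].append(value)
            if line.startswith("*"):
                settings[current]["selected"] = value
        else:                                          # column 0: a setting name
            current = line
            settings[current] = {"options": [], "selected": None}
    return settings


def weak_thunderbolt_settings(settings):
    """List (setting, active value) pairs that relax Thunderbolt protection."""
    findings = []
    for name, is_weak in WEAK_VALUES.items():
        selected = settings.get(name, {}).get("selected")
        if selected is not None and is_weak(selected):
            findings.append((name, selected))
    return findings


if __name__ == "__main__":
    for name, value in weak_thunderbolt_settings(parse_bcu(SAMPLE_DUMP)):
        print(f"{name}: {value}")
```

Run it against the file produced by /GetConfig to see which machines ended up with authorization switched off.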

  • Lenovo

Lenovo also has a method for this, and it requires no external application. It can be accomplished via WMI queries, or in combination with PowerShell.