After installing Thunderbolt (TB) driver software to any TB accessory – for example docking stations – there is a need to authorize each TB device for security reasons. When a new device is connected, this dialog pops-up:
Which would be fine, but to approve the device, you need local administrator’s rights on the machine, which might be an issue in corporate environment.
To fix this, or at least workaround this, I see two approaches here:
- OS Level Fix
Before you install the Thunderbolt drivers/software, create this registry value:
This allows “normal” users to connect TB devices with no security warning, automatically approving them.
If you already installed the TB software, then this will not work. You will have to uninstall it completely, fix the registry value above and then install the TB software again.
- BIOS Level Fix
This method is a bit more complex and usually BIOS manufacturer dependent.
Basically, then doing this manually, in Security section in BIOS there should be a section for Thunderbolt settings.
Manual setting aside, there is also a way to automate this, for example when deploying the machines via SCCM’s task sequence. You basically create a package or add command-line steps to the task sequence, depending on your machine manufacturer.
Using Dell’s HAPI & CCTK tool (can be downloaded from the vendor’s site), including the software manual.
On the downloaded package, you run following commands (or create a script):
::Copy the content of the CCTK package to C:\Dell
xcopy.exe “*.*” “C:\Dell\CCTK\” /E /C /I /Q /H /R /Y /S
::Set BIOS password – set to your BIOS password, or create a new one – REQUIRED!
::Set TB security level in BIOS
“C:\Dell\CCTK\CCTK.exe” –thunderboltsecuritylevel=nosecurity –valsetuppwd=Password1
::Remove BIOS password (not needed)
DCC\x86_64\cctk.exe –setuppwd= –valsetuppwd=Password1!
::After a machinerestart, the TB security level will be set
Using HP’s BiosConfigUtility.exe (again, can be downloaded from the vendor’s site)
1. First, extract BIOS settings dump from the machine to text file. This step might not be required for all models, but I have noticed that on some older models and BIOS versions, these settings have slightly different names – so you might need to extract the right ones.
2. Edit the text file to contain only the options we want to change and rename it to (for example) BIOS.repset. The asterisk here signifies what option we want to set in machine’s BIOS.
On newer HP devices, you will need to create two such files:
BIOS1.repset that contains
Require BIOS PW to change TBT SL
BIOS2.repset that contains
Thunderbolt Security Level
*PCIe and DisplayPort – No Security
PCIe and DisplayPort – User Authorization
PCIe and DisplayPort – Secure Connect
DisplayPort and USB
3. Then create a package with the utility and your .repset files. In the task sequence, create a step that (1) applies the config file and (2) restarts the machine:
Note that when two repset files are used, you need to apply the first one, restart the machine, apply the second one and restart the machine again.
Even Lenovo has a method to do this, but it requires no external application. It can be accomplished via WMI queries or a combination with Powershell.