12 Replies Latest reply on Oct 9, 2018 1:27 PM by Stacy19001

    Pre-Approve Thunderbolt 3 Devices?

    Stacy19001

      I'm looking for a way to turn off the approval notice when connecting new Thunderbolt 3 devices to Windows 10 machines. We are currently testing Lenovo ThinkPads (T480s) with Thunderbolt 3. When connecting the Lenovo TB3 dock for the first time, the Thunderbolt software requires approval for the device on initial connection. Most of our users do not have local admin credentials, so my team has to set up each TB3 dock with our Active Directory local admin accounts. This appears to happen for each TB3 port, not just the laptop in general.

      Here is what we've found out so far. We are aware that the BIOS has an option to change the TB3 security level from "User Authorization" to "No Security". If you select "No Security", then connecting a new TB3 dock is possible without local admin rights. But the Thunderbolt software will pop up a message: "Device was approved during boot, but is not part of the current approved devices list." You can tell Windows 10 to stop the notification, but we want to just be able to pre-approve TB3 devices without any notifications. We believe the "No Security" option is actually for using TB3 devices during pre-boot (example: PXE booting). Although, the T480s also has a BIOS option for TB3 support during pre-boot. Yes, it seems redundant.

      In the past, one of our remote users could just dock to a standard docking station at a guest cube and off they went. With this setup of the T480s and TB3 dock, we can't do that right now. If they try to connect to that TB3 dock for the first time, then it's going to bring up UAC for admin rights. Although, we also are testing the Lenovo Ultra dock and it uses the TB3 port on the T480s. It appears the Ultra dock uses Alt Mode and not TB3 for external devices.

       

      Questions:

             1. Is there a way to get around the UAC for approving a new TB3 device without changing the BIOS setting to "No Security"?

             2. Is there a setting in the Thunderbolt software to ungray the approval options for TB3 devices without needing UAC?

        • 1. Re: Pre-Approve Thunderbolt 3 Devices?
          Intel Corporation
          This message was posted on behalf of Intel Corporation

          Hello Stacy19001

          Thank you for joining the Intel® community.

          Allow me to share with you that, upon reviewing the information that you have mentioned and the testing that you have performed, this behavior seems to be related to the Original Equipment Manufacturer (OEM) system configuration and the Operating System (OS) notifications. In this case I recommend contacting the OEM and OS providers.

          Bear in mind that Thunderbolt™ is a system ingredient that is customized by each OEM differently on their platforms. Intel provides firmware and driver updates directly to OEMs, but it is up to each OEM to perform validation testing.

          Regards,
          Leonardo C.
          Intel Customer Support Technician
          Under Contract to Intel Corporation

          • 2. Re: Pre-Approve Thunderbolt 3 Devices?
            Stacy19001

            Leonardo,

            I disagree with your statement that Thunderbolt is customized per OEM. This has to do with the Thunderbolt software requiring local admin rights. Most large companies do not allow users to have local admin rights. When you connect a Thunderbolt device for the first time, the Thunderbolt software (not Windows 10) is requiring local admin rights, not to install the Thunderbolt software, as it is already installed onto Windows 10. The local admin rights are needed to "approve" newly connected devices, and then you can tell the Thunderbolt software to always approve the device. Any other Thunderbolt devices will also need to be approved for the first time. We also have HP Thunderbolt 3 capable devices and they perform the exact same behavior as the Lenovo devices. Now this may be an industry standard for all OEMs, but we do not use the OEM image. We use SCCM to distribute Windows 10 Enterprise, similar to most large-scale companies. The Thunderbolt software is already on our Windows 10 image. The Thunderbolt Secure Connect software seems to be universal in that it requires local admin rights to connect a new device.

            That is my question: in the Thunderbolt software, is there any way to disable the need for local admin rights to "approve" newly connected devices for the first time?

            Thank you for your reply Leonardo.

            • 3. Re: Pre-Approve Thunderbolt 3 Devices?
              Intel Corporation
              This message was posted on behalf of Intel Corporation

              Hello Stacy19001

              Thank you for the information.

              Upon reviewing the information that you have shared with us, I noticed that your Windows® 10 image comes with the Thunderbolt software. In this case, to confirm which actions can be customized on the software, I recommend contacting Microsoft® to confirm this information.

              Regards,
              Leonardo C.
              Intel Customer Support Technician
              Under Contract to Intel Corporation

              • 4. Re: Pre-Approve Thunderbolt 3 Devices?
                Stacy19001

                Leonardo,

                I will contact Microsoft, but I am still not understanding how they are going to help, considering the Intel software is what is asking for local admin rights, not Windows 10. There are no options inside the software to approve attached devices without local admin rights. Please see the attached screenshot. I'm OK with that; I would just like to know if the software was developed this way by design.

                1. The Intel Thunderbolt Software clearly says "In order to approve them for use, 'this application' must be run with administrative privileges."

                2. Verified Publisher: Intel Client Connectivity Division.

                3. Getting to the Approve Thunderbolt Devices screen requires elevated credentials in order to select "Always Connect".

                4. This is the exact same process for the following machines:

                   a. HP EliteBook 840 G5 with HP Thunderbolt Dock G2.

                   b. Lenovo ThinkPad T480s with Lenovo ThinkPad Thunderbolt 3 Dock.

                   c. Dell Latitude 5480 with the Dell TB16 Thunderbolt Dock.

                • 5. Re: Pre-Approve Thunderbolt 3 Devices?
                  Intel Corporation
                  This message was posted on behalf of Intel Corporation

                  Hello Stacy19001

                  Please bear in mind that Intel® provides the Thunderbolt™ hardware and firmware to each of the OEMs; they then configure the device according to their system preference. Because of this, I would recommend verifying this behavior with them.

                  Regards,
                  Leonardo C.
                  Intel Customer Support Technician
                  Under Contract to Intel Corporation

                  • 6. Re: Pre-Approve Thunderbolt 3 Devices?
                    bgleich

                    Hello,

                    I have exactly the same problem as Stacy19001.

                    We are currently searching for a way to approve a docking station without admin rights.

                    In my research I noticed the following entry in the release notes of the Thunderbolt software, which is probably the solution for this problem:

                    "Added support for NonAdmin mode through installer switch. Run setup.msi NONADMIN=1 when installing the Thunderbolt SW package in order to allow user without administrator privileges to approve devices."

                    and

                    "Added support for NonAdmin mode through INF install mode. This option is not enabled by default and need customized INF/CAT files. Please contact your Thunderbolt support team for more information"

                    In our environment we use the INF installer. So can you please tell me where I can get the customized INF/CAT files?

                    Or how I can contact the Thunderbolt support team?

                    • 7. Re: Pre-Approve Thunderbolt 3 Devices?
                      Intel Corporation
                      This message was posted on behalf of Intel Corporation

                      Hello bgleich

                      Thank you for posting in the Intel® community.

                      In this case, to get the customized INF/CAT files I would recommend contacting the Original Equipment Manufacturer (OEM), because they would personalize the driver for each system build.

                      Regards,
                      Leonardo C.
                      Intel Customer Support Technician
                      Under Contract to Intel Corporation

                      • 8. Re: Pre-Approve Thunderbolt 3 Devices?
                        bgleich

                        Hello Leonardo,

                        I spoke with Lenovo about this topic, and it seems that Intel has only given information about the MSI installer to the OEMs.

                        They could not give me any information about the special INF files.

                        • 9. Re: Pre-Approve Thunderbolt 3 Devices?
                          Stacy19001

                          Thank you for your feedback bgleich. I've given up trying to explain to Leonardo that the Intel Secure Connect software is NOT OEM specific. It behaves identically with Lenovo, HP and Dell platforms. We have all three platforms that we are testing. There is nothing specific that the OEMs or Microsoft do to the software. You came across great documentation that proves that the elevated credential level of the Intel Secure Connect software was built in by Intel and has nothing to do with the OEMs. The OEMs may create their own executable for the software, like HP creating a Softpaq, but nothing is done to the actual software as far as admin credentials to approve Thunderbolt devices. I think at this point all we are going to receive is "Please contact Microsoft or your OEM manufacturer".

                          Thanks for the info about the command-line switch for turning off admin mode, bgleich.

                          • 10. Re: Pre-Approve Thunderbolt 3 Devices?
                            bgleich

                            Hi stacy19001,

                            As the support from Intel and the OEM is not as helpful as expected, I have analysed the MSI installer.

                            The NONADMIN=1 switch has only one effect. It creates the following registry key (DWORD):

                            HKLM\SYSTEM\CurrentControlSet\Services\ThunderboltService\TbtServiceSettings\ApprovalLevel

                            with the value 1.

                            After setting this registry key manually and rebooting the test client, the user can approve Thunderbolt 3 devices without admin rights.

                            There is only one problem. This registry key is protected and only the user "ThunderboltService" has write access.

                            So you have to set the registry key before installing the software, or modify the security of this registry key.

                            • 11. Re: Pre-Approve Thunderbolt 3 Devices?
                              Intel Corporation
                              This message was posted on behalf of Intel Corporation

                              Hello all

                              Thank you for the information.

                              As mentioned previously, this is OEM dependent; in this support channel we provide assistance with the Intel® processor, Intel® NUCs, Intel Graphics, Intel® compute stick and Intel® compute card. However, let me look for more information on the case. I will be posting back when news becomes available.

                              Hope this helps.

                              Regards,
                              Leonardo C.
                              Intel Customer Support Technician
                              Under Contract to Intel Corporation

                              • 12. Re: Pre-Approve Thunderbolt 3 Devices?
                                Stacy19001

                                I was able to extract the Intel Thunderbolt software from the HP Softpaq using 7-Zip.

                                There is absolutely nothing specific that mentions HP in the EULA or otherwise. It is all Intel, 100%. All HP did was package it as a Softpaq. I ran the MSI installer as bgleich suggested (msiexec.exe /i setup.msi NOADMIN=1 /q). It installed exactly as bgleich suggested. I was able to select how to connect and approve the Thunderbolt dock without local admin credentials.

                                The registry key for device approval was also present and set to value 1.

                                We use SCCM, so I will add this installer to the task sequence with the no-admin switch.

                                I also found out that the Thunderbolt software may not be in Windows 10, but on a flash drive embedded on the Thunderbolt dock.
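The following PowerShell is an added example for the deployment step bgleich describes in reply 10 and Stacy19001 adopts in reply 12; it is not code from the thread or from Intel's Thunderbolt software. It pre-seeds the ApprovalLevel value before the MSI runs (since afterwards only the ThunderboltService account can write it) and audits the result, so a fleet check can confirm who is able to change the setting that gates which Thunderbolt peripherals standard users may approve. The key path and the meaning of value 1 are taken from the thread; the meaning of any other value is not documented there and is left uninterpreted.

```powershell
# Added example, not code from the thread or from Intel's Thunderbolt software.
# Key path and the meaning of ApprovalLevel = 1 come from bgleich's reply 10;
# other values are not documented in the thread, so only 1 is interpreted.
$TbtSettingsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ThunderboltService\TbtServiceSettings'
$ApprovalValue  = 'ApprovalLevel'

# Pre-seed the value before the Thunderbolt MSI runs (after install only the
# ThunderboltService account holds write access on the key). Run elevated,
# e.g. as a task-sequence step ahead of "msiexec /i setup.msi NONADMIN=1 /qn".
function Set-TbtNonAdminApproval {
    if (-not (Test-Path -Path $TbtSettingsKey)) {
        New-Item -Path $TbtSettingsKey -Force | Out-Null
    }
    New-ItemProperty -Path $TbtSettingsKey -Name $ApprovalValue `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Audit helper: report the current approval level and which identities hold
# SetValue (write) rights on the key, so a compliance check can confirm that
# the setting is what was deployed and that only the service account can alter it.
function Get-TbtApprovalPosture {
    $posture = [ordered]@{
        KeyExists        = Test-Path -Path $TbtSettingsKey
        ApprovalLevel    = $null
        NonAdminApproval = $false
        KeyWriters       = @()
    }
    if (-not $posture.KeyExists) { return [pscustomobject]$posture }

    $props = Get-ItemProperty -Path $TbtSettingsKey -Name $ApprovalValue -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        $posture.ApprovalLevel    = [int]$props.$ApprovalValue
        $posture.NonAdminApproval = ($posture.ApprovalLevel -eq 1)
    }

    # Enumerate Allow ACEs that include SetValue; expect ThunderboltService here.
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    $posture.KeyWriters = @((Get-Acl -Path $TbtSettingsKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $setValue) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value })

    return [pscustomobject]$posture
}

# Usage: Set-TbtNonAdminApproval   (elevated, before the MSI install)
#        Get-TbtApprovalPosture | Format-List
```

If NonAdminApproval is true on a machine where it was not intended, or KeyWriters lists anything beyond the service account and built-in administrators, the host has been configured outside the deployment and should be investigated.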