Here is a post on how to configure the Thunderbolt Software to not require admin rights when connecting a new Thunderbolt device.
Creds: Thanks to Jim Hamby (@TheJimHamby) for providing the screenshots.
Disclaimer: Allowing normal users to authorize the Thunderbolt connection is obviously less secure than requiring administrator approval, but it really has to be usable too 🙂
Background
If you have ever tried to secure the setup of a new HP ZBook 200W Thunderbolt 3 Dock, you quickly learn that a normal user cannot connect to the docking station without being an admin. This is what the user will get, and as you can see, connecting the device requires admin privileges:
Admin rights required to connect the device.
The BIOS setup
The above dialog is shown when the Thunderbolt Security Level in the BIOS is set to User Level Authorization. This is how it looks in the HP BIOS:
The HP BIOS setup, Thunderbolt Security Level.
Fixing the problem
To allow normal users to authorize the Thunderbolt device, do the following:
1. Uninstall the Thunderbolt Software and restart the machine
2. Add the following registry key to the machine
HKLM\SYSTEM\CurrentControlSet\Services\ThunderboltService\TbtServiceSettings
"ApprovalLevel"=dword:00000001
3. Reinstall the Thunderbolt software. If using the SP74500 files, you can use the command below to do it silently:
msiexec /i setup.msi /q
Tip: Always check the HP SoftPaq CVA for info about unattended setup switches. Btw, CVA means "Compaq Value Add", and it has been around for a while 🙂
/ Johan
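Steps 2 and 3 above as one elevated PowerShell script, added here as an example and not part of the original post or of HP's tooling. It assumes step 1 (uninstall and restart) is already done and that setup.msi from the extracted SoftPaq sits at the hypothetical $MsiPath; the service check and the read-back after install are added safeguards, not steps from the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: steps 2 and 3, run after step 1.
param([string]$MsiPath = '.\setup.msi')   # assumption: MSI extracted from the SoftPaq
$ErrorActionPreference = 'Stop'

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\ThunderboltService\TbtServiceSettings'
$name    = 'ApprovalLevel'
$wanted  = 1

function Get-ApprovalLevel {
    # Returns the current DWORD, or $null when the key or value is missing.
    $item = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$name }
}

# Step 1 sanity check. Assumption: uninstalling removes the service registration.
if (Get-Service -Name 'ThunderboltService' -ErrorAction SilentlyContinue) {
    Write-Warning 'ThunderboltService is still registered; was the software uninstalled and the machine restarted?'
}

# Step 2: create the key if needed and write the value as a DWORD.
try {
    if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value $wanted -Force | Out-Null
}
catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
    throw "Write to $keyPath was denied. Check the ACL on the key; the current account cannot modify it."
}
if ((Get-ApprovalLevel) -ne $wanted) { throw "$name was not written to $keyPath." }

# Step 3: silent install with the switches from the post, then check the result.
$msi  = (Resolve-Path -Path $MsiPath).Path
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$msi`" /q" -Wait -PassThru
# 0 = success, 3010 = success but a restart is required (standard Windows Installer codes).
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)." }

# Confirm the installer left the setting in place.
$final = Get-ApprovalLevel
if ($final -ne $wanted) { throw "$name is $final after install, expected $wanted." }
Write-Output "$name = $final under $keyPath; Thunderbolt software installed (exit $($proc.ExitCode))."
```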
I had trouble with this setting on PCs that are not managed with Group Policy. If Windows already has Thunderbolt drivers installed, then only the Thunderbolt service has write access on this setting. So you must adjust the ACL using the SYSTEM account, and Set-Acl wouldn't do it. I had to use .NET methods.