Allowing normal users to connect to a new Thunderbolt docking station

Here is a post on how to configure the Thunderbolt Software to not require admin rights when connecting a new Thunderbolt device.

Creds: Thanks to Jim Hamby (@TheJimHamby) for providing the screenshots.

Disclaimer: Allowing normal users to authorize the Thunderbolt connection is obviously less secure than requiring administrator approval, but it really has to be usable too 🙂

Background

If you have ever tried to secure the setup of a new HP ZBook 200W Thunderbolt 3 Dock, you quickly learn that a normal user cannot connect to the docking station without being an admin. This is what the user will get, and as you can see, connecting the device requires admin privileges:

Admin rights required to connect the device.

The BIOS setup

The above dialog is shown when the Thunderbolt Security Level in the BIOS is set to User Level Authorization. This is how it looks in the HP BIOS:

The HP BIOS setup, Thunderbolt Security Level.

Fixing the problem

To allow normal users to authorize the Thunderbolt device, do the following:

1. Uninstall the Thunderbolt Software and restart the machine

2. Add the following registry key to the machine

HKLM\SYSTEM\CurrentControlSet\Services\ThunderboltService\TbtServiceSettings
"ApprovalLevel"=dword:00000001

3. Reinstall the Thunderbolt Software. If using the SP74500 files, you can use the command below to install it silently:

msiexec /i setup.msi /q
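
Steps 2 and 3 as one elevated PowerShell script, added here as an example (it is not part of the original post or of HP's tooling). It assumes step 1 (uninstall and restart) is already done and that `setup.msi` from the extracted SoftPaq is at the path given in the hypothetical `-MsiPath` parameter. After the install it confirms the value is still set and lists which accounts can write the key.

```powershell
#Requires -RunAsAdministrator
# Added example: steps 2 and 3 of the procedure, with verification.
param(
    # Assumption: location of setup.msi from the extracted SoftPaq.
    [string]$MsiPath = '.\setup.msi'
)

$ErrorActionPreference = 'Stop'
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\ThunderboltService\TbtServiceSettings'
$valueName = 'ApprovalLevel'
$wanted    = 1

# Step 2: create the key if it does not exist, then write the DWORD value.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
    -Value $wanted -Force | Out-Null

# Step 3: silent reinstall; 0 = success, 3010 = success, reboot required.
if (-not (Test-Path -Path $MsiPath)) { throw "MSI not found: $MsiPath" }
$msi  = (Resolve-Path -Path $MsiPath).Path
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList '/i', "`"$msi`"", '/q' -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# Verify the value is still what step 2 wrote once the install has finished.
$actual = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($actual -ne $wanted) {
    throw "$valueName is $actual after install, expected $wanted"
}
Write-Output "$valueName = $actual (msiexec exit code $($proc.ExitCode))"

# This value lowers the approval requirement, so record who may change it.
$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.RegistryRights -band $setValue) } |
    Select-Object IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize
```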

Tip: Always check the HP SoftPaq CVA for info about unattended setup switches. Btw, CVA means "Compaq Value Add"; it has been around for a while 🙂

/ Johan

About the author

Johan Arwidmark

1 Comment
John Tracy
1 year ago

I had trouble with this setting on PCs that are not managed with Group Policy. If Windows already has Thunderbolt drivers installed, then only the Thunderbolt service has write access on this setting. So you must adjust the ACL using the SYSTEM account, and Set-Acl wouldn't do it. I had to use .NET methods.

