cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
tcutrav
Paper Tape
Posts: 2
Registered: ‎10-02-2019
Location: CA
Views: 256
Message 1 of 4

50 Thunderbolt 3 Docks for T570,T580 and X1 Yoga | How to have all docks allowed for all laptops

We've recently acquired 30-40 T580s and X1 Yogas and we previous had 10 or so T570s

We've purchased enough Thunderbolt docks (type 40AN) for all the above computers.

Any of the computers could end up being connected to any of the docks - staff are to be fully mobile

 

We don't wish to turn off the security prompt when a laptop is connected to a new Thunderbolt device/dock but we do wish to pre-authorize all of our known docks.

 

Is there a known tool/process/registry location that can be used to export the list of allowed docks for importing onto laptops?

This would very useful as more docks are introduced to the organization.

 

Any assistance is appreciated.

 

 

Highlighted
Lenovo Employee rbkirk
Lenovo Employee
Posts: 813
Registered: ‎02-20-2009
Location: US
Views: 177
Message 2 of 4

Re: 50 Thunderbolt 3 Docks for T570,T580 and X1 Yoga | How to have all docks allowed for all laptops

There is no tool to do this authorization...and since this is part of the Thunderbolt spec (Intel intellectual property), such a thing would have to have some involvement with Intel...

 

The other problem is that flashing the firmware of the dock itself...which you should be doing prior to deployment...can cause the system to see that reflashed dock as a "new" dock for the purposes of reauthorization after a flash operation. So you would have to do this whenever new firmware comes out.

 

That would mean you have two basic choices....

 

1. User training. You would have to explain to end users that for extra security, there is a permissions allow procedure they must follow when plugging into a dock. Screen shots can help with this, showing the icon to reauthorize, like these:

Thunderbolt icon.jpgThunderbolt menu.jpgThunderbolt always approve message.jpg

 

2. Or, you could turn off Thunderbolt security in the BIOS like you said...but wanted to avoid. Note this is primarily to defend against a malicious Thunderbolt device being plugged in...the "user permission" step is a barrier to having that malicious device function. However, you are at greater risk from a USB-A malicious device, which is vastly more common out there than a TBT malicious device. I've yet to see press reports of malicious Thunderbolt devices found in the "wild", so to speak. You will have to judge if this permissions defense against a statisically unlikely attack by a person trying to sneak in a malicious Thunderbolt device is worth it...

 

Also, there has been new Thunderbolt firmware for PC's AND the docks. Also, new Thunderbolt drivers. Make sure all THREE elements...thunderbolt firmware for the PC, thunderbolt firmware for the dock, and thunderbolt drivers for the PC...are ALL at most current levels. This is very important.

 

One other thing...if you connect monitors to the docks, third party conversion cables are not tested nor supported. Try to only use native connections to the ports on the docks.

 

Also, after connecting monitors, if you go into Device Manager > Monitors and see "Generic PnP" for the monitor type, that is a problem...be sure to download and apply the proper INF file for the monitor you connect...it should show the real name of the monitor, not Generic PnP.

tcutrav
Paper Tape
Posts: 2
Registered: ‎10-02-2019
Location: CA
Views: 156
Message 3 of 4

Re: 50 Thunderbolt 3 Docks for T570,T580 and X1 Yoga | How to have all docks allowed for all laptops

Hello rbkirk,

 

Thank you - that was a lot of good information and good tips.

We have some discussion to do in the department.  We'll have to verify that users (none of our staff are admins on their workstations) are able to authorize an attached Thunderbolt device and go from there.

 

I have a hard time believing Intel didn't think about this or maybe I'm missing something...

Lenovo Employee rbkirk
Lenovo Employee
Posts: 813
Registered: ‎02-20-2009
Location: US
Views: 150
Message 4 of 4

Re: 50 Thunderbolt 3 Docks for T570,T580 and X1 Yoga | How to have all docks allowed for all laptops

One more addition....to aid somewhat in your deployment efforts, be aware we now have SCCM driver packs for docks. You may want to glance at this page

https://download.lenovo.com/cdrt/wp/usb-docks.html

 

 

 

Check out current deals!


Shop current deals

Top Kudoed Authors