10-02-2019 02:06 PM
We've recently acquired 30-40 T580s and X1 Yogas, and we previously had 10 or so T570s.
We've purchased enough Thunderbolt docks (type 40AN) for all the above computers.
Any of the computers could end up being connected to any of the docks - staff are to be fully mobile.
We don't wish to turn off the security prompt when a laptop is connected to a new Thunderbolt device/dock but we do wish to pre-authorize all of our known docks.
Is there a known tool/process/registry location that can be used to export the list of allowed docks for importing onto laptops?
This would be very useful as more docks are introduced to the organization.
Any assistance is appreciated.
10-04-2019 07:15 AM
There is no tool to do this authorization...and since this is part of the Thunderbolt spec (Intel intellectual property), such a thing would have to have some involvement with Intel...
The other problem is that flashing the firmware of the dock itself...which you should be doing prior to deployment...can cause the system to see that reflashed dock as a "new" dock for the purposes of reauthorization after a flash operation. So you would have to do this whenever new firmware comes out.
That would mean you have two basic choices....
1. User training. You would have to explain to end users that for extra security, there is a permissions allow procedure they must follow when plugging into a dock. Screen shots can help with this, showing the icon to reauthorize, like these:
2. Or, you could turn off Thunderbolt security in the BIOS like you said...but wanted to avoid. Note this is primarily to defend against a malicious Thunderbolt device being plugged in...the "user permission" step is a barrier to having that malicious device function. However, you are at greater risk from a USB-A malicious device, which is vastly more common out there than a TBT malicious device. I've yet to see press reports of malicious Thunderbolt devices found in the "wild", so to speak. You will have to judge if this permissions defense against a statistically unlikely attack by a person trying to sneak in a malicious Thunderbolt device is worth it...
Also, there has been new Thunderbolt firmware for PCs AND the docks. Also, new Thunderbolt drivers. Make sure all THREE elements...Thunderbolt firmware for the PC, Thunderbolt firmware for the dock, and Thunderbolt drivers for the PC...are ALL at the most current levels. This is very important.
One other thing...if you connect monitors to the docks, third party conversion cables are not tested nor supported. Try to only use native connections to the ports on the docks.
Also, after connecting monitors, if you go into Device Manager > Monitors and see "Generic PnP" for the monitor type, that is a problem...be sure to download and apply the proper INF file for the monitor you connect...it should show the real name of the monitor, not Generic PnP.
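Two of the checks in the answer above (Thunderbolt driver currency on the PC, and monitors still showing as "Generic PnP") can be audited from PowerShell instead of clicking through Device Manager on each laptop. The script below is an added example for this thread, not code from the poster or from Lenovo. It assumes Windows 10 with the built-in PnpDevice module (Get-PnpDevice and Get-PnpDeviceProperty) and that the Thunderbolt devices carry "Thunderbolt" in their friendly name; the function names are the author's own. It cannot read the dock's or the PC's Thunderbolt firmware versions, which still have to be confirmed with the vendor's firmware update tools.

```powershell
# Added example (not from the thread): per-laptop audit of the Thunderbolt
# driver version and of monitors that still identify as "Generic PnP Monitor".
# Assumes Windows 10 and the built-in PnpDevice module.

function Get-ThunderboltDriverReport {
    # Thunderbolt controllers and bridges appear under several device classes,
    # so match on the friendly name rather than on a single class.
    $tbt = Get-PnpDevice -PresentOnly | Where-Object { $_.FriendlyName -match 'Thunderbolt' }
    foreach ($dev in $tbt) {
        # DEVPKEY_Device_DriverVersion is the standard property key for the bound driver's version.
        $ver = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_DriverVersion').Data
        [pscustomobject]@{
            Device        = $dev.FriendlyName
            Class         = $dev.Class
            Status        = $dev.Status
            DriverVersion = $ver
        }
    }
}

function Get-GenericPnpMonitors {
    # Monitors without a vendor INF show up with the generic Windows name.
    Get-PnpDevice -Class Monitor -PresentOnly |
        Where-Object { $_.FriendlyName -like 'Generic PnP Monitor*' }
}

# Report Thunderbolt devices and their driver versions for comparison against
# the version currently published for the model.
Get-ThunderboltDriverReport | Format-Table -AutoSize

# Flag any attached monitor that still needs its vendor INF installed.
$generic = @(Get-GenericPnpMonitors)
if ($generic.Count -gt 0) {
    Write-Warning ("{0} monitor(s) still show as Generic PnP; install the vendor INF." -f $generic.Count)
    $generic | Select-Object FriendlyName, InstanceId | Format-Table -AutoSize
} else {
    Write-Host "All attached monitors report a vendor name."
}
```

Run it with a dock and monitors attached; the driver version column is what you compare against the latest release for the T570/T580/X1 Yoga, and a non-empty Generic PnP list means the INF step in the answer above still has to be done on that machine.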
10-04-2019 02:26 PM
Thank you - that was a lot of good information and good tips.
We have some discussion to do in the department. We'll have to verify that users (none of our staff are admins on their workstations) are able to authorize an attached Thunderbolt device and go from there.
I have a hard time believing Intel didn't think about this or maybe I'm missing something...
10-04-2019 03:30 PM
One more addition....to aid somewhat in your deployment efforts, be aware we now have SCCM driver packs for docks. You may want to glance at this page