01-18-2018 04:46 AM
We have disabled the 'Flash BIOS Updating by End-Users' setting on all ThinkPad laptops in our organization, because we don't want high-risk activities to be performed by end users.
Recently 1 remote user with a ThinkPad T440P received a popup window to install driver updates through the Lenovo System Update utility. System Update tried to update the BIOS and asked the user for the BIOS Supervisor password. The user tried to type his domain password 3 times and eventually received the message "Supervisor Password retry count exceeded. You have to reboot the system and try again."
The problem is that after the user reboots, the laptop shows the message "0199: System Security - Security password retry count exceeded. Press F1 to enter setup".
The laptop doesn't allow the user to boot at all without entering the Supervisor password. This is a problem because remote users will not be able to boot, and obviously we can't provide the password to users.
I see that the T460 has a BIOS setting, "Password Count Exceeded Error", which can be disabled to prevent this behaviour, so the laptop will not require typing the supervisor password in such a case.
But the T440P does not have this setting to prevent this behavior.
My question is: what could be done to configure T440P laptops not to require typing the supervisor password in such cases? This has a serious impact on remote users, who can't boot their laptops at all.
01-18-2018 07:18 AM
I don't think there is any solution for this on the T440p except to uninstall System Update or else manage your own update repository to exclude BIOS updates. Your end users will never be able to install a BIOS update, so it makes sense to manage the system such that users aren't presented with updates that are impossible to install due to the settings that you deployed.
01-18-2018 07:40 AM
Thank you for your answer.
Is there a way to configure the System Update utility so it will not try to install BIOS updates at all?
No, the only way to do this is to create your own update repository and don't put any BIOS updates in it.
Was this BIOS update initiated automatically? Or did the user manually run System Update and select it?
If your main concern is about System Update automatically installing "critical" updates (such as recent BIOS updates with security fixes), you can disable this. Not sure if this would help your situation or not.
01-18-2018 08:20 AM
01-18-2018 08:54 AM
The 0199 error is the indication that some software is "hacking" at the supervisor password with too many bad guesses. So the system locks until an admin is able to check what is going on. In your case, you know why this happened, so there's no mystery. If it was some malware trying to crack the password, without the 0199 error you would never know about it. Malware cannot sit at the PC and try to enter the BIOS manually, so the 0199 error is not needed for that case. So that is the explanation for the behavior. Newer ThinkPads added the BIOS entry to turn off the 0199 error, but it was not retrofitted to older ThinkPads like the T440p. I believe this was added starting with the T450 generation.