cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
amirda
Fanfold Paper
Posts: 7
Location: US
Views: 418
Message 1 of 6

laptops getting locked after wrong BIOS login attempts

Hi All,

 

We have disabled the 'Flash BIOS Updating by End-Users' setting in all ThinkPad laptops in our organization, becuase we don't want activities with high risk to be performed by end users,

 

Recently 1 remote user with ThinkPad T440P received a popup window to install drivers updates through the Lenovo System Update utility, the System Update tried to update the BIOS and asked the user for the BIOS Supervisor password, the user tried to type his domain password 3 times and eventually he received a message that "Supervisor Password retry count exceeded. You have to reboot the system and try again.",

The problem is that after the user reboot, the laptop shows a message of "0199: System Security - Security password retry count exceeded. Press F1 to enter setup",
And the laptop doesn't alllow the user to boot at all without entering the Supervisor password, this is a problem becuase remote users will not be able to boot, and obviously we can't provide the password for users,

 

I see that in T460 there is a BIOS setting of "Password Count Exceeded Error" which can be disabled to prevent this behaviour, so the laptop will not require to type the supervisor password in such case,

But the T440P do not have this setting to prevent this behavior,

My question is, what could be done to configure T440P laptops not to require to type the supervisor password in such cases, as this have serious impact on remote users who can't boot their laptops at all, 

 

Please advise,

 

Thanks,

Lenovo Staff
Lenovo Staff
Posts: 4,423
Location: NC
Views: 380
Message 2 of 6

Re: laptops getting locked after wrong BIOS login attempts

I don't think there is any solution for this on T440p except to uninstall System Update or else manage your own update repository to exclude BIOS updates.  Your end users will never be able to install BIOS update so it makes sense to manage the system such that users aren't presented with updates that are impossible to install due to the settings that you deployed.

amirda
Fanfold Paper
Posts: 7
Location: US
Views: 375
Message 3 of 6

Re: laptops getting locked after wrong BIOS login attempts

Thank you for your answer,

Is there a way to configure the System Update utility so it will not try to install BIOS updates at all?
Lenovo Staff
Lenovo Staff
Posts: 4,423
Location: NC
Views: 373
Message 4 of 6

Re: laptops getting locked after wrong BIOS login attempts


amirda wrote:
Thank you for your answer,

Is there a way to configure the System Update utility so it will not try to install BIOS updates at all?

No, the only way to do this is to create your own update repository and don't put any BIOS updates in it.

Was this BIOS update initiated automatically?  Or did the user manually run System Update and select it?

If your main concern is about System Update automatically installing "critical" updates (such as recent BIOS updates with security fixes), you can disable this.  Not sure if this would help your situation or not.

amirda
Fanfold Paper
Posts: 7
Location: US
Views: 358
Message 5 of 6

Re: laptops getting locked after wrong BIOS login attempts

Thank you for your answer,
I understand that it happened due to the System Update utility, which prompted the user to install updates,

the strange thing is that if users trying from T440P to enter the BIOS manually, with multiple wrong login passwords, the computer just turned off after 3 attempts and the users are not getting locked with the 0199 error,

the computer is only get's locked if trying to update the BIOS from the Windows,

Is there any explanation, why only when trying to update the BIOS locks up the computer this way?

Is it an expected behavior?
Lenovo Staff
Lenovo Staff
Posts: 4,423
Location: NC
Views: 351
Message 6 of 6

Re: laptops getting locked after wrong BIOS login attempts

The 0199 error is the indication that some software is "hacking" at the supervisor password with too many bad guesses.  So the system locks until an admin is able to check what is going on.  In your case, you know why this happened so there's no mystery.  If it was some malware trying to crack the password, without the 0199 error you would never know about it.  Malware cannot sit at the PC and try to enter the BIOS manually, so 0199 error is not needed for that case.  So that is the explanation about the behavior.  Newer ThinkPads added the BIOS entry to turn off the 0199 error but it was not retrofit to older ThinkPads like T440p.  I believe this was added starting with T450 generation.  

Top Kudoed Authors