cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
amirda
Fanfold Paper
Posts: 7
Registered: ‎08-06-2017
Location: US
Views: 807
Message 1 of 11

laptops getting locked after wrong BIOS login attempts

Hi All,

 

We have disabled the 'Flash BIOS Updating by End-Users' setting in all ThinkPad laptops in our organization, becuase we don't want activities with high risk to be performed by end users,

 

Recently 1 remote user with ThinkPad T440P received a popup window to install drivers updates through the Lenovo System Update utility, the System Update tried to update the BIOS and asked the user for the BIOS Supervisor password, the user tried to type his domain password 3 times and eventually he received a message that "Supervisor Password retry count exceeded. You have to reboot the system and try again.",

The problem is that after the user reboot, the laptop shows a message of "0199: System Security - Security password retry count exceeded. Press F1 to enter setup",
And the laptop doesn't alllow the user to boot at all without entering the Supervisor password, this is a problem becuase remote users will not be able to boot, and obviously we can't provide the password for users,

 

I see that in T460 there is a BIOS setting of "Password Count Exceeded Error" which can be disabled to prevent this behaviour, so the laptop will not require to type the supervisor password in such case,

But the T440P do not have this setting to prevent this behavior,

My question is, what could be done to configure T440P laptops not to require to type the supervisor password in such cases, as this have serious impact on remote users who can't boot their laptops at all, 

 

Please advise,

 

Thanks,

Lenovo Staff
Lenovo Staff
Posts: 4,714
Registered: ‎10-29-2009
Location: NC
Views: 769
Message 2 of 11

Re: laptops getting locked after wrong BIOS login attempts

I don't think there is any solution for this on T440p except to uninstall System Update or else manage your own update repository to exclude BIOS updates.  Your end users will never be able to install BIOS update so it makes sense to manage the system such that users aren't presented with updates that are impossible to install due to the settings that you deployed.

amirda
Fanfold Paper
Posts: 7
Registered: ‎08-06-2017
Location: US
Views: 764
Message 3 of 11

Re: laptops getting locked after wrong BIOS login attempts

Thank you for your answer,

Is there a way to configure the System Update utility so it will not try to install BIOS updates at all?
Lenovo Staff
Lenovo Staff
Posts: 4,714
Registered: ‎10-29-2009
Location: NC
Views: 762
Message 4 of 11

Re: laptops getting locked after wrong BIOS login attempts


@amirda wrote:
Thank you for your answer,

Is there a way to configure the System Update utility so it will not try to install BIOS updates at all?

No, the only way to do this is to create your own update repository and don't put any BIOS updates in it.

Was this BIOS update initiated automatically?  Or did the user manually run System Update and select it?

If your main concern is about System Update automatically installing "critical" updates (such as recent BIOS updates with security fixes), you can disable this.  Not sure if this would help your situation or not.

amirda
Fanfold Paper
Posts: 7
Registered: ‎08-06-2017
Location: US
Views: 747
Message 5 of 11

Re: laptops getting locked after wrong BIOS login attempts

Thank you for your answer,
I understand that it happened due to the System Update utility, which prompted the user to install updates,

the strange thing is that if users trying from T440P to enter the BIOS manually, with multiple wrong login passwords, the computer just turned off after 3 attempts and the users are not getting locked with the 0199 error,

the computer is only get's locked if trying to update the BIOS from the Windows,

Is there any explanation, why only when trying to update the BIOS locks up the computer this way?

Is it an expected behavior?
Lenovo Staff
Lenovo Staff
Posts: 4,714
Registered: ‎10-29-2009
Location: NC
Views: 740
Message 6 of 11

Re: laptops getting locked after wrong BIOS login attempts

The 0199 error is the indication that some software is "hacking" at the supervisor password with too many bad guesses.  So the system locks until an admin is able to check what is going on.  In your case, you know why this happened so there's no mystery.  If it was some malware trying to crack the password, without the 0199 error you would never know about it.  Malware cannot sit at the PC and try to enter the BIOS manually, so 0199 error is not needed for that case.  So that is the explanation about the behavior.  Newer ThinkPads added the BIOS entry to turn off the 0199 error but it was not retrofit to older ThinkPads like T440p.  I believe this was added starting with T450 generation.  

DONALDSONKD
Fanfold Paper
Posts: 13
Registered: ‎03-02-2015
Location: US
Views: 247
Message 7 of 11

Re: laptops getting locked after wrong BIOS login attempts

Similar experience here with T470s:  testing with bios password then tried to SCCM image machine. Was not watching during image but would appear some update being applied triggered the bios pwd request and kept retrying until I got the 199 error.  Now when I boot, I get the 199 error, am prompted to F1 into setup and then get screen as attached.  Have tried entering the password as I typed it into my pwd manager (and several different variations of same) and I just get three tries, then a "stop" hand icon and the machine shuts down.  Is this just a motherboard replacement at this point?IMG_0615.JPG

Lenovo Staff
Lenovo Staff
Posts: 4,714
Registered: ‎10-29-2009
Location: NC
Views: 236
Message 8 of 11

Re: laptops getting locked after wrong BIOS login attempts


@DONALDSONKD wrote:

Similar experience here with T470s:  testing with bios password then tried to SCCM image machine. Was not watching during image but would appear some update being applied triggered the bios pwd request and kept retrying until I got the 199 error.  Now when I boot, I get the 199 error, am prompted to F1 into setup and then get screen as attached.  Have tried entering the password as I typed it into my pwd manager (and several different variations of same) and I just get three tries, then a "stop" hand icon and the machine shuts down.  Is this just a motherboard replacement at this point?


This part (in red) confused me.  What password manager are you talking about?  The prompt in your screenshot is asking for the BIOS supervisor password and there are only 2 ways to set that:

1.  within BIOS setup itself

2.  using a WMI script to change the password that was previously set within BIOS setup

 

If you don't know the supervisor password, then the only option is to replace the motherboard.

DONALDSONKD
Fanfold Paper
Posts: 13
Registered: ‎03-02-2015
Location: US
Views: 212
Message 9 of 11

Re: laptops getting locked after wrong BIOS login attempts

Sorry for any confusion.  Meaning:  When I set the password in the bios, I typed it into my password management utility on a separate computer and saved it.  I then rebooted the machine where I had set the pwd and successfully tested the pwd, so I believe that I'm using the correct pwd.

 

Are you able to comment on the picture I sent?  I've not seen that particular screen before or heard of it being referenced anywhere.  Would like to try to confirm that the "expected" input there is the bios pwd.

Lenovo Staff
Lenovo Staff
Posts: 4,714
Registered: ‎10-29-2009
Location: NC
Views: 209
Message 10 of 11

Re: laptops getting locked after wrong BIOS login attempts

The picture you sent means that BIOS needs the supervisor password to continue.  It's a normal picture to see after getting locked out due to too many wrong password guesses.  I guess you see the 0199 error, press F1 to continue, and then see that picture, right?

Top Kudoed Authors