New ThinkPad BIOS Settings for Thunderbolt 3

Many of the new Lenovo ThinkPads coming out in the first half of 2017 will carry a new Thunderbolt 3 port, a single port that supports both Thunderbolt and USB-C. Lenovo will also offer a Thunderbolt dock, which provides network, display, audio and USB ports for simplified cable management, as well as a USB-C dock.

Most of the folks I know will probably first think "Can I PXE boot from the Thunderbolt dock to deploy an OS?" and the answer is "Yes... but..."

You see, Thunderbolt devices have to be "approved" in order to be connected, and by default this process requires user approval in the OS. Obviously you can't do that if you're trying to PXE boot. So in order to PXE boot, some settings have to be changed in the ThinkPad Setup program:
  1. Security Level = No Security
  2. Thunderbolt Device = Enabled
  3. USB Device = Enabled

The last item could be confused with USB devices attached to the Thunderbolt dock. However, this setting applies to any USB-C device plugged into the Thunderbolt 3 port. This includes the USB-C dock as well, so don't expect to PXE boot from it with this setting set to Disabled.

Since these settings would have to be set manually (not as part of a PXE booted deployment task sequence) on each ThinkPad, it doesn't seem to be an ideal solution for deploying lots of ThinkPads.  

One way around this for large enterprise customers is to take advantage of Lenovo's Custom BIOS Settings service to have your ThinkPads arrive with these settings already in place.  Another option might be to leverage the USB-3 port and USB deployment media instead.
By far the most robust option is to use the internal NIC, either directly connected via the RJ-45 port on select ThinkPads or through RJ-45 pass-through dongles.

Here are the settings that will be found on the new Thunderbolt 3 page in ThinkPad Setup:

Thunderbolt(TM) 3
• Wake by Thunderbolt(TM) 3
Values: Disabled, Enabled
Description: Enable or disable Wake Feature with Thunderbolt(TM) 3 Port. If you select Enabled, the battery life during low power state may become shorter.
• Security level
Values: No Security, User Authorization, Secure Connect, Display Port and USB
Description: Security level selection.
• Thunderbolt(TM) device
Values: Disabled, Enabled
Description: Enable or disable pre-OS support for Thunderbolt(TM) devices attached to Thunderbolt(TM) 3 port. To use a device in pre-boot environment, authorize it in the OS or set security level to No Security. To boot from a device, configure it in the Startup Boot menu.
• USB device
Values: Disabled, Enabled
Description: Enable or disable pre-OS support for USB devices attached to Thunderbolt(TM) 3 port. To use a device in pre-boot environment, authorize it in the OS or set security level to No Security. To boot from a device, configure it in the Startup Boot menu.

Screenshot showing the default settings. These would all be restored when using F9 - Setup Defaults, except for the Security Level, due to its effect on the security posture of the device.
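An added example, not from the original post or from Lenovo: a PowerShell check to run after deployment that reports whether a ThinkPad is still at Security level = No Security with pre-OS support enabled. It assumes the settings are readable through the Lenovo_BiosSetting WMI class in root\wmi; the name patterns and the sample setting names are assumptions, so list the settings on your own model to confirm them.

```powershell
# Added example: report the Thunderbolt 3 pre-boot settings of a ThinkPad.
# Assumption: settings come from the Lenovo_BiosSetting WMI class (root\wmi),
# one "Name,Value" string each. Names differ by model, so match by pattern.

function ConvertFrom-LenovoSetting {
    param([string[]]$CurrentSetting)
    $map = [ordered]@{}
    foreach ($entry in $CurrentSetting) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $name, $value = $entry -split ',', 2
        if ($null -eq $value) { continue }
        # Some models append ";[Optional:...]" metadata after the value.
        $map[$name.Trim()] = ($value -split ';')[0].Trim()
    }
    $map
}

function Test-ThunderboltPosture {
    param([System.Collections.IDictionary]$Settings)
    $tb    = @($Settings.GetEnumerator() | Where-Object { $_.Key -match 'Thunderbolt' })
    $level = $tb | Where-Object { $_.Key -match 'Security' } | Select-Object -First 1
    # Pre-OS support switches (Thunderbolt device / USB device) left Enabled.
    $preOs = @($tb | Where-Object { $_.Key -match 'PreBoot' -and $_.Value -match '^Enable' })
    $open  = [bool]($level -and (($level.Value -replace '\s') -eq 'NoSecurity'))
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        SecurityLevel = if ($level) { $level.Value } else { 'not found' }
        PreOsEnabled  = $preOs.Key -join ';'
        NoSecurity    = $open   # True: still at "No Security", review it
    }
}

# Constructed sample (illustrative names), used when the WMI class is absent.
$sample = @(
    'WakeByThunderbolt,Disable'
    'ThunderboltSecurityLevel,NoSecurity'
    'PreBootForThunderboltDevice,Enable'
    'PreBootForThunderboltUSBDevice,Enable'
)
$raw = try {
    (Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting -ErrorAction Stop).CurrentSetting
} catch { $sample }

Test-ThunderboltPosture (ConvertFrom-LenovoSetting $raw)
```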

There is also another setting under the Config section that may be of interest if you use a dock to connect to an Ethernet network:  MAC address Pass Through.  This setting allows the dock to clone the MAC address from the internal NIC in case you need to manage devices by their MAC address and attach multiple laptops to the same dock.


Important side note: The explanation of the BIOS settings listed above came from the ThinkPad User's Guide for one of the new models. If you ever need more detail on a BIOS setting, go to support.lenovo.com and specify the product in question. Then click on the Documentation tab and check the box next to Installation and User's Guide. Lenovo also has an HTML version of the guides now.