USB-C and Thunderbolt Docking Stations Not Recognized by the Computer

A USB-C or Thunderbolt docking station does not work with the attached computer.

The issue can be caused by possible Group Policy settings in Windows.

USB-C and Thunderbolt Docking Stations

An issue where several computers are unable to recognize USB-C or Thunderbolt docks. If you check Device Manager, you see a yellow exclamation mark (bang), and get a message if you try to automatically search for drivers on the device with Device Manager.

Group Policy Setting

This is caused by a Group Policy (GPO) setting in the Windows image. The security policy is preventing USB-C and Thunderbolt devices and drivers from being installed. This was likely in the custom Windows image due to a previous vulnerability in Thunderbolt 1 & 2 that is no longer present in Thunderbolt 3 devices.

Dell is not able to provide specific Windows imaging assistance but if the Windows administrator is familiar with the GPOs. Review the following information in the link from Microsoft, and they can adjust their custom Windows image accordingly.
Blocking the SBP-2 Driver and Thunderbolt Controllers to Reduce 1394 DMA and Thunderbolt DMA Threats to BitLocker

Thunderbolt Docking Stations Not Initializing at the Login Screen When on a Domain

Peripherals like a keyboard and mouse connected using USB to a Thunderbolt Dock may work in BIOS, do not work at the login screen, but work after login.

Affected Platforms:

• Dell Thunderbolt Dock TB15
• Dell Thunderbolt Dock TB16
• Dell Precision Dual USB-C Thunderbolt Dock - TB18DC
• Dell Thunderbolt Dock - WD19TB
• Dell Thunderbolt Dock - WD19TBS

Kernel Direct Memory Access (DMA) Protection

The new Kernel DMA Protection that is active in Windows does not let Thunderbolt docking stations initialize before booting into the Operating System (OS). This is working as designed.

Companies or individuals using a Domain login to push group policies may see this issue. This is due to group policies not being pushed to the computer before the User logs in.

Group Policy Change

To fix this behavior, the group policy must be changed to allow the docking station to initialize at the login screen.

Additional Information:

• Policy CSP - DmaGuard

An example of the settings in Intune:
 

The USB and NIC Ports Do Not Work on the Dock Until You Log in to Windows

Do you have BitLocker installed? Are your group policies now set to mitigate DMA attacks (BitLocker Direct Memory Access (DMA) Counter Measures)? If you do, then the USB ports and the NIC connector on the Dock may not work. When you log in to the Windows operating system, the issue goes away.

Solution

This is the expected behavior of this specific group policy. These laptops are designed to use the Kernel DMA protection.

We do not store any GUIDs or device IDs. These can be easily spoofed. That means you cannot trust them. Every time that you lock the screen, or reboot the system, and a device is connected, you must log in to allow this device to work.

For more information, please see the following documentation from Microsoft:

• Kernel DMA Protection

If you have an issue, and, the Group Policy should not be used. You can replace it by setting the:

• Policy CSP - DmaGuard

Recommended Articles

Here are some recommended articles related to this topic that might be of interest to you.

• How to Install or Update the Thunderbolt Controller Driver and Firmware Using Dell Command | Update on Dell Computers
• How to Connect and Set Up a Docking Station With a Dell Laptop
• Guide to Thunderbolt 3
• Frequently Asked Questions (FAQs) about the Thunderbolt port on a Dell Computer