
USB-C Thunderbolt Port no longer reading devices #60

Closed
mostdcoa opened this issue Jun 7, 2023 · 4 comments
Labels: bug (Something isn't working), documentation (Improvements or additions to documentation)

Comments

@mostdcoa

mostdcoa commented Jun 7, 2023

Describe the bug
Thunderbolt USB-C Port no longer recognizes devices on Dell Latitude 7490. Port still has power, but will not recognize connected devices such as USB-C removable media, YubiKeys, or cellular devices.

To Reproduce
Steps to reproduce the behavior:

  1. Run the sos-optimize-windows.ps1 script.
  2. USB-C devices are no longer recognized. Devices can still be charged with the port, such as a cell phone.
  3. Device Manager shows Detection Verification and PCI to PCI Bridge driver errors and that the driver cannot be installed because it is forbidden by system policy.

Expected behavior
USB-C Port should function as normal

Screenshots
[screenshot 1]

[screenshot 2]

Desktop (please complete the following information):

  • OS: Windows 11 Enterprise
  • Browser: N/A
  • Version: 22

Additional context
Not sure if this is a DMA Protection or Autorun issue. This policy was changed for the NSA policies, but reverting these options didn't change anything.
[screenshot 3]

@github-actions

github-actions bot commented Jun 7, 2023

Message that will be displayed on users' first issue

@simeononsecurity
Owner

simeononsecurity commented Jun 8, 2023

Great documentation of the issue!

This is an intended configuration. Thunderbolt comes with vulnerabilities.
https://www.tenable.com/audits/items/CIS_MS_Windows_8.1_v2.4.0_Level_2_Bitlocker.audit:e4e937538159f22fa3a4e5bfe4a84e51

Usually undoing the GPOs applied won't undo the setting. You'll have to re-enable it manually, by specifically setting the enabled value to true and removing or changing the device IDs in there.

For instance on the target machine you want to fix you can open the local group policy editor

navigate to the following path

Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

There should be two policies enabled there; leave them both enabled, but open them up and remove the values stored in them. If they error out complaining there must be a value, replace the line with a bunch of random numbers. Be sure to keep any special chars in there. Reboot and hopefully that fixes it for you.

You can try this to remove the specific device id's however

```powershell
# Remove one device ID from the "Prevent installation of devices that match any of
# these device IDs" list while leaving the policy itself enabled.
# The policy stores its list as numbered string values (1, 2, ...) under the
# DenyDeviceIDs subkey; the DenyDeviceIDs DWORD under Restrictions toggles it.
$deviceID = "PCI\CC_0C0A"
$restrictions = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions"
$listKey = Join-Path $restrictions "DenyDeviceIDs"

# Drop every list entry that matches the device ID and keep the others untouched
(Get-ItemProperty -Path $listKey).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' -and $_.Value -like "*$deviceID*" } |
    ForEach-Object { Remove-ItemProperty -Path $listKey -Name $_.Name }

# Keep device installation restrictions enabled (1) for the remaining IDs
Set-ItemProperty -Path $restrictions -Name DenyDeviceIDs -Value 1 -Type DWord

# Display the updated device ID restrictions
Get-ItemProperty -Path $listKey | Select-Object -Property * -ExcludeProperty PS*
```
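Before removing an ID from the restriction list (or before deploying a list like the CIS one linked above), it helps to see which devices present on the machine the list actually hits. The following is an added example, not code from the simeononsecurity project or from anyone in this thread. It assumes the registry layout that the Device Installation Restrictions ADMX writes (numbered string values under the `DenyDeviceIDs` subkey), the `PnpDevice` cmdlets shipped with Windows 10/11, and an elevated session; `Get-DenyDeviceIdList` and `Get-DeviceIdRestrictionImpact` are hypothetical helper names.

```powershell
# Added example: audit which present devices a device-ID deny list matches.
# Assumptions: list stored as DeviceInstallation.admx writes it; PnpDevice module available.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DenyDeviceIdList {
    # Returns the IDs currently blocked: numbered string values (1, 2, ...) under DenyDeviceIDs.
    $listKey = Join-Path $Restrictions 'DenyDeviceIDs'
    if (-not (Test-Path $listKey)) { return @() }
    (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Get-DeviceIdRestrictionImpact {
    # Compares every present device's hardware and compatible IDs with the deny list
    # (the policy matches those IDs exactly, case-insensitively) and reports the hits.
    param([string[]] $DenyList = (Get-DenyDeviceIdList))
    $deny = @($DenyList | ForEach-Object { $_.ToUpperInvariant() })
    foreach ($dev in Get-PnpDevice -PresentOnly) {
        $ids = @()
        foreach ($key in 'DEVPKEY_Device_HardwareIds', 'DEVPKEY_Device_CompatibleIds') {
            $prop = Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName $key -ErrorAction SilentlyContinue
            if ($prop -and $prop.Data) { $ids += @($prop.Data) }
        }
        $hits = @($ids | Where-Object { $deny -contains $_.ToUpperInvariant() })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                InstanceId   = $dev.InstanceId
                FriendlyName = $dev.FriendlyName
                Status       = $dev.Status      # 'Error' once the policy has blocked the driver
                MatchedIds   = $hits
            }
        }
    }
}

# Preview with a constructed deny list before touching policy: PCI\CC_0C0A is the
# Thunderbolt controller class code from the thread, so this lists every device that
# blocking it would disable on this machine (on the Latitude 7490, the USB-C port).
Get-DeviceIdRestrictionImpact -DenyList @('PCI\CC_0C0A') | Format-List

# Audit the list the machine is currently enforcing.
Get-DeviceIdRestrictionImpact | Format-List
```

Run it before and after editing the list: a device that still reports `Status = Error` after the ID is gone usually needs a reboot or a Plug and Play rescan, because the restriction was applied retroactively and the driver has already been uninstalled. On a domain-joined machine, a change made to the local registry or Local Group Policy is overwritten at the next Group Policy refresh, so the lasting fix belongs in the GPO that set the list.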

@simeononsecurity simeononsecurity pinned this issue Jun 8, 2023
@simeononsecurity simeononsecurity self-assigned this Jun 8, 2023
@simeononsecurity simeononsecurity added bug Something isn't working documentation Improvements or additions to documentation labels Jun 8, 2023
@mostdcoa
Author

mostdcoa commented Jun 8, 2023

Thanks, I was able to change the values for those two policies with random strings using the same format:
`{0000e-123-1234-1234-000000}`
and
`PCI\00`

Upon restart I was able to use the thunderbolt port.

I appreciate the quick response and your work on this project.

@mostdcoa mostdcoa closed this as completed Jun 8, 2023
@simeononsecurity
Owner

simeononsecurity commented Jun 8, 2023

> Thanks, I was able to change the values for those two policies with random strings using the same format: `{0000e-123-1234-1234-000000}` and `PCI\00`
>
> Upon restart I was able to use the thunderbolt port.
>
> I appreciate the quick response and your work on this project.

Glad it was resolved for you. I'll add this to the list of possible concerns in the readme.
