I am seeing the same exact issue with BCU 4.x and EliteBook 840 G5s. I have physically seen that if you go into BIOS Setup and uncheck "Require BIOS PW to change TBT SL" the Thunderbolt Security Level will then have the No Security option available to it. 

The challenge is that even if you restore BIOS defaults the menu will still be populated, it seems to clearly be a BIOS bug that then gets exposed via the BCU.

Even if you change the Require setting to disable with the BCU prior to attempting to set the Thunderbolt Security Level you still get the same error.

We were facing the same issue on a customer's fleet of HP ProBook 830 G5, and this is how we managed to solve it.

Indeed, the option for Thunderbolt Security Level to be set to PCIe and DisplayPort - No Security is not available in the BIOS unless also Require BIOS PW to change TBT SL is set to Disable.

As you also faced, we attempted to set Require BIOS PW to change TBT SL to Disable but we also observed that the appropriate option for Thunderbolt Security Level i.e. PCIe and DisplayPort - No Security did not become immediately available.

However, what we discovered was that if you set Require BIOS PW to change TBT SL to Disable using BiosConfigUtility64 and then reboot the appropriate option PCIe and DisplayPort - No Security becomes available!

Thus in order to disable Thunderbolt security with BiosConfigUtility, the following steps need to be taken:

1. Set Require BIOS PW to change TBT SL to Disable using BiosConfigUtility64

2. Reboot.

3. Set Thunderbolt Security Level to PCIe and DisplayPort - No Security using BiosConfigUtility64

4. Reboot.

In practice, to accomplish the above, we used GPO to deploy the files discussed below, a shutdown script like this:

C:\LC24\BiosConfig\BiosConfigUtility64.exe /set:"C:\LC24\BiosConfig\disable-thunderbolt-security.txt"

And we used a configuration file (disable-thunderbolt-security.txt) that included both options like this: https://pastebin.com/4Exnenkz

This means that whenever the machine is shutdown, all the settings will attempt to be applied. If Require BIOS PW to change TBT SL is set to Enable, only part of the configuration will apply, but on the second subsequent shutdown, the rest of the options will work, thus the setting is properly disabled after two reboots.

It's annoying to require 2 reboots for this, but at least we were able to make this work fairly reasonably across the customer's fleet of laptops like this. Over time, machines will reboot at least twice, and if any user requires this to work quicker than this, helpdesk only needs to tell the end user to reboot a couple of times until it works.

HiPv2b, 

I forgot my password so haven't had a chance to just say , thank you!!

This is honestly saved me so many hours of work and something that works reasonably well albeit with a restart is a big win in my book!

Thank you!