Kernel DMA Protection

Jean Martin 20 Reputation points
2026-06-23T06:09:03.7866667+00:00

Our security team is worried about physical security attacks where someone steals a sleeping laptop and plugs a malicious Thunderbolt device into the port to dump memory keys. How does Kernel DMA Protection work in Windows 11 to block unauthorized direct memory access from external peripherals? Please help!!!!

Windows for business | Windows 365 Business

2 answers

  1. VPHAN 38,520 Reputation points Independent Advisor
    2026-06-23T06:44:00.1966667+00:00

    Hi Jean Martin,

    Kernel DMA Protection secures Windows 11 against malicious external devices by using the system's IOMMU to isolate memory, preventing unauthorized access to sensitive data like BitLocker keys. To ensure this is active, administrators should verify that Virtualization-Based Security (VBS) is running in the msinfo32 system report and that the DMA Guard policy is correctly configured via the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaGuard or Group Policy. Successful implementation requires compatible hardware, up-to-date UEFI firmware, and enabled Secure Boot to allow the Windows kernel to initialize mandatory memory isolation protocols.

    Hope this answer has brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VPHAN


  2. AI answer

    2026-06-23T06:09:24.7766667+00:00

    Kernel DMA Protection in Windows 11 uses the system’s IOMMU (Input/Output Memory Management Unit) and driver-based DMA remapping to prevent external PCIe devices (such as Thunderbolt, USB4, CFexpress) from gaining unauthorized access to system memory, especially when a device is unattended, locked, or sleeping.

    Key points relevant to physical attacks on sleeping/locked laptops:

    1. Threat model: drive‑by DMA attacks
      PCIe hot‑plug ports (Thunderbolt, USB4, CFexpress) expose DMA‑capable devices that can read/write system memory without CPU involvement. An attacker can plug in a malicious device while the user is away and attempt to dump secrets (for example, BitLocker keys) or inject code to bypass the lock screen.
    2. How Windows 11 enforces memory access protection
      Windows uses the IOMMU to isolate and control DMA:
      • Only devices whose drivers are DMA remapping compatible (support memory isolation) are allowed to start and perform DMA to specific, remapped memory regions.
      • Devices with DMA remapping‑incompatible drivers are blocked from starting and performing DMA while the screen is locked or before an authorized user signs in.
    3. Behavior when Kernel DMA Protection is enabled
      When the feature is active:
      • Compatible devices (with DMA remapping‑aware drivers):
        • Are automatically enumerated and started.
        • Can perform DMA, but only to memory regions assigned via the IOMMU, reducing the risk of arbitrary memory access.
      • Incompatible devices (no DMA remapping support):
        • Are blocked from starting if plugged in before sign‑in or while the screen is locked.
        • After the user unlocks/signs in, the OS starts the driver and the device works normally until reboot or unplug.
        • Once started, the device continues to function even if the user later locks the screen or signs out.
      This means that if an attacker connects a new Thunderbolt/PCIe device to a locked or sleeping machine, and its driver is not DMA‑remapping aware, Windows will not start the device or allow DMA until an authorized user unlocks the system.
    4. Automatic enablement and platform requirements
      • On systems that support Kernel DMA Protection, Windows enables it automatically, with no admin configuration required.
      • It requires UEFI firmware support and IOMMU/virtualization enabled in firmware (for example, Intel VT‑d).
      • It is available on Windows 11 Pro, Enterprise, Pro Education/SE, and Education editions.
    5. Interaction with other protections
      • Kernel DMA Protection is a higher‑bar replacement for older BitLocker DMA countermeasures; when supported, those BitLocker DMA mitigations should be disabled in favor of Kernel DMA Protection.
      • On supported Surface for Business devices, DMA protection is enabled by default and works alongside BitLocker, Secure Boot, and Windows Defender System Guard to mitigate cold boot and DMA‑based key theft.
    6. Admin controls and driver guidance
      • IT admins can further tune behavior for DMA‑incompatible devices via MDM or Group Policy (for example, DMAGuard policy).
      • Hardware/driver vendors can opt into DMA remapping so their PCIe device drivers are fully compatible with Kernel DMA Protection and can operate even when the screen is locked.

    In practice, for the scenario described (stolen or unattended sleeping/locked laptop with a malicious Thunderbolt device attached), Kernel DMA Protection ensures that:

    • The malicious device cannot simply enumerate and start with full DMA access while the system is locked.
    • Only devices with properly isolated DMA mappings can access memory, significantly reducing the risk of memory key theft via external PCIe ports.


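A defender-side status check that gathers the verification steps both answers mention (the msinfo32 "Kernel DMA Protection" row, the DmaGuard device-enumeration policy, and per-driver DMA remapping compatibility) into one script an administrator can run on a fleet before relying on the feature. This is an added example, not code from either answer or from Microsoft. It assumes the `msinfo32 /report` text export, the policy value `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy` (0 = block all, 1 = only after sign-in/unlock, 2 = allow all), and the device property `DEVPKEY_Device_DmaRemappingPolicy` (2 = driver opted in to DMA remapping, 0 or 1 = not opted in), as I understand Microsoft's documentation of them; verify those values against the current docs for your Windows build.

```powershell
# Added example (not from the thread): report Kernel DMA Protection state,
# the DmaGuard policy, and which present PCI drivers support DMA remapping.
# Assumed, per Microsoft docs: msinfo32 /report output format, the policy
# registry location, and the DEVPKEY_Device_DmaRemappingPolicy property.

function Get-KernelDmaProtectionStatus {
    # msinfo32 is the authoritative view of the platform-level state; export
    # its report (UTF-16 text, tab-separated item/value rows) and read the row.
    $report = Join-Path $env:TEMP 'msinfo32-dma.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
    $line = Get-Content -Path $report -Encoding Unicode |
        Where-Object { $_ -match '^Kernel DMA Protection' }
    Remove-Item -Path $report -ErrorAction SilentlyContinue
    if ($line) { ($line -split "`t")[-1].Trim() } else { 'Not reported' }
}

function Get-DmaGuardPolicy {
    # Assumed policy location (ADMX/MDM DmaGuard/DeviceEnumerationPolicy).
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
    $value = (Get-ItemProperty -Path $key -Name 'DeviceEnumerationPolicy' `
              -ErrorAction SilentlyContinue).DeviceEnumerationPolicy
    if ($null -eq $value) { return 'Not configured (default: start incompatible devices only after sign-in/unlock)' }
    if ($value -eq 0)     { return 'Block all (incompatible devices never start)' }
    if ($value -eq 1)     { return 'Only after sign-in/screen unlock' }
    if ($value -eq 2)     { return 'Allow all (incompatible devices start while locked: weakest setting)' }
    return "Unknown value $value"
}

function Get-DmaRemappingReport {
    # One row per present PCI device: did its driver opt in to DMA remapping?
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'PCI\*' } |
        ForEach-Object {
            $prop = Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_DmaRemappingPolicy' `
                        -ErrorAction SilentlyContinue
            $policy = $prop.Data
            # Assumed mapping: 2 = opted in; 0 or 1 = not opted in; absent = unknown.
            $compatible = if ($policy -eq 2) { 'Yes' }
                          elseif ($policy -in 0, 1) { 'No' }
                          else { 'Unknown' }
            [pscustomobject]@{
                Device      = $_.FriendlyName
                InstanceId  = $_.InstanceId
                RemapPolicy = $policy
                Compatible  = $compatible
            }
        }
}

# Summary for the administrator running the check.
$status = Get-KernelDmaProtectionStatus
Write-Output "Kernel DMA Protection (msinfo32): $status"
Write-Output "DmaGuard enumeration policy     : $(Get-DmaGuardPolicy)"
if ($status -ne 'On') {
    Write-Warning 'Kernel DMA Protection is not reported as On. Check that the IOMMU (e.g. Intel VT-d) is enabled in UEFI and that the firmware supports the feature.'
}
# Drivers marked "No" will be held back while the screen is locked (under the
# default policy); review whether any of them belong to external-port devices.
Get-DmaRemappingReport | Sort-Object Compatible, Device | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the laptop in question. The msinfo32 row is the value to trust for whether the protection is active; the policy line tells you whether an administrator has loosened the default behaviour for incompatible devices (a value of 2 undoes the lock-screen protection the AI answer describes); and the device table shows which already-installed drivers would be allowed to start while locked.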
