Kernel DMA Protection in Windows 11 uses the system's IOMMU (Input/Output Memory Management Unit) and driver-based DMA remapping to prevent external PCIe devices (such as Thunderbolt, USB4, and CFexpress peripherals) from gaining unauthorized access to system memory, especially while the device is unattended, locked, or sleeping.
Key points relevant to physical attacks on sleeping/locked laptops:
- Threat model: drive-by DMA attacks
  PCIe hot-plug ports (Thunderbolt, USB4, CFexpress) accept DMA-capable devices that can read and write system memory without CPU involvement. An attacker can plug in a malicious device while the user is away and attempt to dump secrets (for example, BitLocker keys) or inject code to bypass the lock screen.
- How Windows 11 enforces memory access protection
  Windows uses the IOMMU to isolate and control DMA:
  - Only devices whose drivers are DMA remapping compatible (support memory isolation) are allowed to start and perform DMA, and only to the specific remapped memory regions assigned to them.
  - Devices with DMA remapping-incompatible drivers are blocked from starting and performing DMA while the screen is locked or before an authorized user signs in.
- Behavior when Kernel DMA Protection is enabled
  When the feature is active:
  - Compatible devices (with DMA remapping-aware drivers):
    - Are automatically enumerated and started.
    - Can perform DMA, but only to the memory regions assigned via the IOMMU, reducing the risk of arbitrary memory access.
  - Incompatible devices (no DMA remapping support):
    - Are blocked from starting if plugged in before sign-in or while the screen is locked.
    - After the user unlocks or signs in, the OS starts the driver and the device works normally until reboot or unplug.
    - Once started, the device continues to function even if the user later locks the screen or signs out.
  This means that if an attacker connects a new Thunderbolt/PCIe device to a locked or sleeping machine, and its driver is not DMA remapping aware, Windows will not start the device or allow it to perform DMA until an authorized user unlocks the system.
- Automatic enablement and platform requirements
  - On systems that support Kernel DMA Protection, Windows enables it automatically, with no admin configuration required.
  - It requires UEFI firmware support and the IOMMU/virtualization features enabled in firmware (for example, Intel VT-d).
  - It is available on Windows 11 Pro, Enterprise, Pro Education/SE, and Education editions.
- Interaction with other protections
  - Kernel DMA Protection sets a higher security bar than the older BitLocker DMA countermeasures; on systems that support it, those BitLocker DMA mitigations should be disabled in favor of Kernel DMA Protection.
  - On supported Surface for Business devices, DMA protection is enabled by default and works alongside BitLocker, Secure Boot, and Windows Defender System Guard to mitigate cold boot and DMA-based key theft.
- Admin controls and driver guidance
  - IT admins can further tune behavior for DMA-incompatible devices via MDM or Group Policy (for example, the DMAGuard policy).
  - Hardware/driver vendors can opt into DMA remapping so their PCIe device drivers are fully compatible with Kernel DMA Protection and can operate even when the screen is locked.
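As an added example (not code from the page or from Microsoft), the PowerShell audit below reads the Kernel DMA Protection state that msinfo32 reports, the DMAGuard enumeration policy from the admin controls above, and the legacy BitLocker DMA countermeasure from the interaction section, and flags the combinations the text advises against. The registry paths and value meanings are assumptions based on the Group Policy/MDM settings as I know them; verify them against your policy templates before relying on the result.

```powershell
# Added audit script; not from the page or from Microsoft.
# Assumed: msinfo32 /report emits a "Kernel DMA Protection <On|Off>" line, and the
# policies live at the registry paths below (verify against your ADMX/CSP docs).
function Get-KernelDmaProtectionAudit {
    param([string]$ReportPath = (Join-Path $env:TEMP 'msinfo32-kdp.txt'))
    # 1. Platform state, read from the msinfo32 System Summary report.
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$ReportPath`"" -Wait
    $kdpState = 'Unknown'
    foreach ($line in Get-Content -Path $ReportPath) {
        if ($line -match '^\s*Kernel DMA Protection\s+(\S+)') { $kdpState = $Matches[1]; break }
    }
    # 2. DmaGuard enumeration policy for devices whose drivers lack DMA remapping:
    #    0 = block all, 1 = only after sign-in/unlock (OS default), 2 = allow all.
    $enumPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
    $enumValue = (Get-ItemProperty -Path $enumPath -Name DeviceEnumerationPolicy `
                  -ErrorAction SilentlyContinue).DeviceEnumerationPolicy
    $meanings  = @{ 0 = 'Block all incompatible devices'
                    1 = 'Allow incompatible devices only after sign-in/unlock'
                    2 = 'Allow all incompatible devices, even while locked' }
    $enumMeaning = if ($null -ne $enumValue -and $meanings.ContainsKey([int]$enumValue)) {
        $meanings[[int]$enumValue] } else { 'Not configured (OS default: only after sign-in/unlock)' }
    # 3. Legacy BitLocker countermeasure "Disable new DMA devices when this computer is locked".
    $fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $fveDma  = (Get-ItemProperty -Path $fvePath -Name DisableExternalDMAUnderLock `
                -ErrorAction SilentlyContinue).DisableExternalDMAUnderLock
    # Findings follow the guidance in the text: Kernel DMA Protection should be On,
    # the BitLocker countermeasure should then be off, and "allow all" is the weak setting.
    $findings = @()
    if ($kdpState -ne 'On') {
        $findings += 'Kernel DMA Protection is not On: confirm UEFI support and IOMMU (e.g. VT-d) enabled in firmware.'
    }
    if ($kdpState -eq 'On' -and $fveDma -eq 1) {
        $findings += 'BitLocker DMA countermeasure is enabled alongside Kernel DMA Protection; disable it.'
    }
    if ($enumValue -eq 2) {
        $findings += 'DeviceEnumerationPolicy=2 lets DMA remapping-incompatible devices start while locked.'
    }
    [pscustomobject]@{
        KernelDmaProtection        = $kdpState
        DeviceEnumerationPolicy    = $enumValue
        EnumerationPolicyMeaning   = $enumMeaning
        BitLockerDmaCountermeasure = if ($fveDma -eq 1) { 'Enabled' } else { 'Disabled or not configured' }
        Findings                   = $findings
    }
}

Get-KernelDmaProtectionAudit | Format-List
```

Run it as a normal user on the laptop being assessed; an empty Findings list means the state matches the recommendations in this text.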
In practice, for the scenario described (stolen or unattended sleeping/locked laptop with a malicious Thunderbolt device attached), Kernel DMA Protection ensures that:
- The malicious device cannot simply enumerate and start with full DMA access while the system is locked.
- Only devices with properly isolated DMA mappings can access memory, significantly reducing the risk of key theft from memory via external PCIe ports.