Policy CSP - DmaGuard
✅ Windows SE
|✅ Windows 10, version 1809 [10.0.17763] and later|
Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. Note this policy doesn't apply to 1394, PCMCIA or ExpressCard devices.
This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with DMA Remapping, device memory isolation and sandboxing.
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
Description framework properties:
|Property name||Property value|
|Access Type||Add, Delete, Get, Replace|
|0||Block all (Most restrictive).|
|1 (Default)||Only after log in/screen unlock.|
|2||Allow all (Least restrictive).|
Group policy mapping:
|Friendly Name||Enumeration policy for external devices incompatible with Kernel DMA Protection|
|Path||System > Kernel DMA Protection|
|Registry Key Name||Software\Policies\Microsoft\Windows\Kernel DMA Protection|
|ADMX File Name||DmaGuard.admx|
Submit and view feedback for