Mokymas
Policy CSP - DmaGuard
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1809 [10.0.17763] and later |
Device
./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy
Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. Note this policy doesn't apply to 1394, PCMCIA or ExpressCard devices.
This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with DMA Remapping, device memory isolation and sandboxing.
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy requires a system reboot to take effect.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
Allowed values:
| Value | Description |
|---|---|
| 0 | Block all (Most restrictive). |
| 1 (Default) | Only after log in/screen unlock. |
| 2 | Allow all (Least restrictive). |
Group policy mapping:
| Name | Value |
|---|---|
| Name | DmaGuardEnumerationPolicy |
| Friendly Name | Enumeration policy for external devices incompatible with Kernel DMA Protection |
| Location | Computer Configuration |
| Path | System > Kernel DMA Protection |
| Registry Key Name | Software\Policies\Microsoft\Windows\Kernel DMA Protection |
| ADMX File Name | DmaGuard.admx |
Papildomi ištekliai
Dokumentacija
-
Devices not working before you log on a computer that is running Windows 10 - Windows Client
Addresses an issue in which a device isn't working before a logon in Windows 10. For example, wireless doesn't connect until a user logon.
-
Kernel DMA Protection (Memory Access Protection) for OEMs
Provides guidance on what an OEM should do to enable Kernel DMA Protection
-
Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
-
Enable DMA Remapping for Device Drivers - Windows drivers
Enable and opt-into Direct Memory Access(DMA) remapping to ensure compatibility with Kernel DMA Protection and DMAGuard policies.