Disable new DMA devices when this computer is locked
ID: oval:org.secpod.oval:def:81255 | Date: (C)2022-06-06 (M)2023-12-12 | Class: COMPLIANCE | Family: windows
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. The recommended state for this setting is: Enabled.
Note: Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices before exposing the new devices to Windows.
Fix:
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Disable new DMA devices when this computer is locked
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE!DisableExternalDMAUnderLock
Platform: Microsoft Windows Server 2022