From 11a57840a4337162b4544b7aa46551cf94a708dc Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 22 Oct 2020 15:21:10 -0700 Subject: [PATCH] Corrected indentation --- .../kernel-dma-protection-for-thunderbolt.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index dac9d8ce02..836d7916f5 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -82,20 +82,24 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if ### Using System information 1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar. + 2. Check the value of **Kernel DMA Protection**. + ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png) + 3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO: + - Reboot into BIOS settings - Turn on Intel Virtualization Technology. - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Reboot system into Windows 10. ->[!NOTE] -> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES and the **Hyper-V** Windows feature is enabled. Enabling both is needed to enable **Kernel DMA Protection** even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection). + >[!NOTE] + > **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES and the **Hyper-V** Windows feature is enabled. Enabling both is needed to enable **Kernel DMA Protection** even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. -For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. + For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ## Frequently asked questions