deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

edits from Aacer

Browse Source
This commit is contained in:
Justin Hall 2018-12-17 13:05:38 -08:00
parent d3f99a931c
commit 50ab7cb74b
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
windows/client-management/mdm/policy-csp-dmaguard.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: MariciaAlforque author: MariciaAlforque
ms.date: 06/29/2018 ms.date: 12/17/2018
--- ---
# Policy CSP - DmaGuard # Policy CSP - DmaGuard
@ -65,7 +65,11 @@ ms.date: 06/29/2018
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing.
Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
> [!Note] > [!Note]
> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. > This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.