From 7f0b6324305b36207d26fe00c9bb72ffd5bc1168 Mon Sep 17 00:00:00 2001 From: AaDake <41165107+AaDake@users.noreply.github.com> Date: Tue, 23 Oct 2018 11:54:48 -0700 Subject: [PATCH] Update bitlocker-countermeasures.md Added link to Intel Thunderbolt Security documentation for systems that do not support Kernel DMA Protection --- .../bitlocker/bitlocker-countermeasures.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 91d9c277db..d4ebe56664 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -98,7 +98,7 @@ It requires direct ethernet connectivity to an enterprise Windows Deployment Ser There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. -This kernel DMA protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. +This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: 
@@ -107,7 +107,7 @@ You can use the System Information desktop app (MSINFO32) to check if a device h If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: 1. Require a password for BIOS changes -2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings +2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607): - MDM: [DataProtection/AllowDirectMemoryAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy @@ -188,4 +188,4 @@ For secure administrative workstations, Microsoft recommends TPM with PIN protec - [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) - [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) -- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) \ No newline at end of file +- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
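Review bot: In the hunk at line 98, the feature name is now capitalized inconsistently. The changed line reads "This Kernel DMA Protection is available only for new systems", but the unchanged MSINFO32 sentence directly after it still says "kernel DMA protection enabled", and the list intro in the next hunk says "If kernel DMA protection *not* enabled". If the name is meant to be a proper noun, capitalize those occurrences in the same commit so the page uses one spelling.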
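Review bot: In step 2 of the hunk at line 107, the added sentence "Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](…)" ends without a period and does not say what the reader should look up there. Suggest wording it as a pointer to how the User Authorization security level is configured, and closing the sentence. The unchanged intro line of this list, "If kernel DMA protection *not* enabled", is missing "is" and could be fixed in the same edit. The link also targets a PDF file name on thunderbolttechnology.net with URL-encoded spaces, so a landing page would be less likely to break if one exists.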