Update bitlocker-countermeasures.md

Added link to Intel Thunderbolt Security documentation for systems that do not support Kernel DMA Protection
AaDake
2018-10-23 11:54:48 -07:00
committed by GitHub
parent 9eb1fc40dc
commit 7f0b632430

@ -98,7 +98,7 @@ It requires direct ethernet connectivity to an enterprise Windows Deployment Ser
There are a few different options to protect DMA ports, such as Thunderbolt™3.
Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default.
This kernel DMA protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled:
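Review bot: The capitalization change to "Kernel DMA Protection" in the "available only for new systems" sentence leaves the term inconsistent inside this hunk. The next line still reads "check if a device has kernel DMA protection enabled", and the sentence before it says "kernel protection against DMA attacks". If the feature name is now treated as a proper noun, update the MSINFO32 sentence in the same change so the page uses one form. The commit message mentions only the added link, so this edit should be noted there as well.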
@ -107,7 +107,7 @@ You can use the System Information desktop app (MSINFO32) to check if a device h
If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
1. Require a password for BIOS changes
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607):
- MDM: [DataProtection/AllowDirectMemoryAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
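Review bot: In step 2, the appended "Please refer to [...]" sentence has no terminal period, and its link goes straight to a PDF on thunderbolttechnology.net, outside the docs.microsoft.com domain used by the other links in this list, so it is more likely to break without anyone noticing. Suggest ending the sentence with a period, rewording it to say what the reader will find there (for example how to set the User Authorization level), and marking the target as an external PDF. While touching this list, the lead-in "If kernel DMA protection *not* enabled" is missing "is" and uses the lowercase form that the first hunk moves away from.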
@ -188,4 +188,4 @@ For secure administrative workstations, Microsoft recommends TPM with PIN protec
- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
- [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
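Review bot: The final "BitLocker CSP" line appears twice with identical visible text, so this hunk presumably changes only trailing whitespace or the end-of-file newline. That is unrelated to the link addition described in the commit message. Confirm it is intentional, or drop it from this commit to keep the diff limited to the documentation change.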