diff --git a/devices/surface/dma-protect.md b/devices/surface/dma-protect.md new file mode 100644 index 0000000000..68e0409bb6 --- /dev/null +++ b/devices/surface/dma-protect.md @@ -0,0 +1,26 @@ +--- +title: Surface DMA Protection +description: This article describes DMA protection on compatible Surface devices +ms.prod: w10 +ms.mktglfcycl: manage +ms.localizationpriority: medium +ms.sitesec: library +author: coveminer +ms.author: greglin +ms.topic: article +ms.date: 6/10/2020 +ms.reviewer: carlol +manager: laurawi +audience: itpro +--- +# DMA Protection on Surface devices + +Direct Memory Access (DMA) protection is designed to mitigate potential security vulnerabilities associated with using removable SSDs or external storage devices. Newer Surface devices come with DMA Protection enabled by default. These include Surface Pro 7, Surface Laptop 3, and Surface Pro X. To check the presence of DMA protection feature on your device, open System Information (**Start** > **msinfo32.exe**), as shown in the figure below. + +![System information showing DMA Protection enabled](images/systeminfodma.png) + +If a Surface removable SSD is tampered with, the device will shutoff power. The resulting reboot causes UEFI to wipe memory, to erase any residual data. + +On devices that do not support Kernel DMA Protection, IT admins can: + +- [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) diff --git a/devices/surface/images/systeminfodma.png b/devices/surface/images/systeminfodma.png new file mode 100644 index 0000000000..46c86e9dd6 Binary files /dev/null and b/devices/surface/images/systeminfodma.png differ diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md index e1df0dc226..d9b08bd9e4 100644 --- a/devices/surface/surface-manage-dfci-guide.md +++ b/devices/surface/surface-manage-dfci-guide.md 
@@ -31,7 +31,7 @@ Until now, managing firmware required enrolling devices into Surface Enterprise Now with newly integrated UEFI firmware management capabilities in Microsoft Intune, the ability to lock down hardware is simplified and easier to use with new features for provisioning, security, and streamlined updating all in a single console, now unified as [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). The following figure shows UEFI settings viewed directly on the device (left) and viewed in the Endpoint Manager console (right). -![UEFI settings shown on device (left) and in the Endpoint Manager console (right) ](images/uefidfci.png) +![UEFI settings shown on device (left) and in the Endpoint Manager console (right)](images/uefidfci.png) Crucially, DFCI enables zero touch management, eliminating the need for manual interaction by IT admins. DFCI is deployed via Windows Autopilot using the device profiles capability in Intune. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud without having to maintain on-premises infrastructure.
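Review bot: in the new `devices/surface/dma-protect.md`, the closing section "On devices that do not support Kernel DMA Protection, IT admins can:" opens a bulleted list but carries only one item, so either the remaining options are missing from the hunk or the sentence should be folded into prose ("...IT admins can [block DMA until a user signs in](...)"). Two wording fixes in the same file: "the device will shutoff power" should be "shut off" (verb), and "presence of DMA protection feature" needs an article ("the DMA protection feature"). Capitalization also drifts between "DMA Protection" and "DMA protection" within one paragraph; pick one form and use it consistently with the "Kernel DMA Protection" term used at the end.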
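Review bot: the hunk in `devices/surface/surface-manage-dfci-guide.md` only drops the trailing space inside the image alt text; the markdown image syntax stays well-formed and no other content on the line changes, so this is a safe cosmetic fix with nothing further to address.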