From c52326b4439d1e93be50375d65ab8181a376c109 Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 12 Apr 2017 16:30:25 -0700 Subject: [PATCH] added new setting --- .../bitlocker-group-policy-settings.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 8f5aa0a1af..252b46ba59 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -37,6 +37,7 @@ The following policy settings can be used to determine how a BitLocker-protected - [Require additional authentication at startup](#bkmk-unlockpol1) - [Allow enhanced PINs for startup](#bkmk-unlockpol2) - [Configure minimum PIN length for startup](#bkmk-unlockpol3) +- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked) - [Disallow standard users from changing the PIN or password](#bkmk-dpinchange) - [Configure use of passwords for operating system drives](#bkmk-ospw) - [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4) 
@@ -355,6 +356,24 @@ This policy setting is used to set a minimum PIN length when you use an unlock m This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. +### Disable new DMA devices when this computer is locked + +This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows. + +| | | +|--------------------|----------------------| +| Policy description | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. | +| Introduced | Windows 10, version 1703 | +| Drive type | Operating system drives | +| Policy path | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +| Conflicts | None | +| When enabled | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. | +| When disabled or not configured | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| + +**Reference** + +This policy setting is only enforced when BitLocker or device encyption is enabled. + ### Disallow standard users from changing the PIN or password This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.
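Review bot: the new list entry in the first hunk links to `#disable-new-dma-devices-when-this-computer-is-locked`, an auto-generated heading slug, while every neighbouring entry (`#bkmk-unlockpol3`, `#bkmk-dpinchange`, `#bkmk-ospw`) points at an explicit `bkmk-` anchor. The link only resolves while the heading text "Disable new DMA devices when this computer is locked" stays byte-for-byte identical; consider adding a `bkmk-` style anchor to the new section and linking to that, matching the rest of the list.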
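Review bot: typo in the Reference line of the second hunk, `This policy setting is only enforced when BitLocker or device encyption is enabled.` should read `device encryption`. Also worth aligning the wording of the two state rows: "When enabled" says DMA is blocked on hot pluggable PCI *ports*, while "When disabled or not configured" says DMA is available on hot pluggable PCI *devices*; using the same noun in both rows (ports, as in the opening sentence of the section) makes the contrast clearer. Since enforcement depends on BitLocker or device encryption being on, consider moving that Reference sentence up next to the "When enabled" row so a reader does not assume the policy alone blocks DMA.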