2022-10-05 19:26:38 -04:00


---
title: Policy CSP - DmaGuard
description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA-capable devices.
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
---

Policy CSP - DmaGuard


DmaGuard policies

DmaGuard/DeviceEnumerationPolicy

| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | Yes | Yes |
| Windows SE | No | Yes |
| Business | Yes | Yes |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |

Scope:

  • Device

This policy is intended to provide more security against external DMA-capable devices. It gives administrators control over when external DMA-capable devices whose drivers are incompatible with DMA remapping (device memory isolation and sandboxing) are allowed to enumerate and start.

Device memory sandboxing lets the OS use the platform's I/O Memory Management Unit (IOMMU) to block I/O or memory accesses by a peripheral that the OS did not authorize. In other words, the OS maps only a specific memory range for the peripheral; if the peripheral attempts to read or write memory outside that range, the IOMMU blocks the access. A device whose driver is incompatible with DMA remapping cannot be confined this way, which is why this policy exists to decide when such devices may start.

This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be turned on via policy or by the end user; it has to be supported by the system at the time of manufacturing. To check whether the system supports Kernel DMA Protection, look at the Kernel DMA Protection field on the System Summary page of MSINFO32.exe. On a system where that field reads Off or Not supported, setting this policy changes nothing.

Note

This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.

The following are the supported values:

  • 0 - Block all (most restrictive): Devices with DMA-remapping-compatible drivers are allowed to enumerate at any time. Devices with DMA-remapping-incompatible drivers are never allowed to start and perform DMA.

  • 1 - Only after log in/screen unlock (default): Devices with DMA-remapping-compatible drivers are allowed to enumerate at any time. Devices with DMA-remapping-incompatible drivers are only enumerated after the user unlocks the screen. Note that a device attached while the session is already unlocked is enumerated immediately under this setting.

  • 2 - Allow all (least restrictive): All external DMA-capable PCIe devices are enumerated at any time, regardless of driver compatibility.
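The following PowerShell script is an added example for this page, not code from the original article or from Microsoft. It reads the Kernel DMA Protection status and the current enumeration policy, maps the policy to the three documented values, and sets a new value. It assumes two things that are not stated on this page: that the ADMX policy `DmaGuardEnumerationPolicy` is backed by the DWORD registry value `DeviceEnumerationPolicy` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection`, and that `msinfo32.exe /report` writes a tab-separated text summary containing a `Kernel DMA Protection` line (the label is localized on non-English systems). Run it elevated.

```powershell
# Added example (not from the original page). Assumed registry backing for the
# "Enumeration policy for external devices incompatible with Kernel DMA Protection" GPO:
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
$ValueName = 'DeviceEnumerationPolicy'

# Meaning of the values as documented on this page. An absent value means the
# platform default (1).
$Meaning = @{
    0 = 'Block all (most restrictive)'
    1 = 'Only after log in/screen unlock (default)'
    2 = 'Allow all (least restrictive)'
}

function Get-KernelDmaProtectionState {
    # Kernel DMA Protection is a firmware/platform capability. The policy below has
    # no effect unless this reports "On". Assumption: msinfo32 /report produces a
    # tab-separated text file with an "Item<TAB>Value" line for this field.
    $report = Join-Path $env:TEMP 'msinfo32-summary.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait -NoNewWindow
    $line = Get-Content -Path $report -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*Kernel DMA Protection\s' } | Select-Object -First 1
    Remove-Item -Path $report -ErrorAction SilentlyContinue
    if ($line) { return ($line -split "`t")[-1].Trim() }
    return 'Unknown'
}

function Get-DmaGuardEnumerationPolicy {
    $raw = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $value = if ($null -eq $raw) { 1 } else { [int]$raw }
    [pscustomobject]@{
        Configured = ($null -ne $raw)   # $false means the default applies
        Value      = $value
        Meaning    = $Meaning[$value]
    }
}

function Set-DmaGuardEnumerationPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]
        [int]$Value
    )
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    Get-DmaGuardEnumerationPolicy
}

# Usage: report the firmware capability first, because the policy is meaningless without it.
$state = Get-KernelDmaProtectionState
"Kernel DMA Protection (firmware): $state"
if ($state -ne 'On') {
    Write-Warning 'Kernel DMA Protection is not On; DeviceEnumerationPolicy will have no effect on this device.'
}
Get-DmaGuardEnumerationPolicy | Format-List

# Tighten to "Block all" on a device where only DMA-remapping-compatible peripherals are expected:
# Set-DmaGuardEnumerationPolicy -Value 0
```

When the same setting is delivered through MDM rather than Group Policy, the Policy CSP path follows the standard `./Device/Vendor/MSFT/Policy/Config/<Area>/<Policy>` form, so the OMA-URI is `./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy` with an integer value of 0, 1 or 2. Check the effective setting after a reboot with `Get-DmaGuardEnumerationPolicy`, and remember that the script only tells you what is configured; confirming that an incompatible device is actually held back requires plugging one in while the screen is locked and watching Device Manager.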

ADMX Info:

  • GP Friendly name: Enumeration policy for external devices incompatible with Kernel DMA Protection
  • GP name: DmaGuardEnumerationPolicy
  • GP path: System/Kernel DMA Protection
  • GP ADMX file name: dmaguard.admx

Policy configuration service provider