Loading and starting the drivers for the DMA-based technologies Thunderbolt and IEEE 1394 (FireWire) can be blocked via GPO (see Microsoft KB2516445).
Since Windows 10 Enterprise can mitigate this risk by enabling virtualization-based security with DMA protection (see here), it would be ideal if the GPO applied only to systems that do not meet the required secure configuration, or that have lost it.
Windows 10 tracks the required and available configuration in WMI: namespace root\Microsoft\Windows\DeviceGuard, class Win32_DeviceGuard, property AvailableSecurityProperties (see Microsoft, Deploy Device Guard: enable virtualization-based security).
But the value is stored as an array, so it cannot be evaluated in a WMI filter for GPOs.
For the moment, I have no solution that would be able to detect a change in the secure configuration and block the devices within the short interval of the GPO background refresh.
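As an added example (not part of the original post), the following PowerShell reads the Win32_DeviceGuard class described above and reports whether DMA protection is available and virtualization-based security is actually running; the numeric meanings (3 = DMA protection in AvailableSecurityProperties, 2 = VBS enabled and running in VirtualizationBasedSecurityStatus) are taken from the Microsoft Device Guard documentation, and the function name is my own.

```powershell
# Added example, not from the original post. Queries the Device Guard WMI class
# and returns an object describing the DMA protection state of this machine.
# Assumed value meanings (from the Microsoft Device Guard documentation):
#   AvailableSecurityProperties contains 3  -> DMA protection is available
#   VirtualizationBasedSecurityStatus -eq 2 -> VBS is enabled and running
function Test-DmaProtectionState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    if (-not $dg) {
        throw 'Win32_DeviceGuard not found; this is not a Windows 10 system with Device Guard.'
    }

    # The array-valued property is exactly what a GPO WMI filter cannot evaluate;
    # in PowerShell we can simply test membership.
    $available = [int[]]$dg.AvailableSecurityProperties
    $required  = [int[]]$dg.RequiredSecurityProperties
    $dmaAvailable = $available -contains 3
    $dmaRequired  = $required  -contains 3
    $vbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        DmaAvailable  = $dmaAvailable
        DmaRequired   = $dmaRequired
        VbsRunning    = $vbsRunning
        # Only treat the host as protected when the platform offers DMA protection
        # and VBS is actually running, not merely configured.
        Protected     = ($dmaAvailable -and $vbsRunning)
    }
}

$state = Test-DmaProtectionState
$state | Format-List
# Non-zero exit code when unprotected, so the check can drive a scheduled task
# or monitoring rule instead of the GPO WMI filter the post shows is not possible.
if (-not $state.Protected) { exit 1 } else { exit 0 }
```

Run it elevated on the target workstation; a Protected value of False means the device-blocking GPO should still apply to that host.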