Automatically block DMA-based devices from loading if the system is not securely configured

Loading and running devices for the DMA-based technologies Thunderbolt and IEEE 1394 (FireWire) can be blocked via GPO (see Microsoft KB2516445).


Windows 10 Enterprise can mitigate the risk by enabling virtualization-based security with DMA protection (see here), so it would be great if the GPO applied only to systems that do not meet the required secure configuration or that lose it.

Windows 10 tracks the required and available configuration in WMI: namespace: root\Microsoft\Windows\DeviceGuard; class: Win32_DeviceGuard; properties: AvailableSecurityProperties (see Microsoft, "Deploy Device Guard: enable virtualization-based security").
But the value is stored in an array, so it can't be used in a WMI filter for GPOs.
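
The array can still be evaluated in a script, even though a WMI filter cannot test its elements. The following is an added example, not part of the original post: it reads Win32_DeviceGuard and reduces the arrays to a single verdict. The value 3 (DMA protection) and the properties RequiredSecurityProperties and VirtualizationBasedSecurityStatus come from Microsoft's Win32_DeviceGuard documentation, not from this page; the function name and the definition of "Protected" are assumptions made for illustration.

```powershell
# Added example: evaluate the Win32_DeviceGuard array properties in a script,
# because a GPO WMI filter (WQL) cannot test individual array elements.
$DmaProtection = 3   # AvailableSecurityProperties / RequiredSecurityProperties: 3 = DMA protection
$VbsRunning    = 2   # VirtualizationBasedSecurityStatus: 2 = enabled and running

# Hypothetical helper name, chosen for this example.
function Get-DmaProtectionState {
    [CmdletBinding()]
    param()

    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    }
    catch {
        # Namespace or class missing (for example on older Windows): report as not protected.
        return [pscustomobject]@{
            ClassPresent = $false
            DmaAvailable = $false
            DmaRequired  = $false
            VbsRunning   = $false
            Protected    = $false
        }
    }

    # @() guards against a null or scalar value; -contains tests array membership.
    $available = @($dg.AvailableSecurityProperties) -contains $DmaProtection
    $required  = @($dg.RequiredSecurityProperties)  -contains $DmaProtection
    $vbs       = $dg.VirtualizationBasedSecurityStatus -eq $VbsRunning

    [pscustomobject]@{
        ClassPresent = $true
        DmaAvailable = $available
        DmaRequired  = $required
        VbsRunning   = $vbs
        # Assumption for this example: "protected" means VBS is running
        # and the platform reports DMA protection as available.
        Protected    = ($available -and $vbs)
    }
}

$state = Get-DmaProtectionState
$state | Format-List

# Exit code 0 = protected, 1 = not protected, so a scheduled task or
# management agent can act on the result.
if ($state.Protected) { exit 0 } else { exit 1 }
```

The script only reports the state at the moment it runs; how often it runs depends on whatever schedules it.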

For the moment, I have no solution that would be able to detect a change in the secure configuration and block the devices in the short frequency of GPO background refresh.
