Issue with BitLocker/DMA setting in Windows 10 “Fall Creators Update” (v1709)


Customers who deployed Microsoft’s security baseline for Windows 10 v1709 might have experienced device and component failures. The BitLocker GPO settings recommended in the Windows security configuration baselines for Windows 10 include enabling “Disable new DMA devices when this computer is locked” to defend against Direct Memory Access (DMA) attacks. That setting was first introduced in Windows 10 v1703 (also known as “Creators Update,” “Redstone 2,” or “RS2”) and is in our recommended baselines for both v1703 and Windows 10 v1709 (a.k.a. “Fall Creators Update,” “Redstone 3,” or “RS3”). Windows’ internal implementation underlying that Group Policy setting was modified in v1709 to strengthen its enforcement. However, the change inadvertently caused some device and component failures on v1709, described in KB article 4057300, including potential problems with network adapters, audio devices, and pointing devices.

The Group Policy setting is designed to improve the defense of BitLocker-protected systems against DMA-based attacks that bypass memory protections. It is intended to block external devices plugged into DMA-capable ports while the machine is locked, but a side effect of the current implementation also affects device drivers controlling internal devices. Microsoft is aware of this issue and is actively working to address it via a Windows update.

While Microsoft is working on a solution, Windows 10 v1709 customers who are affected may revert the Group Policy setting to “Not Configured” or configure it as “Disabled” to alleviate this issue. This should be treated as a temporary workaround until the issue is addressed in a Windows update.

Note: Reverting this setting does not weaken the security of systems that have no externally accessible DMA ports (such as Thunderbolt™), including the Microsoft Surface Pro and a range of other OEM devices, because the setting only protects against devices attached through such ports. Please check with your OEM directly for specific details.
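The following PowerShell is an added example for this post, not a Microsoft script, that applies the temporary workaround described above to a single v1709 machine and reports whether a Thunderbolt controller is present, since the note above only matters for devices that do have an external DMA port. It assumes that the policy is backed by the DWORD value DisableExternalDMAUnderLock under HKLM\SOFTWARE\Policies\Microsoft\FVE (1 = Enabled, 0 = Disabled, value absent = Not Configured); that mapping is not stated on this page and comes from Microsoft’s BitLocker policy documentation, so confirm it against the ADMX in your environment before relying on it. The Thunderbolt check is a heuristic over Get-PnpDevice names, not an authoritative inventory of DMA-capable ports.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): revert "Disable new DMA devices when
# this computer is locked" to Not Configured or Disabled on Windows 10 v1709.
#
# Assumption: the policy is stored as the DWORD DisableExternalDMAUnderLock
# under HKLM\SOFTWARE\Policies\Microsoft\FVE (1 = Enabled, 0 = Disabled,
# absent = Not Configured). Confirm against the BitLocker ADMX before use.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyName = 'DisableExternalDMAUnderLock'

function Get-DmaUnderLockPolicy {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' for the local policy value.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Test-ThunderboltPresent {
    # Heuristic only: a Thunderbolt controller in the present device tree.
    # A machine with no external DMA port loses nothing by reverting the
    # setting; the post says to confirm the port inventory with the OEM.
    $tb = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.FriendlyName -match 'Thunderbolt' }
    return [bool]$tb
}

function Set-DmaUnderLockWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('NotConfigured', 'Disabled')]
        [string]$Mode = 'NotConfigured'
    )
    # Only v1709 is affected by KB 4057300; refuse to touch other builds.
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    if ($release -ne '1709') {
        Write-Warning "Workaround targets Windows 10 v1709; this machine reports ReleaseId $release. No change made."
        return
    }
    $before = Get-DmaUnderLockPolicy
    if ($before -ne 'Enabled') {
        Write-Host "Policy is already $before; nothing to do."
        return
    }
    if (Test-ThunderboltPresent) {
        Write-Warning 'Thunderbolt controller detected: this machine does have an external DMA port, so reverting the setting reduces protection while locked. Re-enable it once the Windows update ships.'
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", "Set policy to $Mode")) {
        if ($Mode -eq 'Disabled') {
            Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 -Type DWord
        } else {
            Remove-ItemProperty -Path $PolicyKey -Name $PolicyName
        }
    }
    Write-Host "Policy: $before -> $(Get-DmaUnderLockPolicy)"
}

# Preview, then apply, then refresh policy so BitLocker picks up the change.
Set-DmaUnderLockWorkaround -Mode NotConfigured -WhatIf
Set-DmaUnderLockWorkaround -Mode NotConfigured
gpupdate /force
```

On domain-joined machines a local registry edit is overwritten at the next policy refresh, so change the baseline GPO itself instead; with the GroupPolicy module, Set-GPRegistryValue on the same key with -Type DWord -Value 0 yields “Disabled”, and Remove-GPRegistryValue yields “Not Configured”. Keep a record of which machines were reverted so the setting can be re-enabled once the fixing Windows update is installed.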
