Issue with BitLocker/DMA setting in Windows 10 “Fall Creators Update” (v1709)

Update, 27 April 2018: The problem described in this post has been fixed in the April 2018 quality update.

Customers that deployed Microsoft’s security baseline for Windows 10 v1709 might have experienced device and component failures. The BitLocker GPO settings recommended in the Windows security configuration baselines for Windows 10 include enabling “Disable new DMA devices when this computer is locked” to defend against Direct Memory Access (DMA) attacks. That setting was first introduced in Windows 10 v1703 (also known as “Creators Update,” “Redstone 2,” or “RS2”) and is in our recommended baselines both for v1703 and Windows 10 v1709 (a.k.a., “Fall Creators Update,” “Redstone 3,” or “RS3”). Windows’ internal implementation underlying that Group Policy setting was modified for v1709 to strengthen its enforcement. However, the change inadvertently led to some device and component failures on v1709 that are described in KB article 4057300, including potential problems with network adapters, audio devices, and pointing devices.

The Group Policy setting is designed to improve the defense of BitLocker-protected systems from DMA-based attacks bypassing memory protections. It is intended to protect against external devices plugged into DMA ports, but a side effect of the current implementation affects device drivers controlling internal devices. Microsoft is aware of this issue and is actively working to address this via a Windows update.

While Microsoft is working on a solution, Windows 10 v1709 customers who are affected may revert the Group Policy setting to “Not Configured” or configure it to “Disabled” to alleviate this issue. This should be a temporary workaround until this issue is addressed in a Windows update.

Note: Removing this setting will not negatively impact systems that do not have external DMA ports (such as Thunderbolt™) including the Microsoft Surface Pro and a range of other OEM devices.  Please check with your OEM directly for specific details.

Comments (6)

  1. Aaron, would it be possible to indicate whether the status is still “working on a solution” or finally “solved”?
    If not, yet, be so kind to explain what other external ports apart from thunderbolt are at risk, when the policy is disabled.
    Thank you.

    [Aaron Margosis] We plan to publish a fix for RS3 (1709) in late April, assuming we don’t run into any quality issues that necessitate delaying.
    1. Aaron, thanks for replying. Just tested with 1803 (17133.1) on a system that had the problem with 1703 and it is gone. Am I right in assuming that the fix is already incorporated in 1803?

      [Aaron Margosis] Yes, that’s correct.
      1. Just replying to say thanks once more and of course to avoid confusion by correcting my previous comment – the system I tested on had the problem on 1709 of course, not on 1703.

  2. Mukund Rao says:

    Hi Team,

    I’m facing the same issue where after applying the Windows 1709 update my WIFI has stopped working and none of the devices are able to connect to the Wifi . Also My Desktop is unable to get internet connectivity . I have reformatted and done a clean install of windows 10 on my system but still the issue is persisting. The windows version is Version 10.0 Build 10240 . I’m unable to find the bit locker setting under group policy ( Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. ) . This option doesn’t exist under GPEDIT.MSC . Is there any other way to solve this

    [Aaron Margosis] Build 10240 was the first Windows 10 release, a.k.a., v1507, a.k.a., “Threshold 1.” Version 1709 is build 16299. Which do you have?
    1. Mukund Rao says:

      Hi Aaron,

      After lot of troubleshooting finally i upgraded my Windows 10 Build to January 18, 2018—KB4073291 (OS Build 16299.201) and then updated my lenovo thinkcentre network drivers and chipset drivers . Post that i executed ” netsh winsock reset catalog ” which eventually solved the problem a. I did check the GPedit.msc settings which was set to ” Not Configured ” . Finally the 8 hour struggle came to an end 🙂 . For now i have completely disabled windows update and disabled the service itself . Is it safe to still update the system with windows updates ?? I’m being really skeptical now . Being an IT pro myself i have never encountered such an issue before . But thanks to your blog . Cheers

  3. Finally: Solution Win10 Cumulative Update KB4093105
    On April 23rd Microsoft published Cumulative Update KB4093105 for Windows 10. This Update resolves this Issue, Bitlocker-DMA Protection can be turned on again after applying this Update. Changelog is provided here:

Skip to main content