Disable new DMA devices when this computer is locked

This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices, until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.


Supported on: At least Windows Server 2016, Windows 10 Version 1703
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Microsoft\FVE
Value NameDisableExternalDMAUnderLock
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

volumeencryption.admx

Administrative Templates (Computers)

Administrative Templates (Users)