Issue with BitLocker/DMA setting in Windows 10 “Fall Creators Update” (v1709)

Update, 27 April 2018: The problem described in this post has been fixed in the April 2018 quality update.

Customers that deployed Microsoft’s security baseline for Windows 10 v1709 might have experienced device and component failures. The BitLocker GPO settings recommended in the Windows security configuration baselines for Windows 10 include enabling “Disable new DMA devices when this computer is locked” to defend against Direct Memory Access (DMA) attacks. That setting was first introduced in Windows 10 v1703 (also known as “Creators Update,” “Redstone 2,” or “RS2”) and is in our recommended baselines both for v1703 and Windows 10 v1709 (a.k.a., “Fall Creators Update,” “Redstone 3,” or “RS3”). Windows’ internal implementation underlying that Group Policy setting was modified for v1709 to strengthen its enforcement. However, the change inadvertently led to some device and component failures on v1709 that are described in KB article 4057300, including potential problems with network adapters, audio devices, and pointing devices.

The Group Policy setting is designed to improve the defense of BitLocker-protected systems from DMA-based attacks bypassing memory protections. It is intended to protect against external devices plugged into DMA ports, but a side effect of the current implementation affects device drivers controlling internal devices. Microsoft is aware of this issue and is actively working to address this via a Windows update.

While Microsoft is working on a solution, Windows 10 v1709 customers who are affected may revert the Group Policy setting to “Not Configured” or configure it to “Disabled” to alleviate this issue. This should be a temporary workaround until this issue is addressed in a Windows update.

Note: Removing this setting will not negatively impact systems that do not have external DMA ports (such as Thunderbolt™), including the Microsoft Surface Pro and a range of other OEM devices. Please check with your OEM directly for specific details.
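For administrators who apply the workaround and want to re-enable the baseline setting once the fix lands, the following PowerShell audit is an added example (not part of the original post or of Microsoft's baseline tooling). It reports the current state of the "Disable new DMA devices when this computer is locked" policy, whether the cumulative update named in the comments below (KB4093105) is installed, and what that implies on a v1709 (build 16299) machine. It assumes the policy is backed by the registry value HKLM\SOFTWARE\Policies\Microsoft\FVE\DisableExternalDMAUnderLock (1 = Enabled, 0 = Disabled, absent = Not Configured); that mapping comes from the policy's ADMX definition and is not stated in the post.

```powershell
# Added example, not from the original post: audit the BitLocker DMA-lock policy and the
# presence of the fixing cumulative update, so the temporary workaround can be reverted
# once the fix is applied.
#
# Assumption: the Group Policy setting "Disable new DMA devices when this computer is locked"
# is stored under the registry value below (1 = Enabled, 0 = Disabled, absent = Not Configured).
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyValue  = 'DisableExternalDMAUnderLock'
$FixKB        = 'KB4093105'   # update identified in the comments as resolving the issue
$V1709Build   = 16299         # OS build number of Windows 10 v1709 (Fall Creators Update)

function Get-DmaLockPolicyState {
    # Returns 'NotConfigured' when the value (or its key) is absent, otherwise maps the DWORD.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ($item.$PolicyValue) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unknown($($item.$PolicyValue))" }
    }
}

function Test-FixInstalled {
    # Get-HotFix lists installed updates by HotFixID; a missing ID yields no output.
    $null -ne (Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue)
}

$build = [System.Environment]::OSVersion.Version.Build
$state = Get-DmaLockPolicyState
$fixed = Test-FixInstalled

# Only v1709 is affected by the regression described in the post; other builds need no action here.
if ($build -eq $V1709Build -and -not $fixed -and $state -eq 'Enabled') {
    $recommendation = 'v1709 without the fix: set the policy to Not Configured or Disabled until the update is applied'
} elseif ($build -eq $V1709Build -and $fixed -and $state -ne 'Enabled') {
    $recommendation = 'Fix present: the baseline setting can be re-enabled'
} else {
    $recommendation = 'No action needed'
}

[PSCustomObject]@{
    ComputerName   = $env:COMPUTERNAME
    OSBuild        = $build
    PolicyState    = $state
    FixInstalled   = $fixed
    Recommendation = $recommendation
}
```

Run it elevated on each machine (or wrap the body in `Invoke-Command` for a fleet) and collect the objects; machines reporting "Fix present" are the ones where the baseline value can be restored through Group Policy rather than left disabled indefinitely.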

Comments

  • Anonymous
    March 20, 2018
Aaron, would it be possible to indicate whether the status is still "working on a solution" or finally "solved"? If not yet, be so kind to explain what other external ports apart from Thunderbolt are at risk when the policy is disabled. Thank you.
    [Aaron Margosis] We plan to publish a fix for RS3 (1709) in late April, assuming we don't run into any quality issues that necessitate delaying.
    • Anonymous
      April 04, 2018
Aaron, thanks for replying. Just tested with 1803 (17133.1) on a system that had the problem with 1703 and it is gone. Am I right in assuming that the fix is already incorporated in 1803?
      [Aaron Margosis] Yes, that's correct.
      • Anonymous
        April 06, 2018
        Just replying to say thanks once more and of course to avoid confusion by correcting my previous comment - the system I tested on had the problem on 1709 of course, not on 1703.
  • Anonymous
    April 14, 2018
    The comment has been removed
    • Anonymous
      April 15, 2018
Hi Aaron, after a lot of troubleshooting I finally upgraded my Windows 10 build to January 18, 2018—KB4073291 (OS Build 16299.201) and then updated my Lenovo ThinkCentre network drivers and chipset drivers. After that I executed "netsh winsock reset catalog", which eventually solved the problem. I did check the gpedit.msc setting, which was set to "Not Configured". Finally the 8-hour struggle came to an end :). For now I have completely disabled Windows Update and disabled the service itself. Is it safe to still update the system with Windows updates? I'm being really skeptical now. Being an IT pro myself, I have never encountered such an issue before. But thanks to your blog. Cheers
  • Anonymous
    April 25, 2018
Finally: Solution Win10 Cumulative Update KB4093105
    On April 23rd Microsoft published Cumulative Update KB4093105 for Windows 10. This update resolves this issue; BitLocker DMA protection can be turned on again after applying this update. Changelog is provided here: https://support.microsoft.com/en-us/help/4093105/windows-10-update-kb4093105