The Thunderbolt controller is a PCIe device which has Direct Memory Access (DMA) IO via PCIe, and it exposes the PCIe protocol externally through USB-C ports for a range of usages. This potentially allows access to system memory from a physical IO device that is being connected and utilizing the PCIe protocol. Kindly refer to some of these related guides: BitLocker Back Door – TPM Only: From stolen laptop to inside the company network, BitLocker Drive Encryption architecture and implementation types on Windows, and how to resolve this “Thunderbolt” application is not in use anymore and can be safely uninstalled. In this article, you will learn how to protect Thunderbolt ports in Windows.
In order to mitigate potential malicious access to system memory from an external PCIe device, there is a need for security protection that will prevent unauthorized Thunderbolt PCIe-based devices from connecting without user authorization.
For instance, preventing unauthorized user access when the device is locked which I will be showing you very shortly. You may want to read more on ways this can be achieved as discussed by Thunderbolt technologies. Windows Security
Windows is pretty very secure when you have the right hardware and firmware capabilities in place (newer hardware). During the boot process, we rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot, and Trusted Boot (appropriate hardening). Newer devices have TPM and Secure Boot to mitigate any form of startup attack.
PCIe Native Control must be enabled in the system firmware. Please refer to these related guides for more information: How to enable Bitlocker Pre-Boot Authentication via the Group Policy, and When Should I Use TPM or TPM + PIN.There are a few different options to protect DMA (Thunderbolt) ports, such as the Thunderbolt3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt 3 ports enabled by default. This Kernel DMA Protection is available only for new systems as mentioned above, as it requires changes in the system firmware and/or BIOS.
Microsoft System Information Desktop App
You can use the Microsoft System Information desktop app (MSINFO32.exe) to quickly check if a device has Kernel DMA Protection enabled. To open the System Information window, type msinfo32 in the Windows search box and click on System Information to open it. This tool will display a comprehensive view of the hardware, system components, and software environment on the local computer which you can use to diagnose the device issues.
As you can see from the image below, we have the Kernel DMA Protection enabled on this device by default. Therefore, you do not need to do anything further to Protect Thunderbolt ports in Windows. But, this is not true for all devices as we will see very shortly.
The Thunderbolt driver (this driver) isn’t needed if running Windows 11 as the driver is included in the Windows 11* installation as at the time of writing this article. If you include a Thunderbolt DMA in your Deployment for Windows 11, you will be prompted to have it uninstalled as discussed in this link.
Kernel DMA protection is not enabled by default
But if your device does not have the Kernel DMA protection enabled by default as shown above, this guide is for you. Also, In this article, I will be showing you ways to enable Group Policy to disable new DMA devices when this computer is locked. This is not enabled by default, and it is your role as a system administrator to implement this. You can also use the following syntax in the command prompt to run the MSINFO32 command on your device or query a remote device for the system information as well. See the table below for the description.
msinfo32 [/pch] [/nfo <path>] [/report <path>] [/computer <computername>] [/showcategories] [/category <categoryID>] [/categories {+<categoryID>(+<categoryID>)|+all(-<categoryID>)}]| Parameter | Description |
|---|---|
| <path> | Specifies the file to be opened in the format C:\Folder1\File1.xxx, where C is the drive letter, Folder1 is the folder, File1 is the file name, and xxx is the file name extension.This file can be an .nfo, .xml, .txt, or .cab file. |
| <computername> | Specifies the name of the target or local computer. This can be a UNC name, an IP address, or a full computer name. |
| <categoryID> | Specifies the ID of the category item. You can obtain the category ID by using /showcategories. |
| /pch | Displays the System History view in the System Information tool. |
| /nfo | Saves the exported file as an .nfo file. If the file name that is specified in path does not end in an .nfo extension, the .nfo extension is automatically appended to the file name. |
| /report | Saves the file in path as a text file. The file name is saved exactly as it appears in path. The .txt extension is not appended to the file unless it is specified in path. |
| /computer | Starts the System Information tool for the specified remote computer. You must have the appropriate permissions to access the remote computer. |
| /showcategories | Starts the System Information tool with all available category IDs displayed, rather than displaying the friendly or localized names. For example, the Software Environment category is displayed as the SWEnv category. |
| /category | Starts System Information with the specified category selected. Use /showcategories to display a list of available category IDs. |
| /categories | Starts System Information with only the specified category or categories displayed. It also limits the output to the selected category or categories. Use /showcategories to display a list of available category IDs. |
| /? | Displays help at the command prompt. |
Thunderbolt (DMA) Kernel Protection Status
The Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals. During OS runtime, Direct Memory Access (DMA) attack is possible. Therefore, the DMA protection is paramount and part of Kernel DMA Protection which protects Bitlocker keys and other secrets stored in memory while the OS is running.
Since this feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard etc, preventing physical connections to such ports will also prevent DMA attacks.
To view the system information, please type msinfo.exe in the search window as discussed above or from the Command Line or PowerShell, type msinfo32 followed by any of the switches (syntax) we have discussed above. 
As you can see from the image below, the Kernel DMA Protection is not enabled by default, and it is vulnerable to DMA attacks which is a type of side channel attack in which an attacker can penetrate a computer or other device by exploiting the presence of high-speed expansion ports that permit direct memory access (DMA).
If you have BitLocker implemented in your environment, I would recommend that you enable Pre-boot authentication with a PIN to mitigate attack vectors for devices that use a bootable eDrive as this can enable attackers to capture the BitLocker encryption key during startup.
Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.Ways to Protect Thunderbolt ports in Windows
A BIOS password is recommended for defence-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification standards for a highly secure Windows device.
1. Enable BIOS Password to Protect Thunderbolt Ports
The following steps require a BIOS password and should be implemented if the kernel DMA protection isn’t enabled.
- Admin Password: This is the password you must enter to access the computer’s BIOS settings and make changes. Prevents an unauthorized user from accessing the BIOS or making changes to settings in the BIOS.
- System (User) Password: This password must be entered in order to log on to your computer. It prevents an unauthorized user from using the computer. Without the user password, a user cannot enter the BIOS, access the One Time Boot (F12 menu), or boot the operating system.
- Internal HDD Password: This is the password that must be entered so that the BIOS can access the hard drive and proceed with booting the operating system. Prevents an unauthorized user from accessing the hard disk and booting into the operating system.
2. Set the Intel Thunderbolt Security in the BIOS
You must set the Intel Thunderbolt Security to User Authorization in BIOS settings as shown below. Kindly take a look at this guide to learn various Thunderbolt 3 Security Levels, and the USB-C port that supports Thunderbolt 3.
3. Group Policy to disable new DMA devices when this computer is locked
Additional DMA security may be added by deploying GPO policy settings. This setting isn’t configured by default. As you can see below, it isn’t enabled.
This policy setting allows you to block direct memory access (DMA) for all Thunderbolt hot-pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host Thunderbolt PCI ports.
Every time the user locks the device, DMA will be blocked on hot plug Thunderbolt PCI ports with no children devices, until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hibernated. This policy setting is only enforced when BitLocker or device encryption is enabled.
Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices before exposing the new devices to Windows. You can also do this via MDM: DataProtection/AllowDirectMemoryAccess policy.
Let’s enable this setting in order to have our device protected. Double-click on the policy “Disable new DMA devices when the computer is locked” and click on Enable. Then click on Ok or Apply.
As you can see below, the policy has been enabled.
Apply the Policy immediately to protect Thunderbolt Ports
In order to apply the policy immediately, there is a need to run gpupdate. See these guides to learn more about GPUpdate Switches: GPUpdate vs GPUpdate force, and Group Policy GPUpdate Commands: GPUpdate, GPUpdate/force, LogOff, Boot, Wait, and Sync.
I hope you found this blog post helpful. Now, you have learned “Protect Thunderbolt ports in Windows”. If you have any questions, please let me know in the comment session