Today I will explore how to Allow Direct Memory Access for Data Protection Through Intune Policy Settings Catalog. Direct Memory Access (DMA) allows data transfer without requiring the CPU. A DMA controller moves data between memory and a device, allowing drivers to transfer data directly.
Direct Memory Access (DMA) lets devices such as disk controllers and graphics cards transfer data to and from system memory without passing every byte through the CPU, which frees the CPU for other work and improves overall system efficiency. The same property is what makes DMA security-relevant: a device plugged into a hot-pluggable port with DMA enabled can read and write system memory, which is why Windows offers a policy to restrict it.
When set to its blocking value (0), the Allow Direct Memory Access policy blocks DMA on all hot-pluggable PCI ports until a user signs in to Windows. While the machine is locked, DMA stays disabled on hot-plug ports that have no child device. The policy is enforced only when BitLocker Device Encryption is enabled.
In this blog post, I will provide step-by-step guidance for enabling Allow Direct Memory Access using the Intune Policy Settings Catalogue.
Windows CSP Details – AllowDirectMemoryAccess Policy
The Policy CSP lets administrators configure Windows 10 and later devices through MDM tools such as Intune. The AllowDirectMemoryAccess policy, which lives in the DataProtection area of the Policy CSP, controls whether DMA is permitted on hot-pluggable PCI ports before a user signs in. The following screenshot shows the CSP details of this policy.
./Device/Vendor/MSFT/Policy/Config/DataProtection/AllowDirectMemoryAccess

Description framework properties are shown in the table below.
Property | Value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed values | 0 (block DMA on hot-pluggable ports until sign-in), 1 (allow) |
Default Value | 1 |
How to Allow Direct Memory Access for Data Protection Through Intune Policy Settings Catalog
The Allow Direct Memory Access policy lets you block direct memory access (DMA) for all hot-pluggable PCI ports until a user signs in to Windows. After sign-in, Windows enumerates the PCI devices connected to the hot-plug ports. Each time the user locks the machine, DMA is blocked again on the hot-plug ports that have no child devices, until the user signs in again.
Devices that were already enumerated while the machine was unlocked keep working until they are unplugged. The policy is enforced only when BitLocker Device Encryption is enabled; the most restrictive value is 0 (block), and the default is 1 (allow).
Enable Allow Direct Memory Access
To create the Allow Direct Memory Access configuration policy for data protection through Intune, follow the steps below. The first step is + New Policy. Sign in to the Microsoft Intune admin center with your administrator credentials.
- Go to Devices > Windows > Configuration > Create > + New Policy

After clicking +New Policy, a new window will open where we must enter the platform and the profile type of the policy from the drop-down arrow.
- Platform: Windows 10 and later
- Profile Type: Settings catalog
After selecting the platform and profile type, click the Create button. This opens a new window with several tabs.

Under the Basics tab, we must type the name of the configuration policy. Here, I named the policy Allow Direct Memory Access. In the Description box, we can briefly describe the policy details.
- This policy is created to enable Allow Direct Memory Access for data protection.
- Click Next

Next is Configuration Settings. Here we can include the necessary settings by choosing which settings to configure using the settings catalog. Click on + Add settings to browse or search the catalog for the settings you want to configure.
- Click on + Add settings

+ Add settings opens a new Settings picker page. Here you can search for settings by keyword and click the Search button; the + Add filter option narrows the results. You can also browse by category and pick Data Protection.
- Select the check box for Allow Direct Memory Access and close the Settings picker page to return to Configuration settings

Back on Configuration settings, use the toggle to set the value. For this policy the protective choice is the blocking value (0): leaving it at the default (1) allows DMA on hot-pluggable ports and changes nothing. Then click the Next button.

The next tab is Scope tags. Intune scope tags give admins a filtered view of the objects they manage. The Default tag is preselected; if your tenant has custom scope tags, select the ones your policy needs.
- Click Next

Next is Assignments, the last configuration step when creating a policy in Microsoft Intune. Here you select the groups the configuration policy is assigned to. I selected the HTMD – Test Computers group. Follow the steps below to assign a group.
- Click Add groups
- Select a device group under Included groups
- Click Select

The selected group now appears on the Assignments tab, as shown in the screenshot below. Click Next to continue.
Note: User and device groups cannot be mixed when excluding groups.

The final step is the Review + create tab. This page summarizes the policy and lets you check each section. After reviewing all the settings carefully, click the Create button. You will receive a notification that the policy was created successfully.
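The same policy can be created and assigned from the command line with Microsoft Graph instead of clicking through the portal, which is useful for reproducing the configuration across tenants. The script below is an added example and is not part of the original post or of any Intune tooling. It assumes the Microsoft.Graph PowerShell SDK is installed, that the Settings Catalog definition id follows the usual convention of the OMA-URI lower-cased with underscores (this is checked against Graph before anything is created), and uses a placeholder group id that you must replace with your own test group.

```powershell
# Added example (not from the original post): create and assign the Allow Direct
# Memory Access Settings Catalog policy through Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; $definitionId follows the Settings
# Catalog naming convention (verified below); $groupId is a placeholder.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$graph = "https://graph.microsoft.com/beta/deviceManagement"

# Settings Catalog ids mirror the OMA-URI ./Device/Vendor/MSFT/Policy/Config/DataProtection/AllowDirectMemoryAccess
$definitionId = "device_vendor_msft_policy_config_dataprotection_allowdirectmemoryaccess"
$blockValueId = "${definitionId}_0"   # 0 = block DMA on hot-pluggable ports until sign-in

# Fail early if the definition id is wrong instead of creating a broken policy.
try {
    $definition = Invoke-MgGraphRequest -Method GET -Uri "$graph/configurationSettings/$definitionId"
} catch {
    throw "Setting definition '$definitionId' not found; confirm the id in the Settings picker."
}
$optionIds = foreach ($o in $definition.options) { $o.itemId }
if ($optionIds -notcontains $blockValueId) {
    throw "Value '$blockValueId' is not an option of '$definitionId'. Options: $($optionIds -join ', ')"
}

$policy = @{
    name         = "Allow Direct Memory Access"
    description  = "Block DMA on hot-pluggable PCI ports until a user signs in (requires BitLocker)."
    platforms    = "windows10"
    technologies = "mdm"
    settings     = @(
        @{
            "@odata.type"   = "#microsoft.graph.deviceManagementConfigurationSetting"
            settingInstance = @{
                "@odata.type"       = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance"
                settingDefinitionId = $definitionId
                choiceSettingValue  = @{
                    "@odata.type" = "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue"
                    value         = $blockValueId
                    children      = @()
                }
            }
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/configurationPolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign to a device group. Placeholder object id: replace with your test group's id.
$groupId = "00000000-0000-0000-0000-000000000000"
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/configurationPolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created policy $($created.id) and assigned it to group $groupId"
```

The GET against `configurationSettings` is the equivalent of looking the setting up in the Settings picker: if the id or the `_0` choice value does not exist in your tenant, the script stops before creating anything, so you never end up with a policy that carries no setting.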

Enable Allow Direct Memory Access Monitoring
After receiving the notification, you can review the policy in the Intune portal.
- Go to Devices, then Configuration.
- Use the search bar to find your policy
- Click on the policy to view its details.

Clicking the policy opens a detailed view of its settings. The View report option lists each device's name, the signed-in user, check-in status, filter, and the time the report was last modified. A Succeeded status there means the device accepted the setting; it does not tell you whether BitLocker Device Encryption is enabled on that device, which this policy requires before it has any effect.
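Because the policy only takes effect when BitLocker is enabled, the Intune report alone is not enough to confirm that DMA is actually blocked on a device. The function below is an added example, not part of the original post, that you run locally (elevated) on an enrolled machine. It assumes the Policy CSP stores applied device-scope values under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>` and uses the built-in `Get-BitLockerVolume` cmdlet to check the precondition.

```powershell
# Added example (not from the original post): confirm on a device that the policy
# applied with the blocking value AND that BitLocker, its precondition, is on.
# Assumption: applied Policy CSP device values live under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>.
function Test-AllowDmaPolicy {
    $key  = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DataProtection"
    $name = "AllowDirectMemoryAccess"

    # $null when the policy has not been delivered to this device yet.
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # Requires an elevated session; ProtectionStatus 'On' is what the policy needs.
    $osVolume    = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $bitLockerOn = ($osVolume.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        PolicyPresent         = ($null -ne $value)
        PolicyValue           = $value              # 0 = block, 1 = allow (default)
        BitLockerOn           = $bitLockerOn
        DmaBlockedUntilSignIn = (($value -eq 0) -and $bitLockerOn)
    }
}

$result = Test-AllowDmaPolicy
$result | Format-List
if (-not $result.DmaBlockedUntilSignIn) {
    Write-Warning ("Policy is not effective: value=$($result.PolicyValue), " +
                   "BitLocker on=$($result.BitLockerOn). Check policy assignment and BitLocker state.")
}
```

`DmaBlockedUntilSignIn` is true only when both conditions hold; a device that reports Succeeded in Intune but has BitLocker suspended or off will show `PolicyValue` 0 with `BitLockerOn` false, which is exactly the case the portal report does not surface.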

Author
Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is a blogger, speaker, and local user group community leader. His primary focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.