Thunderbolt docking station installation currently blocked by GPO


Hello All,

Currently we have windows 10_1809 version and we want enable supporting Thunderbolt docking station. It’s currently blocking of PCICC_0C0A due to security reason(DMA attacks over Thunderbolt interfaces).  How we can enable it without any security risk?

My understanding summary to enable this is below :

– Enable Windows Defender Core isolation -> Memory Integrity

– Support Kernel DMA Protection.

– Remove the legacy Thunderbolt Mitigation from the GPO (blocking of PCICC_0C0A)




Answer ( 1 )


    If Understand correctly GPO won’t get applied until the provisioning process of SCCM TS is completed isn’t it ?

    So, in your scenario, the GPO is getting applied to the device after the OSD task sequence. Is that a correct understanding?

    To answer your questions, yes I think you already answered your own question:-D

    But it’s your organization’s security or cyber defense team to decide whether these settings are good for them or not.

    Best answer

Leave an answer

Sorry, you do not have permission to answer to this question .