Thunderbolt docking station installation currently blocked by GPO
Currently we have Windows 10 version 1809 and we want to enable support for Thunderbolt docking stations. It is currently blocked by the blocking of PCI\CC_0C0A for security reasons (DMA attacks over Thunderbolt interfaces). How can we enable it without any security risk?
My understanding of what is needed to enable this is summarized below:
– Enable Windows Defender Core isolation -> Memory Integrity
– Support Kernel DMA Protection.
– Remove the legacy Thunderbolt mitigation from the GPO (blocking of PCI\CC_0C0A)
Answer ( 1 )
If I understand correctly, the GPO won’t get applied until the provisioning process of the SCCM TS is completed, isn’t it?
So, in your scenario, the GPO is getting applied to the device after the OSD task sequence. Is that a correct understanding?
To answer your questions: yes, I think you already answered your own question :-D
But it’s up to your organization’s security or cyber defense team to decide whether these settings are good for them or not.
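A read-only check of the three items listed in the question, added here as an example and not part of the original post or answer. It assumes the block was set through the "Prevent installation of devices that match any of these device IDs" policy, an English-language System Information report, and an elevated PowerShell session; the function names are hypothetical.

```powershell
# Added example: reports current state only, changes nothing on the device.
$legacyId = 'PCI\CC_0C0A'   # Thunderbolt controller compatible ID from the question

function Test-LegacyThunderboltBlock {
    # Assumption: the GPO stores its deny list as numbered string values here.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs'
    if (-not (Test-Path $key)) { return $false }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        if ([string]$item.GetValue($name) -ieq $legacyId) { return $true }
    }
    return $false
}

function Test-MemoryIntegrityRunning {
    # SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    return ($dg.SecurityServicesRunning -contains 2)
}

function Get-KernelDmaProtectionState {
    # Assumption: English UI, where msinfo32 prints a "Kernel DMA Protection" row.
    $report = Join-Path $env:TEMP 'msinfo-dma.txt'
    Start-Process msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
    $hit = Select-String -Path $report -Pattern '^Kernel DMA Protection\s+(.+)$' |
           Select-Object -First 1
    Remove-Item $report -ErrorAction SilentlyContinue
    if ($hit) { return $hit.Matches[0].Groups[1].Value.Trim() }
    return 'Unknown'   # row missing: older build or non-English report
}

$state = [pscustomobject]@{
    LegacyBlockPresent     = Test-LegacyThunderboltBlock
    MemoryIntegrityRunning = Test-MemoryIntegrityRunning
    KernelDmaProtection    = Get-KernelDmaProtectionState
}
$state | Format-List

# Keep the legacy block in place until Kernel DMA Protection reports "On".
if ($state.LegacyBlockPresent -and $state.KernelDmaProtection -ne 'On') {
    Write-Warning "Kernel DMA Protection is '$($state.KernelDmaProtection)'; leave the $legacyId block in the GPO."
}
```

Because the answer points out that the GPO lands only after the OSD task sequence, run this after Group Policy has applied, otherwise `LegacyBlockPresent` reflects the pre-policy state.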