Is there a Programmatic way to check the Kernel DMA protection status? The methods provided are both manual checks in the UI.
Registry or other way to query?
@derekharkin. I will give you an easy way, after checking on my laptop.
Type the following commands in cmd with admin rights:
msinfo32.exe /report C:\system.txt
Wait two minutes, then type the command:
notepad.exe C:\system.txt
Find "Kernel DMA Protection" in system.txt.
@derekharkin - Thank you for submitting feedback.
From our understanding, the issue you raised has been answered by @RAJU2529 so we will close this issue.
Thank you for your contribution to make the docs better! Much appreciated!
Not really, the offered solution is not a programmatic way to check.
I was hoping for something like a registry path or a WMI query.
Hi All. I see this is closed but the referenced page still does not show any WMI query or registry value that indicates whether kernel DMA protection is enabled or disabled. Since kernel DMA protection is preferred over the other BitLocker countermeasures, how are we supposed to programmatically determine if kernel DMA protection is not available and therefore enable the other BitLocker workarounds?
This PowerShell script can be used to find out if the DMA Protection is ON \ OFF.
The Script will show this by emitting True \ False for On \ Off respectively.
```powershell
# bootDMAProtection check
$bootDMAProtectionCheck =
@"
namespace SystemInfo
{
    using System;
    using System.Runtime.InteropServices;

    public static class NativeMethods
    {
        internal enum SYSTEM_DMA_GUARD_POLICY_INFORMATION : int
        {
            /// <summary>
            /// SystemDmaGuardPolicyInformation information class; the result is a single
            /// BOOLEAN (DmaGuardPolicyEnabled) that is non-zero when Kernel DMA Protection is on.
            /// </summary>
            SystemDmaGuardPolicyInformation = 202
        }

        [DllImport("ntdll.dll")]
        internal static extern Int32 NtQuerySystemInformation(
            SYSTEM_DMA_GUARD_POLICY_INFORMATION SystemDmaGuardPolicyInformation,
            IntPtr SystemInformation,
            Int32 SystemInformationLength,
            out Int32 ReturnLength);

        public static byte BootDmaCheck() {
            Int32 result;
            Int32 SystemInformationLength = 1;
            // One byte is enough: the structure holds a single BOOLEAN.
            IntPtr SystemInformation = Marshal.AllocHGlobal(SystemInformationLength);
            Int32 ReturnLength;
            try {
                result = NativeMethods.NtQuerySystemInformation(
                    NativeMethods.SYSTEM_DMA_GUARD_POLICY_INFORMATION.SystemDmaGuardPolicyInformation,
                    SystemInformation,
                    SystemInformationLength,
                    out ReturnLength);
                if (result == 0) {
                    // STATUS_SUCCESS: read the BOOLEAN written by the kernel.
                    byte info = Marshal.ReadByte(SystemInformation, 0);
                    return info;
                }
                return 0;
            } finally {
                // Release the unmanaged buffer (the original leaked it).
                Marshal.FreeHGlobal(SystemInformation);
            }
        }
    }
}
"@

Add-Type -TypeDefinition $bootDMAProtectionCheck

# returns true or false depending on whether Kernel DMA Protection is on or off
$bootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
$bootDMAProtection
```
Hey @SharmaKartikay
Thanks for the script. Do you know if this is equivalent to DeviceGuardAvailableSecurityProperties = DMAProtection that is returned with get-computerInfo in windows powershell? DMAProtection was an available security property in all the systems we tested where kernel dma protection = On in msinfo32. We have been using this get-computerInfo property to set an environment variable that determines if additional bitlocker countermeasure gpo is applied.
Hey @bigben386 do you mean these:-
No, it's not equivalent; instead it is a superset of the Kernel DMA Protection seen in MSINFO32. DMA Protection is possible from hardware in two flavors:-
Note: turning off the second option on the devices will result in PCR 7 binding not being possible on these devices, and hence the BitLocker PCR validation profile falls back to 0,2,4,11.
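To tie the two signals discussed in this thread together, here is an added example (not code from the thread or from Microsoft): it queries the same native DMA guard policy as the script above and, alongside it, the WMI class `Win32_DeviceGuard` in `root\Microsoft\Windows\DeviceGuard`, whose `AvailableSecurityProperties` value 3 ("DMA Protection") is what `Get-ComputerInfo` surfaces as `DeviceGuardAvailableSecurityProperties`. The type name `DmaGuard`, the function name and the `ApplyFallbackCountermeasures` field are my own choices.

```powershell
# Added example: report both DMA protection signals and derive the fallback decision.
$dmaGuardSource = @"
using System;
using System.Runtime.InteropServices;
public static class DmaGuard {
    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemInformation(int infoClass, IntPtr buffer, int length, out int returned);
    // SystemDmaGuardPolicyInformation = 202; the kernel writes one BOOLEAN (DmaGuardPolicyEnabled).
    public static bool IsEnabled() {
        IntPtr buf = Marshal.AllocHGlobal(1);
        try {
            int ret;
            int status = NtQuerySystemInformation(202, buf, 1, out ret);
            return status == 0 && Marshal.ReadByte(buf) != 0;   // 0 == STATUS_SUCCESS
        } finally { Marshal.FreeHGlobal(buf); }
    }
}
"@
if (-not ('DmaGuard' -as [type])) { Add-Type -TypeDefinition $dmaGuardSource }

function Get-DmaProtectionStatus {
    # Win32_DeviceGuard.AvailableSecurityProperties: 3 = "DMA Protection" (hardware capability).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hwDma     = ($null -ne $dg) -and ($dg.AvailableSecurityProperties -contains 3)
    $kernelDma = [DmaGuard]::IsEnabled()   # what msinfo32 shows as "Kernel DMA Protection"

    [pscustomobject]@{
        KernelDmaProtection          = $kernelDma
        HardwareDmaProtectionAvail   = $hwDma        # superset: can be True while the above is False
        ApplyFallbackCountermeasures = -not $kernelDma
    }
}

Get-DmaProtectionStatus | Format-List
```

`ApplyFallbackCountermeasures` is keyed on the native check, not the WMI property, because the reply above explains that the WMI/Get-ComputerInfo value is a superset and can be present on machines where msinfo32 reports Kernel DMA Protection as Off.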