This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. The recommended state for this setting is: Enabled. Note: Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices before exposing the new devices to Windows. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Disable new DMA devices when this computer is locked (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE!DisableExternalDMAUnderLock