How To Enable Kernel DMA Protection | BIOS Fix For Windows

Kernel DMA Protection runs automatically on supported Windows hardware. When it’s OFF, enabling it requires UEFI BIOS changes — IOMMU and DMA support — not Windows Settings.

Kernel DMA Protection is a Windows security feature that blocks external devices from directly accessing system memory. Getting the toggle to show ON means understanding how to enable Kernel DMA Protection at the firmware level — the Windows switch in Core Isolation only lets you disable it. This guide covers the exact BIOS settings to change, the system requirements your hardware must meet, and why the option stays grayed out on some machines.

What Is Kernel DMA Protection?

Kernel DMA Protection prevents external peripherals — Thunderbolt docks, USB devices, and M.2 drives — from accessing system memory without explicit permission. It works by routing all DMA requests through the system’s IOMMU, which enforces access boundaries at the kernel level.

The feature ships with Windows 10 (Release 1809 and newer) and every edition of Windows 11. It requires UEFI firmware; Legacy BIOS systems cannot support it regardless of the Windows version installed.

Is Kernel DMA Protection Already Running On Your PC?

Most Windows PCs manufactured in the last few years have this feature enabled out of the box. Checking the current state takes under a minute.

Press Windows + I to open Settings, then go to Privacy & Security > Windows Security > Open Windows Security. Select Device Security > Core Isolation Details > Memory Access Protection. The Kernel DMA Protection line shows either ON or OFF.

If it reads ON, the feature is active and no further action is needed. If it reads OFF, the underlying hardware support is missing or disabled — the next section covers the fix.

Enable Kernel DMA Protection When BIOS Settings Hide The Option

When Windows reports it as OFF, the solution lives in the UEFI BIOS. The toggle inside Windows Security can only disable the feature — it cannot turn it on when the hardware layer is inactive.

Before touching BIOS settings, open System Information (search for msinfo32) and check the BIOS Mode entry. If it says “Legacy,” the system cannot run Kernel DMA Protection. The machine must use UEFI firmware.

Enter The UEFI BIOS

Restart the PC and press the BIOS setup key during startup — typically F2, F10, DEL, or F12. The exact key varies by manufacturer (Dell, HP, Lenovo, and ASUS all use different keys; check the on-screen prompt or the PC manual).

Enable The Required Settings

Navigate to the Security tab or Advanced CPU Settings. Look for each of these options and set them to Enabled:

  • Kernel DMA Protection — sometimes labeled OS Kernel DMA Support
  • Intel Virtualization Technology for I/O (VT-d) — on Intel systems
  • IOMMU — on AMD systems

On some Dell machines the setting appears as Enable OS Kernel DMA Support under the Security tab. If nothing is found under Security, check the Advanced or CPU Configuration submenu.

Save And Verify

Press F10 to save changes and exit. After Windows restarts, return to Memory Access Protection in Windows Security. Kernel DMA Protection should now read ON.

To confirm, open System Information (msinfo32) and find Kernel DMA Protection under System Summary. A value of Enabled means the feature is active at both the firmware and OS levels.

The Most Common Reason DMA Protection Stays OFF

When enabling the BIOS settings above doesn’t change the Windows status, the cause is almost always one of these:

Mistake Why It Fails How To Fix It
Relying on the Windows toggle The Core Isolation switch only disables the feature; it can’t enable hardware support Use the BIOS settings, not Windows Settings
Enabling DMA protection but not VT-d or IOMMU Kernel DMA Protection requires IOMMU to function; VT-d or AMD-Vi must be active Enable both Kernel DMA Protection and VT-d (Intel) or IOMMU (AMD)
Legacy BIOS mode The feature requires UEFI firmware; Legacy BIOS lacks the necessary DMA remapping hardware layer Switch to UEFI mode (may require Windows reinstall)
Checking the wrong BIOS tab Manufacturers place DMA settings under Security, Advanced, or CPU Configuration — rarely all three Search each tab systematically; consult the motherboard manual
BIOS reset after boot failure Some boards revert to defaults after a failed boot, disabling the changes Re-enter BIOS and confirm settings are saved
Setting the option to Disabled Some BIOS layouts use counterintuitive labels; “OS Kernel DMA Support” set to Disabled blocks the feature Read the option label carefully; set to Enabled
CPU or chipset lacks IOMMU support Intel pre-Tiger Lake and AMD pre-Zen 3 may not support the required IOMMU features Check CPU specifications; older hardware cannot enable this feature

Microsoft’s official Kernel DMA Protection documentation confirms that Virtualization-Based Security (VBS) is not required for the feature to work. The only hard requirements are UEFI firmware and an enabled IOMMU.

Can Enabling DMA Protection Cause Problems?

In most cases the feature runs silently with no visible impact. Two situations can create complications:

Driver conflicts. Enabling Kernel DMA Protection may cause Windows to block drivers that don’t support DMA remapping. If a device stops working after enabling the feature, update its driver from the manufacturer’s site before attempting a workaround.

Anti-cheat software in games. Games like Valorant and PUBG use kernel-level anti-cheat systems that can conflict with DMA protection when drivers are incompatible. The fix is updating system drivers, not disabling the security feature.

Component Requirement Notes
Operating System Windows 10 1809+, Windows 11 all editions Home, Pro, Enterprise all supported
Firmware UEFI only Legacy BIOS cannot provide DMA remapping
Intel CPU Tiger Lake (11th-gen) or newer with VT-d enabled VT-d must be turned on in BIOS
AMD CPU Zen 3 or newer with IOMMU enabled IOMMU must be turned on in BIOS
Virtualization-Based Security Not required VBS is independent of DMA protection
IOMMU technology Intel VT-d or AMD-Vi Controls memory access mapping at the chipset level
Protected ports Thunderbolt 3 or 4, USB 3.x+, NVMe M.2 External device DMA is blocked when the feature is active

Group Policy For IT: Block Incompatible Devices

Enterprise administrators can enforce strict DMA protection across managed devices. The relevant policy lives under Computer Configuration > Administrative Templates > System > Kernel DMA Protection in the Group Policy Editor. Setting the Enumeration policy for external devices incompatible with Kernel DMA Protection to Block All prevents any device without DMA remapping support from enumerating on the system.

The DmaGuard.admx template is included with Windows 10 Release 1809 and Server 2019 Administrative Templates. On older systems the policy path may not appear.

Verifying Kernel DMA Protection Is Active

After making changes, run through these checks to confirm everything is working:

  • Windows Security shows Kernel DMA Protection as ON
  • System Information (msinfo32) lists Kernel DMA Protection as Enabled
  • Thunderbolt and USB devices function normally
  • Games and apps launch without driver-related errors

If the feature still reads OFF after enabling VT-d, IOMMU, and Kernel DMA Support in UEFI, the hardware likely does not support the feature at the chipset level — no further software change can enable it.

References & Sources

Please use a real email you check. If it's fake or mistyped, your message won't reach us and we can't reply — wrong addresses are rejected automatically.