How to Disable Bluetooth on Windows using Intune

In an enterprise environment, if users are not using certain functionality of the operating system, it should be blocked or disabled to reduce the attack surface.

Bluetooth connections can potentially be vulnerable to hacking and unauthorized access. Disabling Bluetooth when you’re not actively using it reduces the risk of someone trying to exploit vulnerabilities in Bluetooth protocols to gain access to your device or data.

You can easily disable Bluetooth by creating a device configuration profile and using a setting from settings catalog called “Allow Bluetooth” under Connectivity Category.

Bluetooth is not disabled on devices by default. To disable it using Intune, set the “Allow Bluetooth” setting to the following value:

Disable Bluetooth – The radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on


You can learn more about this setting by visiting the link Allow Bluetooth OMA-URI, which offers additional information about it. The screenshot below shows the operating system versions and editions supported by this policy setting.

Please note that there is a red cross sign next to the User under the Scope column. That means it is a device-based policy setting. It’s best if you target this policy to an Azure AD group containing devices.

AllowBluetooth OMA-URI configuration setting for Windows 10/11

STEP 1 – Create a Device Configuration Profile

To create a device configuration profile, follow the steps below:

  • Sign in to the Microsoft Intune admin center
  • Click on Devices > Configuration profiles
  • Click on + Create profile
  • Platform: Windows 10 and later
  • Profile type: Settings Catalog

Basics

Provide a Name and Description of the profile. For Example:

  • Name: Disable Bluetooth on Windows 10/11 devices
  • Description: This Intune policy will disable Bluetooth on Windows 10/11 devices.

Configuration settings

Click on + Add settings and then search for “connectivity” under Settings picker. You will find a setting called “Allow Bluetooth” under Connectivity category. Select it to add it on Configuration settings page.

You will get the following three options for the “Allow Bluetooth” setting. As we have to disable Bluetooth, we will go with the Disable Bluetooth option.

  • Disable Bluetooth, The radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on
  • Reserved, The radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
  • Allow Bluetooth, The radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.

Assignments

It is recommended to first test that this device configuration profile works as expected before applying it to all other users’ devices. To do so, you can create an Entra ID group and add test devices to this group.

Once the testing is completed successfully, you can expand the list of devices and include business users as well. If your requirement is to cover all Intune-managed devices, you could also click on + Add all devices.

Review + Create

On Review + Create tab, review the device configuration profile details and click on Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

STEP 2 – Monitoring Deployment Progress

To monitor the deployment progress of a device configuration profile, follow the steps below:

  • Sign in to the Microsoft Intune admin center.
  • Click on “Devices” and then select “Configuration profiles”.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on “View report” to access more detailed information.

End-user Experience

Once this policy has been successfully applied to target devices, Bluetooth will be disabled for all users. Users will also not be able to switch it on. I have captured before and after screenshots to show you the policy effect on the device:

Before disabling Bluetooth on a Windows 11 device.

After disabling Bluetooth on a Windows 11 device

Other Bluetooth settings available on Intune admin center

Not only can you enable or disable Bluetooth on Windows 10/11 devices using Intune, you can also configure additional settings related to Bluetooth. To find these extra Bluetooth options within the Intune admin center, use the settings picker and search for “bluetooth”. Then, click on the Bluetooth category.

Additional Bluetooth settings on Intune admin center

Please find more details about each setting in the below table:

| Bluetooth Setting Name | Description |
|---|---|
| Allow Advertising | Specifies whether the device can send out Bluetooth advertisements. If this is not set or it is deleted, the default value of 1 (Allow) is used. The most restricted value is 0. |
| Allow Discoverable Mode | Specifies whether other Bluetooth-enabled devices can discover the device. If this is not set or it is deleted, the default value of 1 (Allow) is used. The most restricted value is 0. |
| Allow Prepairing | Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. |
| Allow Prompted Proximal Connections | This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity-based scenarios. |
| Local Device Name | Sets the local Bluetooth device name. If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify the value that was specified. If this policy is not set or it is deleted, the default local radio name is used. |
| Services Allowed List | Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide. |
| Set Minimum Encryption Key Size | There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent cryptographically weaker devices from being used in high security environments. |

You can read more about each policy setting here: Bluetooth Policy CSP

FAQs

Where can I find logs related to Device Configuration Profile?

To check the logs related to a device configuration profile deployment via Intune, follow the steps below:

– Press Windows key + R to open Run dialog box
– Type eventvwr and press Enter to open Event Viewer.
– Go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin folder.
– Search for Event ID 813 or 814 and go through the logs to find the one related to this deployment. [Please refer to below screenshot showing Event ID 813 Information]

Event ID 813 shows that “Allow Bluetooth” setting has been implemented successfully
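
The same check can be scripted on a test device. The following is an added example, not part of the original article: it reads the Admin log named in the steps above for Event ID 813/814 entries that mention AllowBluetooth and reports the value that was set. The "Int: (0x…)" message format, the PolicyManager registry path, and the numeric meanings (taken from the Policy CSP) are assumptions to confirm on your own build.

```powershell
# Added example (not from the original article). Run elevated on the managed device.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
# Numeric values of Connectivity/AllowBluetooth as documented in the Policy CSP.
$meaning = @{ 0 = 'Disable Bluetooth'; 1 = 'Reserved'; 2 = 'Allow Bluetooth' }

function Get-AllowBluetoothEvent {
    # Event IDs 813/814 are written when the MDM PolicyManager sets a policy value.
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 813, 814 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AllowBluetooth' } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1
}

function Get-AllowBluetoothValue {
    param([string]$Message)
    # Assumption: integer policies are logged as "Int: (0x0)"; return $null otherwise.
    if ($Message -match 'Int:\s*\(0x([0-9A-Fa-f]+)\)') {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    return $null
}

$evt = Get-AllowBluetoothEvent
if (-not $evt) {
    Write-Warning 'No AllowBluetooth event found. Sync the device and run this again.'
} else {
    $value = Get-AllowBluetoothValue -Message $evt.Message

    # Assumption: PolicyManager keeps the merged device value under this registry key.
    $regPath  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Connectivity'
    $regValue = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).AllowBluetooth

    [pscustomobject]@{
        EventTime     = $evt.TimeCreated
        EventId       = $evt.Id
        LoggedValue   = $value
        LoggedMeaning = if ($null -ne $value) { $meaning[$value] } else { 'not parsed, read the event message' }
        RegistryValue = $regValue
        # Both sources must report 0 (Disable Bluetooth) for the policy to count as applied.
        Compliant     = ($value -eq 0 -and $regValue -eq 0)
    }
}
```

If Compliant is False while the Intune report shows Success, compare LoggedValue with RegistryValue: a mismatch usually means a newer policy or a conflicting profile has changed the setting since the event was written.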
