How to Disable Bluetooth on Windows using Intune

In an enterprise environment, if users do not need a particular operating system feature, that feature should be blocked or disabled to reduce the attack surface.

Bluetooth connections can potentially be vulnerable to hacking and unauthorized access. Disabling Bluetooth when you’re not actively using it reduces the risk of someone trying to exploit vulnerabilities in Bluetooth protocols to gain access to your device or data.

You can easily disable Bluetooth by creating a device configuration profile and using a setting from the settings catalog called Allow Bluetooth under the Connectivity Category.

Bluetooth is not disabled on devices by default. To disable it using Intune, set the Allow Bluetooth value to the following:

Disable Bluetooth – The radio in the Bluetooth control panel will be greyed out, and the user will not be able to turn Bluetooth on


You can learn more about this setting by visiting the link Allow Bluetooth OMA-URI, which offers additional information. The screenshot below shows the Operating system versions/editions supported by this policy setting.

Please note that there is a red cross sign next to the User under the Scope column. That means it is a device-based policy setting. Targeting this policy to an Azure AD group containing devices is best.

AllowBluetooth OMA-URI configuration setting for Windows 10/11

STEP 1 – Create a Device Configuration Profile

To create a device configuration profile, follow the below steps:

  • Sign in to the Intune admin center.
  • Click on Devices > Configuration > Create > New Policy.
  • Platform: Windows 10 and later.
  • Profile type: Settings Catalog.

Basics

Provide a Name and Description for the profile. For example:

  • Name: Disable Bluetooth on Windows 10/11 devices
  • Description: This Intune policy will disable Bluetooth on Windows 10/11 devices.

Configuration settings

Click on + Add settings and search for connectivity under the Settings picker. Under the Connectivity category, you will find an Allow Bluetooth setting. Select it to add it to the Configuration settings page.

You will get the below three options for the Allow Bluetooth setting. As we have to disable Bluetooth, we will choose the first option, Disable Bluetooth.

  1. Disable Bluetooth, The radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on.
  2. Reserved, The radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
  3. Allow Bluetooth, The radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.

Assignments

You should first test whether this device configuration profile works correctly before rolling it out to all other users' devices. To do that, create an Entra security group and add test devices to it.

Once testing is completed successfully, you can expand the list of devices and include business users. If you need to cover all Intune-managed devices, you can also click on + Add all devices.

Review + Create

Review the device configuration profile details on the Review + Create tab and click Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
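
One way to force the sync from PowerShell on the device, shown as an added example rather than code from the original article. It assumes MDM enrollment created the usual PushLaunch scheduled task under \Microsoft\Windows\EnterpriseMgmt\ and that the session is elevated; the function name Invoke-IntuneSync is hypothetical.

```powershell
# Added example: trigger an Intune (MDM) device check-in locally.
# Assumption: enrollment registered a 'PushLaunch' scheduled task under
# \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\. Run elevated.
function Invoke-IntuneSync {
    [CmdletBinding()]
    param([int]$TimeoutSeconds = 120)

    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
                               -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
    if (-not $tasks) {
        throw 'No PushLaunch task found; the device does not appear to be MDM-enrolled.'
    }

    foreach ($task in $tasks) {
        $task | Start-ScheduledTask

        # Poll until the task leaves the Running state or the timeout expires.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 2
            $state = (Get-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath).State
        } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskPath       = $task.TaskPath
            State          = $state
            LastRunTime    = $info.LastRunTime
            LastTaskResult = $info.LastTaskResult   # 0 means the task launched successfully
        }
    }
}

Invoke-IntuneSync
```

A LastTaskResult of 0 only confirms that the check-in was started; whether the Allow Bluetooth setting was applied still has to be confirmed from the deployment report or the device logs.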

STEP 2 – Monitoring Deployment Progress

To monitor the deployment progress of a Device configuration profile, follow the below steps:

  • Sign in to the Intune admin center.
  • Click on “Devices” and then select Configuration.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on “View report” to access more detailed information.

End-user Experience

Once this policy has been successfully applied to target devices, Bluetooth will be disabled for all users. Users will also not be able to switch it on. I have captured before and after screenshots to show you the policy effect on the device:

Before disabling Bluetooth on a Windows 11 device.

After disabling Bluetooth on a Windows 11 device

Other Bluetooth settings available on Intune admin center

Not only can you enable or disable Bluetooth on Windows 10/11 devices using Intune, but you can also configure additional settings related to Bluetooth. To find these extra Bluetooth options within the Intune admin center, use the settings picker and search for Bluetooth. Then, click on the Bluetooth category.

Additional Bluetooth settings on Intune admin center

Please find more details about each setting in the table below:

| Bluetooth Setting Name | Description |
| --- | --- |
| Allow Advertising | Specifies whether the device can send out Bluetooth advertisements. If this is not set or it is deleted, the default value of 1 (Allow) is used. The most restricted value is 0. |
| Allow Discoverable Mode | Specifies whether other Bluetooth-enabled devices can discover the device. If this is not set or it is deleted, the default value of 1 (Allow) is used. Most restricted value is 0. |
| Allow Prepairing | This policy allows IT administrators to block users on these managed devices from using Swift Pair and other proximity-based scenarios. |
| Allow Prompted Proximal Connections | When pairing Bluetooth devices, multiple levels of encryption strength are used. This policy helps prevent weaker devices from being used cryptographically in high-security environments. |
| Local Device Name | This policy allows IT administrators to block users on these managed devices from using Swift Pair and other proximity-based scenarios. |
| Services Allowed List | Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide. |
| Set Minimum Encryption Key Size | Specifies whether other Bluetooth-enabled devices can discover the device. If this is not set or it is deleted, the default value of 1 (Allow) is used. The most restricted value is 0. |

You can read more about each policy setting here: Bluetooth Policy CSP

FAQs

Where can I find logs related to Device Configuration Profile?

For checking the logs related to a device configuration profile deployment via Intune, you can follow the below steps:

– Press the Windows key + R to open the Run dialog box
– Type eventvwr and press Enter to open Event Viewer.
– Go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin folder.
– Search for Event ID 813 or 814 and go through the logs to find the one related to this deployment. [Please refer to the below screenshot showing Event ID 813 Information]

Event ID 813 shows that Allow Bluetooth setting has been implemented successfully
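
The same check can be scripted instead of browsing Event Viewer. The following is an added example, not code from the original article: it pulls the Event ID 813/814 entries for this policy and reads the value the MDM policy engine stored. The function name Get-AllowBluetoothStatus, the assumption that the event message contains the text "AllowBluetooth", and the PolicyManager registry path are assumptions of this example.

```powershell
# Added example: confirm on a managed device that Connectivity/AllowBluetooth was applied.
# Run in an elevated PowerShell session.
function Get-AllowBluetoothStatus {
    [CmdletBinding()]
    param([int]$MaxEvents = 5)

    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    # Integer values of the AllowBluetooth policy and the labels shown in the settings catalog.
    $labels = @{ 0 = 'Disable Bluetooth'; 1 = 'Reserved'; 2 = 'Allow Bluetooth' }

    # Event ID 813/814 entries whose message names the policy, newest first
    # (assumption: the message text contains "AllowBluetooth").
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 813, 814 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AllowBluetooth' } |
        Select-Object -First $MaxEvents)

    # Value currently stored by the MDM policy engine
    # (assumption: device-scope values are kept under this PolicyManager key).
    $regPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Connectivity'
    $item = Get-ItemProperty -Path $regPath -Name 'AllowBluetooth' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'Not configured by MDM'
    }
    else {
        $value = [int]$item.AllowBluetooth
        $state = if ($labels.ContainsKey($value)) { "$value ($($labels[$value]))" } else { "$value (unknown)" }
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        PolicyValue  = $state
        Compliant    = ($null -ne $item -and [int]$item.AllowBluetooth -eq 0)
        LastApplied  = if ($events.Count) { $events[0].TimeCreated } else { $null }
        RecentEvents = $events | Select-Object TimeCreated, Id, Message
    }
}

Get-AllowBluetoothStatus | Format-List
```

Compliant is true only when the stored value is 0, the Disable Bluetooth option; a device that has not yet checked in reports "Not configured by MDM".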
