I recently got the question whether it is possible to block file transfers over a Bluetooth connection between a Windows device and a mobile device. Although I think it is better to protect your data files with a Data Loss Prevention solution than to try to prevent your users from sharing data via whatever feature, it certainly is possible to block this.
With Microsoft Intune, we can manage a couple of settings related to Bluetooth. The related CSPs are listed in this Microsoft documentation. Among these settings is a setting that specifies whether the device can send out Bluetooth advertisements, and a setting to block Bluetooth pairing. But using these kinds of settings would also block the use of Bluetooth mice or headphones.
We also have the setting ServicesAllowedList.
When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services.
This means we can allow only the Bluetooth services we need, such as the services mice, keyboards and headphones use to connect, while not allowing Bluetooth file transfers.
The allowed services need to be specified by their Bluetooth service UUID. Luckily for us, the CSP documentation for this is pretty good, as there is a ServicesAllowList usage guide.
The guide describes what the setting does, gives an example, and links to the Service Discovery page on the Bluetooth SIG website, which contains a long list of Bluetooth UUIDs.
But the Microsoft documentation already lists the commonly used UUIDs for audio headsets, and for keyboards and mice.
It also shows the file transfer UUID, which we should not add to the allow list.
Configure the Intune configuration profile
Fortunately, we no longer need to use the CSP with a custom configuration profile; we have other options these days. The Services Allowed List is available in a Settings Catalog profile and in an Endpoint security (ASR) Device control policy.
I’ll show you in this example how to use a Device control profile to block Bluetooth file transfer.
First, we need to sign in to the Intune admin center.
- Browse to Endpoint Security, Attack surface reduction
- Click Create Policy
- Select Windows 10, Windows 11, and Windows Server as Platform
- Select Device Control as Profile type
- Click Create
- Enter a Name for the profile
- Enter a Description (optional)
- Click Next
Scroll down to the Bluetooth section.
Here we find the Services Allow List. We need to add every Bluetooth UUID that we want to allow to this list, one UUID per line, as found in the documentation.
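The allow list is easy to get wrong by copy-paste, because the file transfer UUIDs look just like the headset and HID ones. The following is an added example (not from the original post or from Microsoft's documentation) that expands the 16-bit Bluetooth SIG assigned numbers to the 128-bit UUIDs the list takes, one per line, and audits a pasted list for the OBEX file transfer services. Which services to allow is an assumption for the example; the assigned numbers are Bluetooth SIG values.

```python
from uuid import UUID

# Bluetooth SIG base UUID: a 16-bit assigned number 0xXXXX expands to
# 0000XXXX-0000-1000-8000-00805F9B34FB, the form the policy takes.
BT_BASE_UUID = UUID("00000000-0000-1000-8000-00805F9B34FB")

# Assumed allow-set for this example (Bluetooth SIG assigned numbers):
# audio plus HID, so headsets, mice and keyboards keep working.
ALLOWED_SERVICES = {
    0x110B: "Audio Sink (A2DP)",
    0x111E: "Handsfree",
    0x1124: "Human Interface Device",
    0x1812: "HID over GATT (BLE mice/keyboards)",
}
# Services that carry file transfers; these must stay off the allow list.
FILE_TRANSFER_SERVICES = {0x1105: "OBEX Object Push", 0x1106: "OBEX File Transfer"}


def expand_uuid(short: int) -> str:
    """Expand a 16-bit assigned number to its 128-bit UUID string."""
    if not 0 <= short <= 0xFFFF:
        raise ValueError(f"not a 16-bit assigned number: {short:#x}")
    return str(UUID(int=BT_BASE_UUID.int | (short << 96))).upper()


def short_id(uuid_text: str):
    """16-bit assigned number behind a UUID, or None when the UUID is not
    derived from the base UUID (e.g. vendor-specific). Braces {} are accepted."""
    value = UUID(uuid_text.strip())
    if value.int & ((1 << 96) - 1) != BT_BASE_UUID.int:
        return None
    return (value.int >> 96) & 0xFFFF


def build_allow_list(services) -> list[str]:
    """ServicesAllowedList entries, one UUID per line; refuses file-transfer
    services so they cannot slip in by copy-paste."""
    for short in services:
        if short in FILE_TRANSFER_SERVICES:
            raise ValueError(f"refusing to allow {FILE_TRANSFER_SERVICES[short]}")
    return [expand_uuid(short) for short in sorted(services)]


def audit_allow_list(lines) -> list[str]:
    """Names of any file-transfer services found in an existing allow list,
    as pasted from the profile (blank lines ignored)."""
    found = []
    for line in lines:
        if line.strip():
            number = short_id(line)
            if number in FILE_TRANSFER_SERVICES:
                found.append(FILE_TRANSFER_SERVICES[number])
    return found
```

Paste the output of build_allow_list into the Services Allow List field; run audit_allow_list over the field's current contents before changing an existing profile.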
End-user experience
Looking at the end-user experience, we notice the following. I first configured the Device control profile to allow only headsets. And indeed I could connect my (good old) Sony headset and use it without any problems.
I could still add my Bluetooth mouse, but after pairing the mouse with the laptop it showed a driver error and the mouse no longer worked.
After adding the mouse and keyboard UUIDs, I could use my mouse again.
I could still pair my Android device with my Windows 11 laptop.
And I could still start a file transfer from my Windows device to my mobile device.
For a second I thought I could still transfer files via Bluetooth to my mobile device.
However, the file transfer did not complete.
Mission accomplished! File transfer via Bluetooth is blocked on my Windows device using Microsoft Intune.
Thanks for reading!