How to block Bluetooth file transfer with Microsoft Intune

I recently got the question if it is possible to block transferring files using a Bluetooth connection between a Windows device and a mobile device. Although I think it’s better to protection your data files with a Data Loss Prevention solution, instead of trying to avoid your users to share data via whatever feature, it certainly is possible to block this.

With Microsoft Intune, we can manage a couple of settings related to Bluetooth. The related CSPs are listed in this Microsoft documentation. Among these settings is a setting to specify whether the device can send out Bluetooth advertisements or a setting to block Bluetooth pairing. But using these kinds of settings would also block usage of Bluetooth mice, or headphones.
We also have the setting ServicesAllowedList.
When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services.

This means we can only allow certain Bluetooth services we need, like allowing mice/ keyboards and headphones to connect, but not allow Bluetooth file transfers.

The allowed services need to be specified by their Bluetooth service UUID. Luckily for us the CSP documentation for this is pretty good, as we have a ServicesAllowList usage guide;

The guide describes what the settings do, an example, and a link to the Service Discovery page on the Bluetooth SIG website, that contains a long list of Bluetooth UUIDs.

But the Microsoft documentation already lists much used UUIDs for Audio headsets;

And keyboards and mice.

And it shows the file transfer UUID, that we should not add to the allow list.

Image title

Your subtitle here

Configure the Intune configuration profile

Fortunately, we don’t need to use the CSP and a custom configuration profile anymore, we have other options these days. The Services Allowed List is available in a Settings Catalog profile and an Endpoint security (ASR) Device control policy.

I’ll show you in this example how to use a Device control profile to block Bluetooth file transfer.

First, we need to sign in to the Intune admin center.

  • Browse to Endpoint SecurityAttack surface reduction
  • Click Create Policy
  • Select Windows 10, Windows 11, and Windos Server as Platform
  • Select Device Control as Profile type
  • Click Create
  • Enter a Name for the profile
  • Enter a Description (optional)
  • Click Next

Scroll down to the Bluetooth section.
Here we find the Services Allow List. We need to add every Bluetooth UUID to the list that we want to allow. One UUID per line as found in the documentation.

End-user experience

If we have a look at the end-user experience we will notice the following. I first configured it to only allow headsets in the Device control profile. And indeed I could connect my (good old) Sony headset and use it without any problems.
I could still add my Bluetooth mouse, but after pairing the mouse with the laptop it showed a driver error and the mouse didn’t work anymore.

Image title

Your subtitle here

After adding the mouse and keyboard UUIDs, I could use my mouse again.

I could still pair my Android device with my Windows 11 laptop.

And I could still start a file transfer from my Windows device to my mobile device.

I thought for a second, I could still transfer files via Bluetooth to my mobile device.

However, the file transfer did not complete.

Mission accomplished! File transfer via Bluetooth is blocked on my Windows device using Microsoft Intune.

Thanks for reading!

Be the first to comment

Leave a Reply

Your email address will not be published.