Disable Bluetooth File Transfer with ConfigMgr

March 27, 2024

Update: Add {0000111F-0000-1000-8000-00805F9B34FB} for certain Polycom Bluetooth devices.

I recently got a request to see if it was possible to disable Bluetooth file transfer without disabling Bluetooth (because that would be bad) using Configuration Manager. Challenge accepted! First things first, read up on the Bluetooth Policy CSP to see if it is possible and what is involved. Second, do a search on the internet to see if someone else has already solved this problem. After searching and searching, the only things that I found were blogs that regurgitated the docs on how to completely disable Bluetooth. That was a non-starter with all of the Bluetooth devices in use today.

Back to the policy to see if I could create a PowerShell script that could be used in a Configuration Item and Configuration Baseline. In the CSP, there is a setting called ServicesAllowedList. The default for this setting is an empty string, which means that every service is allowed. However, once a value is defined, only the services in that value are allowed and everything else is blocked. Services are identified by their UUIDs, written in braces and separated by semicolons (the format used in the scripts below).

In my searches, I had found some suggestions of using AppLocker to block the executable that is used for Bluetooth file transfer, fsquirt.exe. However, from the searches, it appears that this might not block file transfers from third-party apps that use the Microsoft Bluetooth API. File transfer depends on two entries in the Bluetooth SIG assigned numbers: the OBEX Object Push (OPP) service (0x1105), which is the profile used to push files, and the Object Exchange (OBEX) protocol (0x0008) that it runs over (the related OBEX File Transfer profile is 0x1106). Because ServicesAllowedList is an allow-list, leaving these out of the list should block any Bluetooth file transfer no matter which application initiates it, and that is what the scripts below do.

That left 14 UUIDs that needed to be in the allowed list so that other Bluetooth devices (headsets and audio sinks, remote controls, HID devices, and the generic GATT services) continue to work; the update at the top of this post adds a 15th, the Handsfree Audio Gateway service, for certain Polycom devices. Using a little bit of PowerShell running as SYSTEM (the setting is written through the MDM bridge namespace root\cimv2\mdm\dmmap, which is only accessible as SYSTEM; running as Admin is not enough), we can check that this value is set correctly and set it if it is not.
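As an added example (this is not code from the original post, and the function names are mine), the following PowerShell builds a ServicesAllowedList value from 16-bit Bluetooth SIG assigned numbers, refuses to include the OBEX, OPP and FTP services, and decodes whatever a device currently has applied so you can see by name which services are allowed. The service-name table is a constructed subset covering the UUIDs used in this post; the MDM bridge read at the end has to run as SYSTEM (for example under psexec -s) and will throw otherwise.

```powershell
# Added example, not from the original post: compose and decode ServicesAllowedList values.

# Bluetooth Base UUID: a 16-bit assigned number XXXX expands to 0000XXXX-0000-1000-8000-00805F9B34FB
$BaseUuidSuffix = '-0000-1000-8000-00805F9B34FB'

# Constructed subset of the Bluetooth SIG assigned numbers (service class / protocol UUIDs)
$ServiceNames = @{
    '0008' = 'OBEX (protocol)'
    '1105' = 'OBEX Object Push (OPP)'
    '1106' = 'OBEX File Transfer (FTP)'
    '1108' = 'Headset'
    '110B' = 'Audio Sink (A2DP)'
    '110C' = 'A/V Remote Control Target'
    '110E' = 'A/V Remote Control'
    '110F' = 'A/V Remote Control Controller'
    '111E' = 'Handsfree'
    '111F' = 'Handsfree Audio Gateway'
    '1124' = 'Human Interface Device (HID)'
    '1200' = 'PnP Information'
    '1203' = 'Generic Audio'
    '1800' = 'Generic Access (GATT)'
    '1801' = 'Generic Attribute (GATT)'
    '180A' = 'Device Information (GATT)'
    '1812' = 'HID over GATT'
    '1813' = 'Scan Parameters (GATT)'
}

# Services that must never appear in the list if the goal is to block file transfer
$FileTransferUuids = @('0008', '1105', '1106')

function New-BluetoothServicesAllowedList {
    param([Parameter(Mandatory)][string[]]$ShortUuid)
    foreach ($u in $ShortUuid) {
        if ($u -notmatch '^[0-9A-Fa-f]{4}$') { throw "Not a 16-bit UUID: $u" }
        if ($FileTransferUuids -contains $u.ToUpper()) {
            throw "Refusing to allow file-transfer service $u ($($ServiceNames[$u.ToUpper()]))"
        }
    }
    # CSP format: full UUIDs in braces, upper case, semicolon separated, no spaces
    ($ShortUuid | ForEach-Object { '{0000' + $_.ToUpper() + $BaseUuidSuffix + '}' }) -join ';'
}

function ConvertFrom-BluetoothServicesAllowedList {
    param([AllowEmptyString()][string]$Value)
    if ([string]::IsNullOrEmpty($Value)) {
        return [pscustomobject]@{ Uuid = ''; Short = $null; Name = 'Empty list: all services allowed' }
    }
    foreach ($entry in $Value -split ';') {
        $short = if ($entry -match '^\{?0000([0-9A-Fa-f]{4})-0000-1000-8000-00805F9B34FB\}?$') { $Matches[1].ToUpper() } else { $null }
        $name = if ($short -and $ServiceNames.ContainsKey($short)) { $ServiceNames[$short] }
                elseif ($short) { 'Unknown 16-bit service' }
                else { 'Vendor-specific 128-bit UUID' }
        [pscustomobject]@{ Uuid = $entry; Short = $short; Name = $name }
    }
}

# The 14 UUIDs from this post; add '111F' for the Polycom case noted in the update
$Allowed = '111E','1203','1108','1200','110B','110C','110E','110F','1124','1801','1812','1800','180A','1813'
$Target = New-BluetoothServicesAllowedList -ShortUuid $Allowed

# Read the value the policy engine has applied (SYSTEM only; the Result class is what the CI compares)
$Current = (Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_Policy_Result01_Bluetooth02' -ErrorAction Stop).ServicesAllowedList

'Target list:';  ConvertFrom-BluetoothServicesAllowedList $Target  | Format-Table Short, Name -AutoSize
'Current list:'; ConvertFrom-BluetoothServicesAllowedList $Current | Format-Table Short, Name -AutoSize
'Matches target: ' + ($Current -eq $Target)
```

Generating the string from the short numbers, rather than hand-editing the 14-entry literal, is what keeps a vendor's extra GUID from being pasted in with a typo or with one of the OBEX entries re-added by accident; a vendor-supplied 128-bit UUID that does not follow the base-UUID pattern shows up in the decoded output as vendor-specific rather than silently passing.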

In ConfigMgr, create a new CI. Be sure to select “This configuration item contains application settings”, which is what adds the Detection Methods step used below.

On the Detection Methods step, enter the following PowerShell. This will be used to determine if the system has Bluetooth: if the script writes any output, ConfigMgr treats the application as detected and evaluates the settings; if it writes nothing, the CI is reported as not applicable. It could also be modified to be used for exceptions.

#Detect Bluetooth Devices
#Any output means "detected"; no output means the CI does not apply to this system
$BluetoothDevices = Get-CimInstance -ClassName 'Win32_PnPEntity' | Where-Object { $_.Caption -like '*Bluetooth*' }
if ($BluetoothDevices) {
    Write-Output "Bluetooth Device(s) Detected"
}

On the Settings step, click the New button to create a new Setting. Give it the name Bluetooth File Transfer – Disable.

For the Discovery script, use the following PowerShell. This contains the 14 UUIDs that are to be allowed:

#Disable Bluetooth File Transfer
#Discovery Script
#22.10.15
$Compliance = "Compliant"
$TargetServicesAllowedList = "{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001124-0000-1000-8000-00805F9B34FB};{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}"
$CurrentServicesAllowedList = (Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -Query 'Select * from MDM_Policy_Result01_Bluetooth02').ServicesAllowedList

if ($CurrentServicesAllowedList -ne $TargetServicesAllowedList) 
    {
    $Compliance = "Non-compliant"
    }

$Compliance

For the Remediation script, use the following PowerShell.

#Disable Bluetooth File Transfer
#Remediation Script
#22.10.15
$Compliance = "Compliant"
$TargetServicesAllowedList = "{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001124-0000-1000-8000-00805F9B34FB};{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}"
$CurrentServicesAllowedList = (Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -Query 'Select * from MDM_Policy_Result01_Bluetooth02').ServicesAllowedList

if ($CurrentServicesAllowedList -ne $TargetServicesAllowedList) 
    {
    $Compliance = "Non-compliant"
    }

#Only remediate when the check above actually failed
#Use -eq for the comparison; a single = here would assign the string and always evaluate to true
if ($Compliance -eq "Non-compliant") {
    #Check for Instance
    $BluetoothPolicy = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -Query 'Select * from MDM_Policy_Config01_Bluetooth02'

    #Turn off Bluetooth file transfer
    #If Bluetooth policy exists then set ServicesAllowedList
    if ($BluetoothPolicy)
        {
        Set-CimInstance -InputObject $BluetoothPolicy -Property @{ParentID="./Vendor/MSFT/Policy/Config";InstanceID="Bluetooth";ServicesAllowedList=$TargetServicesAllowedList}
        }
    #If Bluetooth policy does not exist then create it and set ServicesAllowedList
    else {
        $null = New-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_Policy_Config01_Bluetooth02' -Property @{ParentID="./Vendor/MSFT/Policy/Config";InstanceID="Bluetooth";ServicesAllowedList=$TargetServicesAllowedList}
        }

    #Neither cmdlet returns a ReturnValue (Set-CimInstance returns nothing without -PassThru),
    #so re-read the applied policy and exit non-zero if the change did not take
    $CurrentServicesAllowedList = (Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -Query 'Select * from MDM_Policy_Result01_Bluetooth02').ServicesAllowedList
    if ($CurrentServicesAllowedList -ne $TargetServicesAllowedList)
        {
        Exit 1
        }
    }
Exit 0

NOTE: If you are wondering why I double-check for compliance again in the remediation script, it is because there is a bug in CM that we have hit twice now after upgrades. The remediation script will just randomly run on systems. This created a mess when our site balancing script decided to run, causing tens of thousands of clients to re-assign their site (the discovery script has a very controlled way of doing so, but the remediation did not have that logic). Now we include this for any major changes just to be safe.

Create a Compliance Rule for the setting: the rule type is Value, the value returned by the discovery script must equal the string Compliant, and check the option to run the specified remediation script when the setting is noncompliant.

Finish creating the CI and then create a Baseline. Be sure to change the Purpose to Optional: an Optional CI is only evaluated on clients where its detection method finds the application, so a targeted device that does not have Bluetooth will just report the CI as not applicable.

Create a test collection and deploy the Baseline.

An easy way to test this is to pair two Windows systems. On Windows, open up the Bluetooth & other devices menu in Settings and click on Add Bluetooth or other device.

On the Add a device window, select Bluetooth – Mice, keyboards, pens, or audio and other kinds of Bluetooth devices.

Find the device you want to pair. In my case, I am using my Surface Book.

Once the connection is successful, back in the Bluetooth & other devices menu, click on the Send or receive files via Bluetooth link.

Test a file transfer to see if it is working correctly by clicking Send files.

Select the device you would like to send the file to.

Choose a file.

And the result should be a successful file transfer.

Add the device to the collection that was set up earlier for the Baseline deployment and make sure it shows up under the Configuration Manager Properties under the Configurations tab and that it has been evaluated and is compliant.

Click the View Report button and it should show that the setting has been remediated.

Repeat the test above and this time it should say that the transfer was not completed and that file transfer is disabled by policy.

Keep in mind that this setting will persist even if the device is no longer targeted with the Bluetooth File Transfer – Disable Baseline. In the links above, I have also created a CI and Baseline that will enable file transfer again by clearing the ServicesAllowedList value. Be sure to test this in your environment with the various Bluetooth devices that are used to ensure there are no issues. In the testing that I have done, everything has continued to work, and I am able to pair/use Bluetooth devices. If you do run into any issues, please leave a comment below. Also, open up a support case with the vendor as they might have their own GUID that can be added.
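Added example (this is not one of the author's published CIs, and the function names are mine): a remediation script for a "Bluetooth File Transfer – Enable" setting that clears ServicesAllowedList so the CSP default (empty list, every service allowed) applies again. It assumes it runs as SYSTEM under the ConfigMgr client, as the MDM bridge requires, and that the bridge accepts an empty string as "clear the list"; deleting the policy node with Remove-CimInstance is the alternative if your build rejects the empty value.

```powershell
# Added example, not from the original post: undo the Disable CI by clearing the allow-list.
# Assumptions: running as SYSTEM (MDM bridge); an empty string clears the list (CSP default).

$Namespace = 'root\cimv2\mdm\dmmap'

function Get-AppliedServicesAllowedList {
    # Effective value as applied by the policy engine; $null or '' means all services allowed.
    # -ErrorAction Stop so a non-SYSTEM run fails loudly instead of reading as "compliant".
    (Get-CimInstance -Namespace $Namespace -ClassName 'MDM_Policy_Result01_Bluetooth02' -ErrorAction Stop).ServicesAllowedList
}

function Test-FileTransferEnabled {
    [string]::IsNullOrEmpty((Get-AppliedServicesAllowedList))
}

function Clear-ServicesAllowedList {
    # A class query with no instances returns nothing without an error, so Stop is safe here too
    $Policy = Get-CimInstance -Namespace $Namespace -ClassName 'MDM_Policy_Config01_Bluetooth02' -ErrorAction Stop
    if (-not $Policy) { return $true }   # no configured policy node, nothing to clear

    # Write an empty list, as the post describes. Deleting the node instead would be:
    #   Remove-CimInstance -InputObject $Policy
    Set-CimInstance -InputObject $Policy -Property @{ ServicesAllowedList = '' } -ErrorAction Stop

    # Re-read the Result class rather than trusting the Set call, which returns nothing without -PassThru
    Test-FileTransferEnabled
}

# The matching discovery script is just the check, outputting the string the Compliance Rule matches:
#   if (Test-FileTransferEnabled) { 'Compliant' } else { 'Non-compliant' }

# Remediation: re-check first so the script is harmless if CM runs it unexpectedly
# (see the note above about remediation scripts running on their own), and exit non-zero on failure
if (-not (Test-FileTransferEnabled)) {
    if (-not (Clear-ServicesAllowedList)) { exit 1 }
}
exit 0
```

Deploy the Enable baseline to the same collection only after removing the Disable baseline from it; if both are deployed, the two remediations will fight over the value on every evaluation cycle.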

Originally posted on https://miketerrill.net/
