Intune + Microsoft 365 Defender Bluetooth Block & Exclusions

Heimdallr 266 Reputation points
2023-02-07T23:09:40.71+00:00

Hi All,

I have been experimenting for a week now with Intune and Defender for Endpoint security features, and I find this to be really hard and inconsistent (there are lots of policies that kind of collide and cause problems, and the GUI solutions really only solve half of the problems).

What I've achieved so far:

  • I've blocked removable storage via OMA-URI.
  • I've added exclusions via XMLs to unlock certain USB sticks.
  • In order to block all USB pluggable devices other than external storage, I've created 2 policies via Administrative Templates: a) "Allow installation of devices using drivers that match these device setup classes" and b) "Prevent installation of devices not described by other policy settings". Note: in the Allow one, I've added class GUIDs from https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb#common-class-guids-to-allow-usb-devices. So far, nothing other than a keyboard, wired headset, mouse and the approved USB sticks seems to work, and that's great.

Now what about Bluetooth? I want to make sure that I can also prevent every type of Bluetooth to prevent data leakage (except, as above, any sort of headsets, mice and keyboards). I have no idea how to approach this one, to be honest. If I try to add GUIDs from https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist-usage-guide to any of the above, it simply does nothing: I plug in my Jabra headset's Bluetooth adapter and I get told right in my face that it's blocked. If I use Endpoint Manager configuration profile > Device restrictions > Cellular and connectivity and, for example, disable everything under Bluetooth and add exclusions there from the link above, nothing happens. If I keep blocking all BT settings except the first one and keep the exclusions, also nothing happens.

Does anyone have any idea how to solve this, or what I did wrong here? My general purpose is to make my environment fully secure so that only the basic equipment needed to work (keyboard, mouse, headset, some USB sticks) is working and I can toss in exclusions. I think I've either overcomplicated this, and that's why the Bluetooth part doesn't catch up, or I'm doing something wrong, because other than these GUI settings I can't seem to understand how I can also block all BT devices that are not part of a group of commonly understood headsets, keyboards and so on.

Thanks!


1 answer

  1. Crystal-MSFT 41,761 Reputation points Microsoft Vendor
    2023-02-08T05:24:55.19+00:00

    @Heimdallr, Thanks for posting in Q&A.

    For these Bluetooth devices, if we go to Device Manager, find them, check the properties and select Details, can we get their class GUID?

    If we can, we can add the class GUID to the allow installation list to see if it works.

    Hope it can help.

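The answer above suggests reading each Bluetooth device's class GUID out of Device Manager and comparing it with the allow list. The following PowerShell script is an added example, not code from the thread or from Microsoft: it lists the Bluetooth-enumerated devices present on the machine together with their setup class GUIDs and current status, and marks whether each class is already in the "Allow installation of devices using drivers that match these device setup classes" list. It assumes the policy is written to the standard DeviceInstall\Restrictions registry location and that it is run in an elevated session on the managed Windows 10/11 client; both are assumptions about the environment, not facts taken from the thread.

```powershell
# Added example (not from the thread): report Bluetooth devices with their setup
# class GUIDs and check them against the device-installation allow list.
# Assumptions: run as Administrator on the managed Windows 10/11 client; the
# Administrative Template "Allow installation of devices using drivers that match
# these device setup classes" writes its GUIDs under the AllowDeviceClasses subkey
# of the Restrictions key below, one numbered string value per "{GUID}".

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-AllowedDeviceClassGuids {
    # Returns the allowed setup class GUIDs as lower-case strings without braces,
    # or an empty list when the policy is not applied on this machine.
    $allowKey = Join-Path $RestrictionsKey 'AllowDeviceClasses'
    if (-not (Test-Path $allowKey)) { return @() }
    $item = Get-Item -Path $allowKey
    foreach ($name in $item.GetValueNames()) {
        ([string]$item.GetValue($name)).Trim('{}').ToLowerInvariant()
    }
}

function Get-BluetoothDeviceReport {
    # Bluetooth-enumerated hardware appears under the BTHENUM (and BTH) enumerators,
    # so the instance ID prefix is used as the filter. Status reflects whether the
    # device installed (OK) or is in an error state, e.g. blocked by policy.
    Get-PnpDevice | Where-Object { $_.InstanceId -like 'BTH*' } | ForEach-Object {
        [PSCustomObject]@{
            FriendlyName = $_.FriendlyName
            Class        = $_.Class
            ClassGuid    = ([string]$_.ClassGuid).Trim('{}').ToLowerInvariant()
            Status       = $_.Status
            ErrorCode    = $_.ConfigManagerErrorCode
            InstanceId   = $_.InstanceId
        }
    }
}

$allowed = @(Get-AllowedDeviceClassGuids)
$denyUnspecified = (Get-ItemProperty -Path $RestrictionsKey -ErrorAction SilentlyContinue).DenyUnspecified

Write-Host ("DenyUnspecified = {0}; allowed class GUIDs configured: {1}" -f $denyUnspecified, $allowed.Count)

# Flag each device's class as allowed or not, so devices that should keep working
# (headsets, mice, keyboards) but sit in an unlisted class stand out.
Get-BluetoothDeviceReport |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName InAllowList -NotePropertyValue ($allowed -contains $_.ClassGuid) -PassThru
    } |
    Sort-Object InAllowList, Class |
    Format-Table FriendlyName, Class, ClassGuid, Status, ErrorCode, InAllowList -AutoSize
```

Devices reported with `InAllowList` false while `DenyUnspecified` is 1 are the ones the "Prevent installation of devices not described by other policy settings" rule will block; the `ClassGuid` column gives the value to add to the allow list for the peripherals that should keep working. Checking the client this way also confirms whether the Intune policy actually reached the registry before spending time on the Bluetooth CSP settings.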