Policy CSP - Bluetooth
AllowAdvertising
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowAdvertising
Specifies whether the device can send out Bluetooth advertisements. If this isn't set or it's deleted, the default value of 1 (Allow) is used. Most restricted value is 0.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
Allowed values:
| Value | Description |
|---|---|
| 0 | Not allowed. When set to 0, the device won't send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement isn't received by the peripheral. |
| 1 (Default) | Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. |
AllowDiscoverableMode
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode
Specifies whether other Bluetooth-enabled devices can discover the device. If this isn't set or it's deleted, the default value of 1 (Allow) is used. Most restricted value is 0.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
Allowed values:
| Value | Description |
|---|---|
| 0 | Not allowed. When set to 0, other devices won't be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you can't see the name of the device. |
| 1 (Default) | Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. |
AllowPrepairing
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowPrepairing
Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
Allowed values:
| Value | Description |
|---|---|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
AllowPromptedProximalConnections
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowPromptedProximalConnections
This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
Allowed values:
| Value | Description |
|---|---|
| 0 | Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios. |
| 1 (Default) | Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios. |
LocalDeviceName
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/Bluetooth/LocalDeviceName
Sets the local Bluetooth device name. If this is set, the value that it's set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. If this policy isn't set or it's deleted, the default local radio name is used.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
ServicesAllowedList
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/Bluetooth/ServicesAllowedList
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7. CAA-436. C-8. BF0-78. CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: ;) |
SetMinimumEncryptionKeySize
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041] and later |
./Device/Vendor/MSFT/Policy/Config/Bluetooth/SetMinimumEncryptionKeySize
There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [1-16] |
| Default Value | 0 |
ServicesAllowedList usage guide
When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It's an allowed list, enabling admins to still allow custom Bluetooth profiles that aren't defined by the Bluetooth Special Interests Group (SIG).
- Disabling a service shall block incoming and outgoing connections for such services
- Disabling a service shall not publish an SDP record containing the service being blocked
- Disabling a service shall not allow SDP to expose a record for a blocked service
- Disabling a service shall log when a service is blocked for auditing purposes
- Disabling a service shall take effect upon reload of the stack or system reboot
To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the Service Discovery page on the Bluetooth SIG website.
These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID.
Here are some examples:
Example of how to enable Hands Free Profile (HFP):
BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
| UUID name | Protocol specification | UUID |
|---|---|---|
| HFP(Hands Free Profile) | Hands-Free Profile (HFP) * | 0x111E |
Footnote: * Used as both Service Class Identifier and Profile Identifier.
Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB
Allow Audio Headsets (Voice):
| Profile | Reasoning | UUID |
|---|---|---|
| HFP (Hands Free Profile) | For voice-enabled headsets | 0x111E |
| Generic Audio Service | Generic audio service | 0x1203 |
| Headset Service Class | For older voice-enabled headsets | 0x1108 |
| PnP Information | Used to identify devices occasionally | 0x1200 |
If you only want Bluetooth headsets, the UUIDs to include are: {0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}.
Allow Audio Headsets and Speakers (Voice & Music):
| Profile | Reasoning | UUID |
|---|---|---|
| HFP (Hands Free Profile) | For voice enabled headsets | 0x111E |
| A2DP Source (Advance Audio Distribution) | For streaming to Bluetooth speakers | 0x110B |
| Generic Audio Service | Generic service used by Bluetooth | 0x1203 |
| Headset Service Class | For older voice-enabled headsets | 0x1108 |
| AV Remote Control Target Service | For controlling audio remotely | 0x110C |
| AV Remote Control Service | For controlling audio remotely | 0x110E |
| AV Remote Control Controller Service | For controlling audio remotely | 0x110F |
| PnP Information | Used to identify devices occasionally | 0x1200 |
{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
Classic Keyboards and Mice:
| Profile | Reasoning | UUID |
|---|---|---|
| HID (Human Interface Device) | For classic BR/EDR keyboards and mice | 0x1124 |
| PnP Information | Used to identify devices occasionally | 0x1200 |
{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
LE Keyboards and Mice:
| Profile | Reasoning | UUID |
|---|---|---|
| Generic Access Attribute | For the LE Protocol | 0x1801 |
| HID Over GATT * | For LE keyboards and mice | 0x1812 |
| GAP (Generic Access Profile) | Generic service used by Bluetooth | 0x1800 |
| DID (Device ID) | Generic service used by Bluetooth | 0x180A |
| Scan Parameters | Generic service used by Bluetooth | 0x1813 |
Footnote: * The Surface pen uses the HID over GATT profile
{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
Allow File Transfer:
| Profile | Reasoning | UUID |
|---|---|---|
| OBEX Object Push (OPP) | For file transfer | 0x1105 |
| Object Exchange (OBEX) | Protocol for file transfer | 0x0008 |
| PnP Information | Used to identify devices occasionally | 0x1200 |
{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
Disabling file transfer shall have the following effects:
- Fsquirt shall not allow sending of files
- Fsquirt shall not allow receiving of files
- Fsquirt shall display error message informing user of policy preventing file transfer
- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API
Related articles
Feedback
Binnenkort beschikbaar: In de loop van 2024 zullen we GitHub Issues geleidelijk uitfaseren als het feedbackmechanisme voor inhoud. Het wordt vervangen door een nieuw feedbacksysteem. Zie voor meer informatie: https://aka.ms/ContentUserFeedback.
Feedback verzenden en weergeven voor