Bluetooth must be turned off unless approved by the organization.

Documentable No

Rule ID SV-253291r1153422_rule

CCI References

CCI-000381

Discussion

If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised.

Check Procedure

This is NA if the system does not have Bluetooth.

Verify the Bluetooth radio is turned off unless approved by the organization. If it is not, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\PolicyManager\current\device\Connectivity\

Value Name: AllowBluetooth

Value Type: REG_DWORD
Value: 0x00000000 (0)

Approval must be documented with the ISSO.

Fix Action

Turn off Bluetooth radios not organizationally approved.

For systems managed by Intune, apply the DOD Windows 11 STIG Settings Catalog (or equivalent Intune policy) found in the Intune policy package available on cyber.mil.
Steps to create an Intune policy:
1. Sign in to the Intune admin center >> Devices >> Configuration >> Create >> New Policy.
2. Platform: Windows 10 and later. Profile type: Settings Catalog, then click "Create".
3. Basics: Provide a Name and Description of the profile, then click "Next".
4. Configuration settings: Click "+ Add settings" and search for connectivity under the Settings picker. Under the Connectivity category, check the box next to Allow Bluetooth setting. Choose the first option, "Disallow Bluetooth", then click "Next".
5. Scope tags: (optional), then click "Next".
6. Assignments: Assign the policy to Entra security groups that contain the target users or devices, then click "Next".
7. Review + create: Review the deployment summary, then click "Create".