Check: WN11-00-000210
Microsoft Windows 11 STIG:
WN11-00-000210
(in version v2 r6)
Title
Bluetooth must be turned off unless approved by the organization. (Cat II impact)
Discussion
If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised.
Check Content
This is NA if the system does not have Bluetooth.

Verify the Bluetooth radio is turned off unless approved by the organization. If it is not, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\PolicyManager\current\device\Connectivity\
Value Name: AllowBluetooth
Value Type: REG_DWORD
Value: 0x00000000 (0)

Approval must be documented with the ISSO.
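The registry check above can be scripted for a local audit. The following PowerShell is an added example, not part of the STIG or of any DOD tooling; the function name and status strings are hypothetical. It assumes that a device in the Bluetooth PnP class means the system has Bluetooth, and that a missing AllowBluetooth value counts as not configured.

```powershell
# Added example (not STIG content): audit the AllowBluetooth policy value locally.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Connectivity'
$ValueName = 'AllowBluetooth'

function Get-BluetoothStigStatus {
    # Assumption: any device in the Bluetooth PnP class means the system has Bluetooth.
    $radio = Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue
    if (-not $radio) {
        return [pscustomobject]@{ Status = 'Not Applicable'; Detail = 'No Bluetooth device found' }
    }

    # Assumption: a missing key or value means the policy has not been applied.
    $key = Get-Item -Path $RegPath -ErrorAction SilentlyContinue
    if (-not $key -or ($key.GetValueNames() -notcontains $ValueName)) {
        return [pscustomobject]@{ Status = 'Finding unless approved'; Detail = "$ValueName is not set" }
    }

    # The check requires both the type (REG_DWORD) and the data (0) to match.
    $kind  = $key.GetValueKind($ValueName)
    $value = $key.GetValue($ValueName)
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $value -eq 0) {
        return [pscustomobject]@{ Status = 'Not a Finding'; Detail = "$ValueName = 0 (REG_DWORD)" }
    }

    return [pscustomobject]@{ Status = 'Finding unless approved'; Detail = "$ValueName = $value ($kind)" }
}

$result = Get-BluetoothStigStatus
$result | Format-List

# Exit code for scheduled compliance scans: 0 = compliant or NA, 1 = needs review.
if ($result.Status -like 'Finding*') { exit 1 } else { exit 0 }
```

A "Finding unless approved" result still has to be reconciled against the approval documented with the ISSO, which the script cannot see.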
Fix Text
Turn off Bluetooth radios not organizationally approved.

For systems managed by Intune, apply the DOD Windows 11 STIG Settings Catalog (or equivalent Intune policy) found in the Intune policy package available on cyber.mil.

Steps to create an Intune policy:
1. Sign in to the Intune admin center >> Devices >> Configuration >> Create >> New Policy.
2. Platform: Windows 10 and later. Profile type: Settings Catalog, then click "Create".
3. Basics: Provide a Name and Description of the profile, then click "Next".
4. Configuration settings: Click "+ Add settings" and search for connectivity under the Settings picker. Under the Connectivity category, check the box next to Allow Bluetooth setting. Choose the first option, "Disallow Bluetooth", then click "Next".
5. Scope tags: (optional), then click "Next".
6. Assignments: Assign the policy to Entra security groups that contain the target users or devices, then click "Next".
7. Review + create: Review the deployment summary, then click "Create".
Additional Identifiers
Rule ID: SV-253291r1153422_rule
Vulnerability ID: V-253291
Group Title: SRG-OS-000095-GPOS-00049
CCIs
| Number | Definition |
|---|---|
| CCI-000381 | Configure the system to provide only organization-defined mission essential capabilities. |
Controls
| Number | Title |
|---|---|
| CM-7 | Least Functionality |