Bluetooth must be turned off unless approved by the organization.

STIG ID: WN10-00-000210  |  SRG: SRG-OS-000095-GPOS-00049 |  Severity: medium (CAT II)  |  CCI: CCI-000381 |  Vulnerability Id: V-220734

Vulnerability Discussion

If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised.

Check

This is NA if the system does not have Bluetooth.

Verify the Bluetooth radio is turned off unless approved by the organization. If it is not, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\PolicyManager\current\device\Connectivity\

Value Name: AllowBluetooth

Value Type: REG_DWORD
Value: 0x00000000 (0)

Approval must be documented with the ISSO.

Fix

Turn off Bluetooth radios not organizationally approved.

For systems managed by Intune, apply the DOD Windows 10 STIG Settings Catalog (or equivalent Intune policy) found in the Intune policy package available on cyber.mil.
Steps to create an Intune policy:
1. Sign in to the Intune admin center >> Devices >> Configuration >> Create >> New Policy.
2. Platform: Windows 10 and later. Profile type: Settings Catalog, then click "Create".
3. Basics: Provide a Name and Description of the profile, then click "Next".
4. Configuration settings: Click "+ Add settings" and search for connectivity under the Settings picker. Under the Connectivity category, check the box next to Allow Bluetooth setting. Choose the first option, Disallow Bluetooth, then click "Next".
5. Scope tags: (optional), then click "Next".
6. Assignments: Assign the policy to Entra security groups that contain the target users or devices, then click "Next".
7. Review + create: Review the deployment summary, then click "Create".
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.