From ffef722259f60c556e12b122b93b88be25a83fd4 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 22 Jul 2024 17:54:13 -0400 Subject: [PATCH 01/20] Update passkeys documentation with information on Bluetooth-restricted environments --- .../identity-protection/passkeys/index.md | 24 +++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 44f695a852..14a3589a9d 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -1,11 +1,11 @@ --- title: Support for passkeys in Windows description: Learn about passkeys and how to use them on Windows devices. -ms.collection: +ms.collection: - tier1 ms.topic: overview ms.date: 11/07/2023 -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 --- 
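Review bot: `ms.date: 11/07/2023` is left untouched in this front-matter hunk even though the patch adds a whole new section further down; bump the date alongside the trailing-whitespace trim of `ms.collection:` and `appliesto:`, which is otherwise the only change here.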
@@ -315,6 +315,26 @@ Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use the Set To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passkey**. +## Passkeys and Bluetooth-restricted environments + +For passkey cross-device authentication scenarios, both the Windows device and the mobile device must have Bluetooth enabled and connected to the Internet. This allows the user to authorize another device securely over Bluetooth without transferring or copying the passkey itself. + +Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP](../../../client-management/mdm/policy-csp-bluetooth.md) + +| OMA-URI | Data type | Value | +|--|--|--| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](../../../client-management/mdm/policy-csp-bluetooth.md#allowadvertising)|Integer|`0`
When set to `0`, the device won't send out advertisements.| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](../../../client-management/mdm/policy-csp-bluetooth.md#allowdiscoverablemode)|Integer|`0`
When set to `0`, other devices won't be able to detect the device.| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](../../../client-management/mdm/policy-csp-bluetooth.md#allowprepiaring)|Integer|`0`
Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](../../../client-management/mdm/policy-csp-bluetooth.md#allowpromptedproximalconnections)|Integer|`0`
Prevents users from using Swift Pair and other proximity-based scenarios.| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](../../../client-management/mdm/policy-csp-bluetooth.md#servicesallowedlist)|String|`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`
Set a list of allowable Bluetooth services and profiles:
- FIDO Alliance Universal Second Factor Authenticator service
- FIDO2 secure client-to-authenticator transport service| +| `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](../../../client-management/mdm/policy-csp-deviceinstallation.md#preventinstallationofmatchingdeviceids)|String|``
This configuration:
- disables the existing Bluetooth Personal Area Network (PAN) network adapter
- prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint| + +For more information see: + +- [FIDO CTAP 2.1 standard specification](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#ble-fido-service) +- [Bluetooth Assigned Numbers document](https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Assigned_Numbers/out/en/Assigned_Numbers.pdf?v=1713387868258) + [FHUB]: feedback-hub:?tabid=2&newFeedback=true From efdb164a8671399f12a5e33d0a1534501aa2e72c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 07:23:05 -0400 Subject: [PATCH 02/20] updates --- .../identity-protection/passkeys/index.md | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 14a3589a9d..d023c4d13c 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
@@ -319,22 +319,31 @@ To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the cate For passkey cross-device authentication scenarios, both the Windows device and the mobile device must have Bluetooth enabled and connected to the Internet. This allows the user to authorize another device securely over Bluetooth without transferring or copying the passkey itself. -Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP](../../../client-management/mdm/policy-csp-bluetooth.md) +Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP](/windows/client-management/mdm/policy-csp-bluetooth.md) | OMA-URI | Data type | Value | |--|--|--| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](../../../client-management/mdm/policy-csp-bluetooth.md#allowadvertising)|Integer|`0`
When set to `0`, the device won't send out advertisements.| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](../../../client-management/mdm/policy-csp-bluetooth.md#allowdiscoverablemode)|Integer|`0`
When set to `0`, other devices won't be able to detect the device.| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](../../../client-management/mdm/policy-csp-bluetooth.md#allowprepiaring)|Integer|`0`
Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](../../../client-management/mdm/policy-csp-bluetooth.md#allowpromptedproximalconnections)|Integer|`0`
Prevents users from using Swift Pair and other proximity-based scenarios.| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](../../../client-management/mdm/policy-csp-bluetooth.md#servicesallowedlist)|String|`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`
Set a list of allowable Bluetooth services and profiles:
- FIDO Alliance Universal Second Factor Authenticator service
- FIDO2 secure client-to-authenticator transport service| -| `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](../../../client-management/mdm/policy-csp-deviceinstallation.md#preventinstallationofmatchingdeviceids)|String|``
This configuration:
- disables the existing Bluetooth Personal Area Network (PAN) network adapter
- prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)|Integer|`0`
When set to `0`, the device won't send out advertisements.| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth.md#allowdiscoverablemode)|Integer|`0`
When set to `0`, other devices won't be able to detect the device.| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth.md#allowprepiaring)|Integer|`0`
Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth.md#allowpromptedproximalconnections)|Integer|`0`
Prevents users from using Swift Pair and other proximity-based scenarios.| +| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth.md#servicesallowedlist)|String|`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`
Set a list of allowable Bluetooth services and profiles:
- FIDO Alliance Universal Second Factor Authenticator service
- FIDO2 secure client-to-authenticator transport service| +| `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation.md#preventinstallationofmatchingdeviceids)|String|``
This configuration:
- disables the existing Bluetooth Personal Area Network (PAN) network adapter
- prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint| For more information see: - [FIDO CTAP 2.1 standard specification](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#ble-fido-service) - [Bluetooth Assigned Numbers document](https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Assigned_Numbers/out/en/Assigned_Numbers.pdf?v=1713387868258) +| Setting | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | + [FHUB]: feedback-hub:?tabid=2&newFeedback=true From ca939da78e60a2553d9c4d422562998f7d6a4d2b Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 07:55:01 -0400 Subject: [PATCH 03/20] chore: Update passkeys documentation with Bluetooth-restricted environments information --- .../identity-protection/passkeys/index.md | 28 ++++++------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index d023c4d13c..98353e35aa 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -321,31 +321,19 @@ For passkey cross-device authentication scenarios, both the Windows device and t Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP](/windows/client-management/mdm/policy-csp-bluetooth.md) -| OMA-URI | Data type | Value | -|--|--|--| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)|Integer|`0`
    When set to `0`, the device won't send out advertisements.| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth.md#allowdiscoverablemode)|Integer|`0`
    When set to `0`, other devices won't be able to detect the device.| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth.md#allowprepiaring)|Integer|`0`
    Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth.md#allowpromptedproximalconnections)|Integer|`0`
    Prevents users from using Swift Pair and other proximity-based scenarios.| -| `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth.md#servicesallowedlist)|String|`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`
    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service
    - FIDO2 secure client-to-authenticator transport service| -| `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation.md#preventinstallationofmatchingdeviceids)|String|``
    This configuration:
    - disables the existing Bluetooth Personal Area Network (PAN) network adapter
    - prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint| - -For more information see: - -- [FIDO CTAP 2.1 standard specification](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#ble-fido-service) -- [Bluetooth Assigned Numbers document](https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Assigned_Numbers/out/en/Assigned_Numbers.pdf?v=1713387868258) - | Setting | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth.md#allowdiscoverablemode)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, other devices won't be able to detect the device.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth.md#allowprepiaring)
  • Data type: **Integer**
  • Value:`0`
  • Details: Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth.md#allowpromptedproximalconnections)
  • Data type: **Integer**
  • Value:`0`
  • Details:Prevents users from using Swift Pair and other proximity-based scenarios.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth.md#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`
  • Details: Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service
    - FIDO2 secure client-to-authenticator transport service.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation.md#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:`0`
  • Details: |``
  • This configuration:
    - disables the existing Bluetooth Personal Area Network (PAN) network adapter
    - prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint.


  • For more information see:
    - [FIDO CTAP 2.1 standard specification][BT-1]
    - [Bluetooth Assigned Numbers document][BT-2]| [FHUB]: feedback-hub:?tabid=2&newFeedback=true [KB-1]: https://support.microsoft.com/kb/5030310 [MSS-1]: ms-settings:savedpasskeys +[BT-1]: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#ble-fido-service +[BT-2]: https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Assigned_Numbers/out/en/Assigned_Numbers.pdf?v=1713387868258 From 9140cfe0f40ec4671014ac358a8b9620dd492c06 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 07:56:22 -0400 Subject: [PATCH 04/20] chore: Update passkeys documentation with Bluetooth-restricted environments information --- .../security/identity-protection/passkeys/index.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 98353e35aa..9bde579ab5 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -323,12 +323,12 @@ Some organizations restrict the use of Bluetooth, preventing the use of passkeys | Setting | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth.md#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth.md#allowdiscoverablemode)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, other devices won't be able to detect the device.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth.md#allowprepiaring)
  • Data type: **Integer**
  • Value:`0`
  • Details: Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth.md#allowpromptedproximalconnections)
  • Data type: **Integer**
  • Value:`0`
  • Details:Prevents users from using Swift Pair and other proximity-based scenarios.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth.md#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`
  • Details: Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service
    - FIDO2 secure client-to-authenticator transport service.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation.md#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:`0`
  • Details: |``
  • This configuration:
    - disables the existing Bluetooth Personal Area Network (PAN) network adapter
    - prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint.


  • For more information see:
    - [FIDO CTAP 2.1 standard specification][BT-1]
    - [Bluetooth Assigned Numbers document][BT-2]| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, other devices won't be able to detect the device.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth#allowprepiaring)
  • Data type: **Integer**
  • Value:`0`
  • Details: Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections)
  • Data type: **Integer**
  • Value:`0`
  • Details:Prevents users from using Swift Pair and other proximity-based scenarios.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`
  • Details: Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service
    - FIDO2 secure client-to-authenticator transport service.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:`0`
  • Details: |``
  • This configuration:
    - disables the existing Bluetooth Personal Area Network (PAN) network adapter
    - prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint.


  • For more information see:
    - [FIDO CTAP 2.1 standard specification][BT-1]
    - [Bluetooth Assigned Numbers document][BT-2]| From 7b436722f47915fd734b28749cc9e58573721133 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 08:04:56 -0400 Subject: [PATCH 05/20] chore: Update passkeys documentation with Bluetooth-restricted environments information --- windows/security/identity-protection/passkeys/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 9bde579ab5..7c11a4de1d 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -327,8 +327,8 @@ Some organizations restrict the use of Bluetooth, preventing the use of passkeys | OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, other devices won't be able to detect the device.
  • | | OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth#allowprepiaring)
  • Data type: **Integer**
  • Value:`0`
  • Details: Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.
  • | | OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections)
  • Data type: **Integer**
  • Value:`0`
  • Details:Prevents users from using Swift Pair and other proximity-based scenarios.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`
  • Details: Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service
    - FIDO2 secure client-to-authenticator transport service.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:`0`
  • Details: |``
  • This configuration:
    - disables the existing Bluetooth Personal Area Network (PAN) network adapter
    - prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint.


  • For more information see:
    - [FIDO CTAP 2.1 standard specification][BT-1]
    - [Bluetooth Assigned Numbers document][BT-2]| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service
    - FIDO2 secure client-to-authenticator transport service.
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:``


  • This configuration:
    - disables the existing Bluetooth Personal Area Network (PAN) network adapter
    - prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint.

    For more information see:
    - [FIDO CTAP 2.1 standard specification][BT-1]
    - [Bluetooth Assigned Numbers document][BT-2]| From b4728ccb73f979f2a20cc3db3dfa92eb780b391c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:00:36 -0400 Subject: [PATCH 06/20] chore: Update passkeys documentation with Bluetooth service and profile information --- windows/security/identity-protection/passkeys/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 7c11a4de1d..deaf3a8a2c 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -327,8 +327,8 @@ Some organizations restrict the use of Bluetooth, preventing the use of passkeys | OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, other devices won't be able to detect the device.
  • | | OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth#allowprepiaring)
  • Data type: **Integer**
  • Value:`0`
  • Details: Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.
  • | | OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections)
  • Data type: **Integer**
  • Value:`0`
  • Details:Prevents users from using Swift Pair and other proximity-based scenarios.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service
    - FIDO2 secure client-to-authenticator transport service.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:``


  • This configuration:
    - disables the existing Bluetooth Personal Area Network (PAN) network adapter
    - prevents the installation of the Bluetooth Network Adapter that can be used for network connectivity\tethering from a Bluetooth device and the endpoint.

    For more information see:
    - [FIDO CTAP 2.1 standard specification][BT-1]
    - [Bluetooth Assigned Numbers document][BT-2]| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)
  • | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:``


  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering.

    For more information see:
    - [FIDO CTAP 2.1 standard specification][BT-1]
    - [Bluetooth Assigned Numbers document][BT-2]| From 5f64481ef078c2fa4c1e9fa508a3f210d18b1114 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:19:13 -0400 Subject: [PATCH 07/20] chore: Update passkeys documentation with Bluetooth service and profile information --- .../identity-protection/passkeys/index.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index deaf3a8a2c..d7565dd71a 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
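Review bot: in the rewritten PreventInstallationOfMatchingDeviceIDs row above, the Value cell is empty (`Value:```) while the description promises the setting "disables the existing Bluetooth Personal Area Network (PAN) network adapter": an empty ID list matches no device, so the row as written configures nothing. Put the hardware ID(s) of the Bluetooth PAN adapter in the value and say where an admin gets them (the Hardware Ids property in Device Manager). Also decide what the sentence should claim: this policy blocks new installations; if the intent is to disable an adapter that is already installed, the policy's "also apply to matching devices that are already installed" option has to be set in the value and the row should say so, otherwise drop "disables the existing".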
@@ -319,21 +319,21 @@ To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the cate For passkey cross-device authentication scenarios, both the Windows device and the mobile device must have Bluetooth enabled and connected to the Internet. This allows the user to authorize another device securely over Bluetooth without transferring or copying the passkey itself. -Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP](/windows/client-management/mdm/policy-csp-bluetooth.md) +Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP](/windows/client-management/mdm/policy-csp-bluetooth) | Setting | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth#allowadvertising)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, the device won't send out advertisements.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode)
  • Data type: **Integer**
  • Value:`0`
  • Details: When set to `0`, other devices won't be able to detect the device.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth#allowprepiaring)
  • Data type: **Integer**
  • Value:`0`
  • Details: Prevents specific bundled Bluetooth peripherals to automatically pair with the host device.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections)
  • Data type: **Integer**
  • Value:`0`
  • Details:Prevents users from using Swift Pair and other proximity-based scenarios.
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)
  • | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:``


  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering.

    For more information see:
    - [FIDO CTAP 2.1 standard specification][BT-1]
    - [Bluetooth Assigned Numbers document][BT-2]| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth#allowadvertising)
  • Data type: **Integer**
  • Value:`0`


  • When set to `0`, the device won't send out advertisements.| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode)
  • Data type: **Integer**
  • Value:`0`


  • When set to `0`, other devices won't be able to detect the device. | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth#allowprepiaring)
  • Data type: **Integer**
  • Value:`0`


  • Prevents specific bundled Bluetooth peripherals to automatically pair with the host device. | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections)
  • Data type: **Integer**
  • Value:`0`


  • Prevents users from using Swift Pair and other proximity-based scenarios.| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:``


  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering.| +[BT-1]: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#ble-fido-service +[BT-2]: https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Assigned_Numbers/out/en/Assigned_Numbers.pdf?v=1713387868258 [FHUB]: feedback-hub:?tabid=2&newFeedback=true [KB-1]: https://support.microsoft.com/kb/5030310 [MSS-1]: ms-settings:savedpasskeys -[BT-1]: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#ble-fido-service -[BT-2]: https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Assigned_Numbers/out/en/Assigned_Numbers.pdf?v=1713387868258 From 1b67de0714a5a235fbd001cdaeade7979a7ba8fa Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:29:52 -0400 Subject: [PATCH 08/20] chore: Update passkeys documentation with corrected link to Intune custom settings configuration --- .../credential-guard/configure.md | 2 +- .../identity-protection/passkeys/index.md | 38 +++++++++++++------ 2 files changed, 27 insertions(+), 13 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index fee6dbbc20..b965f14e38 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -404,4 +404,4 @@ bcdedit /set vsmlaunchtype off [CSP-1]: /windows/client-management/mdm/policy-csp-deviceguard#enablevirtualizationbasedsecurity -[INT-1]: /mem/intune/configuration/settings-catalog +[INT-1]: /mem/intune/configuration/custom-settings-configure 
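Review bot: the AllowPrepairing row is rewritten in this hunk but keeps the misspelled anchor in `[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth#allowprepiaring)`; the fragment should be `#allowprepairing`, matching the other rows whose anchors are the lowercase setting name. Since this row is already touched, fix it here rather than leaving a dead link in the table.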
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index d7565dd71a..9424603d81 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
@@ -311,24 +311,28 @@ Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use the Set > [!NOTE] > Some passkeys for *login.microsoft.com* can't be deleted, as they're used with Microsoft Entra ID and/or Microsoft Account for signing in to the device and Microsoft services. -## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback - -To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passkey**. - -## Passkeys and Bluetooth-restricted environments +## Passkeys in Bluetooth-restricted environments For passkey cross-device authentication scenarios, both the Windows device and the mobile device must have Bluetooth enabled and connected to the Internet. This allows the user to authorize another device securely over Bluetooth without transferring or copying the passkey itself. -Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP](/windows/client-management/mdm/policy-csp-bluetooth) +Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP](/windows/client-management/mdm/policy-csp-bluetooth) and the [deviceinstallation policy CSP]/windows/client-management/mdm/policy-csp-deviceinstallation). 
+ +The following table provides an example of CSP settings to allow passkeys in a Bluetooth-restricted environment: | Setting | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising](/windows/client-management/mdm/policy-csp-bluetooth#allowadvertising)
  • Data type: **Integer**
  • Value:`0`


  • When set to `0`, the device won't send out advertisements.| -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode](/windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode)
  • Data type: **Integer**
  • Value:`0`


  • When set to `0`, other devices won't be able to detect the device. | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing](/windows/client-management/mdm/policy-csp-bluetooth#allowprepiaring)
  • Data type: **Integer**
  • Value:`0`


  • Prevents specific bundled Bluetooth peripherals to automatically pair with the host device. | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections](/windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections)
  • Data type: **Integer**
  • Value:`0`


  • Prevents users from using Swift Pair and other proximity-based scenarios.| -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist)
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs](/windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids)
  • Data type: **String**
  • Value:``


  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering.| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising][CSP-1]
  • Data type: **Integer**
  • Value:`0`


  • When set to `0`, the device won't send out advertisements.| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode][CSP-2]
  • Data type: **Integer**
  • Value:`0`


  • When set to `0`, other devices won't be able to detect the device. | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing][CSP-3]
  • Data type: **Integer**
  • Value:`0`


  • Prevents specific bundled Bluetooth peripherals to automatically pair with the host device. | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections][CSP-4]
  • Data type: **Integer**
  • Value:`0`


  • Prevents users from using Swift Pair and other proximity-based scenarios.| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value:``


  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering.| + +To configure devices with Microsoft Intune, [you can use a Settings catalog policy][INT-1] or a [custom policy][INT-2]. + +## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback + +To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passkey**. @@ -337,3 +341,13 @@ Some organizations restrict the use of Bluetooth, preventing the use of passkeys [FHUB]: feedback-hub:?tabid=2&newFeedback=true [KB-1]: https://support.microsoft.com/kb/5030310 [MSS-1]: ms-settings:savedpasskeys + +[INT-1]: /mem/intune/configuration/settings-catalog +[INT-2]: /mem/intune/configuration/custom-settings-configure + +[CSP-1]: /windows/client-management/mdm/policy-csp-bluetooth#allowadvertising +[CSP-2]: /windows/client-management/mdm/policy-csp-bluetooth#allowdiscoverablemode +[CSP-3]: /windows/client-management/mdm/policy-csp-bluetooth#allowprepairing +[CSP-4]: /windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections +[CSP-5]: /windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist +[CSP-6]: /windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids From 57aec2a6b9a0c9b980e1f877affc30f29cd10820 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:39:16 -0400 Subject: [PATCH 09/20] chore: Update passkeys documentation with Bluetooth-restricted environments information --- .../security/identity-protection/passkeys/index.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
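Review bot: the new intro sentence has a broken markdown link, `[deviceinstallation policy CSP]/windows/client-management/mdm/policy-csp-deviceinstallation)`, missing the opening parenthesis, so it renders as literal text followed by a stray `)`. Use `[DeviceInstallation Policy CSP](/windows/client-management/mdm/policy-csp-deviceinstallation)` (capitalized like the CSP's page title) or, since this hunk introduces reference-style links for the rows, add it as another `[CSP-n]` reference definition alongside `[CSP-6]`.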
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 9424603d81..73a940d66e 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -315,18 +315,18 @@ Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use the Set For passkey cross-device authentication scenarios, both the Windows device and the mobile device must have Bluetooth enabled and connected to the Internet. This allows the user to authorize another device securely over Bluetooth without transferring or copying the passkey itself. -Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP](/windows/client-management/mdm/policy-csp-bluetooth) and the [deviceinstallation policy CSP]/windows/client-management/mdm/policy-csp-deviceinstallation). +Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP][CSP-8] and the [DeviceInstallation Policy CSP][CSP-7]. The following table provides an example of CSP settings to allow passkeys in a Bluetooth-restricted environment: | Setting | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising][CSP-1]
  • Data type: **Integer**
  • Value:`0`


  • When set to `0`, the device won't send out advertisements.| -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode][CSP-2]
  • Data type: **Integer**
  • Value:`0`


  • When set to `0`, other devices won't be able to detect the device. | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing][CSP-3]
  • Data type: **Integer**
  • Value:`0`


  • Prevents specific bundled Bluetooth peripherals to automatically pair with the host device. | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections][CSP-4]
  • Data type: **Integer**
  • Value:`0`


  • Prevents users from using Swift Pair and other proximity-based scenarios.| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising][CSP-1]
  • Data type: **Integer**
  • Value:`0`

  • When set to `0`, the device won't send out advertisements.| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode][CSP-2]
  • Data type: **Integer**
  • Value:`0`

  • When set to `0`, other devices won't be able to detect the device. | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing][CSP-3]
  • Data type: **Integer**
  • Value:`0`

  • Prevents specific bundled Bluetooth peripherals to automatically pair with the host device. | +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections][CSP-4]
  • Data type: **Integer**
  • Value:`0`

  • Prevents users from using Swift Pair and other proximity-based scenarios.| | OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value:``


  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering.| +| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value:``

  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering.| To configure devices with Microsoft Intune, [you can use a Settings catalog policy][INT-1] or a [custom policy][INT-2]. @@ -351,3 +351,5 @@ To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the cate [CSP-4]: /windows/client-management/mdm/policy-csp-bluetooth#allowpromptedproximalconnections [CSP-5]: /windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist [CSP-6]: /windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids +[CSP-7]: /windows/client-management/mdm/policy-csp-deviceinstallation +[CSP-8]: /windows/client-management/mdm/policy-csp-bluetooth From 01c555674f5c146353c15f5f4ad45d61175c6675 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:48:42 -0400 Subject: [PATCH 10/20] chore: Update passkeys documentation with Bluetooth-restricted environments information --- .../identity-protection/passkeys/index.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 73a940d66e..c8a205a479 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
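Review bot: two style points in the rewritten intro line. `passkey\FIDO2 authenticators` uses a backslash where a slash (or simply "passkey-capable FIDO2 authenticators") is meant, and it has survived several rewrites of this sentence. The new reference links are numbered against their order of appearance: the Bluetooth Policy CSP, mentioned first, is `[CSP-8]` while the DeviceInstallation Policy CSP is `[CSP-7]`; swapping the two definitions keeps the numbering readable when the next reference is added.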
@@ -319,14 +319,14 @@ Some organizations restrict the use of Bluetooth, preventing the use of passkeys The following table provides an example of CSP settings to allow passkeys in a Bluetooth-restricted environment: -| Setting | -| ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising][CSP-1]
  • Data type: **Integer**
  • Value:`0`

  • When set to `0`, the device won't send out advertisements.| -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode][CSP-2]
  • Data type: **Integer**
  • Value:`0`

  • When set to `0`, other devices won't be able to detect the device. | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing][CSP-3]
  • Data type: **Integer**
  • Value:`0`

  • Prevents specific bundled Bluetooth peripherals to automatically pair with the host device. | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections][CSP-4]
  • Data type: **Integer**
  • Value:`0`

  • Prevents users from using Swift Pair and other proximity-based scenarios.| -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value:`{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | -| OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value:``

  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering.| +| Setting | +|--| +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising][CSP-1]
  • Data type: **Integer**
  • Value: `0`

  • When set to `0`, the device won't send out advertisements. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode][CSP-2]
  • Data type: **Integer**
  • Value: `0`

  • When set to `0`, other devices won't be able to detect the device. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing][CSP-3]
  • Data type: **Integer**
  • Value: `0`

  • Prevents specific bundled Bluetooth peripherals to automatically pair with the host device. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections][CSP-4]
  • Data type: **Integer**
  • Value: `0`

  • Prevents users from using Swift Pair and other proximity-based scenarios. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value: `{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value: ``

  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering. | To configure devices with Microsoft Intune, [you can use a Settings catalog policy][INT-1] or a [custom policy][INT-2]. From 1a42a18297412af6e1aa940bd306fbec0eee6ef3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 12:13:02 -0400 Subject: [PATCH 11/20] chore: Update passkeys documentation with improved Bluetooth-restricted environments information --- windows/security/identity-protection/passkeys/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index c8a205a479..7b800e3e5e 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
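Review bot: the ServicesAllowedList row lists the two UUIDs in different cases, `0000fffd-0000-1000-8000-00805f9b34fb` in lowercase and `0000FFF9-0000-1000-8000-00805F9B34FB` in uppercase, while the Value cell has both in uppercase; pick one form so a reader copying from the bullets gets the same string as the Value cell. The row should also state plainly that this is an allowlist: once it is set, Bluetooth services not on it (keyboards, mice, headsets) stop working on the device, which is the intended effect of the page but also the first support question it will generate.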
@@ -315,7 +315,9 @@ Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use the Set For passkey cross-device authentication scenarios, both the Windows device and the mobile device must have Bluetooth enabled and connected to the Internet. This allows the user to authorize another device securely over Bluetooth without transferring or copying the passkey itself. -Some organizations restrict the use of Bluetooth, preventing the use of passkeys. In this case, organizations can enable the use of passkeys by only allowing Bluetooth pairing with passkey\FIDO2 authenticators. To do so, use the [Bluetooth Policy CSP][CSP-8] and the [DeviceInstallation Policy CSP][CSP-7]. +Some organizations restrict Bluetooth usage, which includes the use of passkeys. In such cases, organizations can allow passkeys by permitting Bluetooth pairing exclusively with passkey-enabled FIDO2 authenticators. + +To limit the use of Bluetooth to only passkey use cases, use the [Bluetooth Policy CSP][CSP-8] and the [DeviceInstallation Policy CSP][CSP-7]. The following table provides an example of CSP settings to allow passkeys in a Bluetooth-restricted environment: From 106690c1d3328c85b7f81569762f09400864615e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 12:18:25 -0400 Subject: [PATCH 12/20] chore: Exclude aditisrivastava07 from contributors list --- windows/security/docfx.json | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 2e3135282a..c7db837e59 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -55,6 +55,7 @@ }, "titleSuffix": "Windows Security", "contributors_to_exclude": [ + "aditisrivastava07", "alekyaj", "alexbuckgit", "American-Dipper", From 9e588119463800b1916860a5519c17be61cc4a69 Mon Sep 17 00:00:00 2001 
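Review bot: the rewritten sentence "Some organizations restrict Bluetooth usage, which includes the use of passkeys" overstates the impact; the unchanged line at the top of this hunk says Bluetooth is required for passkey cross-device authentication, and passkeys saved on the Windows device itself (or on a USB or NFC security key) do not need it. Suggest "which blocks cross-device passkey authentication" and, in the next sentence, "allow cross-device passkeys by permitting Bluetooth only for the FIDO services passkeys use", so admins do not read this as a requirement for every passkey scenario.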
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 23 Jul 2024 14:09:10 -0400 Subject: [PATCH 13/20] chore: Update passkeys documentation with improved Bluetooth-restricted environments information --- windows/security/identity-protection/passkeys/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 7b800e3e5e..7dbd0f3728 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -325,7 +325,7 @@ The following table provides an example of CSP settings to allow passkeys in a B |--| |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising][CSP-1]
  • Data type: **Integer**
  • Value: `0`

  • When set to `0`, the device won't send out advertisements. | |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode][CSP-2]
  • Data type: **Integer**
  • Value: `0`

  • When set to `0`, other devices won't be able to detect the device. | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing][CSP-3]
  • Data type: **Integer**
  • Value: `0`

  • Prevents specific bundled Bluetooth peripherals to automatically pair with the host device. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing][CSP-3]
  • Data type: **Integer**
  • Value: `0`

  • Prevents specific bundled Bluetooth peripherals from automatically pairing with the host device. | |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections][CSP-4]
  • Data type: **Integer**
  • Value: `0`

  • Prevents users from using Swift Pair and other proximity-based scenarios. | |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value: `{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value: ``

  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering. | From 0a35e14fba67f75c069a0e476739df5a410030d4 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Aug 2024 15:18:05 -0400 Subject: [PATCH 14/20] updates --- .../identity-protection/passkeys/index.md | 40 ++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 7dbd0f3728..1a4f6ac578 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -319,6 +319,15 @@ Some organizations restrict Bluetooth usage, which includes the use of passkeys. To limit the use of Bluetooth to only passkey use cases, use the [Bluetooth Policy CSP][CSP-8] and the [DeviceInstallation Policy CSP][CSP-7]. +To configure your devices you can use: + +- Microsoft Intune/MDM +- PowerShell + +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) + The following table provides an example of CSP settings to allow passkeys in a Bluetooth-restricted environment: | Setting | 
@@ -332,6 +341,35 @@ The following table provides an example of CSP settings to allow passkeys in a B To configure devices with Microsoft Intune, [you can use a Settings catalog policy][INT-1] or a [custom policy][INT-2]. +#### [:::image type="icon" source="../../images/icons/powershell.svg" border="false"::: **PowerShell**](#tab/powershell) + +```powershell +# Bluetooth configuration +$namespaceName = "root\cimv2\mdm\dmmap" +$className = "MDM_Policy_Config01_Bluetooth02" +New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ + ParentID="./Vendor/MSFT/Policy/Config"; + InstanceID="Bluetooth"; + AllowDiscoverableMode=0; + AllowAdvertising=0; + AllowPrepairing=0; + AllowPromptedProximalConnections=0; + ServicesAllowedList="{0000FFF9-0000-1000-8000-00805F9B34FB};{0000FFFD-0000-1000-8000-00805F9B34FB}" +} + + +# Device installation configuration +$namespaceName = "root\cimv2\mdm\dmmap" +$className = "MDM_Policy_Config01_DeviceInstallation02" +New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ + ParentID="./Vendor/MSFT/Policy/Config"; + InstanceID="DeviceInstallation"; + PreventInstallationOfMatchingDeviceIDs=']]>' +} +``` + +--- + ## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passkey**. @@ -354,4 +392,4 @@ To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the cate [CSP-5]: /windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist [CSP-6]: /windows/client-management/mdm/policy-csp-deviceinstallation#preventinstallationofmatchingdeviceids [CSP-7]: /windows/client-management/mdm/policy-csp-deviceinstallation -[CSP-8]: /windows/client-management/mdm/policy-csp-bluetooth +[CSP-8]: /windows/client-management/mdm/policy-csp-bluetooth \ No newline at end of file From dc04f2f0812582d4484197dbfeaf460952e6a008 Mon Sep 17 00:00:00 2001 
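Review bot: in the PowerShell hunk, `PreventInstallationOfMatchingDeviceIDs=']]>'` is only the closing bracket of a CDATA wrapper, and the matching Intune row shows an empty `Value`, so neither tab gives the reader the device ID that the description says disables the Bluetooth PAN adapter; supply the complete CDATA-wrapped policy value, including the PAN adapter's hardware ID, in both places before merging. Three smaller points on the same hunk: `New-CimInstance` fails when an instance of `MDM_Policy_Config01_Bluetooth02` or `MDM_Policy_Config01_DeviceInstallation02` already exists, so the script can't be re-run on a device that was already configured (query with `Get-CimInstance` and update with `Set-CimInstance` in that case); the `root\cimv2\mdm\dmmap` bridge only works from the SYSTEM account, which the tab should state so the script isn't run from an ordinary admin shell and fails; and `ServicesAllowedList` here lists `{0000FFF9-...};{0000FFFD-...}` while the Intune table has the two UUIDs in the opposite order, so align them rather than leave readers wondering whether order matters. In the last hunk, `[CSP-8]` is changed only to drop its trailing newline (`\ No newline at end of file`), an unintended whitespace change that should be reverted.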
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Aug 2024 15:37:42 -0400 Subject: [PATCH 15/20] added script --- .../identity-protection/passkeys/index.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 1a4f6ac578..c809cd6dec 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -319,16 +319,14 @@ Some organizations restrict Bluetooth usage, which includes the use of passkeys. To limit the use of Bluetooth to only passkey use cases, use the [Bluetooth Policy CSP][CSP-8] and the [DeviceInstallation Policy CSP][CSP-7]. -To configure your devices you can use: - -- Microsoft Intune/MDM -- PowerShell +>[!NOTE] +>Once the settings are applied, if you try to pair a device vua Bluetooth, it will initailly pair and immediately disconnect. The Bluetooth device is blocked from loading and not availabe from Settings nor Device Manager. [!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] -#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) -The following table provides an example of CSP settings to allow passkeys in a Bluetooth-restricted environment: +The following table contains a list of CSP settings to allow passkeys in a Bluetooth-restricted environment: | Setting | |--| @@ -339,10 +337,12 @@ The following table provides an example of CSP settings to allow passkeys in a B |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value: `{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value: ``

  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering. | -To configure devices with Microsoft Intune, [you can use a Settings catalog policy][INT-1] or a [custom policy][INT-2]. +To configure devices with Microsoft Intune, [you can use a custom policy][INT-2]. #### [:::image type="icon" source="../../images/icons/powershell.svg" border="false"::: **PowerShell**](#tab/powershell) +[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)] + ```powershell # Bluetooth configuration $namespaceName = "root\cimv2\mdm\dmmap" @@ -368,6 +368,8 @@ New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ } ``` +[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)] + --- ## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback @@ -382,7 +384,6 @@ To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the cate [KB-1]: https://support.microsoft.com/kb/5030310 [MSS-1]: ms-settings:savedpasskeys -[INT-1]: /mem/intune/configuration/settings-catalog [INT-2]: /mem/intune/configuration/custom-settings-configure [CSP-1]: /windows/client-management/mdm/policy-csp-bluetooth#allowadvertising From 6e16381ccdb1565c253a76e4317da4a7ac914015 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Aug 2024 15:47:03 -0400 Subject: [PATCH 16/20] chore: Update passkey configuration documentation for Bluetooth restrictions --- windows/security/identity-protection/passkeys/index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index c809cd6dec..9377e559e6 100644 
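Review bot: the new `>[!NOTE]` block in the first hunk has three typos (`vua`, `initailly`, `availabe`), and "not available from Settings nor Device Manager" should read "not available from either Settings or Device Manager". The larger gap is scope: it says "a device" will pair and immediately disconnect without saying which devices. With `ServicesAllowedList` limited to the U2F and FIDO2 UUIDs, that is every peripheral whose services fall outside those two (keyboards, mice, headsets), so say that explicitly, and say it is the intended effect of the policy, so admins don't report it as a Bluetooth fault. Dropping the Settings catalog sentence and the `[INT-1]` reference is consistent with the custom OMA-URI values the table lists. The `powershell-wmi-bridge-1`/`-2` includes wrapped around the script are the right place for the SYSTEM-context requirement of the `root\cimv2\mdm\dmmap` bridge; please confirm they carry it.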
--- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -319,14 +319,13 @@ Some organizations restrict Bluetooth usage, which includes the use of passkeys. To limit the use of Bluetooth to only passkey use cases, use the [Bluetooth Policy CSP][CSP-8] and the [DeviceInstallation Policy CSP][CSP-7]. ->[!NOTE] ->Once the settings are applied, if you try to pair a device vua Bluetooth, it will initailly pair and immediately disconnect. The Bluetooth device is blocked from loading and not availabe from Settings nor Device Manager. +### Device configuration [!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] #### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) -The following table contains a list of CSP settings to allow passkeys in a Bluetooth-restricted environment: +To configure devices with Microsoft Intune, [you can use a custom policy][INT-2] with these settings: | Setting | |--| @@ -337,8 +336,6 @@ The following table contains a list of CSP settings to allow passkeys in a Bluet |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value: `{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value: ``

  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering. | -To configure devices with Microsoft Intune, [you can use a custom policy][INT-2]. - #### [:::image type="icon" source="../../images/icons/powershell.svg" border="false"::: **PowerShell**](#tab/powershell) [!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)] @@ -372,6 +369,9 @@ New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ --- +>[!NOTE] +>Once the settings are applied, if you try to pair a device vua Bluetooth, it will initailly pair and immediately disconnect. The Bluetooth device is blocked from loading and not availabe from Settings nor Device Manager. + ## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passkey**. From fcfe5ebe1ad0b9ac32529414c1140c0b28bd773c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Aug 2024 16:00:44 -0400 Subject: [PATCH 17/20] chore: Update passkey configuration documentation for Bluetooth restrictions --- includes/configure/tab-intro.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/configure/tab-intro.md b/includes/configure/tab-intro.md index c9c293a8c5..31046b2203 100644 --- a/includes/configure/tab-intro.md +++ b/includes/configure/tab-intro.md 
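Review bot: moving the note below the `---` that closes the tab group is right, since it applies to both configuration paths, but it is moved verbatim, so `vua`, `initailly` and `availabe` travel with it; fix them in this patch rather than in follow-ups. The rewritten opening of the Intune tab, "To configure devices with Microsoft Intune, [you can use a custom policy][INT-2] with these settings:", narrows the audience compared with the earlier **Intune/MDM** tab name; the OMA-URIs in the table are generic Policy CSP paths, so "with Microsoft Intune or another MDM" would be more accurate.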
@@ -1,9 +1,9 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 08/15/2023 +ms.date: 08/20/2024 ms.topic: include ms.service: windows-client --- -The following instructions provide details how to configure your devices. Select the option that best suits your needs. \ No newline at end of file +The following instructions provide details about how to configure your devices. Select the option that best suits your needs. \ No newline at end of file From b7c781ad0bd15ee815131c9e127e03bd14b5154c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Aug 2024 16:03:07 -0400 Subject: [PATCH 18/20] chore: Update passkey configuration documentation for Bluetooth restrictions --- windows/security/identity-protection/passkeys/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 9377e559e6..2cf7429c80 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -370,7 +370,7 @@ New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ --- >[!NOTE] ->Once the settings are applied, if you try to pair a device vua Bluetooth, it will initailly pair and immediately disconnect. The Bluetooth device is blocked from loading and not availabe from Settings nor Device Manager. +>Once the settings are applied, if you try to pair a device via Bluetooth, it will initailly pair and immediately disconnect. The Bluetooth device is blocked from loading and not availabe from Settings nor Device Manager. ## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback From c9ac8c5d4e6b30858af03ed8a42a078027713f5b Mon Sep 17 00:00:00 2001 
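Review bot: `vua` to `via` is the only fix in the `index.md` hunk, but `initailly` and `availabe` sit on the same line and "from Settings nor Device Manager" still needs "either Settings or Device Manager"; one pass should correct all of them.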
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 22 Aug 2024 11:32:38 -0400 Subject: [PATCH 19/20] Acrolinx --- windows/security/docfx.json | 5 ++--- .../identity-protection/passkeys/index.md | 16 ++++++++-------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 63f4cd80a9..4981ff2978 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -65,6 +65,7 @@ "dstrome2", "garycentric", "jborsecnik", + "padmagit77", "rjagiewich", "rmca14", "shdyas", @@ -73,9 +74,7 @@ "traya1", "v-dihans", "v-stchambers", - "v-stsavell", - "padmagit77", - "aditisrivastava07" + "v-stsavell" ], "searchScope": [ "Windows 10" diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 2cf7429c80..be6abe05f7 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
@@ -31,7 +31,7 @@ FIDO protocols prioritize user privacy, as they're designed to prevent online se ### Passkeys compared to passwords -Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys are easy to create, don't need to be remembered, and don't need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They're highly secure because they're only stored on the user's devices, with the service only storing public keys. Passkeys are designed to prevent attackers to guess or obtain them, which helps to make them resistant to phishing attempts where the attacker may try to trick the user into revealing the private key. Passkeys are enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device. +Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys are easy to create, don't need to be remembered, and don't need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They're highly secure because they're only stored on the user's devices, with the service only storing public keys. Passkeys are designed to prevent attackers to guess or obtain them, which helps to make them resistant to phishing attempts where the attacker might try to trick the user into revealing the private key. Passkeys are enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device. 
[!INCLUDE [passkey](../../../../includes/licensing/passkeys.md)] @@ -113,7 +113,7 @@ Pick one of the following options to learn how to save a passkey, based on where :::row::: :::column span="4"::: - 4. Select your linked device name (e.g. **Pixel**) > **Next** + 4. Select your linked device name (for example, **Pixel**) > **Next** :::column-end::: :::row-end::: :::row::: @@ -241,7 +241,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="4"::: - 4. Select your linked device name (e.g. **Pixel**) > **Next** + 4. Select your linked device name (for example, **Pixel**) > **Next** :::column-end::: :::row-end::: :::row::: @@ -329,12 +329,12 @@ To configure devices with Microsoft Intune, [you can use a custom policy][INT-2] | Setting | |--| -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising][CSP-1]
  • Data type: **Integer**
  • Value: `0`

  • When set to `0`, the device won't send out advertisements. | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode][CSP-2]
  • Data type: **Integer**
  • Value: `0`

  • When set to `0`, other devices won't be able to detect the device. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowAdvertising][CSP-1]
  • Data type: **Integer**
  • Value: `0`

  • When set to `0`, the device doesn't send out advertisements. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowDiscoverableMode][CSP-2]
  • Data type: **Integer**
  • Value: `0`

  • When set to `0`, other devices can't detect the device. | |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPrepairing][CSP-3]
  • Data type: **Integer**
  • Value: `0`

  • Prevents specific bundled Bluetooth peripherals from automatically pairing with the host device. | |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[AllowPromptedProximalConnections][CSP-4]
  • Data type: **Integer**
  • Value: `0`

  • Prevents users from using Swift Pair and other proximity-based scenarios. | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value: `{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | -|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value: ``

  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value: `{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information, see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | +|
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value: ``

  • Disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering. | #### [:::image type="icon" source="../../images/icons/powershell.svg" border="false"::: **PowerShell**](#tab/powershell) @@ -370,7 +370,7 @@ New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ --- >[!NOTE] ->Once the settings are applied, if you try to pair a device via Bluetooth, it will initailly pair and immediately disconnect. The Bluetooth device is blocked from loading and not availabe from Settings nor Device Manager. +>Once the settings are applied, if you try to pair a device via Bluetooth, it will initially pair and immediately disconnect. The Bluetooth device is blocked from loading and not available from Settings nor Device Manager. ## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback From f024459293b01c7b8fd2b6dc31ccd613ffbdd1c2 Mon Sep 17 00:00:00 2001 From: Padma Jayaraman Date: Thu, 22 Aug 2024 22:54:00 +0530 Subject: [PATCH 20/20] Update docfx.json Removed 2 v dash IDs that were not required --- windows/security/docfx.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 4981ff2978..1a7808e2b1 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -72,8 +72,6 @@ "Stacyrch140", "tiburd", "traya1", - "v-dihans", - "v-stchambers", "v-stsavell" ], "searchScope": [
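Review bot: a few things the Acrolinx pass missed in `index.md`. In the first hunk, "Passkeys are designed to prevent attackers to guess or obtain them" is still ungrammatical after the `may`/`might` change; it should be "prevent attackers from guessing or obtaining them". In the last hunk the note still reads "not available from Settings nor Device Manager" (use "either Settings or Device Manager"). In the table hunk, the `PreventInstallationOfMatchingDeviceIDs` row keeps an empty `Value` while its description now says it "Disables the existing Bluetooth Personal Area Network (PAN) network adapter"; the device ID to deny must be filled in or the row is unusable. Minor: in the `ServicesAllowedList` row the U2F UUID is lowercase in the bullet and uppercase in `Value`; use one casing. Separately, the `docfx.json` hunk moves `padmagit77` into sorted position but also drops `aditisrivastava07`, which is unrelated to an Acrolinx commit and should be mentioned in the message or split out.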