From dc04f2f0812582d4484197dbfeaf460952e6a008 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Aug 2024 15:37:42 -0400 Subject: [PATCH] added script --- .../identity-protection/passkeys/index.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 1a4f6ac578..c809cd6dec 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -319,16 +319,14 @@ Some organizations restrict Bluetooth usage, which includes the use of passkeys. To limit the use of Bluetooth to only passkey use cases, use the [Bluetooth Policy CSP][CSP-8] and the [DeviceInstallation Policy CSP][CSP-7]. -To configure your devices you can use: - -- Microsoft Intune/MDM -- PowerShell +>[!NOTE] +>Once the settings are applied, if you try to pair a device vua Bluetooth, it will initailly pair and immediately disconnect. The Bluetooth device is blocked from loading and not availabe from Settings nor Device Manager. [!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] -#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) -The following table provides an example of CSP settings to allow passkeys in a Bluetooth-restricted environment: +The following table contains a list of CSP settings to allow passkeys in a Bluetooth-restricted environment: | Setting | |--| @@ -339,10 +337,12 @@ The following table provides an example of CSP settings to allow passkeys in a B |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Bluetooth/`[ServicesAllowedList][CSP-5]
  • Data type: **String**
  • Value: `{0000FFFD-0000-1000-8000-00805F9B34FB};{0000FFF9-0000-1000-8000-00805F9B34FB}`

    Set a list of allowable Bluetooth services and profiles:
    - FIDO Alliance Universal Second Factor Authenticator service (`0000fffd-0000-1000-8000-00805f9b34fb`)
    - FIDO2 secure client-to-authenticator transport service (`0000FFF9-0000-1000-8000-00805F9B34FB`)

    For more information see [FIDO CTAP 2.1 standard specification][BT-1] and [Bluetooth Assigned Numbers document][BT-2]. | |
  • OMA-URI: `./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/`[PreventInstallationOfMatchingDeviceIDs][CSP-6]
  • Data type: **String**
  • Value: ``

  • This configuration disables the existing Bluetooth Personal Area Network (PAN) network adapter, preventing the installation of the Bluetooth Network Adapter that can be used for network connectivity or tethering. | -To configure devices with Microsoft Intune, [you can use a Settings catalog policy][INT-1] or a [custom policy][INT-2]. +To configure devices with Microsoft Intune, [you can use a custom policy][INT-2]. #### [:::image type="icon" source="../../images/icons/powershell.svg" border="false"::: **PowerShell**](#tab/powershell) +[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)] + ```powershell # Bluetooth configuration $namespaceName = "root\cimv2\mdm\dmmap" @@ -368,6 +368,8 @@ New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ } ``` +[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)] + --- ## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback @@ -382,7 +384,6 @@ To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the cate [KB-1]: https://support.microsoft.com/kb/5030310 [MSS-1]: ms-settings:savedpasskeys -[INT-1]: /mem/intune/configuration/settings-catalog [INT-2]: /mem/intune/configuration/custom-settings-configure [CSP-1]: /windows/client-management/mdm/policy-csp-bluetooth#allowadvertising
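Review bot: The `>[!NOTE]` added in the first hunk (@@ -319,16 +319,14 @@) has three misspellings: "vua" should be "via", "initailly" should be "initially", and "availabe" should be "available". The closing clause "not availabe from Settings nor Device Manager" would also read better as "not available in Settings or Device Manager".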
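Review bot: In the second hunk (@@ -339,10 +337,12 @@), the rewritten Intune sentence keeps the verb phrase inside the link text: `[you can use a custom policy][INT-2]`. Limit the link to the noun phrase, as the removed line already did for its second link (`[custom policy][INT-2]`), so the sentence reads "you can use a [custom policy][INT-2]".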
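Review bot: The last hunk (@@ -382,7 +384,6 @@) deletes the `[INT-1]` reference definition, and the only use this patch removes is the one in the Intune sentence of the second hunk. Confirm that no other `[...][INT-1]` reference remains elsewhere in index.md, because a leftover one would no longer resolve to a link.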