How are you blocking Wi-Fi/Bluetooth across HP fleets in enterprise without constant hardware ID maintenance?
Posted by charanreddy234@reddit | sysadmin | 33 comments
Hi everyone,
I’m working on a requirement in our environment where we need to block Wi-Fi and Bluetooth on HP machines only, while making sure normal wired Ethernet/network adapters continue working without issues.
We manage the machines through Active Directory / Group Policy, and I’m trying to figure out the best long-term/enterprise-friendly way to do this.
We want to:
- Disable/block Wi-Fi
- Disable/block Bluetooth
- Keep wired NIC/Ethernet working normally
- Make the solution scalable across HP models
- Avoid too much manual maintenance if possible
From what I’ve learned so far, blocking by hardware ID seems very accurate, but it only works if you know every Wi-Fi/Bluetooth hardware ID in the environment.
That becomes difficult because HP devices can have different wireless chipsets/vendors depending on model (Intel, Realtek, Qualcomm, MediaTek, etc.), and new/future HP models may introduce new IDs.
1. Blocking by hardware ID via GPO
Using:
- Prevent installation of devices that match any of these device IDs
Examples:
- PCI\VEN_8086&DEV_02F0
- PCI\VEN_8086&DEV_7AF0
Concern:
Seems effective, but maintenance-heavy if we have to keep updating IDs for every model/new hardware.
2. Using class/compatible ID like PCI\CC_0280
My understanding is this may catch many wireless/“other network controller” devices.
Concern:
Not sure if this is reliable enough or if it may miss devices / affect unintended ones.
3. Blocking Bluetooth via class GUID
Using:
{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
This seems easier/more straightforward for Bluetooth.
4. Disabling WLAN/Bluetooth services
Like:
- WLAN AutoConfig
- Bluetooth Support Service
Concern:
Feels more like a workaround since the device still exists and could potentially be re-enabled.
5. BIOS/UEFI disabling
They said no to this approach.
My Question
For those who manage HP fleets in enterprise:
What’s the best real-world approach you use to block Wi-Fi/Bluetooth with the strongest coverage and least maintenance?
Specifically:
- Is hardware ID blocking the only truly reliable GPO method?
- Has anyone had success using PCI\CC_0280 broadly for Wi-Fi?
- How do you handle future/new HP models without constantly updating GPO?
- What layered approach would you recommend for the strongest enforcement?
- Does a WMI filter based on manufacturer work? Example: WMI filter for HP devices only:
  SELECT * FROM Win32_ComputerSystem
  WHERE Manufacturer LIKE "%HP%"
  OR Manufacturer LIKE "%Hewlett-Packard%"
Looking for practical advice from people who’ve implemented this in production.
Thanks in advance.
OinkyConfidence@reddit
My brother in Christ, if you're writing this long of a Reddit post for disabling WiFi & Bluetooth, just open up the laptops and remove the WiFi/Bluetooth adapter. It's one small removable card inside the laptop.
Or disable in BIOS.
charanreddy234@reddit (OP)
Honestly, they said no to these methods and are looking to achieve it by the group policy method from Active Directory. That's where we're stuck now.
BrainWaveCC@reddit
That's not how group policy works.
If you want to force all HP machines into one OU tree, then have fun with that.
viral-architect@reddit
Use WMI filters and remove authenticated users from the ACL, add an AD security group made up of the machines to block. New HPs get added to that GPO group.
sryan2k1@reddit
You can filter any GPO with WMI. It would be trivial to apply this to only specific manufacturers or models.
Frothyleet@reddit
I am not sure GPO is the right answer for the OP, but not sure what you are talking about here. No reason you couldn't use WMI filtering on your GPOs to scope them to the target machines, rather than managing it with OU structure.
randomman87@reddit
Who said no? Your job as the admin is to tell them feasible ways to do this. You could even email your HP rep and have them confirm BIOS is the way to do this.
skylinesora@reddit
Yes it’s his job as an admin to tell them feasible ways to do it but if management wants to do it via software means, then so be it
Flaky-Gear-1370@reddit
lol this is so obviously an AI post - look at the responses, who starts sentences with things like "honestly"
Anyway, use the BIOS management tools to do it en masse
trueg50@reddit
Seriously, the super weird bolding and layout is 100% AI. Anytime I see that I walk away.
TinderSubThrowAway@reddit
Why? Why do you need to block wifi and bluetooth?
burundilapp@reddit
PowerShell deployed by GPO; get the PowerShell to talk to Windows to find the Wi-Fi and Bluetooth adapters and then disable those hardware devices. In theory it should work for any device you choose to run the script on, but you could put limits in the script itself and just fire it at everything.
trueppp@reddit
Buy PCs without Wi-Fi/Bluetooth or just physically remove the card.
charanreddy234@reddit (OP)
Fair point, and I agree that removing the hardware / buying systems without Wi-Fi/Bluetooth would be the cleanest and most foolproof option.
In our case though, the machines are already deployed, so I’m trying to figure out the best scalable way to handle it through policy/software controls.
Have you seen any reliable approach in enterprise using GPO when physical removal isn’t practical?
pdp10@reddit
You should have mentioned this secret requirement in your already-lengthy post.
charanreddy234@reddit (OP)
Sorry about that
GhostandVodka@reddit
Don't be sorry of course they are already deployed. That is why you are here. These fucking autists man.
cmorgasm@reddit
If you're using Intune, HP Connect directly integrates with it and would allow you to disable them from the BIOS, it would make the changes via a remediation script. If not using Intune, HP has tools available, I can't recall the name currently, that would let you script out BIOS changes.
xCharg@reddit
Write a script that disables the Wi-Fi adapter and Bluetooth adapter, test on a few, then deploy on everything. That has to be a couple of lines' worth of PowerShell.
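An added example of the script burundilapp and xCharg describe, not code from the thread: it enumerates the Wi-Fi and Bluetooth devices, prints the hardware and compatible IDs the OP needs for the "Prevent installation" GPO list (answering the "how do I know every ID" concern without guessing chipset vendors), and only disables devices when run with -Disable. It assumes Windows 10/11 with the built-in PnpDevice and NetAdapter modules, run elevated (e.g. as a GPO computer startup script); the HP manufacturer guard mirrors the WMI filter from the post.

```powershell
# Added example (not from the thread). Default mode is report-only; -Disable enforces.
param(
    [switch]$Disable
)

# Guard: act only on HP hardware, the same test the post's WMI filter performs.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.Manufacturer -notmatch 'HP|Hewlett-Packard') {
    Write-Output "Not HP ('$($cs.Manufacturer)'), exiting."; exit 0
}

# Wi-Fi: physical adapters whose media type is 802.11. Wired NICs report '802.3'
# and are therefore never selected, so Ethernet keeps working.
$wifi = Get-NetAdapter -Physical -IncludeHidden |
    Where-Object PhysicalMediaType -eq 'Native 802.11' |
    ForEach-Object { Get-PnpDevice -InstanceId $_.PnpDeviceID }

# Bluetooth: the whole setup class {e0cbf06c-cd8b-4647-bb8a-263b43f0f974},
# which also covers USB dongles a user plugs in later.
$bt = Get-PnpDevice -Class Bluetooth -PresentOnly -ErrorAction SilentlyContinue

foreach ($dev in (@($wifi) + @($bt) | Where-Object { $null -ne $_ })) {
    # HardwareIds are the strings the GPO expects (PCI\VEN_xxxx&DEV_xxxx..., or
    # USB\VID_xxxx&PID_xxxx for the Bluetooth function of combo cards).
    # CompatibleIds carry the class code (e.g. PCI\CC_0280) behind option 2 in the post.
    $hw  = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
    $cid = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_CompatibleIds').Data
    [pscustomobject]@{
        Class         = $dev.Class
        Device        = $dev.FriendlyName
        Status        = $dev.Status        # 'Error' here means already disabled (problem code 22)
        InstanceId    = $dev.InstanceId
        HardwareIds   = ($hw  -join ' ; ')
        CompatibleIds = ($cid -join ' ; ')
    } | Format-List | Out-String | Write-Output

    # Idempotent enforcement: re-disables anything a local admin turned back on.
    if ($Disable -and $dev.Status -eq 'OK') {
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Continue
        Write-Output "Disabled: $($dev.FriendlyName)"
    }
}
```

Run it in report mode on one machine per model and collect the HardwareIds column centrally to build the GPO list; pairing the script with that GPO (with "also apply to matching devices that are already installed" ticked) keeps the device blocked even if someone re-enables it in Device Manager.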
EconomyArmy@reddit
For Wi-Fi:
1. Have you used this GPO? Computer Configuration -> Administrative Templates -> Network -> Windows Connection Manager. Enable the policy and select 3 = Prevent Wi-Fi when on Ethernet.
2. Why not put a Wi-Fi profile GPO to force the machine to join a restricted SSID which is empty?
For blocking device ID (VID/PID):
1. What if a user plugs in another USB Wi-Fi/Bluetooth dongle?
randomman87@reddit
Disable in BIOS/UEFi with HP CMSL. Setting name may vary slightly between generations so be careful. You can use the CMSL and whatever endpoint system you have to initially pull a report of all available settings before pushing a config out.
Furki1907@reddit
Funny how this is not top upvoted - only clean way to do it, works flawlessly for us.
sryan2k1@reddit
Are you an MSP? This is a massive XY problem, but anyway, turn it off in the BIOS/UEFI with the HP tools so it can be scriptable. For Dell this would be CCTK, but for HP I don't know what their tooling is like.
Frothyleet@reddit
Disable it in the BIOS. HP will have tools to do this.
Careful-Criticism645@reddit
Why on HP machines only?
charanreddy234@reddit (OP)
I don't know why only HP. Maybe some requirement that Wi-Fi and Bluetooth should be disabled via group policies.
Frothyleet@reddit
You should figure out the "why" of the request, for most every request you get, because sometimes the "why" reveals that you have an XY problem and there are better solutions.
alraffa218@reddit
How many machines are we talking here? Are all the machines part of the domain, or might you also have workgroup or BYOD devices in future?
Respond back with the answers in DM, and I will probably be able to help you out with a solution.
charanreddy234@reddit (OP)
We have a large number of HP machines already joined to the domain and spread across different OUs.
What I’m trying to do is block Wi-Fi and Bluetooth through GPO, and use a WMI filter so the policy only targets HP devices.
The main challenge I’m stuck on is Wi-Fi blocking.
My concern is trying to figure out the most practical/scalable way to handle this without creating gaps or excessive maintenance.
Emkkusof_88@reddit
Can you bend the rules of the BIOS restriction so you use GPO but actually run a script that disables the devices at BIOS level? You were asked to do this with GPO and you did? Kind of...
I looked at my old PDQ tasks to see how that has been done on ProBooks and EliteBooks. You may need to add something like "get-computerinfo | Select-Object CsManufacturer" to get the computer manufacturer resolved. Another option is to use a WMI filter with GPO.
That bios_config.txt file contains the text below. As you can see, you can pretty accurately disable or enable any device. Then you use the same tool to add a BIOS password so nobody will enable the devices again.
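An added example for the firmware route that randomman87 (HP CMSL, "pull a report of all available settings first") and Emkkusof_88 (set the devices, then set a BIOS password) describe; it is not code from the thread or from HP. It assumes the HP Client Management Script Library is installed (module name HPCMSL) and runs elevated on an HP machine; the regex, the 'Disable' value string and $BiosPassword are assumptions to be checked against the report for each model, since setting names differ between generations.

```powershell
# Added example (not from the thread). Report first; nothing is written unless -Apply is given.
param(
    [switch]$Apply,
    [string]$BiosPassword   # existing BIOS setup password, if one is already set
)
Import-Module HPCMSL -ErrorAction Stop

# Step 1: report. Names vary per generation ('Wireless Network Device', 'Bluetooth', ...),
# so list what this model actually exposes instead of hard-coding names. Review the
# output: 'Wireless' can also match WWAN settings you may not want to touch.
$candidates = Get-HPBIOSSettingsList |
    Where-Object { $_.Name -match 'Wireless|WLAN|Wi-?Fi|Bluetooth' } |
    Select-Object Name, Value
$candidates | Format-Table -AutoSize | Out-String | Write-Output

if (-not $Apply) { return }

# Step 2: apply, only to settings the report found, skipping ones already disabled.
foreach ($s in $candidates) {
    if ($s.Value -match 'Disable') { Write-Output "Already disabled: $($s.Name)"; continue }
    $params = @{ Name = $s.Name; Value = 'Disable' }   # exact value string is an assumption
    if ($BiosPassword) { $params.Password = $BiosPassword }
    try {
        Set-HPBIOSSetting @params
        Write-Output "Set '$($s.Name)' = Disable"
    } catch {
        Write-Warning "Failed on '$($s.Name)': $($_.Exception.Message)"
    }
}
# Step 3 (as Emkkusof_88 suggests): lock Setup so users cannot re-enable the devices.
# Set-HPBIOSSetupPassword -NewPassword '<placeholder-from-your-password-vault>'
```

Run it without -Apply on one machine of each model and keep the reports; that is the same "report before config" workflow randomman87 recommends, and it shows you the exact names to put in the bios_config.txt for BCU if you use that tool instead.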
pdp10@reddit
You haven't mentioned anything but the software side. For instance, are these all sitting in a classroom? Do the users have administrative rights?
Seems to me that firmware disabling is the easiest option if you have physical access to these. Certainly easier than pulling the Wi-Fi/Bluetooth M.2 cards, which could be the next-best option. And you haven't mentioned just removing the driver.
It seems to me that you have some hidden requirements or some assumptions that it should be done in software.
rickAUS@reddit
Couldn't you just disable the wlansrv and bthserv services? Can definitely do that with GPO
JerikkaDawn@reddit
They said no to the correct answer.