Hi everybody,
We've deployed a lot of Team Room Systems where I work and encountered the dreaded "autologon" issue. I opened a ticket with MS Support but didn't get any help. I am posting my experience here and the solution in case it helps someone out there.
First, some background about our Team Room Systems (you can then decide if you are in a similar environment)...
- All our Team Room Systems are domain joined to our Active Directory. This also creates an object for them in Azure AD and it enrolls the computer account of the room in InTune.
- All of them have a GPO applied to them that pushes the "AutoAdminLogon" and all the other appropriate settings to make sure the rooms start correctly and autologin with the "Skype" user account after their daily reboots.
- Keep in mind that we also use InTune to manage mobile devices and some Windows 10 devices (this becomes important later).
The issue...
As many others have experienced with their Team Room Systems, the "autologon" feature did not work or stopped working for unknown reasons.
For us, if we looked on the affected Team Room Systems, we could see the warning "The autologon setting has been removed because the EAS policy is set" in Event Viewer -> Applications and Services Logs\Microsoft\Windows\Authentication\Operations.
And if we looked in the Registry, under "HKLM\SYSTEM\CurrentControlSet\Control\EAS", there was a "Policies" folder with a value of "5" in it.
If we deleted the "HKLM\SYSTEM\CurrentControlSet\Control\EAS\Policies" registry folder (and MDM sub-folder) and rebooted the room, the problem was temporarily resolved... but something was adding back the "Policies" folder and settings in the registry during the course of the day and the problem would just come back the next day.
The root cause...
1 word: InTune.
But to be more specific... 3 words: something in InTune.
I did a lot of research and I discovered that something in InTune was pushing a very specific registry key down to the Team Room Systems (more on that in the "solutions" below).
Unfortunately, I looked like a mad man at all our InTune compliance policies and settings that we push down and I could not find the exact InTune Compliance Policy or InTune Configuration Profile that was pushing down the "DeviceLock" features that you will read about in the next section... so let's jump to the solution...
The solution to my problem (and hopefully yours)...
Part 1 - Check if this solution applies to you...
- Log into your Team Room System and open up the Registry Editor.
- Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\"
- There will be a folder with a GUID under the "Accounts" key: make a note of the GUID that is shown there. That is your "EnrollmentID". It's some sort of magical GUID that links that specific machine to your InTune subscription. Note that the EnrollmentID is unique per machine.
- Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers" and locate the folder under that key that has the same GUID as your EnrollmentID.
- Under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\[ENROLLMENTID]\default\Device\" check to see if you have a "DeviceLock" folder.
- If you have a "DeviceLock" folder, check to see if you have keys like "DevicePasswordEnabled", "AllowSimpleDevicePassword", etc...
- IF you have those keys then this solution should apply to you...
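The checks in Part 1 as a script, added here as an example (it is not code from the original post). It assumes the registry paths quoted above and an elevated PowerShell session on the room; the function names are my own.

```powershell
# Added example, not from the original post. Reads the same keys the post checks by hand.
function Get-MdmEnrollmentId {
    # Each MDM enrollment is a GUID-named subkey under OMADM\Accounts (the "EnrollmentID")
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^[0-9A-Fa-f-]{36}$' }
}

function Get-RegistryValues {
    param([string]$Path)
    # Returns "Name = Value" strings for every value under a key, or nothing if the key is absent
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-Item $Path
    foreach ($name in $key.Property) { "$name = $($key.GetValue($name))" }
}

function Test-MdmDeviceLockPolicy {
    $enrollmentIds  = @(Get-MdmEnrollmentId)
    $providerValues = @()
    foreach ($id in $enrollmentIds) {
        # Per-provider copy of the DeviceLock policy pushed down through MDM
        $path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$id\default\Device\DeviceLock"
        $providerValues += @(Get-RegistryValues $path | ForEach-Object { "$id : $_" })
    }
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        EnrollmentIds      = $enrollmentIds
        EasPoliciesPresent = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\EAS\Policies'
        ProviderDeviceLock = $providerValues
        # The "current" key holds the winning values that are actually in effect
        CurrentDeviceLock  = @(Get-RegistryValues 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock')
        AutoAdminLogon     = $winlogon.AutoAdminLogon
        DefaultUserName    = $winlogon.DefaultUserName
        # The post's criterion: DeviceLock values present under the provider key means this fix applies
        FixApplies         = ($providerValues.Count -gt 0)
    }
}

Test-MdmDeviceLockPolicy | Format-List
```

Run it on a healthy room as well as an affected one; the healthy one should show no DeviceLock values and AutoAdminLogon set to 1.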
So, if you see the "DeviceLock" keys mentioned in the steps above, try the following...
Part 2 - Exclude the Team Room System(s) from InTune...
- Create a security group in AD or in Azure AD (do as appropriate in your environment) and call it "Team Room Systems - InTune Exclusion" (or whatever you want).
- In that new security group, put all the computer accounts of your Team Room Systems.
- Now, log into InTune.
- Go to "Devices -> Compliance Policies".
- In each Windows 10 Compliance Policy listed there, add the group you created with the rooms as an Exclusion to the policy (it's in the "Assignment" section of the policy).
- Once you have modified all your Windows 10 Compliance Policies, go to "Devices -> Configuration Profiles".
- In each Windows 10 Configuration Profile listed there, add the group you created with the rooms as an Exclusion to the profile.
Part 3 - Clean up the Team Room System(s) registry...
The "catch-22" with InTune is that not all settings that are pushed down to the registry are deleted or "reverted" when a machine is excluded from InTune... so you need to do some manual cleanup in this case.
- Log into your Team Room System.
- First, let's "sync" the changes from InTune by going to "Start -> Settings -> Accounts -> Access work or school".
- Click on "Connect to [CompanyName Azure AD]" and then click on "Info".
- In the "Managed by CompanyName" screen, scroll down and click on "Sync".
- Wait for the sync to finish.
- Now for the fun part: open up the Registry Editor.
- Go to the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EAS" key.
- Under the "EAS" key, delete the "Policies" folder (and MDM sub-folder if it exists).
- Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\"
- There will be a folder with a GUID under that "Accounts" key: make a note of the GUID that is shown there. That's your "EnrollmentID".
- Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers" and locate the folder under that key that has the same GUID as your EnrollmentID.
- Under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\[ENROLLMENTID]\default\Device\" go to the "DeviceLock" folder.
- Delete all the keys in the "DeviceLock" folder: keys like "DevicePasswordEnabled", "AllowSimpleDevicePassword", "AlphanumericDevicePasswordRequired" should be deleted. Seriously, feel free to delete all the keys in there.
- Now, this is important, go to the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock" registry folder.
- This is where the settings from each Policy Provider are copied into and this indicates which settings are currently active! So, you need to delete all the keys you find in there... for example "DevicePasswordEnabled", "DevicePasswordEnabled_ProviderSet", "DevicePasswordEnabled_WinningProvider", "AllowSimpleDevicePassword", "AllowSimpleDevicePassword_ProviderSet", etc, etc... there might be a bunch of keys in there to delete so have fun deleting them all.
- Once your "spring cleanup" of the registry is done, open a command prompt in admin mode.
- Issue a good ol' GPUPDATE /FORCE to ensure that the "AutoAdminLogon" and other settings that are supposed to be pushed by your GPO are applied to your domain-joined Team Room System and are set correctly.
- If you want to be paranoid, go back to the Registry Editor and then go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"... and verify that "AutoAdminLogon" is set to "1" and that "DefaultUserName" is set to "Skype" as it should be (as per your GPO).
- When you are ready, close everything and reboot the Team Room System.
- Finally, over the next few days, monitor the room to make sure the "Auto Logon" thing works correctly.
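The registry cleanup from Part 3 as a script, added here as an example (not code from the original post). It assumes the same paths quoted above, an elevated session, and that the Intune exclusion has already synced; the function name is my own, and running it with -WhatIf lists what would be removed without touching anything.

```powershell
# Added example, not from the original post. Scripts the manual deletions of Part 3.
function Clear-MdmDeviceLockPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Keys removed whole (the EAS Policies key takes its MDM subkey with it)
    $keysToRemove = @('HKLM:\SYSTEM\CurrentControlSet\Control\EAS\Policies')

    # Keys emptied of their values: the "current" (winning) copy plus each provider's copy
    $keysToEmpty = @('HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock')
    $accounts = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts' -ErrorAction SilentlyContinue
    foreach ($acct in $accounts) {
        if ($acct.PSChildName -match '^[0-9A-Fa-f-]{36}$') {
            $keysToEmpty += "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$($acct.PSChildName)\default\Device\DeviceLock"
        }
    }

    foreach ($key in $keysToRemove) {
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove key and subkeys')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }
    foreach ($key in $keysToEmpty) {
        if (-not (Test-Path $key)) { continue }
        foreach ($name in (Get-Item $key).Property) {
            if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove value')) {
                Remove-ItemProperty -Path $key -Name $name -Force
            }
        }
    }

    # Re-apply the GPO so Winlogon gets its autologon values back, then show what is in place
    if ($PSCmdlet.ShouldProcess('Group Policy', 'gpupdate /force')) {
        gpupdate /force | Out-Null
    }
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' |
        Select-Object AutoAdminLogon, DefaultUserName
}

# Dry run first; drop -WhatIf (and reboot afterwards) once the list looks right
Clear-MdmDeviceLockPolicy -WhatIf
```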
As I said, this is what "fixed" it for me... hopefully, this will help someone, somewhere or at least give you a clue that will point you in the right direction... and good luck!
Marc