Enrolling Microsoft Teams Rooms on Windows devices with Microsoft Endpoint Manager
Published Mar 03 2022 02:30 PM

By Lothar Zeitler – Senior Program Manager | Microsoft Endpoint Manager – Intune

 

This article covers some methods to help enroll and configure Windows-based Microsoft Teams Rooms devices with Microsoft Endpoint Manager - Intune. Teams Rooms comes with a specially configured Windows 10 image supplied by the original equipment manufacturer (OEM). Successful installation and deployment of Teams Rooms requires preparation, such as account provisioning and a device deployment and enrollment strategy. For detailed information to help you plan your Teams Rooms deployments, see Deployment overview - Microsoft Teams Rooms.

 

Note: Microsoft Teams devices can be managed in the Teams admin center or in Microsoft Teams Rooms Managed Services. Mobile device management (MDM) enrollment is not part of the default installation process for Teams devices. Windows Autopilot enrollment is not supported.

 

Teams Rooms Intune enrollment methods

There are two methods for enrolling Teams Rooms Windows devices in Intune. Our recommended method is to use bulk enrollment, which allows you to also set up the device in shared device mode. For detailed instructions, see Bulk enrollment for Windows devices and the blog post Bulk join a Windows device to Azure AD and Microsoft Endpoint Manager using a provisioning package.

 

The other method is to use a Teams resource or DEM account to enroll the device in Intune. Please note that these steps must be done manually, and you will need to give passwords to local technicians. Additionally, keep in mind that a Teams resource account will have privileges on Exchange (read/write calendar, browse/search in the GAL), Teams (chats, call, meeting, etc.), as well as read in Azure AD.

 

From a license perspective, everything you need to register the device in Azure Active Directory (Azure AD) and enroll it in Intune is already covered by the Microsoft Teams Rooms licenses.

 

 

Table comparing Microsoft Teams Rooms Standard and Microsoft Teams Rooms Premium across the following rows:

  • Microsoft Teams
  • Phone System
  • Audio Conferencing
  • Microsoft Intune
  • Azure Active Directory P1
  • Worldwide Availability
  • Channel Availability: EA, EAS, CSP, Web Direct (Standard); EA, EAS, CSP, Web Direct (Premium)
  • Managed Services

 

 

Refer to the Microsoft Teams documentation for specific availability details and limits: Teams Meeting Room Licensing Update.

 

Onboard existing, unenrolled Teams Rooms 

Your organization might already have unmanaged Teams Rooms Windows devices in operation that are set up with local user accounts. The local account is used to perform an automated sign in to Windows, while the Teams app on these devices is using the Azure AD Teams resource account to sign in. However, the Teams Rooms device isn’t registered with Azure AD or Intune.

 

There are two options for registering and enrolling these devices. The first option is to use a resource account to register and enroll the device. The second and preferred option is to create a provisioning package with Windows Configuration Designer and apply this to a Teams Rooms device. This will restart the device and apply the settings (for example, a computer name), and join it to Azure AD.

 

Before we get started, let’s ensure that we have a dynamic group in Azure AD that adds all the Teams Rooms devices. This helps to identify which devices to apply Teams Rooms-related settings and policies to, and will handle them as a group, separate from other Windows devices.

 

To learn more about Teams device enrollment and policies, see the blog post Managing Microsoft Teams Rooms with Intune.

 

In our example scenario, we use a naming convention to include “MTR” to help identify Teams Rooms. Then, in the rule we use the name as the criteria and create a rule to add every computer containing “MTR” to the group.

 

Screenshot showing a dynamic membership rule with the following rule syntax: (device.displayName -contains "MTR").

 

Check if the computer name follows a standard. There is no name generation for Teams Rooms devices that are installed only as “workgroup” computers. Instead, generic names such as “Desktop-1234” will be used.

 

Enroll devices with a resource account

Using a resource account to register Teams Rooms devices is a manual process. On the device user interface, select More (…) and then select Settings.

 

Image of the Teams UI showing the "More" option with an ellipsis icon.

 

Image of the Teams UI showing the "Settings" option with a gear icon.

 

Confirm that you are signing in with a local Administrator account and enter the password.


In the Settings menu, choose Windows Settings and you will be prompted to sign in with an Administrator account again. Save and exit Teams.

 

Image of the Settings menu in Teams, showing the "Windows Settings" option on the bottom left.

 

From the Windows Start menu, open Settings, select Accounts, and then select Access work or school. On the Set up a work or school account dialog, under Alternate actions, select Join this device to Azure Active Directory.

 

A screenshot showing the "Microsoft account - Set up a work or school account" pop-up, with "Join this device to Azure Active Directory" selected at the bottom.

 

Sign in with the resource account credentials. Keep in mind that the resource account is added to the local machine and uses Administrator credentials. However, in Azure AD the user does not have any rights.

 

A screenshot of the "Make sure this is your organization" pop-up, showing "User type: Administrator" to confirm you are signed in with Administrator credentials.

 

If the connection was successful, you’ll see the account under Access work or school.

 

A screenshot of the "Settings - Access work or school" menu that shows a connected Azure AD account.

 

After the device has joined Azure AD it will appear in Intune as a Windows device. We used a user account for enrollment, so the device is mapped to the resource account, as we can see in the Primary user field.

 

An image of the device "Overview" page in the Microsoft Endpoint Manager admin center, showing the "Primary user" field.

 

Typically, these types of devices are considered shared devices, so you should manually remove the primary user. Select Properties, and then select Remove primary user and select Save at the top of the page.

 

Note: You can use a DEM account to enroll Teams Rooms devices in the same way. However, the DEM account will become the primary user of the device, and you’ll need to remove it as well. A benefit of using a DEM account over a resource account is that the DEM account can only enroll devices and will not have any rights to access mailboxes, calendars etc.

 

An image of the device "Properties" page in the Microsoft Endpoint Manager admin center, showing the option to "Remove primary user".

 

You’ll see a notification that the device will now operate in shared mode.

 

An image of the warning message that you will get if you choose to remove the primary user: "Removing the primary user of a device configures it to operate in shared mode. In this mode, users, including the previously assigned primary user, can no longer self-service this device in the Company Portal. Learn more [link]".

 

At this point, we have successfully enrolled Teams Rooms in Intune. In the next section, we’ll review how to bulk enroll Teams Rooms using a Windows Configuration Designer package.

 

Enroll devices with Windows Configuration Designer

An easy way to enroll Teams Rooms Windows devices is with a Windows Configuration Designer provisioning package. First, install Windows Configuration Designer from the Windows Store: https://www.microsoft.com/store/productId/9NBLGGH4TX22.

 

Open Windows Configuration Designer—it should look like this:

A screenshot of the Windows Configuration Designer UI that has different options to create different types of provisioning packages, or open a recent project.

 

For our example, we select Provision desktop devices to create a new project, add a name, the project folder path, and an optional description, and then select Finish.

 

An image of the New project page in Windows Configuration Designer, where you add a project name, browse for the project folder, and add a description. For our example, we add the name "MTR Provisioning package" and the description "Configuration package for Windows MTR devices". Our example folder location is blurred out.

 

In the package definition, you can specify some rules for the computer name. For this example, we want to ensure that every device starts with “MTR” followed by a three-digit random number. We use the value: MTR-%RAND:3%

 

Note:

  • To add already existing Teams Rooms devices to a dynamic group, it is recommended to configure the Device Name in the provisioning package.
  • Make sure to disable the Configure devices for shared use setting. If you allow this option, Windows Teams Rooms devices will not allow local sign-ins.

A screenshot of the new project tab ("MTR Provisioning package") in Windows Configuration Designer, on the "Set up device" page in the left menu. There are two areas selected: the "Device name" field and the "Configure devices for shared use" section, with the toggle set to "No".

 

We disable the Wi-Fi connection for Teams Rooms, which require LAN connections in meeting rooms. Select Next.

 

A screenshot of the "Set up network" page from the left menu in Windows Configuration Designer, with the "Set up network" toggle set to "Off".

 

Under Account management, select Enroll in Azure AD to join the device to Azure AD. Next, select Get Bulk Token to request an enrollment token from Azure AD. You can use a DEM account, or any other account that has rights to gather the bulk token. During the enrollment, a new account will be created. Note the token expiration date in the Bulk Token Expiry field and select Next.

 

A screenshot of the "Account Management" page from the left menu in Windows Configuration Designer, with the "Enroll in Azure AD" option selected, and an example value of 06/28/2022 in the "Bulk Token Expiry" field.

 

When the token is issued, we see the status Bulk Token Fetched Successfully.

 

Cropped image of the "Account Management" page showing the "Bulk AAD Token" field with a status "Bulk Token Fetched Successfully" in green font.

 

In Intune, we see the new, corresponding enrollment account that Windows Configuration Designer created.

 

Note: The account that was used for the token request is not stored in the package.

 

A cropped image of the package as a new profile in Intune (the Endpoint Manager admin center).

 

For our example, we do not need to add any apps and there are no certificates, either. Select Next to continue to the Finish page, review the summary, and then select Create to generate the package.

 

A screenshot of the "Finish" page in the Windows Configuration Designer UI showing the "Create" button (under "You are ready to create the package!").

 

After the package is created, you’ll see the storage location below the create button.

 

A cropped image of the Finish page, showing the "copied to" location of the new package we just created.

 

As a last step, copy the PPKG file to a USB drive.

 

An image of the package file in a local directory. Our example file name is "MTR Provisioning package" and the "Type" shows as "RunTime Provisioning Tool".

 

To assign a Windows Configuration Designer package, open Windows Settings as an Administrator. From the Windows Start menu, select Settings and then sign in with a local Administrator account (if you are not already signed in as a local Admin).

In Settings, select Accounts > Access work or school > Add or remove a provisioning package.

 

Screenshot of the Windows Settings "Access work or school" menu, with the option "Add or remove a provisioning package" selected.

 

In the Provisioning packages dialog, select Add a package.

 

A screenshot of the Windows Settings "Provisioning packages" window with the option "Add a package" selected.

 

Then select and add the package we created earlier from the USB drive.

 

A screenshot of the Windows Settings "Add a package" window that shows the package we created (MTP Provisioning package.ppkg) and the "Add" button.

 

In the User Account Control (UAC) dialog, select Yes.

 

An image of the User Account Control pop-up dialog that says "Do you want to allow this app to make changes to your device?" with the "Yes" button selected.

 

A dialog opens, confirming that the package is from a trusted source. Additionally, it shows you the information about the changes that will be made to the system. To continue with the installation, select Yes, add it.

 

An image of the dialog "Is this package from a source you trust?" with the button "Yes, add it" selected.

 

After the confirmation, the device reboots and begins the setup process.

 

A screenshot showing the dialog "You're about to be signed out: Windows will shut down in 1 minute".

 

Note: If you install a provisioning package on a device which is already in use, but not enrolled in Intune, it does not reset the system. Windows applies the new settings, renames the computer, and joins the device to Azure AD, if specified. Furthermore, enrollment accounts used by the provisioning process do not assign a primary user for the device.

 

For more information about using Windows Configuration Designer for bulk enrollment, see Bulk join a Windows device to Azure AD and Microsoft Endpoint Manager using a provisioning package.

 

Onboard a new Teams Rooms device automatically to Intune

The only way to enroll a new Teams Rooms device during setup is to use a provisioning package. You can use the package we built in our example and copy it to a USB drive in the root folder. Connect the drive to Teams Rooms during the Out of Box Experience (OOBE) phase. Setup will find the file and will continue with the enrollment. For more information, see Apply a provisioning package.

 

Important: Windows Autopilot enrollment is not supported for Teams Rooms devices.

 

If you have completed a new installation or have enrolled an existing device with a provisioning package, the User Account Control dialog will not show the local Administrator account anymore in your Teams Rooms settings. If you want to enter the device settings as an administrator, sign in with “.\” as a prefix for your local Admin account. For example, you will sign in with the account .\Admin.

 

An image of the User Account Control pop-up dialog that says "Do you want to allow this app to make changes to your device?" and an empty field under the message "To continue, enter an admin user name and password" where you need to enter an email address.

 

Summary

There are several ways to enroll Teams Rooms Windows devices in Intune. For existing devices, you can use the Teams resource account or a DEM account to perform an Azure AD join and enroll the device in Intune. However, instead of using these accounts and the manual steps they require, you can use a provisioning package to enroll Teams Rooms devices in Intune. This is the recommended method for a few reasons: the provisioning package enrolls the device with a token, so you don’t need to know or use a resource or DEM account and share the password; the device won’t have a primary user and will apply computer naming according to the rules defined in the package; and the device will be restarted, not reset, and will keep all the relevant settings.

 

If you do decide to enroll Teams Rooms devices with a resource account, remember that the account still has resource access to certain services. Using a DEM account will help you limit the account’s rights to device enrollment only. But in both scenarios, you will need to complete some manual post-installation tasks to remove the device’s primary user in Intune to make it a shared device, and to modify the computer name if needed.
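
A post-enrollment check for the points above, added here as an example and not taken from the original article: it flags Teams Rooms that the (device.displayName -contains "MTR") rule misses, other devices that the rule picks up, names that drift from MTR-%RAND:3%, and rooms that still have a primary user. The inventory is constructed sample data, and the Role column, the contoso.example accounts and the function name Get-MtrEnrollmentFinding are assumptions for illustration.

```powershell
# Constructed sample inventory (not real devices). DeviceName and PrimaryUser
# mirror the fields discussed in the article; Role is an assumed asset-register
# column that records which devices are actually Teams Rooms.
$inventory = @'
DeviceName,Role,PrimaryUser
MTR-104,TeamsRoom,
MTR-377,TeamsRoom,room-berlin@contoso.example
DESKTOP-1234,TeamsRoom,
MTR-LOBBY,TeamsRoom,
HAMTRACK-LT01,Laptop,alice@contoso.example
'@ | ConvertFrom-Csv

function Get-MtrEnrollmentFinding {
    # Hypothetical helper: emits one object per problem found on a device.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Device
    )
    process {
        $name   = $Device.DeviceName
        $isRoom = $Device.Role -eq 'TeamsRoom'

        # Substring match, as in the rule (device.displayName -contains "MTR").
        $inGroup = $name -like '*MTR*'

        # Name shape produced by the package value MTR-%RAND:3%.
        $conformant = $name -match '^MTR-\d{3}$'

        $findings = @()
        if ($isRoom -and -not $inGroup) {
            $findings += 'Teams Room not matched by the dynamic rule (generic name)'
        }
        if (-not $isRoom -and $inGroup) {
            $findings += 'Non-room device matched by the dynamic rule'
        }
        if ($isRoom -and $inGroup -and -not $conformant) {
            $findings += 'Name does not follow MTR-%RAND:3%'
        }
        if ($isRoom -and $Device.PrimaryUser) {
            $findings += 'Primary user still set; device is not in shared mode'
        }

        foreach ($finding in $findings) {
            [pscustomobject]@{ DeviceName = $name; Finding = $finding }
        }
    }
}

$inventory | Get-MtrEnrollmentFinding | Format-Table -AutoSize
```

If the second finding appears in a real inventory, a narrower rule such as (device.displayName -startsWith "MTR-") limits membership to names that begin with the package's prefix.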

 

For new installations of Teams Rooms, you can apply a provisioning package during the OOBE phase of the setup process. After completion, the device is already enrolled in Intune.

 

We hope this post helps you better understand the different options for enrolling Teams Rooms devices in Intune. Keep in mind that we recommend using a provisioning package and a dedicated account for enterprise installations and registrations with minimal interaction. If you have any questions or feedback, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Last update: Mar 04 2022 02:54 PM