Managing Microsoft Teams Rooms with Intune

Is there an easy way to control the Microsoft Teams Room app updates via Intune -  to allow us to hit a testing ring and actually confirm we have no unintended side-effects before we push out across our entire meeting room fleet?

We were stung by a previous room app update which clearly changed something in how certs were used for Skype On-prem - and took out the one entire office that had Teams rooms for couple of days a our knowledgeable team members were also on leave.

We are now all O365, but also all on a Teams Room device -so don't want to repeat that scenario if there is anyway to avoid it.

Also would give us time to update our documentation for the room every time the GUI changes.

->How to keep Autologon working with an MTR that is Azure AD joined and managed by Intune? Currently the local "Skype" account autologon fails.

->What is the added value to use DEM vs MTR Room Account (which also has an Intune license) to register the device?

-Can we have a default best practices for MTR's?

 -Autopilot

 -Specific Conditional Access Rules/Exclusions.

Hi everybody,

We've deployed a lot of Team Room Systems where I work and encountered the dreaded "autologon" issue. I opened a ticket with MS Support but didn't get any help. I am posting my experience here and the solution in case it helps someone out there.

First, some background about our Team Room Systems (you can then decide if you are in a similar environment)...

- All our Team Room Systems are domain joined to our Active Directory. This also creates an object for them in Azure AD and it enrolls the computer account of the room in InTune.

- All of them have a GPO applied to them that pushes the "AdminAutoLogon" and all the other appropriate settings to make sure the rooms start correctly and autologin with the "Skype" user account after their daily reboots.

- Keep in mind that we also use InTune to manage mobile devices and some Windows 10 devices (this becomes important later).

The issue...

As many others have experienced with their Team Room Systems, the "autologon" feature did not work or stopped working for unknown reasons.

For us, if we looked on the affected Team Room Systems, we could see the warning "The autologon setting has been removed because the EAS policy is set" message in Event Viewer -> Applications and Services Logs\Microsoft\Windows\Authentication\Operations.

And if we looked in the Registry, under "HKLM\SYSTEM\CurrentControlSet\Control\EAS", there was a "Policies" folder with a value of "5" in it.

If we deleted the "HKLM\SYSTEM\CurrentControlSet\Control\EAS\Policies" registry folder (and MDM sub-folder) and rebooted the room, the problem was temporarily resolved... but something was adding back the "Policies" folder and settings in the registry during the course of the day and the problem would just come back the next day.

The root cause...

1 word: InTune.

But to be more specific... 3 words: something in InTune.

I did a lot of research and I discovered that something in InTune was pushing a very specific registry key down to the Team Room Systems (more on that in the "solutions" below).

Unfortunately, I looked like a mad man at all our InTune compliance policies and settings that we push down and I could not find the exact InTune Compliance Policy or InTune Configuration Profile that was pushing down the "DeviceLock" features that you will read about in the next section... so let's jump to the solution...

The solution to my problem (and hopefully yours)...

Part 1 - Check if this solution applies to you...

1. Log into your Team Room System and open up the Registry Editor.
2. Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\"
3. There will be a folder with a GUID under the "Accounts" key: make a note of the GUID that is shown there. That is your "EnrollmentID". It's some sort of magical GUID that links that specific machine to your InTune subscription. Note that the EnrollmentID is unique per machine.
4. Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers" and locate the folder under that key that has the same GUID as your EnrollmentID.
5. Under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\[ENROLLMENTID]\default\Device\" check to see if you have a "DeviceLock" folder.
6. If you have a "DeviceLock" folder, check to see if you have keys like "DevicePasswordEnabled", "AllowSimpleDevicePassword", etc...
7. IF you have those keys then this solution should apply to you...

So, if you see the keys mentioned in Step 6, try the following...

Part 2 - Exclude the Team Room System(s) from InTune...

1. Create a security group in AD or in Azure AD (do as appropriate in your environment) and call it "Team Room Systems - InTune Exclusion" (or whatever you want).
2. In that new security group, put all the computer accounts of your Team Room Systems.
3. Now, log into InTune.
4. Go to "Devices -> Compliance Policies".
5. In each Windows 10 Compliance Policy listed there, add the group you created with the room as an Exclusion to the policy (it's in the "Assignment" section of the policy).
6. Once you have modified all your Windows 10 Compliance Policies, go to "Devices -> Configuration Profiles".
7. In each Windows 10 Configuration Profile listed there, add the group you created with the rooms as an Exclusion to the profile.

Part 3 - Clean up the Team Room System(s) registry...

The "catch-22" with InTune is that not all settings that are pushed down to the registry are deleted or "reverted" when a machine is excluded from InTune... so you need to do some manual cleanup in this case.

1. Log into your Team Room System.
2. First, let's "sync" the changes from InTune by going to "Start -> Settings -> Accounts -> Access work or School".
3. Click on the "Connect to [CompanyName Azure AD] and then click on "Info".
4. In the "Managed by CompanyName screen", scroll down and click on "Sync".
5. Wait for the sync to finish.
6. Now for the fun part: open up the Registry Editor.
7. Go to the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EAS" key.
8. Under the "EAS" key, delete the "Policies" folder (and MDM sub-folder if it exists).
9. Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\"
10. There will be a folder with a GUID under that "Accounts" key: make a note of the GUID that is shown there. That's your "EnrollmentID".
11. Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers" and locate the folder under that key that has the same GUID as your EnrollmentID.
12. Under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\[ENROLLMENTID]\default\Device\" go to the "DeviceLock" folder.
13. Delete all the keys in the "DeviceLock" folder: keys like "DevicePasswordEnabled", "AllowSimpleDevicePassword", "AlphanumericDevicePasswordRequired" should be deleted. Seriously, feel free to delete all the keys in there.
14. Now, this is important, go to the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock" registry folder.
15. This is where the settings from each Policy Provider are copied into and this indicates which settings are currently active! So, you need to delete all the keys you find in there... for example "DevicePasswordEnabled", "DevicePasswordEnabled_ProviderSet", "DevicePasswordEnabled_WinningProvider",  "AllowSimpleDevicePassword", "AllowSimpleDevicePassword_ProviderSet", etc, etc... there might a bunch of keys in there to delete so have fun deleting them all.
16. Once your "spring cleanup" of the registry is done, open a command prompt in admin mode.
17. Issue a good ol' GPUPDATE /FORCE to ensure that the "AdminAutoLogon" and other settings that are supposed to be pushed by your GPO are applied to your domain joined Team Room System and are set correctly.
18. If you want to be paranoid, go back to the Registry Editor and then go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"... and verify that "AdminAutoLogon" is set to "1" and that the "DefaultUserName" user name is set to "Skype" as it should be (as per your GPO).
19. When you are ready, close everything and reboot the Team Room System.
20. Finally, over the next few days, monitor the room to make sure the "Auto Logon" thing works correctly.

As I said, this is what "fixed" it for me... hopefully, this will help someone, somewhere or at least give you a clue that will point you in the right direction... and good luck!

Marc

yankeedoodlegandy , The "Microsoft Teams Room" app is a store signed app which means it would automatically be updated via the store. One possible solution to pin the app version would be to disable store updates. When ready to move to the next version of the app you could use Intune to deploy the it as an LOB app.

MTayal Let me get back to you on responses to that after discussing with the Teams Admin Center team.

Scott Duffey 

We are also seeing the device failing to auto login after AADJ.  We currently have no MDM profiles targeted to the device.  It seems like the AADJ + Intune Manage process is breaking the AppLocker / Kiosk Policy.  Any ideas?

@yankeedoodlegandy Scott Duffey you can also control App Store updates from Intune or on the local App Store app itself (via … settings).

I'm not too sure how you would deploy the app as an LOB app as I've never seen any visibility of the app on the store to see how you can do anything like that ?

Is there an easy way to control the Microsoft Teams Room app updates via Intune -  to allow us to hit a testing ring and actually confirm we have no unintended side-effects before we push out across our entire meeting room fleet?

Jeremyb - This is just a hunch, but I wonder if its the Windows Hello for Business configuration breaks the AutoAdminLogon? I say that because it defaults to "on" for AADJ'd devices. You can create an Intune policy to disable WHFB and target to MTR device groups. If it is that, we should definitely update this guidance.

Hi Scott Duffey Hello is disabled, and ESP is not configured.  This worked in 1809, in upgrading the device to 1903 autologin seems to be broken.  Seems to be a regression.