Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1069230%22%20slang%3D%22en-US%22%3EManaging%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1069230%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EBy%26nbsp%3BScott%20Duffey%20%7C%20Senior%20Program%20Manager%2C%20Microsoft%20Endpoint%20Manager%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%E2%80%99ve%20heard%20a%20few%20questions%20recently%20from%20customers%20looking%20for%20guidance%20how%20to%20manage%20your%20Microsoft%20Teams%20Rooms%20devices%20with%20Intune.%20This%20post%20answers%20a%20few%20of%20the%20frequently%20asked%20questions%20and%20provides%20general%20guidance.%20If%20you%E2%80%99ve%20discovered%20additional%20tips%20or%20tricks%20on%20your%20deployment%20journey%2C%20or%20have%20other%20feedback%20or%20suggestions%2C%20let%20us%20know%20by%20commenting%20on%20this%20post!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162061i45C6F07EB8820581%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Picture1.png%22%20title%3D%22Picture1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETeams%20meeting%20room%20devices%20can%20be%20enrolled%20and%20managed%20by%20Intune%20to%20provide%20many%20of%20the%20device%20management%20and%20security%20capabilities%20available%20to%20other%20endpoints%20managed%20by%20Intune.%20As%20these%20devices%20are%20running%20Windows%2010%20under%20the%20hood%2C%20several%20of%20the%20Windows%2010%20features%20will%20be%20available%20to%20use%2C%20but%20many%20are%20not%20going%20to%20be%20applicable%20or%20recommended.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%E2%80%99ll%20break%20this%20post%20into%20these%20Intune%20feature%20areas%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEnrollment%3C%2FLI%3E%0A%3CLI%3EWindows%2010%20Configuration%20Profiles%3C%2FLI%3E%0A%3CLI%3ECompliance%20Policies%3C%2FLI%3E%0A%3CLI%3EConditional%20Access%3C%2FLI%3E%0A%3CLI%3EApp%20Management%3C%2FLI%3E%0A%3CLI%3EGrouping%20and%20Targeting%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EEnrollment%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ERecommendation%3A%20Azure%20AD%20join%20the%20device%20from%20Settings%2C%20utilizing%20an%20Intune%20DEM%20Account%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWindows%2010%20based%20Teams%20devices%20arrive%20from%20suppliers%20prepared%20with%20an%20OS%20image%2C%20user%20accounts%2C%20and%20pre-configured%20profiles.%20Signing%20into%20Windows%20with%20the%20admin%20profile%20and%20performing%20the%20Azure%20AD%20Join%20from%20settings%20enables%20a%20smooth%20%E2%80%9CAutomatic%20MDM%20enrollment%E2%80%9D%20into%20Intune.%20The%20additional%20recommendation%20to%20use%20an%20Intune%20Device%20Enrollment%20Manager%20(DEM)%20account%20is%20due%20to%20these%20meeting%20room%20devices%20being%20a%20shared%20device%20rather%20than%20one%20that%20has%20User-Device%20association%20in%20Intune.%20DEM%20accounts%20are%20used%20for%20shared%20device%20scenarios.%20Learn%20more%20about%20DEM%20accounts%20here%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fenrollment%2Fdevice-enrollment-manager-enroll%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fenrollment%2Fdevice-enrollment-manager-enroll%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E%3A%20Automatic%20enrollment%20requires%20Azure%20AD%20Premium%20licensing.%20If%20you%20don%E2%80%99t%20have%20this%20feature%20available%20or%20enabled%20in%20your%20tenant%2C%20you%20will%20need%20to%20undertake%20two%20steps%20to%20enroll%20Windows%2010%20teams%20devices.%20First%2C%20Azure%20AD%20Domain%20Join.%20Then%2C%20do%20manual%20enrollment%20from%20Windows%20settings.%20Learn%20more%20about%20Windows%20enrollment%20here%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fenrollment%2Fwindows-enroll%23enable-windows-10-automatic-enrollment%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fenrollment%2Fwindows-enroll%23enable-windows-10-automatic-enrollment%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAn%20additional%20tip%20is%20to%20name%20meeting%20room%20devices%20with%20a%20prefix%20that%20allows%20devices%20to%20be%20grouped%20dynamically.%20For%20example%2C%20use%20%E2%80%9CMTR%E2%80%9D%20for%20meeting%20room.%20You%20can%20rename%20devices%20with%20either%20a%20Windows%2010%20configuration%20policy%20or%20manually%20per%20device%20in%20Intune.%20I%E2%80%99ll%20talk%20about%20that%20a%20bit%20more%20about%20this%20approach%20below%20under%20Grouping%20and%20Targeting.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDepending%20on%20your%20current%20scenario%2C%20there%20are%20several%20other%20enrollment%20options%20available%2C%20including%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUse%20Windows%20Configuration%20Designer%20to%20create%20a%20Windows%2010%20Provisioning%20Package%20that%20performs%20a%20bulk%20Azure%20AD%20Join.%20Details%20are%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fclient-management%2Fmdm%2Fbulk-enrollment-using-windows-provisioning-tool%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fclient-management%2Fmdm%2Fbulk-enrollment-using-windows-provisioning-tool.%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3ECustomers%20who%20have%20some%20devices%20domain%20joined%20and%2For%20managed%20by%20Configuration%20Manager%20may%20choose%20to%20enable%20Co-management%20or%20initiate%20an%20Intune%20enrollment%20via%20the%20%E2%80%9CEnable%20Automatic%20MDM%20enrollment%20using%20default%20Azure%20AD%20credentials%E2%80%9D%20Group%20Policy%20setting.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20article%20goes%20into%20more%20depth%20on%20all%20the%20Windows%2010%20enrollment%20methods%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fenrollment%2Fwindows-enrollment-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fenrollment%2Fwindows-enrollment-methods%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWindows%2010%20Configuration%20Profiles%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ERecommendation%3A%20Use%20Windows%20Configuration%20profiles%20to%20configure%20device%20settings%20that%20you%20need%20to%20change%20beyond%20the%20shipped%20defaults.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20Windows%2010%20Configuration%20Policy%20types%20may%20be%20used%20with%20Windows%2010%20based%20meeting%20room%20devices%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20width%3D%22617%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3E%3CSTRONG%3EProfile%20type%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3E%3CSTRONG%3ECan%20you%20use%20the%20profile%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EAdministrative%20Templates%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3ECertificates%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EDelivery%20Optimization%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EDevice%20Firmware%20Configuration%20Interface%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ECheck%20for%20supported%20hardware%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fconfiguration%2Fdevice-firmware-configuration-interface-windows%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EDevice%20restrictions%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EEdition%20Upgrade%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EEmail%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EEndpoint%20Protection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EeSim%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EIdentity%20Protection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EKiosk%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EPowershell%20Scripts%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%20(Devices%20need%20to%20be%20AADJ%E2%80%99d%20or%20HAADJ%E2%80%99d)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EShared%20multi-user%20device%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EVPN%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EWi-Fi%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EWindows%20Information%20Protection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E%3A%20%E2%80%9CNot%20recommended%E2%80%9D%20in%20the%20table%20is%20due%20to%20this%20Windows%2010%20policy%20type%20not%20being%20a%20good%20fit%20for%20meeting%20room%20scenarios.%20For%20example%2C%20Meeting%20room%20devices%20are%20not%20enabled%20for%20Wi-Fi%2C%20therefore%20it%E2%80%99s%20not%20recommended%20(or%20necessary)%20to%20configure%20a%20WI-Fi%20profile.%20Learn%20more%20about%20available%20configuration%20policies%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fconfiguration%2Fdevice-profile-create%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fconfiguration%2Fdevice-profile-create%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSTRONG%3ECompliance%20Policies%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CEM%3ERecommendation%3A%20Use%20Compliance%20Policies%20to%20achieve%20the%20desired%20security%20level%20for%20your%20Teams%20devices.%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CBR%20%2F%3EYou%20can%20use%20Compliance%20policies%20on%20your%20meeting%20room%20devices.%20You%20should%20take%20care%20to%20create%20the%20appropriate%20exclusions%20for%20any%20existing%20Windows%2010%20compliance%20policies%20that%20are%20currently%20deployed%20in%20your%20organization%20to%20%E2%80%9CAll%20devices%E2%80%9D.%26nbsp%3B%20For%20example%2C%20you%20may%20have%20configured%20the%20setting%20%E2%80%9CMaximum%20minutes%20of%20inactivity%20before%20password%20is%20required%E2%80%9D%20in%20a%20Policy%20for%20all%20Windows%2010%20desktop%20devices%20but%20this%20would%20result%20in%20a%20poor%20meeting%20room%20experience%20if%20applied%20to%20teams%20devices.%20If%20you%20currently%20have%20Windows%2010%20compliance%20policies%20deployed%20to%20large%20groups%20of%20devices%2C%20make%20sure%20you%20use%20the%20%E2%80%9CExclude%20group%E2%80%9D%20feature%20so%20that%20you%20can%20target%20a%20more%20specific%20compliance%20policy%20for%20the%20Meeting%20Room%20Devices.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CBR%20%2F%3EThis%20doc%20goes%20into%20more%20depth%20on%20compliance%20policies%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fprotect%2Fdevice-compliance-get-started%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fprotect%2Fdevice-compliance-get-started%3C%2FA%3E.%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EConditional%20Access%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20use%20Conditional%20Access%20policies%20with%20Teams%20meeting%20room%20devices.%20Teams%20connects%20to%20both%20SharePoint%20online%20and%20Exchange%20online%20cloud%20services.%20If%20you%20have%20an%20existing%20Conditional%20Access%20rule%20that%20protects%20access%20to%20Exchange%20online%20and%20SharePoint%20online%20cloud%20services%20for%20the%20users%20in%20your%20organization%2C%20you%20should%20take%20care%20to%20either%20exclude%20the%20Teams%20resource%20account%20(which%20is%20used%20to%20sign-in%20to%20the%20Teams%20app)%2C%20or%20create%20a%20group%20containing%20all%20of%20the%20resource%20accounts%20and%20target%20a%20more%20specific%20and%20appropriate%20Conditional%20Access%20policy.%20For%20example%2C%20since%20meeting%20room%20devices%20always%20connect%20to%20these%20services%20from%20the%20same%20location%2C%20then%20a%20location-based%20CA%20rule%2C%20in%20combination%20with%20a%20device%20compliance%20rule%2C%20might%20be%20more%20appropriate.%20You%20can%20also%20use%20device%20compliance%20in%20your%20Conditional%20Access%20policies%20but%20be%20careful%20that%20teams%20devices%20are%20not%20broadly%20targeted%20in%20compliance%20policies%20that%20were%20created%20for%20Windows%2010%20desktop%20devices%20in%20your%20organization.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E%3A%20As%20a%20reminder%2C%20Conditional%20Access%20is%20an%20Azure%20Active%20Directory%20Premium%20(P1)%20feature.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EApp%20Management%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ERecommendation%3A%20Use%20Win32%20App%20deployment%20to%20install%20any%20additional%20agents%20required%20by%20your%20organization.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWindows%2010%20based%20meeting%20room%20devices%20typically%20arrive%20with%20the%20right%20applications%20pre-installed.%20However%2C%20there%20may%20be%20cases%20where%20IT%20admins%20need%20to%20install%20an%20app%20package%20or%20deploy%20app%20updates.%20Any%20apps%20that%20get%20deployed%20should%20be%20deployed%20as%20%E2%80%9CRequired%E2%80%9D.%20%E2%80%9CAvailable%E2%80%9D%20apps%20require%20the%20further%20installation%20of%20the%20Company%20Portal%20app%20which%20is%20not%20recommended%20in%20the%20case%20of%20Teams%20meeting%20room%20devices.%20You%E2%80%99ll%20also%20want%20to%20make%20sure%20that%20any%20apps%20install%20in%20the%20device%20context%20(so%20that%20it%E2%80%99s%20accessible%20to%20all%20windows%20profiles).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20style%3D%22width%3A%20234px%3B%22%3E%3CP%3E%3CSTRONG%3EApp%20Type%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22width%3A%20210px%3B%22%3E%3CP%3E%3CSTRONG%3ECan%20you%20use%20this%20app%20type%20on%20a%20teams%20device%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20style%3D%22width%3A%20234px%3B%22%3E%3CP%3EWin32%20App%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22width%3A%20210px%3B%22%3E%3CP%3EYes%20(As%20long%20as%20the%20device%20is%20Azure%20AD%20Joined%20or%20Hybrid%20Azure%20AD%20Joined)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20style%3D%22width%3A%20234px%3B%22%3E%3CP%3ELOB%20App%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22width%3A%20210px%3B%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20style%3D%22width%3A%20234px%3B%22%3E%3CP%3EMicrosoft%20Store%20for%20Business%20App%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22width%3A%20210px%3B%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20style%3D%22width%3A%20234px%3B%22%3E%3CP%3EWeb%20App%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22width%3A%20210px%3B%22%3E%3CP%3ENot%20Supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20style%3D%22width%3A%20234px%3B%22%3E%3CP%3EStore%20App%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22width%3A%20210px%3B%22%3E%3CP%3ENot%20Supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EGrouping%20and%20Targeting%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EA%20good%20idea%20is%20to%20use%20Azure%20AD%20dynamic%20groups%20to%20effectively%20group%20all%20teams%20meeting%20room%20devices.%20One%20way%20that%20this%20can%20be%20best%20achieved%20is%20by%20using%20a%20naming%20standard%20during%20deployment%2Fenrollment.%20For%20example%2C%20as%20mentioned%20earlier%20in%20this%20article%2C%20if%20you%20name%20all%20devices%20starting%20with%20MTR%2C%20you%20can%20then%20name%20devices%20%E2%80%9CMTR-%25SER%25%E2%80%9D%20which%20gives%20all%20devices%20a%20prefix%20of%20%E2%80%9CMTR%E2%80%9D%20with%20the%20serial%20number%20forming%20the%20second%20part%20of%20the%20name.%20Then%20you%20can%20use%20the%20dynamic%20group%20feature%20to%20group%20together%20all%20devices%20that%20start%20with%20MTR.%20Keep%20in%20mind%2C%20Azure%20AD%20dynamic%20groups%20is%20an%20AAD%20P1%20feature.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162066i34728DE9E7663D86%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Picture2.png%22%20title%3D%22Picture2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E%3A%20Device%20renaming%20via%20Intune%20device%20management%20is%20supported%20on%20Azure%20AD%20Joined%20devices%20but%20not%20Hybrid%20Azure%20AD%20Joined%20devices.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20targeting%20Configuration%20and%20Compliance%20policies%2C%20and%20Apps%20it%E2%80%99s%20a%20good%20idea%20to%20target%20a%20group%20that%20contains%20devices%20rather%20than%20users.%20The%20reason%20for%20device-group%20assignment%20is%20that%20Teams%20meeting%20room%20devices%20sign%20into%20windows%20with%20a%20local%20user%20account%20(instead%20of%20an%20Azure%20AD%20User%20Account)%20and%20during%20sync%20with%20Intune%2C%20would%20not%20request%20any%20user-assigned%20policy.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20hope%20this%20was%20helpful%20in%20addressing%20some%20of%20the%20most%20common%20questions.%20Again%2C%20if%20you%20have%20any%20feedback%20or%20questions%20we%E2%80%99d%20love%20to%20hear%20from%20you%20so%20please%20comment%20below%20or%20find%20me%20on%20Twitter%20-%26nbsp%3B%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%40Scottduf.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1069230%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20post%20for%20tips%20on%20how%20to%20manage%20your%20Teams%20meetings%20rooms%20with%20Intune.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1069230%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETeams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1069838%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1069838%22%20slang%3D%22en-US%22%3E%3CP%3E-%26gt%3BHow%20to%20keep%20Autologon%20working%20with%20an%20MTR%20that%20is%20Azure%20AD%20joined%20and%20managed%20by%20Intune%3F%20Currently%20the%20local%20%22Skype%22%20account%20autologon%20fails.%3C%2FP%3E%3CP%3E-%26gt%3BWhat%20is%20the%20added%20value%20to%20use%20DEM%20vs%20MTR%20Room%20Account%20(which%20also%20has%20an%20Intune%20license)%20to%20register%20the%20device%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Can%20we%20have%20a%20default%20best%20practices%20for%20MTR's%3F%3C%2FP%3E%3CP%3E%26nbsp%3B-Autopilot%3C%2FP%3E%3CP%3E%26nbsp%3B-Specific%20Conditional%20Access%20Rules%2FExclusions.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1069446%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1069446%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20an%20easy%20way%20to%20control%20the%20Microsoft%20Teams%20Room%20app%20updates%20via%20Intune%20-%26nbsp%3B%20to%20allow%20us%20to%20hit%20a%20testing%20ring%20and%20actually%20confirm%20we%20have%20no%20unintended%20side-effects%20before%20we%20push%20out%20across%20our%20entire%20meeting%20room%20fleet%3F%3C%2FP%3E%3CP%3EWe%20were%20stung%20by%20a%20previous%20room%20app%20update%20which%20clearly%20changed%20something%20in%20how%20certs%20were%20used%20for%20Skype%20On-prem%20-%20and%20took%20out%20the%20one%20entire%20office%20that%20had%20Teams%20rooms%20for%20couple%20of%20days%20a%20our%20knowledgeable%20team%20members%20were%20also%20on%20leave.%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20now%20all%20O365%2C%20but%20also%20all%20on%20a%20Teams%20Room%20device%20-so%20don't%20want%20to%20repeat%20that%20scenario%20if%20there%20is%20anyway%20to%20avoid%20it.%3CBR%20%2F%3E%3CBR%20%2F%3EAlso%20would%20give%20us%20time%20to%20update%20our%20documentation%20for%20the%20room%20every%20time%20the%20GUI%20changes.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071807%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071807%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20MTR%20support%20Modern%20Authentication%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071809%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071809%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20we%20will%20be%20able%20to%20Upgrade%2C%20manage%20MTR's%20from%20Teams%20Admin%20center%2C%20what%20is%20the%20pre-requisites%20for%20MTR%20management%3A%20SCCM%2C%20Intune%20or%20Hybrid%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072561%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072561%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F332550%22%20target%3D%22_blank%22%3E%40yankeedoodlegandy%3C%2FA%3E%26nbsp%3B%2C%20The%20%22Microsoft%20Teams%20Room%22%20app%20is%20a%20store%20signed%20app%20which%20means%20it%20would%20automatically%20be%20updated%20via%20the%20store.%20One%20possible%20solution%20to%20pin%20the%20app%20version%20would%20be%20to%20disable%20store%20updates.%20When%20ready%20to%20move%20to%20the%20next%20version%20of%20the%20app%20you%20could%20use%20Intune%20to%20deploy%20the%20it%20as%20an%20LOB%20app.%3CA%20id%3D%22link_16%22%20class%3D%22lia-link-navigation%20lia-page-link%20lia-user-name-link%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F332550%22%20target%3D%22_self%22%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072584%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072584%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8769%22%20target%3D%22_blank%22%3E%40Frank%20Rijt-van%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-%20I%20have%20not%20heard%20about%20the%20autologon%20not%20working%20after%20AADJ.%20I%20wonder%20if%20you%20have%20a%20policy%20configured%20in%20your%20environment%20that%20breaks%20it%3F%3C%2FP%3E%0A%3CP%3E-%20DEM%20accounts%20are%20used%20for%20shared%20devices%20in%20Intune.%20When%20shared%20devices%20are%20enrolled%20with%20DEM%20accounts%2C%20Intune%20knows%20they%20are%20shared%20instead%20of%20a%20single-user%20device.%20DEM%20accounts%20can%20also%20enroll%20more%20than%2015%20devices%20(A%20limit%20that%20exists%20for%20normal%20accounts).%20You%20could%20possibly%20make%20the%20MTR%20room%20account%20a%20DEM%20account.%3C%2FP%3E%0A%3CP%3E-%20We%20are%20working%20with%20customers%20on%20establishing%20further%20best%20practices%20in%20the%20areas%20you%20asked%20for.%20Stay%20tuned.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072592%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072592%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F267551%22%20target%3D%22_blank%22%3E%40MTayal%3C%2FA%3E%26nbsp%3BLet%20me%20get%20back%20to%20you%20on%20responses%20to%20that%20after%20discussing%20with%20the%20Teams%20Admin%20Center%20team.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072803%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072803%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20there%20any%20other%20parameters%20available%20which%20could%20be%20used%20from%20a%20dynamic%20group%20query%20perspective%3F%20I.e.%20something%20which%20could%20indicate%20that%20it%20IS%20a%20valid%20MTR%20installation%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExcluding%20devices%20from%20compliance-%20and%20CA%20policies%20doesn't%20really%20go%20well%20with%20allowing%20BYOD%20registrations%20and%20having%20zero%20trust%2FInternet%20based%20networks%20without%20known%20IP%20ranges%20in%20the%20offices%20where%20the%20MTR%20will%20be%20placed%20and%20having%20manual%20groups%20is%20too%20much%20of%20a%20hassle%20to%20even%20think%20of%20in%20larger%20organizations%20with%20huge%20but%20smaller%20branch%20offices%20with%20%22JIT%20infrastructure%22%20%3AD%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074472%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074472%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20also%20seeing%20the%20device%20failing%20to%20auto%20login%20after%20AADJ.%26nbsp%3B%20We%20currently%20have%20no%20MDM%20profiles%20targeted%20to%20the%20device.%26nbsp%3B%20It%20seems%20like%20the%20AADJ%20%2B%20Intune%20Manage%20process%20is%20breaking%20the%20AppLocker%20%2F%20Kiosk%20Policy.%26nbsp%3B%20Any%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074588%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074588%22%20slang%3D%22en-US%22%3EAre%20there%20any%20plans%20to%20support%20Autopilot%20capability%20for%20MTR%20and%20also%20deploy%20SkypeSettings.xml%20via%20Intune%20or%20better%20provide%20a%20configuration%20profile%20to%20configure%20Skype%2FTeams%20settings%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074671%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074671%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291777%22%20target%3D%22_blank%22%3E%40Jeremyb%3C%2FA%3E%26nbsp%3B-%20This%20is%20just%20a%20hunch%2C%20but%20I%20wonder%20if%20its%20the%20Windows%20Hello%20for%20Business%20configuration%20breaks%20the%20AutoAdminLogon%3F%20I%20say%20that%20because%20it%20defaults%20to%20%22on%22%20for%20AADJ'd%20devices.%20You%20can%20create%20an%20Intune%20policy%20to%20disable%20WHFB%20and%20target%20to%20MTR%20device%20groups.%20If%20it%20is%20that%2C%20we%20should%20definitely%20update%20this%20guidance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074675%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074675%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11555%22%20target%3D%22_blank%22%3E%40Kapila%20Munaweera%3C%2FA%3E%26nbsp%3BWe%20are%20looking%20into%20how%20we%20can%20improve%20the%20setup%20experience%20for%20MTRs%20all%20up.%20This%20post%20is%20just%20a%20first%20step%20in%20that%20direction.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074740%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074740%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F493094%22%20target%3D%22_blank%22%3E%40MartinGustafsson%3C%2FA%3E%26nbsp%3BI%20dont%20think%20we%20do%20have%20that%20today%20based%20on%20the%20properties%20exposed%20for%20AAD%20Device%20Dynamic%20groups%20today.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fgroups-dynamic-membership%23rules-for-devices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fgroups-dynamic-membership%23rules-for-devices%3C%2FA%3E.%20Its%20a%20good%20piece%20of%20feedback%20though%20that%20we'll%20consider%20as%20we%20improve%20the%20management%20experience%20for%20MTR's.%3C%2FP%3E%0A%3CP%3EMy%20point%20about%20%22excluding%22%20from%20CA%2FCompliance%20policy%20was%20more%20about%20taking%20into%20consideration%20how%20and%20where%20these%20devices%20are%20used%20and%20applying%20policies%20based%20on%20that%20rather%20than%20subjecting%20to%20them%20the%20same%20standard%20as%20Information%20Workers%2C%20Mobile%20Devices%20and%20Desktop%20PC's.%20It%20wasn't%20supposed%20to%20be%20prescriptive.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1075003%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1075003%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%20Agreed%2C%20I%20fully%20understand%20this%20is%20only%20recommendations%20and%20not%20prescriptions.%20Just%20pointing%20out%20the%20risks%20with%20the%20OTC%20recommendations%20%3Aface_with_tears_of_joy%3A%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1076028%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1076028%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291777%22%20target%3D%22_blank%22%3E%40Jeremyb%3C%2FA%3E%20-%20Try%20disabling%20ESP%20(enrolment%20status%20page)%20if%20it%20resolve%20the%20issue.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1085865%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1085865%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3BHello%20is%20disabled%2C%20and%26nbsp%3BESP%20is%20not%20configured.%26nbsp%3B%20This%20worked%20in%201809%2C%20in%20upgrading%20the%20device%20to%201903%20autologin%20seems%20to%20be%20broken.%26nbsp%3B%20Seems%20to%20be%20a%20regression.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1087479%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1087479%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291777%22%20target%3D%22_blank%22%3E%40Jeremyb%3C%2FA%3E%26nbsp%3BI%20tested%20this%20today%20(Upgrade%20from%201809-%26gt%3B1903)%20and%20did%20not%20get%20the%20same%20repro.%20Can%20you%20please%20raise%20a%20support%20call%20with%20the%26nbsp%3B%40Intune%20Support%26nbsp%3B%20Team.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1092487%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1092487%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20been%20managing%20our%20MTR%20devices%20through%20Intune%20for%20last%202%20years%20including%20.%26nbsp%3B%20Our%20AADJ%20devices%20are%20set%20to%20automatic%20enrollment%20to%20Intune.%20Also%20we%20been%20doing%20nightly%20reboots%20and%20wallpaper%20management%20by%20pushing%20powershell%20scripts%20through%20Intune.%20Monitoring%20agents%20and%20windows%20update%20is%20also%20pushed%20through%20Intune%20app.%20With%20addition%20of%20advanced%20capabilities%20it%20has%20become%20easy%20to%20manage%20MTR%20devices%20with%20Intune.%3C%2FP%3E%3CP%3EOne%20big%20piece%20that%20has%20been%20missing%20is%20support%20of%20Modern%20auth%20by%20MTR%20devices.%20Is%20there%20any%20timeline%20when%20we%20can%20expect%20this%3F%3C%2FP%3E%3CP%3ESupport%20for%20EWS%20for%20basic%20Auth%20is%20planned%20to%20end%20Oct%202020%20I%20hope%20this%20is%20available%20way%20before%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1092530%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1092530%22%20slang%3D%22en-US%22%3E%3CP%3ESecond%20the%20question%20about%20Modern%20Auth.%20Any%20updates%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1097626%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1097626%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192527%22%20target%3D%22_blank%22%3E%40Sukhdev%20Rehal%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170351%22%20target%3D%22_blank%22%3E%40CHRISTOPHER%20BUES%3C%2FA%3E%26nbsp%3B.%20Thanks%20for%20the%20comments.%26nbsp%3B%20We%20are%20targeting%20a%202020%20Q1%20release%20for%20Modern%20Auth%20on%20MTR%20devices.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098000%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098000%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20Is%20there%20any%20response%20on%20My%20earlier%20query%2C%20Management%20of%20MTR%20from%20Teams%20Admin%20Center%2C%20what%20is%20the%20prerequisite%20for%20same%20and%20will%20it%20be%20supporting%20all%20scenarios%20whether%20configuration%20is%20done%20using%20Intune%2C%20SCCM%20or%20Hybrid%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098915%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098915%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291777%22%20target%3D%22_blank%22%3E%40Jeremyb%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20doing%20AADJ%20on%20Win10%201903%20Teams%20Room%20the%20default%20logon%20to%20local%20Skype%20account%20is%20not%20working%20to%20due%20change%20of%20default%20login%20domain%20to%20e.g.%20corp.com.%20To%20fix%20Skype%20autologon%20issue%2C%20the%20update%20of%20registry%20key%20is%20needed%20to%20add%20%22local%5C%22prefix.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20the%20registry%20key%20to%20be%20modified%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EHKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CWindows%20NT%5CCurrentVersion%5CWinlogon%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EChange%26nbsp%3B%3CSTRONG%3EDefaultUserName%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3Bentry%20value%20from%20%22%3CEM%3ESkype%3C%2FEM%3E%22%20to%20%22%3CEM%3Elocal%5CSkype%3C%2FEM%3E%22.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F324737%2Fhow-to-turn-on-automatic-logon-in-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F324737%2Fhow-to-turn-on-automatic-logon-in-windows%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20registry%20change%20and%20reboot%2C%20all%20is%20back%20to%20normal%20(I%20hope).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1099428%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099428%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45060%22%20target%3D%22_blank%22%3E%40Maheshwar%20Tayal%3C%2FA%3E%26nbsp%3B-%20Sorry%20I%20don't%20have%20any%20information%20to%20share%20on%20Teams%20Admin%20Center%20roadmap%20at%20this%20time.%20Note%20that%20Intune%20Hybrid%20mode%20is%20deprecated%20-%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fconfigmgr%2Fmdm%2Funderstand%2Fhybrid-mobile-device-management%23deprecation-announcement%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fconfigmgr%2Fmdm%2Funderstand%2Fhybrid-mobile-device-management%23deprecation-announcement%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1103155%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1103155%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F332550%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3E%40yankeedoodlegandy%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%20you%20can%20also%20control%20App%20Store%20updates%20from%20Intune%20or%20on%20the%20local%20App%20Store%20app%20itself%20(via%20%E2%80%A6%20settings).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20too%20sure%20how%20you%20would%20deploy%20the%20app%20as%20an%20LOB%20app%20as%20I've%20never%20seen%20any%20visibility%20of%20the%20app%20on%20the%20store%20to%20see%20how%20you%20can%20do%20anything%20like%20that%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E%3CSPAN%3EIs%20there%20an%20easy%20way%20to%20control%20the%20Microsoft%20Teams%20Room%20app%20updates%20via%20Intune%20-%26nbsp%3B%20to%20allow%20us%20to%20hit%20a%20testing%20ring%20and%20actually%20confirm%20we%20have%20no%20unintended%20side-effects%20before%20we%20push%20out%20across%20our%20entire%20meeting%20room%20fleet%3F%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20828px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164896iC5A8F77B3C3B14EB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1106244%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1106244%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F30420%22%20target%3D%22_blank%22%3E%40Jed%20Ellerby%3C%2FA%3E%26nbsp%3Bfor%20the%20useful%20comments!%20Y%3CSPAN%3Eou%20can%20get%20the%20APPX%20packages%20and%20dependencies%20from%20the%26nbsp%3B%3C%2FSPAN%3E%3CU%3E%3CA%20tabindex%3D%22-1%22%20title%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D851168%22%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D851168%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edeployment%20kit%3C%2FA%3E%3C%2FU%3E%3CSPAN%3E%26nbsp%3B.%20We're%20working%20with%20Teams%20to%20make%20this%20package%20easier%20for%20you%20to%20find.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1106587%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1106587%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F30420%22%20target%3D%22_blank%22%3E%40Jed%20Ellerby%3C%2FA%3E%26nbsp%3B%20-%20Thanks%20for%20the%20note%20about%20Intune%20-%20trialing%20out%20the%20control%20of%20App%20Store%20updates%20via%20profile%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E

By Scott Duffey | Senior Program Manager, Microsoft Endpoint Manager

 

We’ve heard a few questions recently from customers looking for guidance how to manage your Microsoft Teams Rooms devices with Intune. This post answers a few of the frequently asked questions and provides general guidance. If you’ve discovered additional tips or tricks on your deployment journey, or have other feedback or suggestions, let us know by commenting on this post!

 

Picture1.png

 

Teams meeting room devices can be enrolled and managed by Intune to provide many of the device management and security capabilities available to other endpoints managed by Intune. As these devices are running Windows 10 under the hood, several of the Windows 10 features will be available to use, but many are not going to be applicable or recommended.

 

I’ll break this post into these Intune feature areas:

  • Enrollment
  • Windows 10 Configuration Profiles
  • Compliance Policies
  • Conditional Access
  • App Management
  • Grouping and Targeting

 

Enrollment

Recommendation: Azure AD join the device from Settings, utilizing an Intune DEM Account

 

Windows 10 based Teams devices arrive from suppliers prepared with an OS image, user accounts, and pre-configured profiles. Signing into Windows with the admin profile and performing the Azure AD Join from settings enables a smooth “Automatic MDM enrollment” into Intune. The additional recommendation to use an Intune Device Enrollment Manager (DEM) account is due to these meeting room devices being a shared device rather than one that has User-Device association in Intune. DEM accounts are used for shared device scenarios. Learn more about DEM accounts here - https://docs.microsoft.com/intune/enrollment/device-enrollment-manager-enroll.

 

NOTE: Automatic enrollment requires Azure AD Premium licensing. If you don’t have this feature available or enabled in your tenant, you will need to undertake two steps to enroll Windows 10 teams devices. First, Azure AD Domain Join. Then, do manual enrollment from Windows settings. Learn more about Windows enrollment here - https://docs.microsoft.com/intune/enrollment/windows-enroll#enable-windows-10-automatic-enrollment.

 

An additional tip is to name meeting room devices with a prefix that allows devices to be grouped dynamically. For example, use “MTR” for meeting room. You can rename devices with either a Windows 10 configuration policy or manually per device in Intune. I’ll talk about that a bit more about this approach below under Grouping and Targeting.

 

Depending on your current scenario, there are several other enrollment options available, including:

 

This article goes into more depth on all the Windows 10 enrollment methods: https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods

 

Windows 10 Configuration Profiles

Recommendation: Use Windows Configuration profiles to configure device settings that you need to change beyond the shipped defaults.

 

The following Windows 10 Configuration Policy types may be used with Windows 10 based meeting room devices:

 

Profile type

Can you use the profile?

Administrative Templates

Yes

Certificates

Yes

Delivery Optimization

Yes

Device Firmware Configuration Interface

Check for supported hardware here

Device restrictions

Yes

Edition Upgrade

Not supported

Email

Not recommended

Endpoint Protection

Yes

eSim

Not supported

Identity Protection

Not supported

Kiosk

Not supported

Powershell Scripts

Yes (Devices need to be AADJ’d or HAADJ’d)

Shared multi-user device

Not supported

VPN

Not recommended

Wi-Fi

Not recommended

Windows Information Protection

Not recommended

 

NOTE: “Not recommended” in the table is due to this Windows 10 policy type not being a good fit for meeting room scenarios. For example, Meeting room devices are not enabled for Wi-Fi, therefore it’s not recommended (or necessary) to configure a WI-Fi profile. Learn more about available configuration policies here: https://docs.microsoft.com/intune/configuration/device-profile-create

 

Compliance Policies
Recommendation: Use Compliance Policies to achieve the desired security level for your Teams devices.


You can use Compliance policies on your meeting room devices. You should take care to create the appropriate exclusions for any existing Windows 10 compliance policies that are currently deployed in your organization to “All devices”.  For example, you may have configured the setting “Maximum minutes of inactivity before password is required” in a Policy for all Windows 10 desktop devices but this would result in a poor meeting room experience if applied to teams devices. If you currently have Windows 10 compliance policies deployed to large groups of devices, make sure you use the “Exclude group” feature so that you can target a more specific compliance policy for the Meeting Room Devices.


This doc goes into more depth on compliance policies: https://docs.microsoft.com/en-us/intune/protect/device-compliance-get-started.

 

Conditional Access

You can use Conditional Access policies with Teams meeting room devices. Teams connects to both SharePoint online and Exchange online cloud services. If you have an existing Conditional Access rule that protects access to Exchange online and SharePoint online cloud services for the users in your organization, you should take care to either exclude the Teams resource account (which is used to sign-in to the Teams app), or create a group containing all of the resource accounts and target a more specific and appropriate Conditional Access policy. For example, since meeting room devices always connect to these services from the same location, then a location-based CA rule, in combination with a device compliance rule, might be more appropriate. You can also use device compliance in your Conditional Access policies but be careful that teams devices are not broadly targeted in compliance policies that were created for Windows 10 desktop devices in your organization.

 

NOTE: As a reminder, Conditional Access is an Azure Active Directory Premium (P1) feature.

 

App Management

Recommendation: Use Win32 App deployment to install any additional agents required by your organization.

 

Windows 10 based meeting room devices typically arrive with the right applications pre-installed. However, there may be cases where IT admins need to install an app package or deploy app updates. Any apps that get deployed should be deployed as “Required”. “Available” apps require the further installation of the Company Portal app which is not recommended in the case of Teams meeting room devices. You’ll also want to make sure that any apps install in the device context (so that it’s accessible to all windows profiles).

 

App Type

Can you use this app type on a teams device?

Win32 App

Yes (As long as the device is Azure AD Joined or Hybrid Azure AD Joined)

LOB App

Yes

Microsoft Store for Business App

Yes

Web App

Not Supported

Store App

Not Supported

 

Grouping and Targeting

A good idea is to use Azure AD dynamic groups to effectively group all teams meeting room devices. One way that this can be best achieved is by using a naming standard during deployment/enrollment. For example, as mentioned earlier in this article, if you name all devices starting with MTR, you can then name devices “MTR-%SER%” which gives all devices a prefix of “MTR” with the serial number forming the second part of the name. Then you can use the dynamic group feature to group together all devices that start with MTR. Keep in mind, Azure AD dynamic groups is an AAD P1 feature.

 

Picture2.png

NOTE: Device renaming via Intune device management is supported on Azure AD Joined devices but not Hybrid Azure AD Joined devices.

 

When targeting Configuration and Compliance policies, and Apps it’s a good idea to target a group that contains devices rather than users. The reason for device-group assignment is that Teams meeting room devices sign into windows with a local user account (instead of an Azure AD User Account) and during sync with Intune, would not request any user-assigned policy.

 

 

I hope this was helpful in addressing some of the most common questions. Again, if you have any feedback or questions we’d love to hear from you so please comment below or find me on Twitter - @Scottduf.

 

 

26 Comments
New Contributor

Is there an easy way to control the Microsoft Teams Room app updates via Intune -  to allow us to hit a testing ring and actually confirm we have no unintended side-effects before we push out across our entire meeting room fleet?

We were stung by a previous room app update which clearly changed something in how certs were used for Skype On-prem - and took out the one entire office that had Teams rooms for couple of days a our knowledgeable team members were also on leave.

We are now all O365, but also all on a Teams Room device -so don't want to repeat that scenario if there is anyway to avoid it.

Also would give us time to update our documentation for the room every time the GUI changes.


Occasional Contributor

->How to keep Autologon working with an MTR that is Azure AD joined and managed by Intune? Currently the local "Skype" account autologon fails.

->What is the added value to use DEM vs MTR Room Account (which also has an Intune license) to register the device?

 

-Can we have a default best practices for MTR's?

 -Autopilot

 -Specific Conditional Access Rules/Exclusions.

Occasional Contributor

Do MTR support Modern Authentication

Occasional Contributor

When we will be able to Upgrade, manage MTR's from Teams Admin center, what is the pre-requisites for MTR management: SCCM, Intune or Hybrid

Microsoft

@yankeedoodlegandy , The "Microsoft Teams Room" app is a store signed app which means it would automatically be updated via the store. One possible solution to pin the app version would be to disable store updates. When ready to move to the next version of the app you could use Intune to deploy the it as an LOB app.

 

Microsoft

@Frank Rijt-van 

- I have not heard about the autologon not working after AADJ. I wonder if you have a policy configured in your environment that breaks it?

- DEM accounts are used for shared devices in Intune. When shared devices are enrolled with DEM accounts, Intune knows they are shared instead of a single-user device. DEM accounts can also enroll more than 15 devices (A limit that exists for normal accounts). You could possibly make the MTR room account a DEM account.

- We are working with customers on establishing further best practices in the areas you asked for. Stay tuned. 

Microsoft

@MTayal Let me get back to you on responses to that after discussing with the Teams Admin Center team.

Occasional Visitor

Are there any other parameters available which could be used from a dynamic group query perspective? I.e. something which could indicate that it IS a valid MTR installation?

 

Excluding devices from compliance- and CA policies doesn't really go well with allowing BYOD registrations and having zero trust/Internet based networks without known IP ranges in the offices where the MTR will be placed and having manual groups is too much of a hassle to even think of in larger organizations with huge but smaller branch offices with "JIT infrastructure" :D

Regular Visitor

@Scott Duffey 

 

We are also seeing the device failing to auto login after AADJ.  We currently have no MDM profiles targeted to the device.  It seems like the AADJ + Intune Manage process is breaking the AppLocker / Kiosk Policy.  Any ideas?

Occasional Contributor
Are there any plans to support Autopilot capability for MTR and also deploy SkypeSettings.xml via Intune or better provide a configuration profile to configure Skype/Teams settings?
Microsoft

@Jeremyb - This is just a hunch, but I wonder if its the Windows Hello for Business configuration breaks the AutoAdminLogon? I say that because it defaults to "on" for AADJ'd devices. You can create an Intune policy to disable WHFB and target to MTR device groups. If it is that, we should definitely update this guidance.

Microsoft

@Kapila Munaweera We are looking into how we can improve the setup experience for MTRs all up. This post is just a first step in that direction.

Microsoft

@MartinGustafsson I dont think we do have that today based on the properties exposed for AAD Device Dynamic groups today. https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership.... Its a good piece of feedback though that we'll consider as we improve the management experience for MTR's.

My point about "excluding" from CA/Compliance policy was more about taking into consideration how and where these devices are used and applying policies based on that rather than subjecting to them the same standard as Information Workers, Mobile Devices and Desktop PC's. It wasn't supposed to be prescriptive.

Occasional Visitor

@Scott Duffey  Agreed, I fully understand this is only recommendations and not prescriptions. Just pointing out the risks with the OTC recommendations :face_with_tears_of_joy:

Occasional Contributor
@Jeremyb - Try disabling ESP (enrolment status page) if it resolve the issue.
Regular Visitor

Hi @Scott Duffey Hello is disabled, and ESP is not configured.  This worked in 1809, in upgrading the device to 1903 autologin seems to be broken.  Seems to be a regression.

Microsoft

@Jeremyb I tested this today (Upgrade from 1809->1903) and did not get the same repro. Can you please raise a support call with the @Intune Support  Team.

Senior Member

We have been managing our MTR devices through Intune for last 2 years including .  Our AADJ devices are set to automatic enrollment to Intune. Also we been doing nightly reboots and wallpaper management by pushing powershell scripts through Intune. Monitoring agents and windows update is also pushed through Intune app. With addition of advanced capabilities it has become easy to manage MTR devices with Intune.

One big piece that has been missing is support of Modern auth by MTR devices. Is there any timeline when we can expect this?

Support for EWS for basic Auth is planned to end Oct 2020 I hope this is available way before that.

 

New Contributor

Second the question about Modern Auth. Any updates?

Microsoft

@Sukhdev Rehal @CHRISTOPHER BUES . Thanks for the comments.  We are targeting a 2020 Q1 release for Modern Auth on MTR devices.

Frequent Contributor

@Scott Duffey 

Hi, Is there any response on My earlier query, Management of MTR from Teams Admin Center, what is the prerequisite for same and will it be supporting all scenarios whether configuration is done using Intune, SCCM or Hybrid

Thanks!

Established Member

@Jeremyb @Scott Duffey @Intune Support Team 

After doing AADJ on Win10 1903 Teams Room the default logon to local Skype account is not working to due change of default login domain to e.g. corp.com. To fix Skype autologon issue, the update of registry key is needed to add "local\"prefix.

 

Here the registry key to be modified: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Change DefaultUserName entry value from "Skype" to "local\Skype". 

https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows

 

After registry change and reboot, all is back to normal (I hope).

Microsoft

@Maheshwar Tayal - Sorry I don't have any information to share on Teams Admin Center roadmap at this time. Note that Intune Hybrid mode is deprecated -  https://docs.microsoft.com/en-us/configmgr/mdm/understand/hybrid-mobile-device-management#deprecatio...

Contributor

@yankeedoodlegandy @Scott Duffey you can also control App Store updates from Intune or on the local App Store app itself (via … settings).

 

I'm not too sure how you would deploy the app as an LOB app as I've never seen any visibility of the app on the store to see how you can do anything like that ?

 

Is there an easy way to control the Microsoft Teams Room app updates via Intune -  to allow us to hit a testing ring and actually confirm we have no unintended side-effects before we push out across our entire meeting room fleet?

 
 

image.png

Microsoft

Thanks @Jed Ellerby for the useful comments! You can get the APPX packages and dependencies from the deployment kit . We're working with Teams to make this package easier for you to find.

New Contributor

@Jed Ellerby  - Thanks for the note about Intune - trialing out the control of App Store updates via profile now.