Managing Teams Meeting Rooms with Intune

Published Dec 16 2019 03:54 PM 58.8K Views

We’ve heard a few questions recently from customers looking for guidance how to manage your Microsoft Teams Rooms devices with Intune. This post answers a few of the frequently asked questions and provides general guidance. If you’ve discovered additional tips or tricks on your deployment journey, or have other feedback or suggestions, let us know by commenting on this post!

 

Picture1.png

 

Teams meeting room devices can be enrolled and managed by Intune to provide many of the device management and security capabilities available to other endpoints managed by Intune. As these devices are running Windows 10 under the hood, several of the Windows 10 features will be available to use, but many are not going to be applicable or recommended.

 

I’ll break this post into these Intune feature areas:

  • Enrollment
  • Windows 10 Configuration Profiles
  • Compliance Policies
  • Conditional Access
  • Grouping and Targeting

 

Enrollment

Recommendation: Azure AD join the device from Settings, utilizing an Intune DEM Account

 

Windows 10 based Teams devices arrive from suppliers prepared with an OS image, user accounts, and pre-configured profiles. Signing into Windows with the admin profile and performing the Azure AD Join from settings enables a smooth “Automatic MDM enrollment” into Intune. The additional recommendation to use an Intune Device Enrollment Manager (DEM) account is due to these meeting room devices being a shared device rather than one that has User-Device association in Intune. DEM accounts are used for shared device scenarios. Learn more about DEM accounts here.

 

The Meeting Room resource account can be used for Intune enrollment, but should not be used for Windows 10 login on the device due to issues that can arise during autologin of the Microsoft Teams Room application account. Please use a tenant or device admin account to administer local device settings.

 

NOTE: Automatic enrollment requires Azure AD Premium licensing. If you don’t have this feature available or enabled in your tenant, you will need to undertake two steps to enroll Windows 10 teams devices. First, Azure AD Domain Join. Then, do manual enrollment from Windows settings. Learn more about Windows enrollment here.

 

An additional tip is to name meeting room devices with a prefix that allows devices to be grouped dynamically. For example, use “MTR” for meeting room. You can rename devices with either a Windows 10 configuration policy or manually per device in Intune. I’ll talk about that a bit more about this approach below under Grouping and Targeting.

 

Depending on your current scenario, there are several other enrollment options available, including:

  • Use Windows Configuration Designer to create a Windows 10 Provisioning Package that performs a bulk Azure AD Join. Details are here.
  • Customers who have some devices domain joined and/or managed by Configuration Manager may choose to enable Co-management or initiate an Intune enrollment via the “Enable Automatic MDM enrollment using default Azure AD credentials” Group Policy setting.

 

This article goes into more depth on all the Windows 10 enrollment methods: Intune enrollment methods for Windows devices.

 

Windows 10 Configuration Profiles

Recommendation: Use Windows Configuration profiles to configure device settings that you need to change beyond the shipped defaults.

 

The following Windows 10 Configuration Policy types may be used with Windows 10 based meeting room devices:

 

Profile type

Can you use the profile?

Administrative Templates

Yes

Certificates

Yes

Delivery Optimization

Yes

Device Firmware Configuration Interface

Check for supported hardware here

Device restrictions

Yes

Edition Upgrade

Not supported

Email

Not recommended

Endpoint Protection

Yes

eSim

Not supported

Identity Protection

Not supported

Kiosk

Not supported

Powershell Scripts

Yes (Devices need to be AADJ’d or HAADJ’d)

Shared multi-user device

Not supported

VPN

Not recommended

Wi-Fi

Not recommended

Windows Information Protection

Not recommended

 

NOTE: “Not recommended” in the table is due to this Windows 10 policy type not being a good fit for meeting room scenarios. For example, Meeting room devices are not enabled for Wi-Fi, therefore it’s not recommended (or necessary) to configure a Wi-Fi profile. Learn more about available configuration policies here: Create a device profile in Microsoft Intune.

 

Compliance Policies
Recommendation: Use Compliance Policies to achieve the desired security level for your Teams devices.


You can use Compliance policies on your meeting room devices. You should take care to create the appropriate exclusions for any existing Windows 10 compliance policies that are currently deployed in your organization to “All devices”.  For example, you may have configured the setting “Maximum minutes of inactivity before password is required” in a Policy for all Windows 10 desktop devices but this would result in a poor meeting room experience if applied to teams devices. If you currently have Windows 10 compliance policies deployed to large groups of devices, make sure you use the “Exclude group” feature so that you can target a more specific compliance policy for the Meeting Room Devices.


This doc goes into more depth on compliance policies: Use compliance policies to set rules for devices you manage with Intune.

 

Conditional Access

Conditional Access policies with only location-based conditions can be applied to Microsoft Teams Rooms accounts at this time.  Microsoft is currently working on updates that will allow additional conditions to be set, such as device compliance.

 

NOTE: As a reminder, Conditional Access is an Azure Active Directory Premium (P1) feature.

 

Grouping and Targeting

A good idea is to use Azure AD dynamic groups to effectively group all teams meeting room devices. One way that this can be best achieved is by using a naming standard during deployment/enrollment. For example, as mentioned earlier in this article, if you name all devices starting with MTR, you can then name devices “MTR-%SER%” which gives all devices a prefix of “MTR” with the serial number forming the second part of the name. Then you can use the dynamic group feature to group together all devices that start with MTR. Keep in mind, Azure AD dynamic groups is an AAD P1 feature.

 

Picture2.png

NOTE: Device renaming via Intune device management is supported on Azure AD Joined devices but not Hybrid Azure AD Joined devices.

 

When targeting Configuration and Compliance policies, and Apps it’s a good idea to target a group that contains devices rather than users. The reason for device-group assignment is that Teams meeting room devices sign into windows with a local user account (instead of an Azure AD User Account) and during sync with Intune, would not request any user-assigned policy.

 

More info and feedback

As always, we want to hear from you! If you have any suggestions, questions, or comments, please comment below. You can also tag @IntuneSuppTeam out on Twitter.

 

Blog post updates:

  • 3/6/2020 - Updated the post to clarify what works with Conditional Access and Microsoft Teams Rooms. Removed mention of device compliance checks for CA; that feature is coming. 
  • 4/20/2020 - Updated the post to include an enrollment best practice - "Meeting Room resource account can be used for Intune enrollment, but should not be used for Windows 10 login on the device due to issues that can arise during autologin of the Microsoft Teams Room application account. Use a tenant or device admin account to administer local device settings."
  • 1/27/2021 - Updated the More info and feedback section.
56 Comments
Visitor

@PLJ_HolisticIT did you have an direct access in the internet? we had so much problems with the proxy. SSL inspection, Proxy trought IE settings and proxy on the host system....

Microsoft

The link that is in the following sentence is broken: -"Use Windows Configuration Designer to create a Windows 10 Provisioning Package that performs a bulk Azure AD Join. Details are"

Thank for the feedback @yayoayala. Link fixed!

Occasional Contributor

Can we get a similar kind of document for managing Surface Hub devices using Intune?

Thanks for the feedback @Frank Rijt-van! We have a couple of resources available in our docs. Please see: Manage Microsoft Surface Hub - Surface Hub and Manage Microsoft Teams configuration on Surface Hub - Microsoft Teams to learn more. Hope this helps!

Contributor

@marcchampoux thanks for the analysis and how to troubleshoot the issue. It was very useful in my situations!

%3CLINGO-SUB%20id%3D%22lingo-sub-1069838%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1069838%22%20slang%3D%22en-US%22%3E%3CP%3E-%26gt%3BHow%20to%20keep%20Autologon%20working%20with%20an%20MTR%20that%20is%20Azure%20AD%20joined%20and%20managed%20by%20Intune%3F%20Currently%20the%20local%20%22Skype%22%20account%20autologon%20fails.%3C%2FP%3E%3CP%3E-%26gt%3BWhat%20is%20the%20added%20value%20to%20use%20DEM%20vs%20MTR%20Room%20Account%20(which%20also%20has%20an%20Intune%20license)%20to%20register%20the%20device%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Can%20we%20have%20a%20default%20best%20practices%20for%20MTR's%3F%3C%2FP%3E%3CP%3E%26nbsp%3B-Autopilot%3C%2FP%3E%3CP%3E%26nbsp%3B-Specific%20Conditional%20Access%20Rules%2FExclusions.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1069446%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1069446%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20an%20easy%20way%20to%20control%20the%20Microsoft%20Teams%20Room%20app%20updates%20via%20Intune%20-%26nbsp%3B%20to%20allow%20us%20to%20hit%20a%20testing%20ring%20and%20actually%20confirm%20we%20have%20no%20unintended%20side-effects%20before%20we%20push%20out%20across%20our%20entire%20meeting%20room%20fleet%3F%3C%2FP%3E%3CP%3EWe%20were%20stung%20by%20a%20previous%20room%20app%20update%20which%20clearly%20changed%20something%20in%20how%20certs%20were%20used%20for%20Skype%20On-prem%20-%20and%20took%20out%20the%20one%20entire%20office%20that%20had%20Teams%20rooms%20for%20couple%20of%20days%20a%20our%20knowledgeable%20team%20members%20were%20also%20on%20leave.%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20now%20all%20O365%2C%20but%20also%20all%20on%20a%20Teams%20Room%20device%20-so%20don't%20want%20to%20repeat%20that%20scenario%20if%20there%20is%20anyway%20to%20avoid%20it.%3CBR%20%2F%3E%3CBR%20%2F%3EAlso%20would%20give%20us%20time%20to%20update%20our%20documentation%20for%20the%20room%20every%20time%20the%20GUI%20changes.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071807%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071807%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20MTR%20support%20Modern%20Authentication%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071809%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071809%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20we%20will%20be%20able%20to%20Upgrade%2C%20manage%20MTR's%20from%20Teams%20Admin%20center%2C%20what%20is%20the%20pre-requisites%20for%20MTR%20management%3A%20SCCM%2C%20Intune%20or%20Hybrid%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072561%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072561%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F332550%22%20target%3D%22_blank%22%3E%40yankeedoodlegandy%3C%2FA%3E%26nbsp%3B%2C%20The%20%22Microsoft%20Teams%20Room%22%20app%20is%20a%20store%20signed%20app%20which%20means%20it%20would%20automatically%20be%20updated%20via%20the%20store.%20One%20possible%20solution%20to%20pin%20the%20app%20version%20would%20be%20to%20disable%20store%20updates.%20When%20ready%20to%20move%20to%20the%20next%20version%20of%20the%20app%20you%20could%20use%20Intune%20to%20deploy%20the%20it%20as%20an%20LOB%20app.%3CA%20id%3D%22link_16%22%20class%3D%22lia-link-navigation%20lia-page-link%20lia-user-name-link%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F332550%22%20target%3D%22_self%22%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072584%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072584%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8769%22%20target%3D%22_blank%22%3E%40Frank%20Rijt-van%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-%20I%20have%20not%20heard%20about%20the%20autologon%20not%20working%20after%20AADJ.%20I%20wonder%20if%20you%20have%20a%20policy%20configured%20in%20your%20environment%20that%20breaks%20it%3F%3C%2FP%3E%0A%3CP%3E-%20DEM%20accounts%20are%20used%20for%20shared%20devices%20in%20Intune.%20When%20shared%20devices%20are%20enrolled%20with%20DEM%20accounts%2C%20Intune%20knows%20they%20are%20shared%20instead%20of%20a%20single-user%20device.%20DEM%20accounts%20can%20also%20enroll%20more%20than%2015%20devices%20(A%20limit%20that%20exists%20for%20normal%20accounts).%20You%20could%20possibly%20make%20the%20MTR%20room%20account%20a%20DEM%20account.%3C%2FP%3E%0A%3CP%3E-%20We%20are%20working%20with%20customers%20on%20establishing%20further%20best%20practices%20in%20the%20areas%20you%20asked%20for.%20Stay%20tuned.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072592%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072592%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F267551%22%20target%3D%22_blank%22%3E%40MTayal%3C%2FA%3E%26nbsp%3BLet%20me%20get%20back%20to%20you%20on%20responses%20to%20that%20after%20discussing%20with%20the%20Teams%20Admin%20Center%20team.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072803%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072803%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20there%20any%20other%20parameters%20available%20which%20could%20be%20used%20from%20a%20dynamic%20group%20query%20perspective%3F%20I.e.%20something%20which%20could%20indicate%20that%20it%20IS%20a%20valid%20MTR%20installation%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExcluding%20devices%20from%20compliance-%20and%20CA%20policies%20doesn't%20really%20go%20well%20with%20allowing%20BYOD%20registrations%20and%20having%20zero%20trust%2FInternet%20based%20networks%20without%20known%20IP%20ranges%20in%20the%20offices%20where%20the%20MTR%20will%20be%20placed%20and%20having%20manual%20groups%20is%20too%20much%20of%20a%20hassle%20to%20even%20think%20of%20in%20larger%20organizations%20with%20huge%20but%20smaller%20branch%20offices%20with%20%22JIT%20infrastructure%22%20%3AD%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074472%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074472%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20also%20seeing%20the%20device%20failing%20to%20auto%20login%20after%20AADJ.%26nbsp%3B%20We%20currently%20have%20no%20MDM%20profiles%20targeted%20to%20the%20device.%26nbsp%3B%20It%20seems%20like%20the%20AADJ%20%2B%20Intune%20Manage%20process%20is%20breaking%20the%20AppLocker%20%2F%20Kiosk%20Policy.%26nbsp%3B%20Any%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074588%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074588%22%20slang%3D%22en-US%22%3EAre%20there%20any%20plans%20to%20support%20Autopilot%20capability%20for%20MTR%20and%20also%20deploy%20SkypeSettings.xml%20via%20Intune%20or%20better%20provide%20a%20configuration%20profile%20to%20configure%20Skype%2FTeams%20settings%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074671%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074671%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291777%22%20target%3D%22_blank%22%3E%40Jeremyb%3C%2FA%3E%26nbsp%3B-%20This%20is%20just%20a%20hunch%2C%20but%20I%20wonder%20if%20its%20the%20Windows%20Hello%20for%20Business%20configuration%20breaks%20the%20AutoAdminLogon%3F%20I%20say%20that%20because%20it%20defaults%20to%20%22on%22%20for%20AADJ'd%20devices.%20You%20can%20create%20an%20Intune%20policy%20to%20disable%20WHFB%20and%20target%20to%20MTR%20device%20groups.%20If%20it%20is%20that%2C%20we%20should%20definitely%20update%20this%20guidance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074675%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074675%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11555%22%20target%3D%22_blank%22%3E%40Kapila%20Munaweera%3C%2FA%3E%26nbsp%3BWe%20are%20looking%20into%20how%20we%20can%20improve%20the%20setup%20experience%20for%20MTRs%20all%20up.%20This%20post%20is%20just%20a%20first%20step%20in%20that%20direction.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1074740%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1074740%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F493094%22%20target%3D%22_blank%22%3E%40MartinGustafsson%3C%2FA%3E%26nbsp%3BI%20dont%20think%20we%20do%20have%20that%20today%20based%20on%20the%20properties%20exposed%20for%20AAD%20Device%20Dynamic%20groups%20today.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fgroups-dynamic-membership%23rules-for-devices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fgroups-dynamic-membership%23rules-for-devices%3C%2FA%3E.%20Its%20a%20good%20piece%20of%20feedback%20though%20that%20we'll%20consider%20as%20we%20improve%20the%20management%20experience%20for%20MTR's.%3C%2FP%3E%0A%3CP%3EMy%20point%20about%20%22excluding%22%20from%20CA%2FCompliance%20policy%20was%20more%20about%20taking%20into%20consideration%20how%20and%20where%20these%20devices%20are%20used%20and%20applying%20policies%20based%20on%20that%20rather%20than%20subjecting%20to%20them%20the%20same%20standard%20as%20Information%20Workers%2C%20Mobile%20Devices%20and%20Desktop%20PC's.%20It%20wasn't%20supposed%20to%20be%20prescriptive.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1075003%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1075003%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%20Agreed%2C%20I%20fully%20understand%20this%20is%20only%20recommendations%20and%20not%20prescriptions.%20Just%20pointing%20out%20the%20risks%20with%20the%20OTC%20recommendations%20%3Aface_with_tears_of_joy%3A%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1076028%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1076028%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291777%22%20target%3D%22_blank%22%3E%40Jeremyb%3C%2FA%3E%20-%20Try%20disabling%20ESP%20(enrolment%20status%20page)%20if%20it%20resolve%20the%20issue.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1085865%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1085865%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3BHello%20is%20disabled%2C%20and%26nbsp%3BESP%20is%20not%20configured.%26nbsp%3B%20This%20worked%20in%201809%2C%20in%20upgrading%20the%20device%20to%201903%20autologin%20seems%20to%20be%20broken.%26nbsp%3B%20Seems%20to%20be%20a%20regression.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1087479%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1087479%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291777%22%20target%3D%22_blank%22%3E%40Jeremyb%3C%2FA%3E%26nbsp%3BI%20tested%20this%20today%20(Upgrade%20from%201809-%26gt%3B1903)%20and%20did%20not%20get%20the%20same%20repro.%20Can%20you%20please%20raise%20a%20support%20call%20with%20the%26nbsp%3B%40Intune%20Support%26nbsp%3B%20Team.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1092487%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1092487%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20been%20managing%20our%20MTR%20devices%20through%20Intune%20for%20last%202%20years%20including%20.%26nbsp%3B%20Our%20AADJ%20devices%20are%20set%20to%20automatic%20enrollment%20to%20Intune.%20Also%20we%20been%20doing%20nightly%20reboots%20and%20wallpaper%20management%20by%20pushing%20powershell%20scripts%20through%20Intune.%20Monitoring%20agents%20and%20windows%20update%20is%20also%20pushed%20through%20Intune%20app.%20With%20addition%20of%20advanced%20capabilities%20it%20has%20become%20easy%20to%20manage%20MTR%20devices%20with%20Intune.%3C%2FP%3E%3CP%3EOne%20big%20piece%20that%20has%20been%20missing%20is%20support%20of%20Modern%20auth%20by%20MTR%20devices.%20Is%20there%20any%20timeline%20when%20we%20can%20expect%20this%3F%3C%2FP%3E%3CP%3ESupport%20for%20EWS%20for%20basic%20Auth%20is%20planned%20to%20end%20Oct%202020%20I%20hope%20this%20is%20available%20way%20before%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1092530%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1092530%22%20slang%3D%22en-US%22%3E%3CP%3ESecond%20the%20question%20about%20Modern%20Auth.%20Any%20updates%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1097626%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1097626%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192527%22%20target%3D%22_blank%22%3E%40Sukhdev%20Rehal%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170351%22%20target%3D%22_blank%22%3E%40CHRISTOPHER%20BUES%3C%2FA%3E%26nbsp%3B.%20Thanks%20for%20the%20comments.%26nbsp%3B%20We%20are%20targeting%20a%202020%20Q1%20release%20for%20Modern%20Auth%20on%20MTR%20devices.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098000%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098000%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20Is%20there%20any%20response%20on%20My%20earlier%20query%2C%20Management%20of%20MTR%20from%20Teams%20Admin%20Center%2C%20what%20is%20the%20prerequisite%20for%20same%20and%20will%20it%20be%20supporting%20all%20scenarios%20whether%20configuration%20is%20done%20using%20Intune%2C%20SCCM%20or%20Hybrid%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098915%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098915%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291777%22%20target%3D%22_blank%22%3E%40Jeremyb%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20doing%20AADJ%20on%20Win10%201903%20Teams%20Room%20the%20default%20logon%20to%20local%20Skype%20account%20is%20not%20working%20to%20due%20change%20of%20default%20login%20domain%20to%20e.g.%20corp.com.%20To%20fix%20Skype%20autologon%20issue%2C%20the%20update%20of%20registry%20key%20is%20needed%20to%20add%20%22local%5C%22prefix.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20the%20registry%20key%20to%20be%20modified%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EHKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CWindows%20NT%5CCurrentVersion%5CWinlogon%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EChange%26nbsp%3B%3CSTRONG%3EDefaultUserName%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3Bentry%20value%20from%20%22%3CEM%3ESkype%3C%2FEM%3E%22%20to%20%22%3CEM%3Elocal%5CSkype%3C%2FEM%3E%22.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F324737%2Fhow-to-turn-on-automatic-logon-in-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F324737%2Fhow-to-turn-on-automatic-logon-in-windows%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20registry%20change%20and%20reboot%2C%20all%20is%20back%20to%20normal%20(I%20hope).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1099428%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099428%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45060%22%20target%3D%22_blank%22%3E%40Maheshwar%20Tayal%3C%2FA%3E%26nbsp%3B-%20Sorry%20I%20don't%20have%20any%20information%20to%20share%20on%20Teams%20Admin%20Center%20roadmap%20at%20this%20time.%20Note%20that%20Intune%20Hybrid%20mode%20is%20deprecated%20-%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fconfigmgr%2Fmdm%2Funderstand%2Fhybrid-mobile-device-management%23deprecation-announcement%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fconfigmgr%2Fmdm%2Funderstand%2Fhybrid-mobile-device-management%23deprecation-announcement%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1103155%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1103155%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F332550%22%20target%3D%22_blank%22%3E%40yankeedoodlegandy%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%20you%20can%20also%20control%20App%20Store%20updates%20from%20Intune%20or%20on%20the%20local%20App%20Store%20app%20itself%20(via%20%E2%80%A6%20settings).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20too%20sure%20how%20you%20would%20deploy%20the%20app%20as%20an%20LOB%20app%20as%20I've%20never%20seen%20any%20visibility%20of%20the%20app%20on%20the%20store%20to%20see%20how%20you%20can%20do%20anything%20like%20that%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E%3CSPAN%3EIs%20there%20an%20easy%20way%20to%20control%20the%20Microsoft%20Teams%20Room%20app%20updates%20via%20Intune%20-%26nbsp%3B%20to%20allow%20us%20to%20hit%20a%20testing%20ring%20and%20actually%20confirm%20we%20have%20no%20unintended%20side-effects%20before%20we%20push%20out%20across%20our%20entire%20meeting%20room%20fleet%3F%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20828px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164896iC5A8F77B3C3B14EB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1106244%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1106244%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F30420%22%20target%3D%22_blank%22%3E%40Jed%20Ellerby%3C%2FA%3E%26nbsp%3Bfor%20the%20useful%20comments!%20Y%3CSPAN%3Eou%20can%20get%20the%20APPX%20packages%20and%20dependencies%20from%20the%26nbsp%3B%3C%2FSPAN%3E%3CU%3E%3CA%20tabindex%3D%22-1%22%20title%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D851168%22%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D851168%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3Edeployment%20kit%3C%2FA%3E%3C%2FU%3E%3CSPAN%3E%26nbsp%3B.%20We're%20working%20with%20Teams%20to%20make%20this%20package%20easier%20for%20you%20to%20find.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1106587%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1106587%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F30420%22%20target%3D%22_blank%22%3E%40Jed%20Ellerby%3C%2FA%3E%26nbsp%3B%20-%20Thanks%20for%20the%20note%20about%20Intune%20-%20trialing%20out%20the%20control%20of%20App%20Store%20updates%20via%20profile%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1137560%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1137560%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%2C%3C%2FP%3E%3CP%3ECan%20you%20confirme%20me%20that%20we%20can%20use%20the%20Software%20Update%20feature%20on%20Intune%20to%20manage%20OS%20Quality%20and%20Feature%20Updates%20of%20MTR%3F%3C%2FP%3E%3CP%3EBecause%20I%20configured%20it%20like%20below%2C%20but%20I%20received%20this%20error%20message%20%3CSTRONG%3EServicing%20channel%20%3D%20ERROR%3A%20-2016281111%20(Not%20applicable%20for%20this%20device)%26nbsp%3B%3C%2FSTRONG%3E%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20667px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F167910i83E5CEBD3C22AA8A%2Fimage-dimensions%2F667x805%3Fv%3D1.0%22%20width%3D%22667%22%20height%3D%22805%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3Ethanks%20for%20your%20help%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1141823%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1141823%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F17277%22%20target%3D%22_blank%22%3E%40mohamed%20ait%20salah%3C%2FA%3E%26nbsp%3BCan%20you%20please%20open%20a%20support%20ticket%20for%20Intune%20to%20get%20to%20the%20bottom%20of%20the%20error%20message%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1151187%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1151187%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3Ewhat%20is%20the%20Microsoft%20recommendation%20when%20the%20%22Require%20MFA%20to%20join%20AAD%22%20is%20set%20in%20AAD%20but%20to%20avoid%20MFA%20prompt%20when%20MTR%20enrolling%20to%20Intune%3F%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20777px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F169022iF5BF2E835C9D15C5%2Fimage-dimensions%2F777x313%3Fv%3D1.0%22%20width%3D%22777%22%20height%3D%22313%22%20alt%3D%22mtrintune.PNG%22%20title%3D%22mtrintune.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1151209%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1151209%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11555%22%20target%3D%22_blank%22%3E%40Kapila%20Munaweera%3C%2FA%3E%26nbsp%3BWhy%20would%20you%20want%20someone%20to%20be%20able%20to%20join%20devices%20to%20your%20AAD%20without%20MFA%3F%20(Honest%20question)%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1151301%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1151301%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11555%22%20target%3D%22_blank%22%3E%40Kapila%20Munaweera%3C%2FA%3E%26nbsp%3BOne%20option%20would%20be%20to%20use%20a%20u%3CSPAN%3Ese%20Windows%20Configuration%20Designer%20to%20create%20a%20Windows%2010%20Provisioning%20Package%20that%20performs%20a%20bulk%20Azure%20AD%20Join.%20As%20long%20as%20the%20package%20was%20created%20by%20an%20IT%20admin%20who%20authenticated%20with%20MFA%20during%20the%20creation%20process%2C%20then%20the%20enrollment%20would%20proceed.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1152033%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1152033%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3Bthanks%20for%20your%20answer%2C%20but%20my%20first%20question%20is%20%3A%3C%2FP%3E%3CP%3ECan%20you%20confirme%20me%20that%20we%20can%20use%20the%20Software%20Update%20feature%20on%20Intune%20to%20manage%20OS%20Quality%20and%20Feature%20Updates%20of%20MTR%3F%3C%2FP%3E%3CP%3EIf%20yes%20%2C%20do%20you%20have%20an%20official%20link%20to%20define%20the%20properties%20for%20MTR.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethanks%20very%20much%20for%20your%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1152212%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1152212%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20reply.%20I%20thought%20about%20both%20bulk%20enrolment%20and%20using%20a%20DEP%20account%20but%20the%20challenge%20then%20is%20they%20enrolled%20as%20a%20shared%20device%20and%20there%20is%20no%20conditional%20access%20support%20for%20them%2C%20which%20we%20require%20to%20protect%20these%20accounts.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Capture1.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F169103iEE535D9E4F1CDCEF%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Capture1.PNG%22%20alt%3D%22Capture1.PNG%22%20%2F%3E%3C%2FSPAN%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1160902%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1160902%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F17277%22%20target%3D%22_blank%22%3E%40mohamed%20ait%20salah%3C%2FA%3E%26nbsp%3B-%20The%20teams%20application%20itself%20configures%20Features%20updates%20based%20on%20this%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252FMicrosoftTeams%252Frooms%252Frooms-lifecycle-support%2523windows-10-release-support%26amp%3Bdata%3D04%257C01%257CScott.Duffey%2540microsoft.com%257C6933da37608f4697e29f08d7ac0fe09f%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637167056497843545%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C-1%26amp%3Bsdata%3Dh6hrAd5LLnOCUfZjjP7kemyubKhDsOHByBY1F%252B1A5QM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FMicrosoftTeams%2Frooms%2Frooms-lifecycle-support%23windows-10-release-support%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E.%20So%20we%20wouldn't%20recommend%20trying%20to%20configure%20them%20with%20Intune.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1164023%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1164023%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20teams%20application%20itself%20configures%20Features%20updates%20based%20on%20this%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252FMicrosoftTeams%252Frooms%252Frooms-lifecycle-support%2523windows-10-release-support%26amp%3Bdata%3D04%257C01%257CScott.Duffey%2540microsoft.com%257C6933da37608f4697e29f08d7ac0fe09f%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637167056497843545%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C-1%26amp%3Bsdata%3Dh6hrAd5LLnOCUfZjjP7kemyubKhDsOHByBY1F%252B1A5QM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FMicrosoftTeams%2Frooms%2Frooms-lifecycle-support%23windows-10-release-sup...%3C%2FA%3E%3C%2FP%3E%3CP%3E.%20So%20we%20wouldn't%20recommend%20trying%20to%20configure%20them%20with%20Intune.%3C%2FP%3E%3CP%3Ewhat%20is%20the%20recommendations%20for%20certificates%2C%20should%20we%20use%20Public%20vs%20Private%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1166093%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1166093%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3Bthanks%20for%20your%20answer.%3C%2FP%3E%3CP%3EIf%20i%20correctly%20understand%2C%20nothing%20to%20configure%20in%20Intune%20or%20any%20others%20t%3CSPAN%3Ehird-party%20device%20management%20services%20to%20manage%20windows%20update%20or%20teams%20room%20software%20updates.%20Teams%20room%20system%20will%20automatically%20get%20update%20and%20install%20it%20and%20reboot%20during%20maintenance%20hours.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1258332%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1258332%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20experts%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20idea%20how%20to%20manage%20the%20default%20local%20admin%20account%20via%20Intune%3F%3C%2FP%3E%3CP%3EDo%20you%20disabled%20it%20or%20changed%20the%20password%20from%20Intune%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1312728%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1312728%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EConditional%20Access%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EConditional%20Access%20policies%20with%20only%20location-based%20conditions%20can%20be%20applied%20to%20Microsoft%20Teams%20Rooms%20accounts%20at%20this%20time.%26nbsp%3B%20Microsoft%20is%20currently%20working%20on%20updates%20that%20will%20allow%20additional%20conditions%20to%20be%20set%2C%20such%20as%20device%20compliance.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20ETA%20in%20supporting%20device%20compliance%20as%20MTR%20now%20support%20modern%20auth%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Frooms%2Frooms-authentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Frooms%2Frooms-authentication%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1356422%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1356422%22%20slang%3D%22en-US%22%3E%3CP%3Ewe%20have%20recently%20put%20a%20test%20device%20onto%20intune%20and%20get%20the%20failed%20log%20in%20to%20skype%20-%20i%20tried%20the%20following%20makes%20no%20difference%20to%20ours%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EAfter%20doing%20AADJ%20on%20Win10%201903%20Teams%20Room%20the%20default%20logon%20to%20local%20Skype%20account%20is%20not%20working%20to%20due%20change%20of%20default%20login%20domain%20to%20e.g.%20corp.com.%20To%20fix%20Skype%20autologon%20issue%2C%20the%20update%20of%20registry%20key%20is%20needed%20to%20add%20%22local%5C%22prefix.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20the%20registry%20key%20to%20be%20modified%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EHKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CWindows%20NT%5CCurrentVersion%5CWinlogon%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EChange%26nbsp%3B%3CSTRONG%3EDefaultUserName%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3Bentry%20value%20from%20%22%3CEM%3ESkype%3C%2FEM%3E%22%20to%20%22%3CEM%3Elocal%5CSkype%3C%2FEM%3E%22.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F324737%2Fhow-to-turn-on-automatic-logon-in-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F324737%2Fhow-to-turn-on-automatic-logon-in-windows%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20registry%20change%20and%20reboot%2C%20all%20is%20back%20to%20normal%20(I%20hope).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1401085%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1401085%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20currently%20trying%20to%20deploy%20Bitlocker%20via%20Intune%20using%20Endpoint%20Protection%20configuration%20profile%20to%20the%20MTR.%26nbsp%3B%20However%2C%20the%20Deployment%20status%20shows%20Not%20Applicable.%20Does%20Bitlocker%20supported%20for%20IoT%20Enterprise%20via%20Intune%2C%20any%20idea%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1502279%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1502279%22%20slang%3D%22en-US%22%3E%3CP%3E1.%20The%20Bulk%20Token%20enrollment%20method.%20Just%20adding%20a%20comment%20here.%20My%20experience%20is%20that%20the%20bulk%20token%20stops%20working%20after%2014%20days%2C%20and%20CA%20complains%20about%20MFA%20on%20the%20Package%20Account.%20My%20thinking%20is%20that%20after%202%20weeks%20the%20%22MFA%20IN%20THE%20CLAIM%22%20is%20expired%2C%20and%20it%20is%20not%20renewing.%20So%20excluding%20the%20package%20account%20from%20MFA%20requirements%20and%20removing%20%22Require%20MFA%20to%20Join%20AAD%22%20in%20CA%20fixed%20that%20for%20me.%20The%20other%20option%20that%20works%20is%20to%20exclude%20package%20accounts%20on%20location%20(IP%20Address)%20-%20Trusted%20location.%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1534662%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1534662%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20Everyone%2C%3C%2FP%3E%3CP%3EDoing%20a%20bulk%20enrollment%20method%2C%20and%20I%20am%20unable%20to%20deploy%20a%20Win32app%20or%20configurations.%20%26nbsp%3BI%20assume%20I%20have%20to%20log%20on%20once%20with%20an%20AzureAD%20user%20account%20after%20enrolling%3F%20%26nbsp%3BI%20am%20basically%20getting%20errors%20in%20the%20IME%20log%20that%20state%20it%E2%80%99s%20trying%20to%20impersonate%20and%20failing%20to%20get%20an%20AAD%20token.%20%26nbsp%3BI%20have%20also%20tried%20just%20using%20the%20DEM%20account%20to%20join.%20%26nbsp%3BBut%20again%20I%20assume%20I%20have%20to%20switch%20users%20from%20the%20Skype%20account%20and%20log%20in%20with%20an%20AzureAD%20account%20to%20get%20the%20ball%20rolling.%20%26nbsp%3BPlease%20confirm%20or%20if%20I%20am%20misunderstanding.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFailed%20to%20get%20AAD%20token.%20len%20%3D%2034%20using%20client%20id%20xxxxxxx%20and%20resource%20id%20xxxxxxxx%2C%20errorCode%20%3D%203399548929%3C%2FP%3E%3CP%3ENeed%20user%20interaction%20to%20continue.%3CBR%20%2F%3EAAD%20user%20check%20is%20failed%2C%20exception%20is%20Intune%20Management%20Extension%20Error.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELet%20me%20know%20if%20more%20information%20is%20needed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1672992%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1672992%22%20slang%3D%22en-US%22%3E%3CP%3EDear%20All%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20do%20you%20join%20your%20MTR's%20to%20AAD%20and%20then%20enroll%20them%20to%20Intune.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20did%20every%20configuration%20on%20the%20Intune%20side%20(Enrollment%20restrictions%2C%20license%2C%20enrollment%20target%2C%20....).%3C%2FP%3E%3CP%3EThen%20i%20go%20on%20the%20MTR%20in%20the%20Access%20work%20or%20school%20settings%2C%20Connect%2C%20Add%20to%20Azure%20AD%2C%20Sign%20in%20with%20my%20informations%20and%20then%20i%20get%20the%20error%20in%20the%20logs%20describes%20the%20follow%3A%20MDM%20Enroll%3A%20Failed%20(Unknown%20Win32%20Error%20code%3A%200x80192ee7)%20or%20on%20the%20work%20settings%2C%20see%20attached.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProxy%20is%20set%20to%20any%20any%20for%20the%20tests.%20It%20seems%20that%20we%20don't%20have%20any%20network.%20We%20use%20this%20Crestron%20device%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.crestron.com%2FProducts%2FWorkspace-Solutions%2FUnified-Communications%2FCrestron-Flex-Integrator-Kits%2FUC-C160-T%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.crestron.com%2FProducts%2FWorkspace-Solutions%2FUnified-Communications%2FCrestron-Flex-Integrator-Kits%2FUC-C160-T%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%20for%20every%20small%20hint%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22Work%20Failure.jpg%22%20style%3D%22width%3A%20423px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218727i24FE27306A6C1480%2Fimage-dimensions%2F423x564%3Fv%3D1.0%22%20width%3D%22423%22%20height%3D%22564%22%20title%3D%22Work%20Failure.jpg%22%20alt%3D%22Worksetting%20failure%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EWorksetting%20failure%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22LOG%20Failure.jpg%22%20style%3D%22width%3A%20422px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218728iDA95AA41C1CBFABE%2Fimage-dimensions%2F422x563%3Fv%3D1.0%22%20width%3D%22422%22%20height%3D%22563%22%20title%3D%22LOG%20Failure.jpg%22%20alt%3D%22Eventviewer%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EEventviewer%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1739612%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1739612%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20doing%20an%20Azure%20AD%20Join%20by%20%3CSTRONG%3ESettings%20%26gt%3B%20Accounts%20%26gt%3B%20Access%20Work%20or%20School%20%26gt%3B%20%2BConnect%20%26gt%3B%20Join%20this%20device%20to%20Azure%20Active%20Directory%26nbsp%3B%26nbsp%3B%3C%2FSTRONG%3Eand%20signing%20in%20with%20DEM%20account.%26nbsp%3B%20The%20device%20successfully%20joins%20AAD%20but%20we%20are%20no%20longer%20able%20to%20use%20the%20local%20MTR%20Admin%20account.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20logging%20in%20to%20Windows%2C%20the%20Admin%20account%20is%20no%20longer%20listed.%26nbsp%3B%20You%20have%20to%20choose%20'Other%20user'%20and%20am%20prompted%20to%20sign%20in%20to%20Work%20or%20School%20account.%26nbsp%3B%20Trying%20to%20use%20the%20Admin%20account%20fails.%26nbsp%3B%20In%20your%20post%20it%20states%20an%20option%20to%20use%20'device%20admin%20account%20to%20administer%20local%20device%20settings.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22brcallicott_0-1601650001586.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F223686i602B99B0B3720BEE%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22brcallicott_0-1601650001586.png%22%20alt%3D%22brcallicott_0-1601650001586.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1787932%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1787932%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F381712%22%20target%3D%22_blank%22%3E%40brcallicott%3C%2FA%3E%26nbsp%3B%20I%20believe%20this%20was%20the%20same%20issue%20we%20ran%20into%2C%20where%20we%20had%20to%20use%20.%5Cadmin%20to%20login%20to%20the%20local%20admin%20account.%3C%2FP%3E%3CP%3EThis%20may%20be%20solved%20with%20the%20suggestion%20Krzwen%20came%20with%20September%201st.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3Ehave%20not%20tested%20this%20yet%20myself.%3C%2FP%3E%3CDIV%20class%3D%22lia-message-author-avatar%20lia-component-author-avatar%20lia-component-message-view-widget-author-avatar%20UserAvatarWrapper%22%3E%3CDIV%20class%3D%22UserAvatarWrapper%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1900254%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1900254%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Everyone%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20facing%20the%20same%20issue%20as%20one%20the%20user%20mentioned.%20We%20have%20enrolled%20MTR%20devices%20using%20a%20DEM%20account%2C%20it%20got%20auto%20enrolled%20in%20MDM%20and%20is%20now%20visible%20in%20Intune.%20Now%2C%20I'm%20unable%20to%20deploy%20MSI%20or%20Win32%20apps%20on%20the%20Machine.%20There%20are%20not%20error%20to%20found%20in%20the%20logs%20other%20than%20AAD%20token%20failure.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20no%20logs%20generated%20on%20under%20the%20Devices%20%26gt%3B%20Managed%20App.%20Not%20able%20to%20find%20anything%20that%20can%20help.%20We%20had%20a%20call%20with%20MS%20and%20one%20of%20the%20guys%20was%20from%20MTR%20team%20and%20he%20specifically%20mentioned%20that%20use%20DEM%20Account%20%26gt%3B%20Auto%20Enrollment%20and%20App%20installation%20should%20follow%20however%20it%20is%20not%20happening.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2119976%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2119976%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20everybody%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116732%22%20target%3D%22_blank%22%3E%40Scott%20Duffey%3C%2FA%3E%26nbsp%3B-%20Thanks%20alot%20for%20the%20article!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20looking%20for%20some%20recommendations%20or%20best%20practices%20regarding%20conditional%20access%2C%20configuration%20profiles%2C%20conditional%20access%2C%20update%20rings%20and%20endpoint%20security%20for%20MTR%20clients%20enrolled%20in%20Intune.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20help%20would%20be%20highly%20appreciated!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2341194%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2341194%22%20slang%3D%22en-US%22%3E%3CP%3ELink%20to%20DEM%20accounts%20is%20broken%20%22%3CSPAN%3EThe%20additional%20recommendation%20to%20use%20an%20Intune%20Device%20Enrollment%20Manager%20(DEM)%20account%20is%20due%20to%20these%20meeting%20room%20devices%20being%20a%20shared%20device%20rather%20than%20one%20that%20has%20User-Device%20association%20in%20Intune.%20DEM%20accounts%20are%20used%20for%20shared%20device%20scenarios.%20Learn%20more%20about%20DEM%20accounts%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fenroll%2520devices%2520in%2520intune%2520by%2520using%2520a%2520device%2520enrollment%2520manager%2520account%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehere%3C%2FA%3E%3CSPAN%3E.%22%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2384745%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2384745%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everybody%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe've%20deployed%20a%20lot%20of%20Team%20Room%20Systems%20where%20I%20work%20and%20encountered%20the%20%3CEM%3Edreaded%3C%2FEM%3E%20%22autologon%22%20issue.%20I%20opened%20a%20ticket%20with%20MS%20Support%20but%20didn't%20get%20any%20help.%20I%20am%20posting%20my%20experience%20here%20and%20the%20solution%20in%20case%20it%20helps%20someone%20out%20there.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EFirst%2C%20some%20background%20about%20our%20Team%20Room%20Systems%20(you%20can%20then%20decide%20if%20you%20are%20in%20a%20similar%20environment)...%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20All%20our%20Team%20Room%20Systems%20are%20domain%20joined%20to%20our%20Active%20Directory.%20This%20also%20creates%20an%20object%20for%20them%20in%20Azure%20AD%20and%20it%20enrolls%20the%20computer%20account%20of%20the%20room%20in%20InTune.%3C%2FP%3E%3CP%3E-%20All%20of%20them%20have%20a%20GPO%20applied%20to%20them%20that%20pushes%20the%20%22AdminAutoLogon%22%20and%20all%20the%20other%20appropriate%20settings%20to%20make%20sure%20the%20rooms%20start%20correctly%20and%20autologin%20with%20the%20%22Skype%22%20user%20account%20after%20their%20daily%20reboots.%3C%2FP%3E%3CP%3E-%20Keep%20in%20mind%20that%20we%20also%20use%20InTune%20to%20manage%20mobile%20devices%20and%20%3CEM%3Esome%3C%2FEM%3E%20Windows%2010%20devices%20(this%20becomes%20important%20later).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThe%20issue...%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20many%20others%20have%20experienced%20with%20their%20Team%20Room%20Systems%2C%20the%20%22autologon%22%20feature%20did%20not%20work%20or%20stopped%20working%20for%20unknown%20reasons.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20us%2C%20if%20we%20looked%20on%20the%20affected%20Team%20Room%20Systems%2C%20we%20could%20see%20the%20warning%20%22%3CEM%3EThe%20autologon%20setting%20has%20been%20removed%20because%20the%20EAS%20policy%20is%20set%3C%2FEM%3E%22%20message%20in%20Event%20Viewer%20-%26gt%3B%26nbsp%3BApplications%20and%20Services%20Logs%5CMicrosoft%5CWindows%5CAuthentication%5COperations.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20if%20we%20looked%20in%20the%20Registry%2C%20under%20%22HKLM%5CSYSTEM%5CCurrentControlSet%5CControl%5CEAS%22%2C%20there%20was%20a%20%22Policies%22%20folder%20with%20a%20value%20of%20%225%22%20in%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20we%20deleted%20the%20%22HKLM%5CSYSTEM%5CCurrentControlSet%5CControl%5CEAS%5CPolicies%22%20registry%20folder%20(and%20MDM%20sub-folder)%20and%20rebooted%20the%20room%2C%20the%20problem%20was%20%3CEM%3Etemporarily%3C%2FEM%3E%20resolved...%20but%26nbsp%3B%3CEM%3Esomething%3C%2FEM%3E%20was%20adding%20back%20the%20%22Policies%22%20folder%20and%20settings%20in%20the%20registry%20during%20the%20course%20of%20the%20day%20and%20the%20problem%20would%20just%20come%20back%20the%20next%20day.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThe%20root%20cause...%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1%20word%3A%20InTune.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20to%20be%20more%20specific...%203%20words%3A%26nbsp%3B%3CEM%3Esomething%20%3C%2FEM%3Ein%20InTune%3CEM%3E.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20did%20a%20lot%20of%20research%20and%20I%20discovered%20that%26nbsp%3B%3CEM%3Esomething%3C%2FEM%3E%20in%20InTune%20was%20pushing%20a%20very%20specific%20registry%20key%20down%20to%20the%20Team%20Room%20Systems%20(more%20on%20that%20in%20the%20%22solutions%22%20below).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUnfortunately%2C%20I%20looked%20like%20a%20mad%20man%20at%20all%20our%20InTune%20compliance%20policies%20and%20settings%20that%20we%20push%20down%20and%20I%20could%20not%20find%20the%20exact%20InTune%20Compliance%20Policy%20or%20InTune%20Configuration%20Profile%20that%20was%20pushing%20down%20the%20%22DeviceLock%22%20features%20that%20you%20will%20read%20about%20in%20the%20next%20section...%20so%20let's%20jump%20to%20the%20solution...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThe%20solution%20to%20my%20problem%20(and%20hopefully%20yours)...%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPart%201%20-%20Check%20if%20this%20solution%20applies%20to%20you...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3ELog%20into%20your%20Team%20Room%20System%20and%20open%20up%20the%20Registry%20Editor.%3C%2FLI%3E%3CLI%3EGo%20to%20%22HKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CProvisioning%5COMADM%5CAccounts%5C%22%3C%2FLI%3E%3CLI%3EThere%20will%20be%20a%20folder%20with%20a%20GUID%20under%20the%20%22Accounts%22%20key%3A%20make%20a%20note%20of%20the%20GUID%20that%20is%20shown%20there.%20That%20is%20your%20%22EnrollmentID%22.%20It's%20some%20sort%20of%20magical%20GUID%20that%20links%20that%20specific%20machine%20to%20your%20InTune%20subscription.%20Note%20that%20the%20EnrollmentID%20is%20unique%20per%20machine.%3C%2FLI%3E%3CLI%3EGo%20to%20%22HKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CPolicyManager%5CProviders%22%20and%20locate%20the%20folder%20under%20that%20key%20that%20has%20the%20same%20GUID%20as%20your%20EnrollmentID.%3C%2FLI%3E%3CLI%3EUnder%20the%20%22HKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CPolicyManager%5CProviders%5C%5BENROLLMENTID%5D%5Cdefault%5CDevice%5C%22%20check%20to%20see%20if%20you%20have%20a%20%22DeviceLock%22%20folder.%3C%2FLI%3E%3CLI%3EIf%20you%20have%20a%20%22DeviceLock%22%20folder%2C%20check%20to%20see%20if%20you%20have%20keys%20like%20%22%3CSTRONG%3EDevicePasswordEnabled%3C%2FSTRONG%3E%22%2C%20%22%3CSTRONG%3EAllowSimpleDevicePassword%3C%2FSTRONG%3E%22%2C%20etc...%3C%2FLI%3E%3CLI%3EIF%20you%20have%20those%20keys%20then%20%3CSTRONG%3Ethis%20solution%20%3CEM%3Eshould%3C%2FEM%3E%26nbsp%3Bapply%20to%20you.%3C%2FSTRONG%3E..%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20if%20you%20see%20the%20keys%20mentioned%20in%20Step%206%2C%20try%20the%20following...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPart%202%20-%20Exclude%20the%20Team%20Room%20System(s)%20from%20InTune...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3ECreate%20a%20security%20group%20in%20AD%20or%20in%20Azure%20AD%20(do%20as%20appropriate%20in%20your%20environment)%20and%20call%20it%20%22Team%20Room%20Systems%20-%20InTune%20Exclusion%22%20(or%20whatever%20you%20want).%3C%2FLI%3E%3CLI%3EIn%20that%20new%20security%20group%2C%20put%20all%20the%20computer%20accounts%20of%20your%20Team%20Room%20Systems.%3C%2FLI%3E%3CLI%3ENow%2C%20log%20into%20InTune.%3C%2FLI%3E%3CLI%3EGo%20to%20%22Devices%20-%26gt%3B%20Compliance%20Policies%22.%3C%2FLI%3E%3CLI%3EIn%20each%20Windows%2010%20Compliance%20Policy%20listed%20there%2C%20add%20the%20group%20you%20created%20with%20the%20room%20as%20an%20%3CEM%3EExclusion%3C%2FEM%3E%20to%20the%20policy%20(it's%20in%20the%20%22Assignment%22%20section%20of%20the%20policy).%3C%2FLI%3E%3CLI%3EOnce%20you%20have%20modified%20all%20your%20Windows%2010%20Compliance%20Policies%2C%20go%20to%20%22Devices%20-%26gt%3B%20Configuration%20Profiles%22.%3C%2FLI%3E%3CLI%3EIn%20each%20Windows%2010%20Configuration%20Profile%20listed%20there%2C%20add%20the%20group%20you%20created%20with%20the%20rooms%20as%20an%26nbsp%3B%3CEM%3EExclusion%3C%2FEM%3E%20to%20the%20profile.%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPart%203%20-%20Clean%20up%20the%20Team%20Room%20System(s)%20registry...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20%22catch-22%22%20with%20InTune%20is%20that%20not%20all%20settings%20that%20are%20pushed%20down%20to%20the%20registry%20are%20deleted%20or%20%22reverted%22%20when%20a%20machine%20is%20excluded%20from%20InTune...%20so%20you%20need%20to%20do%20some%20manual%20cleanup%20in%20this%20case.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3ELog%20into%20your%20Team%20Room%20System.%3C%2FLI%3E%3CLI%3EFirst%2C%20let's%20%22sync%22%20the%20changes%20from%20InTune%20by%20going%20to%20%22Start%20-%26gt%3B%20Settings%20-%26gt%3B%20Accounts%20-%26gt%3B%20Access%20work%20or%20School%22.%3C%2FLI%3E%3CLI%3EClick%20on%20the%20%22Connect%20to%20%5BCompanyName%20Azure%20AD%5D%20and%20then%20click%20on%20%22Info%22.%3C%2FLI%3E%3CLI%3EIn%20the%20%22Managed%20by%20CompanyName%20screen%22%2C%20scroll%20down%20and%20click%20on%20%22Sync%22.%3C%2FLI%3E%3CLI%3EWait%20for%20the%20sync%20to%20finish.%3C%2FLI%3E%3CLI%3ENow%20for%20the%20fun%20part%3A%20open%20up%20the%20Registry%20Editor.%3C%2FLI%3E%3CLI%3EGo%20to%20the%20%22HKEY_LOCAL_MACHINE%5CSYSTEM%5CCurrentControlSet%5CControl%5CEAS%22%20key.%3C%2FLI%3E%3CLI%3EUnder%20the%20%22EAS%22%20key%2C%20delete%20the%20%22Policies%22%20folder%20(and%20MDM%20sub-folder%20if%20it%20exists).%3C%2FLI%3E%3CLI%3EGo%20to%20%22HKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CProvisioning%5COMADM%5CAccounts%5C%22%3C%2FLI%3E%3CLI%3EThere%20will%20be%20a%20folder%20with%20a%20GUID%20under%20that%20%22Accounts%22%20key%3A%20make%20a%20note%20of%20the%20GUID%20that%20is%20shown%20there.%20That's%20your%20%22EnrollmentID%22.%3C%2FLI%3E%3CLI%3EGo%20to%20%22HKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CPolicyManager%5CProviders%22%20and%20locate%20the%20folder%20under%20that%20key%20that%20has%20the%20same%20GUID%20as%20your%20EnrollmentID.%3C%2FLI%3E%3CLI%3EUnder%20the%20%22HKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CPolicyManager%5CProviders%5C%5BENROLLMENTID%5D%5Cdefault%5CDevice%5C%22%20go%20to%20the%20%22DeviceLock%22%20folder.%3C%2FLI%3E%3CLI%3EDelete%20all%20the%20keys%20in%20the%20%22DeviceLock%22%20folder%3A%20keys%20like%20%22%3CSTRONG%3EDevicePasswordEnabled%3C%2FSTRONG%3E%22%2C%20%22%3CSTRONG%3EAllowSimpleDevicePassword%3C%2FSTRONG%3E%22%2C%20%22%3CSTRONG%3EAlphanumericDevicePasswordRequired%3C%2FSTRONG%3E%22%20should%20be%20deleted.%20Seriously%2C%20feel%20free%20to%20delete%20all%20the%20keys%20in%20there.%3C%2FLI%3E%3CLI%3ENow%2C%20this%20is%20%3CSTRONG%3Eimportant%3C%2FSTRONG%3E%2C%20go%20to%20the%20%22HKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CPolicyManager%5Ccurrent%5Cdevice%5CDeviceLock%22%20registry%20folder.%3C%2FLI%3E%3CLI%3EThis%20is%20where%20the%20settings%20from%20%3CEM%3Eeach%3C%2FEM%3E%20Policy%20Provider%20are%20copied%20into%20and%20this%20indicates%20which%20settings%20are%20currently%20active!%20So%2C%20you%20need%20to%20delete%20all%20the%20keys%20you%20find%20in%20there...%20for%20example%20%22%3CSTRONG%3EDevicePasswordEnabled%3C%2FSTRONG%3E%22%2C%20%22%3CSTRONG%3EDevicePasswordEnabled_ProviderSet%3C%2FSTRONG%3E%22%2C%20%22%3CSTRONG%3EDevicePasswordEnabled_WinningProvider%3C%2FSTRONG%3E%22%2C%26nbsp%3B%26nbsp%3B%22%3CSTRONG%3EAllowSimpleDevicePassword%3C%2FSTRONG%3E%22%2C%20%22%3CSTRONG%3EAllowSimpleDevicePassword_ProviderSet%3C%2FSTRONG%3E%22%2C%20etc%2C%20etc...%20there%20might%20a%20%3CI%3Ebunch%26nbsp%3B%3C%2FI%3Eof%20keys%20in%20there%20to%20delete%20so%20have%20fun%20deleting%20them%20all.%3C%2FLI%3E%3CLI%3EOnce%20your%20%22spring%20cleanup%22%20of%20the%20registry%20is%20done%2C%20open%20a%20command%20prompt%20in%20admin%20mode.%3C%2FLI%3E%3CLI%3EIssue%20a%20good%20ol'%20GPUPDATE%20%2FFORCE%20to%20ensure%20that%20the%20%22AdminAutoLogon%22%20and%20other%20settings%20that%20are%20supposed%20to%20be%20pushed%20by%20your%20GPO%20are%20applied%20to%20your%20domain%20joined%20Team%20Room%20System%20and%20are%20set%20correctly.%3C%2FLI%3E%3CLI%3EIf%20you%20want%20to%20be%20paranoid%2C%20go%20back%20to%20the%20Registry%20Editor%20and%20then%20go%20to%20%22HKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CWindows%20NT%5CCurrentVersion%5CWinlogon%22...%20and%20verify%20that%20%22AdminAutoLogon%22%20is%20set%20to%20%221%22%20and%20that%20the%20%22DefaultUserName%22%20user%20name%20is%20set%20to%20%22Skype%22%20as%20it%20should%20be%20(as%20per%20your%20GPO).%3C%2FLI%3E%3CLI%3EWhen%20you%20are%20ready%2C%20close%20everything%20and%20reboot%20the%20Team%20Room%20System.%3C%2FLI%3E%3CLI%3EFinally%2C%20over%20the%20next%20few%20days%2C%20monitor%20the%20room%20to%20make%20sure%20the%20%22Auto%20Logon%22%20thing%20works%20correctly.%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20I%20said%2C%20this%20is%20what%20%22fixed%22%20it%20for%20me...%20hopefully%2C%20this%20will%20help%20someone%2C%20somewhere%20or%20at%20least%20give%20you%20a%20clue%20that%20will%20point%20you%20in%20the%20right%20direction...%20and%20good%20luck!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMarc%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2406246%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2406246%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F358452%22%20target%3D%22_blank%22%3E%40cgolebiowski%3C%2FA%3E%26nbsp%3BDid%20you%20ever%20solve%20that%20error%3F%20I%20have%20an%20autopilot%20deployment%20with%20the%20same%20error%3A%3CBR%20%2F%3E%3CBR%20%2F%3EFailed%20to%20get%20AAD%20token.%26nbsp%3B%3C%2FP%3E%3CP%3ENeed%20user%20interaction%20to%20continue.%3C%2FP%3E%3CP%3EAAD%20User%20check%20is%20failed%2C%20exception%20is%20Intune%20Management%20Extension%20Error%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2406846%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2406846%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F909608%22%20target%3D%22_blank%22%3E%40PLJ_HolisticIT%3C%2FA%3E%26nbsp%3Bdid%20you%20have%20an%20direct%20access%20in%20the%20internet%3F%20we%20had%20so%20much%20problems%20with%20the%20proxy.%20SSL%20inspection%2C%20Proxy%20trought%20IE%20settings%20and%20proxy%20on%20the%20host%20system....%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2413849%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2413849%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20link%20that%20is%20in%20the%20following%20sentence%20is%20broken%3A%20-%22%3CSPAN%3EUse%20Windows%20Configuration%20Designer%20to%20create%20a%20Windows%2010%20Provisioning%20Package%20that%20performs%20a%20bulk%20Azure%20AD%20Join.%20Details%20are%22%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1069230%22%20slang%3D%22en-US%22%3EManaging%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1069230%22%20slang%3D%22en-US%22%3E%3CP%3EWe%E2%80%99ve%20heard%20a%20few%20questions%20recently%20from%20customers%20looking%20for%20guidance%20how%20to%20manage%20your%20Microsoft%20Teams%20Rooms%20devices%20with%20Intune.%20This%20post%20answers%20a%20few%20of%20the%20frequently%20asked%20questions%20and%20provides%20general%20guidance.%20If%20you%E2%80%99ve%20discovered%20additional%20tips%20or%20tricks%20on%20your%20deployment%20journey%2C%20or%20have%20other%20feedback%20or%20suggestions%2C%20let%20us%20know%20by%20commenting%20on%20this%20post!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Picture1.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162061i45C6F07EB8820581%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Picture1.png%22%20alt%3D%22Picture1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETeams%20meeting%20room%20devices%20can%20be%20enrolled%20and%20managed%20by%20Intune%20to%20provide%20many%20of%20the%20device%20management%20and%20security%20capabilities%20available%20to%20other%20endpoints%20managed%20by%20Intune.%20As%20these%20devices%20are%20running%20Windows%2010%20under%20the%20hood%2C%20several%20of%20the%20Windows%2010%20features%20will%20be%20available%20to%20use%2C%20but%20many%20are%20not%20going%20to%20be%20applicable%20or%20recommended.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%E2%80%99ll%20break%20this%20post%20into%20these%20Intune%20feature%20areas%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEnrollment%3C%2FLI%3E%0A%3CLI%3EWindows%2010%20Configuration%20Profiles%3C%2FLI%3E%0A%3CLI%3ECompliance%20Policies%3C%2FLI%3E%0A%3CLI%3EConditional%20Access%3C%2FLI%3E%0A%3CLI%3EGrouping%20and%20Targeting%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EEnrollment%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ERecommendation%3A%20Azure%20AD%20join%20the%20device%20from%20Settings%2C%20utilizing%20an%20Intune%20DEM%20Account%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWindows%2010%20based%20Teams%20devices%20arrive%20from%20suppliers%20prepared%20with%20an%20OS%20image%2C%20user%20accounts%2C%20and%20pre-configured%20profiles.%20Signing%20into%20Windows%20with%20the%20admin%20profile%20and%20performing%20the%20Azure%20AD%20Join%20from%20settings%20enables%20a%20smooth%20%E2%80%9CAutomatic%20MDM%20enrollment%E2%80%9D%20into%20Intune.%20The%20additional%20recommendation%20to%20use%20an%20Intune%20Device%20Enrollment%20Manager%20(DEM)%20account%20is%20due%20to%20these%20meeting%20room%20devices%20being%20a%20shared%20device%20rather%20than%20one%20that%20has%20User-Device%20association%20in%20Intune.%20DEM%20accounts%20are%20used%20for%20shared%20device%20scenarios.%20Learn%20more%20about%20DEM%20accounts%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fenrollment%2Fdevice-enrollment-manager-enroll%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Meeting%20Room%20resource%20account%20can%20be%20used%20for%20Intune%20enrollment%2C%20but%20should%20not%20be%20used%20for%20Windows%2010%20login%20on%20the%20device%20due%20to%20issues%20that%20can%20arise%20during%20autologin%20of%20the%20Microsoft%20Teams%20Room%20application%20account.%20Please%20use%20a%20tenant%20or%20device%20admin%20account%20to%20administer%20local%20device%20settings.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E%3A%20Automatic%20enrollment%20requires%20Azure%20AD%20Premium%20licensing.%20If%20you%20don%E2%80%99t%20have%20this%20feature%20available%20or%20enabled%20in%20your%20tenant%2C%20you%20will%20need%20to%20undertake%20two%20steps%20to%20enroll%20Windows%2010%20teams%20devices.%20First%2C%20Azure%20AD%20Domain%20Join.%20Then%2C%20do%20manual%20enrollment%20from%20Windows%20settings.%20Learn%20more%20about%20Windows%20enrollment%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fenrollment%2Fwindows-enroll%23enable-windows-10-automatic-enrollment%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAn%20additional%20tip%20is%20to%20name%20meeting%20room%20devices%20with%20a%20prefix%20that%20allows%20devices%20to%20be%20grouped%20dynamically.%20For%20example%2C%20use%20%E2%80%9CMTR%E2%80%9D%20for%20meeting%20room.%20You%20can%20rename%20devices%20with%20either%20a%20Windows%2010%20configuration%20policy%20or%20manually%20per%20device%20in%20Intune.%20I%E2%80%99ll%20talk%20about%20that%20a%20bit%20more%20about%20this%20approach%20below%20under%20Grouping%20and%20Targeting.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDepending%20on%20your%20current%20scenario%2C%20there%20are%20several%20other%20enrollment%20options%20available%2C%20including%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUse%20Windows%20Configuration%20Designer%20to%20create%20a%20Windows%2010%20Provisioning%20Package%20that%20performs%20a%20bulk%20Azure%20AD%20Join.%20Details%20are%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fclient-management%2Fmdm%2Fbulk-enrollment-using-windows-provisioning-tool%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3ECustomers%20who%20have%20some%20devices%20domain%20joined%20and%2For%20managed%20by%20Configuration%20Manager%20may%20choose%20to%20enable%20Co-management%20or%20initiate%20an%20Intune%20enrollment%20via%20the%20%E2%80%9CEnable%20Automatic%20MDM%20enrollment%20using%20default%20Azure%20AD%20credentials%E2%80%9D%20Group%20Policy%20setting.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20article%20goes%20into%20more%20depth%20on%20all%20the%20Windows%2010%20enrollment%20methods%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fenrollment%2Fwindows-enrollment-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EIntune%20enrollment%20methods%20for%20Windows%20devices%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWindows%2010%20Configuration%20Profiles%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ERecommendation%3A%20Use%20Windows%20Configuration%20profiles%20to%20configure%20device%20settings%20that%20you%20need%20to%20change%20beyond%20the%20shipped%20defaults.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20Windows%2010%20Configuration%20Policy%20types%20may%20be%20used%20with%20Windows%2010%20based%20meeting%20room%20devices%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20width%3D%22617%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3E%3CSTRONG%3EProfile%20type%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3E%3CSTRONG%3ECan%20you%20use%20the%20profile%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EAdministrative%20Templates%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3ECertificates%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EDelivery%20Optimization%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EDevice%20Firmware%20Configuration%20Interface%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ECheck%20for%20supported%20hardware%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fconfiguration%2Fdevice-firmware-configuration-interface-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EDevice%20restrictions%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EEdition%20Upgrade%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EEmail%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EEndpoint%20Protection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EeSim%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EIdentity%20Protection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EKiosk%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EPowershell%20Scripts%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3EYes%20(Devices%20need%20to%20be%20AADJ%E2%80%99d%20or%20HAADJ%E2%80%99d)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EShared%20multi-user%20device%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EVPN%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EWi-Fi%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22324%22%3E%3CP%3EWindows%20Information%20Protection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22293%22%3E%3CP%3ENot%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E%3A%20%E2%80%9CNot%20recommended%E2%80%9D%20in%20the%20table%20is%20due%20to%20this%20Windows%2010%20policy%20type%20not%20being%20a%20good%20fit%20for%20meeting%20room%20scenarios.%20For%20example%2C%20Meeting%20room%20devices%20are%20not%20enabled%20for%20Wi-Fi%2C%20therefore%20it%E2%80%99s%20not%20recommended%20(or%20necessary)%20to%20configure%20a%20Wi-Fi%20profile.%20Learn%20more%20about%20available%20configuration%20policies%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fconfiguration%2Fdevice-profile-create%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECreate%20a%20device%20profile%20in%20Microsoft%20Intune%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSTRONG%3ECompliance%20Policies%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CEM%3ERecommendation%3A%20Use%20Compliance%20Policies%20to%20achieve%20the%20desired%20security%20level%20for%20your%20Teams%20devices.%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CBR%20%2F%3EYou%20can%20use%20Compliance%20policies%20on%20your%20meeting%20room%20devices.%20You%20should%20take%20care%20to%20create%20the%20appropriate%20exclusions%20for%20any%20existing%20Windows%2010%20compliance%20policies%20that%20are%20currently%20deployed%20in%20your%20organization%20to%20%E2%80%9CAll%20devices%E2%80%9D.%26nbsp%3B%20For%20example%2C%20you%20may%20have%20configured%20the%20setting%20%E2%80%9CMaximum%20minutes%20of%20inactivity%20before%20password%20is%20required%E2%80%9D%20in%20a%20Policy%20for%20all%20Windows%2010%20desktop%20devices%20but%20this%20would%20result%20in%20a%20poor%20meeting%20room%20experience%20if%20applied%20to%20teams%20devices.%20If%20you%20currently%20have%20Windows%2010%20compliance%20policies%20deployed%20to%20large%20groups%20of%20devices%2C%20make%20sure%20you%20use%20the%20%E2%80%9CExclude%20group%E2%80%9D%20feature%20so%20that%20you%20can%20target%20a%20more%20specific%20compliance%20policy%20for%20the%20Meeting%20Room%20Devices.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CBR%20%2F%3EThis%20doc%20goes%20into%20more%20depth%20on%20compliance%20policies%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Fprotect%2Fdevice-compliance-get-started%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUse%20compliance%20policies%20to%20set%20rules%20for%20devices%20you%20manage%20with%20Intune%3C%2FA%3E.%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EConditional%20Access%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EConditional%20Access%20policies%20with%20only%20location-based%20conditions%20can%20be%20applied%20to%20Microsoft%20Teams%20Rooms%20accounts%20at%20this%20time.%26nbsp%3B%20Microsoft%20is%20currently%20working%20on%20updates%20that%20will%20allow%20additional%20conditions%20to%20be%20set%2C%20such%20as%20device%20compliance.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E%3A%20As%20a%20reminder%2C%20Conditional%20Access%20is%20an%20Azure%20Active%20Directory%20Premium%20(P1)%20feature.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EGrouping%20and%20Targeting%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EA%20good%20idea%20is%20to%20use%20Azure%20AD%20dynamic%20groups%20to%20effectively%20group%20all%20teams%20meeting%20room%20devices.%20One%20way%20that%20this%20can%20be%20best%20achieved%20is%20by%20using%20a%20naming%20standard%20during%20deployment%2Fenrollment.%20For%20example%2C%20as%20mentioned%20earlier%20in%20this%20article%2C%20if%20you%20name%20all%20devices%20starting%20with%20MTR%2C%20you%20can%20then%20name%20devices%20%E2%80%9CMTR-%25SER%25%E2%80%9D%20which%20gives%20all%20devices%20a%20prefix%20of%20%E2%80%9CMTR%E2%80%9D%20with%20the%20serial%20number%20forming%20the%20second%20part%20of%20the%20name.%20Then%20you%20can%20use%20the%20dynamic%20group%20feature%20to%20group%20together%20all%20devices%20that%20start%20with%20MTR.%20Keep%20in%20mind%2C%20Azure%20AD%20dynamic%20groups%20is%20an%20AAD%20P1%20feature.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Picture2.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162066i34728DE9E7663D86%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Picture2.png%22%20alt%3D%22Picture2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E%3A%20Device%20renaming%20via%20Intune%20device%20management%20is%20supported%20on%20Azure%20AD%20Joined%20devices%20but%20not%20Hybrid%20Azure%20AD%20Joined%20devices.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20targeting%20Configuration%20and%20Compliance%20policies%2C%20and%20Apps%20it%E2%80%99s%20a%20good%20idea%20to%20target%20a%20group%20that%20contains%20devices%20rather%20than%20users.%20The%20reason%20for%20device-group%20assignment%20is%20that%20Teams%20meeting%20room%20devices%20sign%20into%20windows%20with%20a%20local%20user%20account%20(instead%20of%20an%20Azure%20AD%20User%20Account)%20and%20during%20sync%20with%20Intune%2C%20would%20not%20request%20any%20user-assigned%20policy.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EMore%20info%20and%20feedback%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EAs%20always%2C%20we%20want%20to%20hear%20from%20you!%20If%20you%20have%20any%20suggestions%2C%20questions%2C%20or%20comments%2C%20please%20comment%20below.%20You%20can%20also%20tag%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%40IntuneSuppTeam%3C%2FA%3E%20out%20on%20Twitter.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EBlog%20post%20updates%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E3%2F6%2F2020%20-%20Updated%20the%20post%20to%20clarify%20what%20works%20with%20Conditional%20Access%20and%20Microsoft%20Teams%20Rooms.%20Removed%20mention%20of%20device%20compliance%20checks%20for%20CA%3B%20that%20feature%20is%20coming.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3E4%2F20%2F2020%20-%20Updated%20the%20post%20to%20include%20an%20enrollment%20best%20practice%20-%20%22Meeting%20Room%20resource%20account%20can%20be%20used%20for%20Intune%20enrollment%2C%20but%20should%20not%20be%20used%20for%20Windows%2010%20login%20on%20the%20device%20due%20to%20issues%20that%20can%20arise%20during%20autologin%20of%20the%20Microsoft%20Teams%20Room%20application%20account.%20Use%20a%20tenant%20or%20device%20admin%20account%20to%20administer%20local%20device%20settings.%22%3C%2FLI%3E%0A%3CLI%3E1%2F27%2F2021%20-%20Updated%20the%20More%20info%20and%20feedback%20section.%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1069230%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20post%20for%20tips%20on%20how%20to%20manage%20your%20Teams%20meetings%20rooms%20with%20Intune.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1069230%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETeams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2414828%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2414828%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20for%20the%20feedback%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F870633%22%20target%3D%22_blank%22%3E%40yayoayala%3C%2FA%3E.%20Link%20fixed!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2415250%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2415250%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20we%20get%20a%20similar%20kind%20of%20document%20for%20managing%20Surface%20Hub%20devices%20using%20Intune%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2417456%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2417456%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20feedback%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8769%22%20target%3D%22_blank%22%3E%40Frank%20Rijt-van%3C%2FA%3E!%20We%20have%20a%20couple%20of%20resources%20available%20in%20our%20docs.%20Please%20see%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fsurface-hub%2Fmanage-surface-hub%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EManage%20Microsoft%20Surface%20Hub%20-%20Surface%20Hub%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoftteams%2Frooms%2Fsurface-hub-manage-config%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EManage%20Microsoft%20Teams%20configuration%20on%20Surface%20Hub%20-%20Microsoft%20Teams%3C%2FA%3E%26nbsp%3Bto%20learn%20more.%20Hope%20this%20helps!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2480052%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Teams%20Meeting%20Rooms%20with%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2480052%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1062750%22%20target%3D%22_blank%22%3E%40marcchampoux%3C%2FA%3E%26nbsp%3Bthanks%20for%20the%20analysis%20and%20how%20to%20troubleshoot%20the%20issue.%20It%20was%20very%20useful%20in%20my%20situations!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Jun 03 2021 05:53 PM
Updated by: