Managing Teams Meeting Rooms with Intune

Published Dec 16 2019 03:54 PM 65.3K Views

We’ve heard a few questions recently from customers looking for guidance how to manage your Microsoft Teams Rooms devices with Intune. This post answers a few of the frequently asked questions and provides general guidance. If you’ve discovered additional tips or tricks on your deployment journey, or have other feedback or suggestions, let us know by commenting on this post!

 

Picture1.png

 

Teams meeting room devices can be enrolled and managed by Intune to provide many of the device management and security capabilities available to other endpoints managed by Intune. As these devices are running Windows 10 under the hood, several of the Windows 10 features will be available to use, but many are not going to be applicable or recommended.

 

I’ll break this post into these Intune feature areas:

  • Enrollment
  • Windows 10 Configuration Profiles
  • Compliance Policies
  • Conditional Access
  • Grouping and Targeting

 

Enrollment

Recommendation: Azure AD join the device from Settings, utilizing an Intune DEM Account

 

Windows 10 based Teams devices arrive from suppliers prepared with an OS image, user accounts, and pre-configured profiles. Signing into Windows with the admin profile and performing the Azure AD Join from settings enables a smooth “Automatic MDM enrollment” into Intune. The additional recommendation to use an Intune Device Enrollment Manager (DEM) account is due to these meeting room devices being a shared device rather than one that has User-Device association in Intune. DEM accounts are used for shared device scenarios. Learn more about DEM accounts here.

 

The Meeting Room resource account can be used for Intune enrollment, but should not be used for Windows 10 login on the device due to issues that can arise during autologin of the Microsoft Teams Room application account. Please use a tenant or device admin account to administer local device settings.

 

NOTE: Automatic enrollment requires Azure AD Premium licensing. If you don’t have this feature available or enabled in your tenant, you will need to undertake two steps to enroll Windows 10 teams devices. First, Azure AD Domain Join. Then, do manual enrollment from Windows settings. Learn more about Windows enrollment here.

 

An additional tip is to name meeting room devices with a prefix that allows devices to be grouped dynamically. For example, use “MTR” for meeting room. You can rename devices with either a Windows 10 configuration policy or manually per device in Intune. I’ll talk about that a bit more about this approach below under Grouping and Targeting.

 

Depending on your current scenario, there are several other enrollment options available, including:

  • Use Windows Configuration Designer to create a Windows 10 Provisioning Package that performs a bulk Azure AD Join. Details are here.
  • Customers who have some devices domain joined and/or managed by Configuration Manager may choose to enable Co-management or initiate an Intune enrollment via the “Enable Automatic MDM enrollment using default Azure AD credentials” Group Policy setting.

 

This article goes into more depth on all the Windows 10 enrollment methods: Intune enrollment methods for Windows devices.

 

Windows 10 Configuration Profiles

Recommendation: Use Windows Configuration profiles to configure device settings that you need to change beyond the shipped defaults.

 

The following Windows 10 Configuration Policy types may be used with Windows 10 based meeting room devices:

 

Profile type

Can you use the profile?

Administrative Templates

Yes

Certificates

Yes

Delivery Optimization

Yes

Device Firmware Configuration Interface

Check for supported hardware here

Device restrictions

Yes

Edition Upgrade

Not supported

Email

Not recommended

Endpoint Protection

Yes

eSim

Not supported

Identity Protection

Not supported

Kiosk

Not supported

Powershell Scripts

Yes (Devices need to be AADJ’d or HAADJ’d)

Shared multi-user device

Not supported

VPN

Not recommended

Wi-Fi

Not recommended

Windows Information Protection

Not recommended

 

NOTE: “Not recommended” in the table is due to this Windows 10 policy type not being a good fit for meeting room scenarios. For example, Meeting room devices are not enabled for Wi-Fi, therefore it’s not recommended (or necessary) to configure a Wi-Fi profile. Learn more about available configuration policies here: Create a device profile in Microsoft Intune.

 

Compliance Policies
Recommendation: Use Compliance Policies to achieve the desired security level for your Teams devices.


You can use Compliance policies on your meeting room devices. You should take care to create the appropriate exclusions for any existing Windows 10 compliance policies that are currently deployed in your organization to “All devices”.  For example, you may have configured the setting “Maximum minutes of inactivity before password is required” in a Policy for all Windows 10 desktop devices but this would result in a poor meeting room experience if applied to teams devices. If you currently have Windows 10 compliance policies deployed to large groups of devices, make sure you use the “Exclude group” feature so that you can target a more specific compliance policy for the Meeting Room Devices.


This doc goes into more depth on compliance policies: Use compliance policies to set rules for devices you manage with Intune.

 

Conditional Access

Conditional Access policies with only location-based conditions can be applied to Microsoft Teams Rooms accounts at this time.  Microsoft is currently working on updates that will allow additional conditions to be set, such as device compliance.

 

NOTE: As a reminder, Conditional Access is an Azure Active Directory Premium (P1) feature.

 

Grouping and Targeting

A good idea is to use Azure AD dynamic groups to effectively group all teams meeting room devices. One way that this can be best achieved is by using a naming standard during deployment/enrollment. For example, as mentioned earlier in this article, if you name all devices starting with MTR, you can then name devices “MTR-%SER%” which gives all devices a prefix of “MTR” with the serial number forming the second part of the name. Then you can use the dynamic group feature to group together all devices that start with MTR. Keep in mind, Azure AD dynamic groups is an AAD P1 feature.

 

Picture2.png

NOTE: Device renaming via Intune device management is supported on Azure AD Joined devices but not Hybrid Azure AD Joined devices.

 

When targeting Configuration and Compliance policies, and Apps it’s a good idea to target a group that contains devices rather than users. The reason for device-group assignment is that Teams meeting room devices sign into windows with a local user account (instead of an Azure AD User Account) and during sync with Intune, would not request any user-assigned policy.

 

More info and feedback

As always, we want to hear from you! If you have any suggestions, questions, or comments, please comment below. You can also tag @IntuneSuppTeam out on Twitter.

 

Blog post updates:

  • 3/6/2020 - Updated the post to clarify what works with Conditional Access and Microsoft Teams Rooms. Removed mention of device compliance checks for CA; that feature is coming. 
  • 4/20/2020 - Updated the post to include an enrollment best practice - "Meeting Room resource account can be used for Intune enrollment, but should not be used for Windows 10 login on the device due to issues that can arise during autologin of the Microsoft Teams Room application account. Use a tenant or device admin account to administer local device settings."
  • 1/27/2021 - Updated the More info and feedback section.
56 Comments
Version history
Last update:
‎Jun 03 2021 05:53 PM
Updated by: