Teams Rooms and Conditional Access

Andreas MS Badur
New Contributor

Hello folks,

Regardless of whether we use an OEM device like the Lenovo ThinkSmart Hub or a Teams Room System console deployed onto a Surface Pro, we always get the same issue:

To secure our Office 365 tenant we use Conditional Access. Any accessing device must be an Intune-registered device.

But when we join the console to Azure AD and register the Teams Room System devices, the local user with the auto logon always breaks. On startup the normal Windows 10 logon screen appears.

We tested this several ways, lastly with Windows 10 1803 and the Teams Room System deployment script.

Registering a Surface Hub (old generation) works fine.

What is the right way to use Teams Room Systems with Conditional Access?

Kind regards

Andy

1 Reply

@Andreas MS Badur Seconded. Really trying to close that gap on my secure score :)... These accounts are holding us up because the systems cannot be used 1) under AAD join due to policies breaking the console 2) conditional access won't let non-joined devices integrate...

Is there any plan for MS to address this or is there guidance on working around it...