This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
By Scott Duffey | Senior Program Manager, Microsoft Endpoint Manager
We’ve heard a few questions recently from customers looking for guidance on how to manage Microsoft Teams Rooms devices with Intune. This post answers a few of the frequently asked questions and provides general guidance. If you’ve discovered additional tips or tricks on your deployment journey, or have other feedback or suggestions, let us know by commenting on this post!
Teams meeting room devices can be enrolled and managed by Intune to get many of the device management and security capabilities available to other endpoints managed by Intune. Because these devices run Windows 10 under the hood, many Windows 10 management features are technically available, but a good number of them are not applicable, or not recommended, for a shared meeting room device.
I’ll break this post into these Intune feature areas:
- Enrollment
- Windows 10 Configuration Profiles
- Compliance Policies
- Conditional Access
- App Management
- Grouping and Targeting
Enrollment
Recommendation: Azure AD join the device from Settings, utilizing an Intune DEM Account
Windows 10 based Teams devices arrive from suppliers prepared with an OS image, user accounts and pre-configured profiles. Signing in to Windows with the admin profile and performing the Azure AD Join from Settings triggers “Automatic MDM enrollment” into Intune. The additional recommendation to use an Intune Device Enrollment Manager (DEM) account is because meeting room devices are shared devices rather than devices with a user-device association in Intune; DEM accounts exist for exactly this shared device scenario. Keep in mind that a single DEM account can enroll at most 1,000 devices, so a large estate needs more than one. Learn more about DEM accounts here - https://docs.microsoft.com/intune/enrollment/device-enrollment-manager-enroll.
NOTE: Automatic enrollment requires Azure AD Premium licensing. If you don’t have this feature available or enabled in your tenant, enrolling a Windows 10 Teams device takes two steps: first Azure AD Join the device, then enroll it manually from Windows Settings (Accounts > Access work or school > Enroll only in device management). Learn more about Windows enrollment here - https://docs.microsoft.com/intune/enrollment/windows-enroll#enable-windows-10-automatic-enrollment.
An additional tip is to name meeting room devices with a prefix that allows them to be grouped dynamically, for example “MTR” for meeting room. You can rename devices with either a Windows 10 configuration policy or manually per device in Intune. I’ll say more about this approach below under Grouping and Targeting.
Depending on your current scenario, there are several other enrollment options available, including:
- Use Windows Configuration Designer to create a Windows 10 Provisioning Package that performs a bulk Azure AD Join. Details are here: https://docs.microsoft.com/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.
- Customers who have some devices domain joined and/or managed by Configuration Manager may choose to enable Co-management or initiate an Intune enrollment via the “Enable Automatic MDM enrollment using default Azure AD credentials” Group Policy setting.
This article goes into more depth on all the Windows 10 enrollment methods: https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods
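Whichever enrollment path you take, the first thing to verify on the device is that the Azure AD join and the Intune enrollment both actually completed. The following PowerShell is an added example for this post, not a script from Microsoft or the Teams Rooms product; it is run on the device itself in an elevated session, relies only on the built-in dsregcmd.exe and the registry, and the function and property names (Get-MtrEnrollmentState, IntuneEnrolled, GpoAutoEnrollMdm) are this example’s own.

```powershell
# Added example (not from the original post): confirm on a Windows 10 based
# Teams Rooms device that it is Azure AD joined and enrolled in Intune, and
# report whether the Group Policy auto-enrollment value mentioned above is set.
# Assumes an elevated PowerShell session on the device.

function Get-MtrEnrollmentState {
    # dsregcmd /status prints "Name : Value" lines grouped under headers;
    # keep only the fields that matter for join and MDM state.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'TenantName', 'DeviceId', 'MdmUrl'
    $state  = [ordered]@{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*)$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }

    # Intune records its enrollment under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
    # with ProviderID "MS DM Server"; presence of such a key means the MDM
    # enrollment completed.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }
    $state['IntuneEnrolled'] = [bool]$enrollments

    # Value written by the "Enable automatic MDM enrollment using default
    # Azure AD credentials" Group Policy; only relevant on hybrid/co-managed devices.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $state['GpoAutoEnrollMdm'] = if ($policy) { $policy.AutoEnrollMDM } else { $null }

    [pscustomobject]$state
}

$result = Get-MtrEnrollmentState
$result | Format-List

# Warn if the device is not in the state a Teams Rooms deployment expects:
# Azure AD joined (or hybrid joined) and enrolled in Intune.
if ($result.AzureAdJoined -ne 'YES') { Write-Warning 'Device is not Azure AD joined.' }
if (-not $result.IntuneEnrolled)     { Write-Warning 'No Intune (MS DM Server) enrollment found.' }
```

On a hybrid joined device you would expect DomainJoined and AzureAdJoined both to be YES; on a device joined from Settings as recommended above, DomainJoined is NO. MdmUrl being populated confirms the tenant has an MDM enrollment endpoint configured, but only the enrollment key under HKLM\SOFTWARE\Microsoft\Enrollments proves this device finished enrolling.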
Windows 10 Configuration Profiles
Recommendation: Use Windows Configuration profiles to configure device settings that you need to change beyond the shipped defaults.
The following Windows 10 Configuration Policy types may be used with Windows 10 based meeting room devices:
| Profile type | Can you use the profile? |
| --- | --- |
| Administrative Templates | Yes |
| Certificates | Yes |
| Delivery Optimization | Yes |
| Device Firmware Configuration Interface | Only on DFCI-capable hardware; check the supported hardware list first |
| Device restrictions | Yes |
| Edition Upgrade | Not supported |
| | Not recommended |
| Endpoint Protection | Yes |
| eSIM | Not supported |
| Identity Protection | Not supported |
| Kiosk | Not supported |
| PowerShell scripts | Yes (the device must be Azure AD joined or hybrid Azure AD joined) |
| Shared multi-user device | Not supported |
| VPN | Not recommended |
| Wi-Fi | Not recommended |
| Windows Information Protection | Not recommended |
NOTE: “Not recommended” in the table means that the Windows 10 policy type is not a good fit for the meeting room scenario rather than that it fails. For example, meeting room devices are not enabled for Wi-Fi, so it is neither necessary nor recommended to configure a Wi-Fi profile. Learn more about available configuration policies here: https://docs.microsoft.com/intune/configuration/device-profile-create
Compliance Policies
Recommendation: Use Compliance Policies to achieve the desired security level for your Teams devices.
You can use compliance policies on your meeting room devices, but take care to exclude them from any existing Windows 10 compliance policies that are deployed to “All devices”. For example, you may have configured “Maximum minutes of inactivity before password is required” in a policy for all Windows 10 desktop devices; applied to a Teams device it results in a poor meeting room experience and, if Conditional Access requires a compliant device, a room that cannot sign in. If you currently have Windows 10 compliance policies deployed to large groups of devices, use the “Exclude group” feature on those assignments so that a more specific compliance policy can be targeted at the meeting room devices.
This doc goes into more depth on compliance policies: https://docs.microsoft.com/en-us/intune/protect/device-compliance-get-started.
Conditional Access
You can use Conditional Access policies with Teams meeting room devices. Teams connects to both SharePoint Online and Exchange Online. If you have an existing Conditional Access policy that protects access to Exchange Online and SharePoint Online for the users in your organization, you should either exclude the Teams resource account (the account used to sign in to the Teams app) from it, or, preferably, create a group containing all of the resource accounts and target a more specific and appropriate Conditional Access policy at that group. Simply excluding the resource accounts leaves them with no Conditional Access protection at all, so the dedicated policy is the safer choice. For example, since meeting room devices always connect to these services from the same location, a location-based rule (allow only from the meeting room network) combined with a device compliance requirement is usually more appropriate than the rules written for interactive users. If you do require device compliance, be careful that the Teams devices are not also caught by compliance policies created for Windows 10 desktop devices in your organization, since a device marked non-compliant will be blocked.
NOTE: As a reminder, Conditional Access is an Azure Active Directory Premium (P1) feature.
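To make the suggestion above concrete, here is an added example (not from the original post, and not a Microsoft-provided script) that creates the two policies just described with the Microsoft Graph PowerShell SDK: one that blocks the resource accounts from anywhere except the meeting room network, and one that requires a compliant device. The group ID, named location ID, policy names and the choice of the Office365 application target are this example’s assumptions; both policies are created in report-only mode so their effect can be reviewed in sign-in logs before enforcement.

```powershell
# Added example (not from the original post): Conditional Access policies for
# Teams Rooms resource accounts via the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns module).
# Placeholders to replace with your own values:
#   $resourceAccountsGroupId - Azure AD group containing the room resource accounts
#   $meetingRoomLocationId   - Conditional Access named location covering the
#                              egress IP ranges the rooms connect from

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$resourceAccountsGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder
$meetingRoomLocationId   = '00000000-0000-0000-0000-000000000002'   # placeholder

# Policy 1: block the resource accounts when they sign in from anywhere other
# than the meeting room network. "Office365" covers Exchange Online and
# SharePoint Online, the services the post notes Teams depends on.
$blockOffsite = @{
    displayName = 'MTR - block resource accounts outside room network'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($resourceAccountsGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($meetingRoomLocationId)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: wherever they sign in from, require the device to be marked
# compliant by the Intune compliance policy targeted at the MTR device group.
$requireCompliant = @{
    displayName = 'MTR - require compliant device for resource accounts'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($resourceAccountsGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

foreach ($policy in $blockOffsite, $requireCompliant) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  {1}  ({2})' -f $created.Id, $created.DisplayName, $created.State
}
```

Once the report-only results look right, switch state to 'enabled' and, as the post says, exclude the resource account group from the broad user-facing policies so the two policies above are the only ones that apply to the rooms.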
App Management
Recommendation: Use Win32 App deployment to install any additional agents required by your organization.
Windows 10 based meeting room devices typically arrive with the right applications pre-installed. However, there may be cases where IT admins need to install an app package (an additional agent, for example) or deploy app updates. Any apps that get deployed should be deployed as “Required”. “Available” apps require the Company Portal app to be installed as well, which is not recommended on Teams meeting room devices. You’ll also want to make sure that any apps install in the device context, so that they are accessible to all Windows profiles on the device.
| App type | Can you use this app type on a Teams device? |
| --- | --- |
| Win32 app | Yes (as long as the device is Azure AD joined or hybrid Azure AD joined) |
| LOB app | Yes |
| Microsoft Store for Business app | Yes |
| Web app | Not supported |
| Store app | Not supported |
Grouping and Targeting
A good idea is to use Azure AD dynamic groups to group all Teams meeting room devices. The easiest way to make that work is a naming standard applied during deployment/enrollment. For example, as mentioned earlier in this article, if you name devices “MTR-%SER%”, every device gets the prefix “MTR” with its serial number forming the second part of the name, and you can then use a dynamic group membership rule to collect all devices whose name starts with MTR. Keep in mind that Azure AD dynamic groups are an Azure AD P1 feature.
NOTE: Device renaming via Intune device management is supported on Azure AD Joined devices but not on Hybrid Azure AD Joined devices.
When targeting configuration and compliance policies and apps, target a group that contains devices rather than users. The reason for device-group assignment is that Teams meeting room devices sign in to Windows with a local user account (instead of an Azure AD user account), so during a sync with Intune they would not request any user-assigned policy.
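The following is an added example for this post (not Microsoft’s own script) that creates the dynamic device group described above with the Microsoft Graph PowerShell SDK and then previews which enrolled Intune devices the naming standard would catch. The group name, mail nickname and the choice of the “MTR-” prefix with the dash are this example’s assumptions; it needs the Azure AD P1 licence for dynamic groups noted in the text.

```powershell
# Added example (not from the original post): Azure AD dynamic device group for
# Teams Rooms devices, using the Microsoft.Graph.Groups and
# Microsoft.Graph.DeviceManagement modules.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementManagedDevices.Read.All'

# Membership rule in Azure AD's dynamic group rule syntax. Anchoring on "MTR-"
# (with the dash) avoids catching unrelated names that merely start with MTR.
$rule = '(device.displayName -startsWith "MTR-")'

$group = New-MgGroup -DisplayName 'MTR Devices' `
    -Description 'Dynamic group of Teams Rooms devices named MTR-<serial>' `
    -MailEnabled:$false -MailNickname 'mtr-devices' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'
'Created group {0} ({1})' -f $group.DisplayName, $group.Id

# Preview: Intune-managed Windows devices that already follow the naming standard.
# Azure AD evaluates dynamic membership asynchronously, so this is a sanity check
# of the convention, not a read of the group's actual members.
$managed = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All
$managed | Where-Object { $_.DeviceName -like 'MTR-*' } |
    Select-Object DeviceName, SerialNumber, EnrolledDateTime

# Devices whose serial number shows up in Intune but whose name does not follow
# the standard would be missed by the rule; list them so they can be renamed.
$managed | Where-Object { $_.DeviceName -notlike 'MTR-*' -and $_.SerialNumber } |
    Select-Object DeviceName, SerialNumber
```

Assign the configuration profiles, compliance policy and required apps described earlier to this group rather than to a user group; because the rooms sign in to Windows with a local account, user-targeted assignments would never be requested during an Intune sync.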
I hope this was helpful in addressing some of the most common questions. Again, if you have any feedback or questions we’d love to hear from you so please comment below or find me on Twitter - @Scottduf.