Managing Teams Meeting Rooms with Intune

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

By Scott Duffey | Senior Program Manager, Microsoft Endpoint Manager

 

We’ve heard a few questions recently from customers looking for guidance how to manage your Microsoft Teams Rooms devices with Intune. This post answers a few of the frequently asked questions and provides general guidance. If you’ve discovered additional tips or tricks on your deployment journey, or have other feedback or suggestions, let us know by commenting on this post!

 

Picture1.png

 

Teams meeting room devices can be enrolled and managed by Intune to provide many of the device management and security capabilities available to other endpoints managed by Intune. As these devices are running Windows 10 under the hood, several of the Windows 10 features will be available to use, but many are not going to be applicable or recommended.

 

I’ll break this post into these Intune feature areas:

  • Enrollment
  • Windows 10 Configuration Profiles
  • Compliance Policies
  • Conditional Access
  • App Management
  • Grouping and Targeting

 

Enrollment

Recommendation: Azure AD join the device from Settings, utilizing an Intune DEM Account

 

Windows 10 based Teams devices arrive from suppliers prepared with an OS image, user accounts, and pre-configured profiles. Signing into Windows with the admin profile and performing the Azure AD Join from settings enables a smooth “Automatic MDM enrollment” into Intune. The additional recommendation to use an Intune Device Enrollment Manager (DEM) account is due to these meeting room devices being a shared device rather than one that has User-Device association in Intune. DEM accounts are used for shared device scenarios. Learn more about DEM accounts here - https://docs.microsoft.com/intune/enrollment/device-enrollment-manager-enroll.

 

NOTE: Automatic enrollment requires Azure AD Premium licensing. If you don’t have this feature available or enabled in your tenant, you will need to undertake two steps to enroll Windows 10 teams devices. First, Azure AD Domain Join. Then, do manual enrollment from Windows settings. Learn more about Windows enrollment here - https://docs.microsoft.com/intune/enrollment/windows-enroll#enable-windows-10-automatic-enrollment.

 

An additional tip is to name meeting room devices with a prefix that allows devices to be grouped dynamically. For example, use “MTR” for meeting room. You can rename devices with either a Windows 10 configuration policy or manually per device in Intune. I’ll talk about that a bit more about this approach below under Grouping and Targeting.

 

Depending on your current scenario, there are several other enrollment options available, including:

 

This article goes into more depth on all the Windows 10 enrollment methods: https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods

 

Windows 10 Configuration Profiles

Recommendation: Use Windows Configuration profiles to configure device settings that you need to change beyond the shipped defaults.

 

The following Windows 10 Configuration Policy types may be used with Windows 10 based meeting room devices:

 

Profile type

Can you use the profile?

Administrative Templates

Yes

Certificates

Yes

Delivery Optimization

Yes

Device Firmware Configuration Interface

Check for supported hardware here

Device restrictions

Yes

Edition Upgrade

Not supported

Email

Not recommended

Endpoint Protection

Yes

eSim

Not supported

Identity Protection

Not supported

Kiosk

Not supported

Powershell Scripts

Yes (Devices need to be AADJ’d or HAADJ’d)

Shared multi-user device

Not supported

VPN

Not recommended

Wi-Fi

Not recommended

Windows Information Protection

Not recommended

 

NOTE: “Not recommended” in the table is due to this Windows 10 policy type not being a good fit for meeting room scenarios. For example, Meeting room devices are not enabled for Wi-Fi, therefore it’s not recommended (or necessary) to configure a WI-Fi profile. Learn more about available configuration policies here: https://docs.microsoft.com/intune/configuration/device-profile-create

 

Compliance Policies
Recommendation: Use Compliance Policies to achieve the desired security level for your Teams devices.


You can use Compliance policies on your meeting room devices. You should take care to create the appropriate exclusions for any existing Windows 10 compliance policies that are currently deployed in your organization to “All devices”.  For example, you may have configured the setting “Maximum minutes of inactivity before password is required” in a Policy for all Windows 10 desktop devices but this would result in a poor meeting room experience if applied to teams devices. If you currently have Windows 10 compliance policies deployed to large groups of devices, make sure you use the “Exclude group” feature so that you can target a more specific compliance policy for the Meeting Room Devices.


This doc goes into more depth on compliance policies: https://docs.microsoft.com/en-us/intune/protect/device-compliance-get-started.

 

Conditional Access

You can use Conditional Access policies with Teams meeting room devices. Teams connects to both SharePoint online and Exchange online cloud services. If you have an existing Conditional Access rule that protects access to Exchange online and SharePoint online cloud services for the users in your organization, you should take care to either exclude the Teams resource account (which is used to sign-in to the Teams app), or create a group containing all of the resource accounts and target a more specific and appropriate Conditional Access policy. For example, since meeting room devices always connect to these services from the same location, then a location-based CA rule, in combination with a device compliance rule, might be more appropriate. You can also use device compliance in your Conditional Access policies but be careful that teams devices are not broadly targeted in compliance policies that were created for Windows 10 desktop devices in your organization.

 

NOTE: As a reminder, Conditional Access is an Azure Active Directory Premium (P1) feature.

 

App Management

Recommendation: Use Win32 App deployment to install any additional agents required by your organization.

 

Windows 10 based meeting room devices typically arrive with the right applications pre-installed. However, there may be cases where IT admins need to install an app package or deploy app updates. Any apps that get deployed should be deployed as “Required”. “Available” apps require the further installation of the Company Portal app which is not recommended in the case of Teams meeting room devices. You’ll also want to make sure that any apps install in the device context (so that it’s accessible to all windows profiles).

 

App Type

Can you use this app type on a teams device?

Win32 App

Yes (As long as the device is Azure AD Joined or Hybrid Azure AD Joined)

LOB App

Yes

Microsoft Store for Business App

Yes

Web App

Not Supported

Store App

Not Supported

 

Grouping and Targeting

A good idea is to use Azure AD dynamic groups to effectively group all teams meeting room devices. One way that this can be best achieved is by using a naming standard during deployment/enrollment. For example, as mentioned earlier in this article, if you name all devices starting with MTR, you can then name devices “MTR-%SER%” which gives all devices a prefix of “MTR” with the serial number forming the second part of the name. Then you can use the dynamic group feature to group together all devices that start with MTR. Keep in mind, Azure AD dynamic groups is an AAD P1 feature.

 

Picture2.png

NOTE: Device renaming via Intune device management is supported on Azure AD Joined devices but not Hybrid Azure AD Joined devices.

 

When targeting Configuration and Compliance policies, and Apps it’s a good idea to target a group that contains devices rather than users. The reason for device-group assignment is that Teams meeting room devices sign into windows with a local user account (instead of an Azure AD User Account) and during sync with Intune, would not request any user-assigned policy.

 

 

I hope this was helpful in addressing some of the most common questions. Again, if you have any feedback or questions we’d love to hear from you so please comment below or find me on Twitter - @Scottduf.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.