Many organisations use Microsoft Intune to manage their end-user devices, but did you know it can also manage Microsoft Teams Rooms? Enrolling Microsoft Teams Rooms into Intune makes them subject to compliance policies, which can in turn be used as a condition in Conditional Access; device settings can also be configured via configuration profiles.
Microsoft Teams Rooms come in two versions, Android and Windows. This post covers the steps required to enrol Windows-based rooms into Intune.
The simplest method of enrolment is a provisioning package, which Windows can apply either during the Out of Box Experience (OOBE) portion of setup or later, once the machine has been set up.
The first step is to install Windows Configuration Designer from https://www.microsoft.com/store/productId/9NBLGGH4TX22, which will allow us to create the package.
After it has been installed, open it and select “Provision desktop devices”.
Enter a name for the project and an optional description.
Enter a naming convention, for instance MTR-%RAND:4%, and ensure “Configure devices for shared use” is set to No; otherwise the device will not allow local logon.
On the Set up network page, disable the Wi-Fi connection to ensure the LAN is used.
On the Account Management page select “Enroll in Azure AD”, after which you can click the “Get Bulk Token” button that appears. The account requesting the token must hold one of the following Azure AD roles:
- Global Administrator
- Cloud Device Administrator
- Intune Administrator
- Password Administrator
Note: If the account running the designer does not hold one of these roles, an error message is displayed; select “Refresh AAD credentials” to force an authentication window where you can enter valid credentials.
If this is the first time the designer has requested a token, a prompt to accept the requested permissions is displayed; click Accept.
If prompted, untick “Allow my organisation to manage my device” and then click “No, sign in to this app only”.
Once successful, the confirmation message “Bulk Token Fetched Successfully” is displayed in green.
At the same time a new user account, named package_<GUID>, is created in Azure AD; this is the enrolment account that the bulk token represents and that will perform the Azure AD join. Because the token is embedded in the provisioning package, treat the .PPKG file (and the USB drive you copy it to) as a credential: anyone who obtains it can join devices to your tenant until the token expires, so store it securely and disable the package account once the rollout is complete.
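Because each “Get Bulk Token” creates another package_<GUID> account, tenants that provision rooms regularly accumulate them. The script below is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to list those accounts with their creation date, flag ones older than a threshold, and disable a chosen account once the package that uses it is retired. The 180-day default, the User.ReadWrite.All scope and the package_ display-name prefix are assumptions documented in the comments.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: the caller can consent to User.ReadWrite.All, and bulk-token accounts
# carry the display-name prefix "package_" that Windows Configuration Designer uses.

function Get-BulkTokenAccount {
    param(
        # Accounts created more than this many days ago are flagged as stale.
        # 180 days is an assumed threshold, not a Microsoft-defined value.
        [int]$StaleAfterDays = 180
    )

    Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    Get-MgUser -Filter "startswith(displayName,'package_')" -All `
        -Property DisplayName,UserPrincipalName,CreatedDateTime,AccountEnabled |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName
                Created           = $_.CreatedDateTime
                Enabled           = $_.AccountEnabled
                Stale             = ($_.CreatedDateTime -lt $cutoff)
            }
        }
}

function Disable-BulkTokenAccount {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    # Disabling rather than deleting keeps the audit trail. A package whose account is
    # disabled can no longer join devices, so only do this for packages no longer in use.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
}

# Usage: review first, then disable only the stale accounts you have confirmed are retired.
Get-BulkTokenAccount | Format-Table -AutoSize
# Get-BulkTokenAccount | Where-Object Stale |
#     ForEach-Object { Disable-BulkTokenAccount -UserPrincipalName $_.UserPrincipalName }
```

Review the list before disabling anything: a package that is still on a USB drive in a deployment team's bag depends on its account staying enabled until the token itself expires.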
We do not need to add any applications or certificates in this example.
Click Finish and then Create; a link to the folder containing the package is then displayed.
The newly created .PPKG file then needs to be copied to the root of a USB drive.
On the Teams Rooms device, enter the admin credentials to get into Windows Settings, then go to Accounts, Access work or school, and click “Add or remove a provisioning package”.
Click Add a package
Click on the package name and then Add.
Accept the User Account Control prompt by clicking Yes.
You are then prompted to confirm that you trust the package, with a summary of the changes it will make.
After clicking “Yes, add it” the system reboots.
It is important to note that this does not reset the machine's configuration; it just applies the new settings, renames the machine and joins it to Azure AD.
Within Intune you can see that the device has no primary user assigned, since it was enrolled by the package account rather than by a user signing in.
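The same steps can be driven from an elevated PowerShell session on the device, which is useful when a batch of rooms needs to be enrolled and when you want to confirm the result rather than trust the reboot. The script below is an added example, not code from the original post. It uses the built-in Provisioning module (Install-ProvisioningPackage, Get-ProvisioningPackage) and dsregcmd; it assumes the .PPKG sits at the root of a removable drive as described above, and that the MTR- prefix from the example naming convention is the expected computer-name prefix.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session
# on the Teams Rooms device, before and after the reboot.
# Assumptions: the .ppkg is at the root of a removable drive; computer names start with
# "MTR-" as in the post's example naming convention.

function Find-RoomProvisioningPackage {
    # Look at the root of every removable drive (DriveType 2) for exactly one .ppkg.
    $drives   = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    $packages = foreach ($d in $drives) {
        Get-ChildItem -Path "$($d.DeviceID)\" -Filter '*.ppkg' -File -ErrorAction SilentlyContinue
    }
    if (@($packages).Count -ne 1) {
        throw "Expected exactly one .ppkg at the root of a removable drive, found $(@($packages).Count)."
    }
    $packages
}

function Install-RoomProvisioningPackage {
    param([Parameter(Mandatory)][string]$PackagePath)
    # -QuietInstall suppresses the trust prompt shown in the Settings UI, so verify where
    # the package came from before running this: the bulk token inside it will be consumed.
    Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall `
        -LogsDirectoryPath "$env:TEMP\ppkg-logs"
    # The device reboots to complete the Azure AD join, as it does in the Settings path.
}

function Test-RoomEnrolment {
    param([string]$ExpectedNamePrefix = 'MTR-')
    # dsregcmd /status reports "AzureAdJoined : YES" once the join has completed and
    # lists an MdmUrl when the device is enrolled in Intune.
    $status    = dsregcmd /status
    $joined    = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
    $mdm       = [bool]($status | Select-String -Pattern '^\s*MdmUrl\s*:\s*https://' -Quiet)
    $installed = Get-ProvisioningPackage -AllInstalledPackages
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        NameMatches     = $env:COMPUTERNAME.StartsWith($ExpectedNamePrefix)
        AzureAdJoined   = $joined
        MdmEnrolled     = $mdm
        PackagesApplied = @($installed).Count
    }
}

# Usage, before the reboot:
#   Install-RoomProvisioningPackage -PackagePath (Find-RoomProvisioningPackage).FullName
# Usage, after the reboot:
#   Test-RoomEnrolment
```

If Test-RoomEnrolment reports AzureAdJoined as true but MdmEnrolled as false, the join succeeded but automatic MDM enrolment did not; check the Intune MDM user scope and the logs written to the LogsDirectoryPath before re-running the package.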
Once the machine has joined Azure AD, the admin sign-in prompt on the device changes. If you still wish to log in with the existing local account, just enter .\admin in the “email address” box.