Welcome to part 2 of my series on Managing Microsoft Teams Room (MTR) devices with Intune.
Update 1st March 2022 – added details around firmware updates with Intune
Be sure to check out the series of posts:
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 1 – Theme
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 2 – Updates
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 3 – Configuration Profiles
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 4 – Autopilot
Updates – a hot topic
Love them or hate them, updates are an integral part of keeping your IT environment up to date, secure and running smoothly. Microsoft Teams Room devices run a version of Windows 10, and Microsoft strongly recommends that you keep both the OS, and MTR app patched and up to date.
Of course, you may already be aware that the MTR does a fine job of managing its own updates today via a built in scheduled task that runs every night at 2am. The task runs a PowerShell script that queries Windows Update and the Microsoft Store for Business to obtain the latest supported OS updates and Microsoft Teams Room system app, before installing them and automatically rebooting the MTR where the device signs back in as the local Skype user, launches the MTR app and signs itself back into Teams ready for another day of Teams meetings.
Hang on – What are Supported OS Updates?
You’ll notice I underlined and bolded supported OS updates in the above paragraph. Microsoft rigorously tests the MTR app before confirming that a particular version of Windows is given the tick of approval to confirm that its supported.
It’s important to check the Microsoft Teams Rooms app version support to confirm which specific versions of Windows 10 are listed as supported, before attempting to push a version to your MTRs via Intune. Installing a more up to date version of Windows that hasn’t been tested yet may mean you experience undesired results on the MTR.
Why would I want to control my updates via Intune?
Great question! In general, I always recommend that my customers utilise the MTRs built in update patch management where possible.
However, there are scenarios where customers may wish to manage these updates via Intune instead. Common scenarios include:
- Wanting to manage the version of Windows installed across all devices within the org
- Wanting to ensure the device meets a certain compliance threshold
- Wanting to manage updates using another form of update distribution – such as WSUS
- Wanting control over when updates are installed
Windows Updates vs Teams App Updates
One important thing to note is that while you can control Windows updates on the device, the MTR app updates that come from the Windows Store cannot be controlled via Intune.
It is strongly recommended that you allow the MTR to download updates from the Windows Store for Business itself. If however you block access to the Windows Store for Business, you can manually deploy MTR updates by downloading the latest MTR app, and deploying it manually via PowerShell. I’ve documented this approach here: https://blog.chiffers.com/2021/09/06/manually-update-an-mtr-with-the-latest-teams-app/
Driver and Firmware Updates
It’s important to point out that while Intune has the ability to download driver and firmware updates for your MTR devices, it’s a little more complicated that simply enabling the feature inside of Intune.
Driver and firmware updates are highly dependent on whether the manufacturer of the device has chosen to publish driver and firmware updates to Windows Update. Secondly, it is highly likely that while driver and firmware updates may be published to Windows Update and able to be downloaded by Intune on your MTRs, they will most likely not be automatically installed.
This comes down to the risk profile of automatically these updates. A bad driver may take a camera offline, but a failed firmware update can brick a device or entire machine.
Because of this, you’ll notice Intune places the updates within the Optional Updates section of Windows update on the MTR. You can then choose whether you want to install these driver and firmware updates, or not.
Configuring an Update Policy for an MTR
Let’s go ahead and setup our update policy in Intune to manage updates on our MTR.
- Login to the Intune portal at manage.microsoft.com
- Expand Devices > Windows > Update rings for Windows 10 and Later > Create Profile
- We’ll give our profile a name: MTR_Updates
- Next we’ll configure our update ring for our MTR devices.
Item Setting Notes Servicing Channel Semi-Annual Channel Don’t choose Windows Insider. Microsoft Product Updates Allow Windows Drivers Allow Quality update deferral period (days) 0 The number of days to defer quality (security updates and bug fixes etc) updates before installing them Feature update deferral period (days) 0 The number of days to defer feature (new versions of Windows 10) updates before installing them Set feature update uninstall period 60 The number of days you can uninstall a feature update on an MTR before the files are removed Automatic update behavior Auto install and restart at maintenance time Active hours start and end 3AM til 7AM I’d recommend a 4 hour window Restart checks Skip Option to pause Windows Updates Disable Option to check for Windows Updates Disable Require user approval to dismiss restart notification No Remind user prior to required auto-restart with dismissible reminder (hours) blank blank Change notification update level turn off all notifications, including restart warnings You may choose to leave these enabled if you wish Use deadline settings Not configured - Lastly, assign the policy to your group of MTR devices.
Once that’s done, we’ll need to create Feature and Quality update rules.
- Click Feature updates for Windows 10 and later on the left, then click Create profile
- Give it a name: MTR Feature Updates and be sure to select either Windows 10, version 20H2, or Windows 10, version 1909
- Add your MTR device group to the list of Included Groups
- Click Create to create the Feature Update policy
Now we’ll create our Quality Update policy
- Choose Quality Updates for Windows 10 and later > Create Profile
- Give the policy a name: MTR Quality Updates
- Be sure to select an up to date version of quality updates
- Select the number of days to wait before a restart is enforced. I’d recommend 1 day, but keep in mind that this may enforce the MTR to restart during business hours.
- Assign the policy to your group of MTR devices, and click Create.
That’s it! Your MTRs are now configured to have their updates managed by Intune. Your MTR app updates will still come from the Windows Store for Business (unless you’ve specifically blocked this from occurring).
Be sure to check out the series of posts:
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 1 – Theme
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 2 – Updates
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 3 – Configuration Profiles
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 4 – Autopilot