Common Microsoft Teams Rooms Deployment Issues

Having worked with many customers who are deploying Teams Meeting Rooms within their organisation, there are some common deployment issues that tend to crop up.

Let’s take a look at a few of these below.

 

Planning your deployment

Before you hit the submit button on that purchase order for some shiny new meeting room equipment, there’s a bit of housekeeping that needs to be taken care of first.

 

Internet Access

Each MTR requires Internet access to reach Office 365, Azure AD and optionally Intune. They also require access to the Microsoft Store to obtain MTR app updates, and Windows Update to obtain OS updates.

While MTRs can access the internet via a proxy server (for HTTP/HTTPS traffic), authenticated proxies are not supported. There is no mechanism to support proxy authentication on an MTR, even if you domain-join the device. This is because the MTR signs in using a local “Skype” account, before launching the MTR Teams room app and signing in to Teams.

If your organisation requires all internet-bound traffic to pass through an authenticated proxy, you can either white-list the Office 365 URLs so they bypass proxy authentication, or segregate your MTRs by placing them on a separate VLAN that doesn’t pass through the proxy and has direct internet access.

It’s useful to note too that your MTRs don’t require access to your internal corp network – only access to the internet.
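Because an MTR cannot answer a proxy authentication challenge, any required host missing from the bypass list shows up in the proxy's access log as an HTTP 407 response to a room device. The check below is an added example, not part of the original post; the VLAN range, bypass list, log format and the example.invalid host names are all constructed for illustration.

```python
import ipaddress
from collections import Counter
from fnmatch import fnmatch

# Constructed values for illustration: the MTR VLAN and the proxy's current
# authentication-bypass list are assumptions, not taken from the article.
MTR_VLAN = ipaddress.ip_network("10.50.20.0/24")
BYPASS = ["teams.microsoft.com", "*.teams.microsoft.com", "login.microsoftonline.com"]

# Constructed proxy access log: "<time> <client-ip> <method> <host:port> <status>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.50.20.11 CONNECT teams.microsoft.com:443 200
2024-05-01T09:00:02Z 10.50.20.11 CONNECT store.example.invalid:443 407
2024-05-01T09:00:03Z 10.50.20.12 CONNECT update.example.invalid:443 407
2024-05-01T09:00:04Z 10.50.20.12 CONNECT update.example.invalid:443 407
2024-05-01T09:00:05Z 10.10.5.77 CONNECT news.example.invalid:443 407
2024-05-01T09:00:06Z 10.50.20.11 CONNECT api.teams.microsoft.com:443 407
this line is malformed and must be skipped
"""

def is_bypassed(host, patterns=BYPASS):
    """True if the host matches an entry (exact or wildcard) in the bypass list."""
    host = host.lower().rstrip(".")
    return any(fnmatch(host, p.lower()) for p in patterns)

def audit(log_text, vlan=MTR_VLAN, patterns=BYPASS):
    """Count 407 challenges sent to MTR addresses, split into hosts missing from
    the bypass list and hosts that are listed but were challenged anyway."""
    missing, misapplied = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "407":
            continue  # not a well-formed line, or not an auth challenge
        try:
            client = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        if client not in vlan:
            continue  # only room devices matter; users can answer the challenge
        host = parts[3].rsplit(":", 1)[0]
        counter = misapplied if is_bypassed(host, patterns) else missing
        counter[host] += 1
    return missing, misapplied

if __name__ == "__main__":
    missing, misapplied = audit(SAMPLE_LOG)
    print("Add to bypass list:", dict(missing))
    print("Listed but still challenged (check rule order):", dict(misapplied))
```

Hosts in the first group need adding to the bypass list; hosts in the second group point to a proxy rule that is not being applied to the MTR VLAN.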

 

Security

While your security team may be tempted to push your default Windows 10 Intune policies to your Windows-based MTRs, doing so has a very good chance of breaking something.

Although Windows-based MTRs run Windows 10, when the device is logged in as the local Skype account, the interface doesn’t provide access to anything other than being able to join or create a Teams meeting, or place a phone call.

There’s no access to the Windows start menu, desktop, or any other apps like web browsers, file explorer, or Office apps. The MTR doesn’t store any company documents, and users can’t connect a USB thumb drive to upload or download any content to the MTR. Additionally, you can encrypt the MTR’s drive with BitLocker for additional security should you wish.

Android-based devices will suffer the same fate if you enforce default Android policies that were designed for Android mobile phones onto them. Things like enforcing password complexity will prevent the device from being able to pass your conditional access policy.

 

Conditional Access Policies

If you’re using conditional access policies to control access to your Office 365 tenant, know that MTRs are supported.

It’s advisable to Azure-AD join each Windows-based MTR (either using a DEM account, or the meeting room account), which then allows you to set configuration policies for Windows Updates (being careful not to install a non-supported version of Windows!) so that the device meets your conditional access requirements.

 

Deploying your rooms

When it comes time to deploy your room equipment, have a think about where you will place the cameras, mics and touch panel. Most MTRs today have a USB cable that links the touch screen panel with the room compute – meaning you’re going to need to have a way of getting that USB cable from the table to wherever you’ve installed the compute.

Some MTRs swap this USB cable out for an ethernet cable, which makes installing the touch panel on the table while utilising existing network cabling much simpler and cleaner.

 

Room management

Ok, so you’ve rolled out your rooms, everything is ticking along nicely. The next step is to ensure your rooms are managed and updated.

If you’re using Intune to manage your Windows-based MTRs, be sure to not push out an unsupported version of Windows. You can check the latest supported OS details here: Microsoft Teams Rooms app version support – Microsoft Teams | Microsoft Docs

If you’re letting the MTR manage its own updates automatically, be sure to allow the MTR to access both Windows Update and the Microsoft Store to obtain updates.

If you’ve blocked all updates on the MTR, think again! Microsoft will prevent the app from signing in to Teams if it’s older than 3 months.

 

Final thoughts

If you haven’t already seen it, I’ve written a blog series on managing Teams Meeting Rooms. You can read the series of posts here: Managing a Microsoft Teams Room (MTR) Device with Intune – Part 1 – Theme – Blog – Chiffers.com

I’ve also written a piece on deploying Teams Room Premium here: Deploying Microsoft Teams Room Premium – Blog – Chiffers.com

How are you managing your rooms? Have you run into any issues with your deployment? Drop a comment below.

 

Nick
7 months ago

This is a very informative set.
When talking about corp security policies like MFA, how does an MTR respond to that, and also over credentials-based internet access networks?