Managing a Microsoft Teams Room (MTR) Device with Intune – Part 2 – Updates

Welcome to part 2 of my series on Managing Microsoft Teams Room (MTR) devices with Intune.

Update 1st March 2022 – added details around firmware updates with Intune

Be sure to check out the series of posts:

Managing a Microsoft Teams Room (MTR) Device with Intune – Part 1 – Theme
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 2 – Updates
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 3 – Configuration Profiles
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 4 – Autopilot

 

Updates – a hot topic

Love them or hate them, updates are an integral part of keeping your IT environment up to date, secure and running smoothly. Microsoft Teams Room devices run a version of Windows 10, and Microsoft strongly recommends that you keep both the OS, and MTR app patched and up to date.

Of course, you may already be aware that the MTR does a fine job of managing its own updates today via a built in scheduled task that runs every night at 2am. The task runs a PowerShell script that queries Windows Update and the Microsoft Store for Business to obtain the latest supported OS updates and Microsoft Teams Room system app, before installing them and automatically rebooting the MTR where the device signs back in as the local Skype user, launches the MTR app and signs itself back into Teams ready for another day of Teams meetings.

Hang on – What are Supported OS Updates?

You’ll notice I underlined and bolded supported OS updates in the above paragraph. Microsoft rigorously tests the MTR app before confirming that a particular version of Windows is given the tick of approval to confirm that its supported.

It’s important to check the Microsoft Teams Rooms app version support  to confirm which specific versions of Windows 10 are listed as supported, before attempting to push a version to your MTRs via Intune. Installing a more up to date version of Windows that hasn’t been tested yet may mean you experience undesired results on the MTR.

Why would I want to control my updates via Intune?

Great question! In general, I always recommend that my customers utilise the MTRs built in update patch management where possible.

However, there are scenarios where customers may wish to manage these updates via Intune instead. Common scenarios include:

  • Wanting to manage the version of Windows installed across all devices within the org
  • Wanting to ensure the device meets a certain compliance threshold
  • Wanting to manage updates using another form of update distribution – such as WSUS
  • Wanting control over when updates are installed

Windows Updates vs Teams App Updates

One important thing to note is that while you can control Windows updates on the device, the MTR app updates that come from the Windows Store cannot be controlled via Intune.

It is strongly recommended that you allow the MTR to download updates from the Windows Store for Business itself. If however you block access to the Windows Store for Business, you can manually deploy MTR updates by downloading the latest MTR app, and deploying it manually via PowerShell. I’ve documented this approach here: https://blog.chiffers.com/2021/09/06/manually-update-an-mtr-with-the-latest-teams-app/

Driver and Firmware Updates

It’s important to point out that while Intune has the ability to download driver and firmware updates for your MTR devices, it’s a little more complicated that simply enabling the feature inside of Intune.

Driver and firmware updates are highly dependent on whether the manufacturer of the device has chosen to publish driver and firmware updates to Windows Update. Secondly, it is highly likely that while driver and firmware updates may be published to Windows Update and able to be downloaded by Intune on your MTRs, they will most likely not be automatically installed.

This comes down to the risk profile of automatically these updates. A bad driver may take a camera offline, but a failed firmware update can brick a device or entire machine.

Because of this, you’ll notice Intune places the updates within the Optional Updates section of Windows update on the MTR. You can then choose whether you want to install these driver and firmware updates, or not.

 

Configuring an Update Policy for an MTR

Let’s go ahead and setup our update policy in Intune to manage updates on our MTR.

  1. Login to the Intune portal at manage.microsoft.com
  2. Expand Devices > Windows > Update rings for Windows 10 and Later > Create Profile


  3. We’ll give our profile a name: MTR_Updates


  4. Next we’ll configure our update ring for our MTR devices.

    Item Setting Notes
    Servicing Channel Semi-Annual Channel Don’t choose Windows Insider.
    Microsoft Product Updates Allow  
    Windows Drivers Allow  
    Quality update deferral period (days) 0 The number of days to defer quality (security updates and bug fixes etc) updates before installing them
    Feature update deferral period (days) 0 The number of days to defer feature (new versions of Windows 10) updates before installing them
    Set feature update uninstall period 60 The number of days you can uninstall a feature update on an MTR before the files are removed
    Automatic update behavior Auto install and restart at maintenance time  
    Active hours start and end 3AM til 7AM I’d recommend a 4 hour window
    Restart checks Skip  
    Option to pause Windows Updates Disable  
    Option to check for Windows Updates Disable  
    Require user approval to dismiss restart notification No  
    Remind user prior to required auto-restart with dismissible reminder (hours) blank  
     
    blank  
    Change notification update level turn off all notifications, including restart warnings You may choose to leave these enabled if you wish
    Use deadline settings Not configured  

  5. Lastly, assign the policy to your group of MTR devices.

Once that’s done, we’ll need to create Feature and Quality update rules.

  1. Click Feature updates for Windows 10 and later on the left, then click Create profile


  2. Give it a name: MTR Feature Updates and be sure to select either Windows 10, version 20H2, or Windows 10, version 1909


  3. Add your MTR device group to the list of Included Groups
  4. Click Create  to create the Feature Update policy

Now we’ll create our Quality Update policy

  1. Choose Quality Updates for Windows 10 and later > Create Profile
  2. Give the policy a name: MTR Quality Updates
  3. Be sure to select an up to date version of quality updates
  4. Select the number of days to wait before a restart is enforced. I’d recommend 1 day, but keep in mind that this may enforce the MTR to restart during business hours.


  5. Assign the policy to your group of MTR devices, and click Create.

 

That’s it! Your MTRs are now configured to have their updates managed by Intune. Your MTR app updates will still come from the Windows Store for Business (unless you’ve specifically blocked this from occurring).

 

Be sure to check out the series of posts:

Managing a Microsoft Teams Room (MTR) Device with Intune – Part 1 – Theme
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 2 – Updates
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 3 – Configuration Profiles
Managing a Microsoft Teams Room (MTR) Device with Intune – Part 4 – Autopilot

0 0 votes
Article Rating
Subscribe
Notify of
guest


This site uses Akismet to reduce spam. Learn how your comment data is processed.

9 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
ChunBao
ChunBao
3 years ago

Hi May I know which category do mtr app belong? Features update, Quality updates or Rings?

Thomas Engler
Thomas Engler
2 years ago

Hi Craig, do you already have experience when it comes to managing updates via Intune vs. MTR manages services?

Last edited 2 years ago by Thomas Engler
Roger
Roger
2 years ago

nice article! I’ve just setup my update policies based on ur recommendations. One question, do we need to anything with the scheduler script? I assume that will still run for updates. Do we need to disable it so intune takes over?

iamtnerb
iamtnerb
2 years ago

I have a question with Active hours start and end 3AM til 7AM. Does this mean that restart will only be supress during this hours?

Kenneth Sundby
Kenneth Sundby
1 year ago
Reply to  iamtnerb

Yes, he made a mistake here probably thinking he was setting the maintenance window, but it’s actually the opposite since this is configuring when *not* to interrupt the user.

“Configure a period when restarts due to update installations will be suppressed.”