This article aims to answer some common questions and provide general advice, but it does not replace the full recommendations of the experts at Lambert Consulting.
Teams Rooms Systems (TRS) or Skype Room Systems (SRS) can be enrolled in and managed by Intune to provide many of the device management and security features available to other managed endpoints in Intune. As these devices run Windows 10 under the bonnet, many Windows 10 features will be available, but many of them will not be applicable or recommended for a meeting room device.
We have divided this article by the scope of the features that Intune manages.
Windows 10 Configuration Profiles
Grouping and Targeting
The Teams devices based on Windows 10 come from vendors with a preconfigured operating system image, user accounts and profiles. Logging into Windows with the administrator profile and running the Azure AD join from the Settings app allows for seamless enrolment into Intune. We additionally recommend using an Intune Device Enrollment Manager (DEM) account, because Room System devices are shared devices rather than devices that have a user-device association in Intune; DEM accounts are intended for shared device scenarios. Find out more about DEM accounts here: https://docs.microsoft.com/intune/enrollment/device-enrollment-manager-enroll.
NOTE: Automatic Enrolment requires an Azure AD Premium license.
Depending on your current scenario, several other enrolment options are available, including:
Use the Windows Configuration Designer to create a Windows 10 provisioning package that performs a bulk Azure AD join. The details are here: https://docs.microsoft.com/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning -...
Windows 10 Configuration Policy
Recommendation: use Windows configuration profiles to configure the device settings that you need to change beyond the vendor-provided defaults.
Learn more about the configuration policies available here: https://docs.microsoft.com/intune/configuration/device-profile-create
Recommendation: use compliance policies to achieve the desired level of security for your TRS.
You can use compliance policies on devices in your meeting room. You should take care to create appropriate exclusions for any existing Windows 10 compliance policies that are currently deployed in your organisation on "All devices". For example, you may have set the "Maximum minutes of inactivity before password is required" setting in a policy for all Windows 10 desktop devices, but this would result in a poor meeting room experience if applied to Teams Rooms Systems. If you currently have Windows 10 compliance policies deployed on large groups of devices, be sure to use the "Exclude Group" feature so that you can target a more specific compliance policy for meeting room devices.
This document goes into more detail about compliance policies: https://docs.microsoft.com/en-us/intune/protect/device-compliance-get-started.
You can use conditional access policies with Teams Rooms Systems devices. Microsoft Teams connects to the SharePoint Online and Exchange Online cloud services. If you have an existing conditional access policy that protects access to Exchange Online and SharePoint Online for users in your organisation, you should take care to exclude the Teams resource account (which is used to sign in to the Teams application), or create a group containing all resource accounts and target it with a more specific and appropriate conditional access policy. For example, since meeting room devices always connect to these services from the same location, a location-based conditional access rule combined with a device compliance rule may be more appropriate than the rules applied to ordinary users.
NOTE: As a reminder, conditional access is an Azure Active Directory Premium (P1) feature.
Recommendation: use Win32 application deployment to install any additional agents required by your organisation.
Meeting room devices based on Windows 10 usually come with the right applications pre-installed. However, in larger organisations, IT administrators may need to install an application package or deploy application updates. All applications that are deployed must be deployed as "Required": "Available" applications additionally require the Company Portal application to be installed, which is not recommended for Teams meeting room devices. You will also want to ensure that all applications are installed in the device context (so that they are accessible to all Windows profiles).
Grouping and Targeting
A good idea is to use Azure AD dynamic groups to group all your Teams Rooms Systems effectively. One of the best ways to do this is to apply a naming standard when deploying/enrolling the devices, so that a dynamic membership rule can match on the device name. Keep in mind that Azure AD dynamic groups are an Azure AD P1 feature.
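As an added example (not from the original article), the following PowerShell uses the Microsoft Graph module to build such a dynamic device group from a naming prefix and then previews which registered devices the rule will match, so the group can be verified before it is used to exclude TRS from broad "All devices" policies. The prefix MTR-, the group name and the Graph permission scopes are assumptions; the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example: create an Azure AD dynamic device group for Teams Rooms
# Systems that follow a naming standard, then check which devices it captures.
# Assumptions: Microsoft.Graph module installed; TRS devices are named with the
# hypothetical prefix "MTR-" (e.g. MTR-LON-Boardroom).
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

$prefix = "MTR-"   # hypothetical naming standard for meeting room devices

# Dynamic membership rule: Windows devices whose display name uses the prefix.
# Matching on OS type as well keeps stray, similarly named objects out.
$rule = "(device.displayName -startsWith `"$prefix`") and (device.deviceOSType -eq `"Windows`")"

$group = New-MgGroup -DisplayName "Teams Rooms Systems (dynamic)" `
    -Description "Windows-based Teams Rooms devices; target TRS-specific compliance and conditional access policies here and exclude this group from broad 'All devices' policies" `
    -MailEnabled:$false -MailNickname "teams-rooms-systems" `
    -SecurityEnabled:$true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

Write-Host "Created group $($group.DisplayName) ($($group.Id))"

# Dynamic membership is evaluated asynchronously, so preview which registered
# devices match the naming standard now and confirm the rule is neither too
# broad nor too narrow before relying on it for policy exclusions.
Get-MgDevice -Filter "startsWith(displayName,'$prefix')" -All |
    Select-Object DisplayName, OperatingSystem, IsCompliant, TrustType |
    Format-Table -AutoSize
```

Once the group is populated, use it as the "Exclude Group" on the organisation-wide Windows 10 compliance policy and as the assignment for the meeting-room-specific compliance and conditional access policies described above.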