
AD Group Policy settings for Microsoft Teams Room on Windows Part 1/3

8/27/2021

Microsoft Teams Rooms (MTR) on the Windows platform is by far the most widely deployed Microsoft meeting room solution today, and there are many vendors to choose from, such as the Poly MTR on Windows kits. The solution comprises a Windows PC running Windows 10 with the Teams Rooms application, a touchscreen control panel, and a number of peripheral devices (camera, microphone, speaker). Many organizations have policies that require Windows PCs to join the AD domain and have Group Policy Objects (GPOs) assigned to improve the security of the device. This blog post aims to help administrators decide which GPOs can safely be applied to an MTR on Windows (MTRoW) device without losing any functionality, and which GPOs will render the device unusable.
In addition to the Teams Rooms security features already included by default, as described by Microsoft in Microsoft Teams Rooms Security - Microsoft Teams | Microsoft Docs, joining the MTRoW device to the AD domain allows AD Group Policy Objects (GPOs) to provide additional security hardening of the Windows 10 OS. These hardening requirements fall into three areas:
  1. Windows 10 Security Requirements
  2. Strong User Rights
  3. Security Options
Note that this blog post is based on Teams Rooms version 4.9.12 on Windows 10 20H2. Let's look at each of these areas in more detail.

1. Windows 10 Security Requirements
Each entry below gives the Windows 10 feature, the configuration the hardening requirement calls for, whether it is already the MTR default, and what changes are possible.

Windows 10 feature: Set up the endpoint using the NTFS file system
Configuration: Make sure that all partitions on the endpoint are in NTFS format.
MTR default: Yes
Possible changes: Not necessary

Windows 10 feature: Configure an internal NTP server, time zone, region and formats
Configuration: Internal NTP server using UDP/123
MTR default: Yes
Possible changes: Not necessary

Windows 10 feature: Installation of the latest service pack and patches
Configuration: Install and use additional tools such as Configuration Manager or third-party software to ensure that the latest Windows service packs and patches, as well as application updates, are installed.
MTR default: No
Possible changes: Teams Rooms is configured to automatically keep itself patched with the latest Windows updates, including security updates. Teams Rooms installs any pending updates every day beginning at 2:00am using a pre-set local policy. There is no need to use additional tools to deploy and apply Windows updates. Using additional tools to deploy and apply updates can delay the installation of Windows patches and thus lead to a less secure deployment. The Teams Rooms app is deployed using the Microsoft Store. If your devices are licensed with Microsoft Teams Rooms Standard, any new versions of the app are automatically installed during the nightly patching process.

Windows 10 feature: Install antivirus software and endpoint protection
Configuration: Obtain and install third-party antivirus and endpoint protection software with regular updates of signature patterns.
MTR default: No
Possible changes: Even though end users can't put files on a Teams Rooms hard drive, Microsoft Defender is still enabled. Teams Rooms performance is tested with Microsoft Defender. Disabling it or adding endpoint security software can lead to unpredictable results and potential system degradation.

Windows 10 feature: Enable the screen saver password
Configuration: Set the screen saver password and the screen saver timeout to 15 minutes. Also set the 'On resume, display logon screen' checkbox.
MTR default: No
Possible changes: A screen saver is neither allowed nor required during normal operations, as the device is already running in kiosk mode with access to only the Teams Rooms app. However, the screen will automatically go into power save mode when not in use.

Windows 10 feature: Disable the Guest user account
Configuration: Disable the Guest account from Computer Management.
MTR default: Yes
Possible changes: The Guest account is disabled by default on the Teams Rooms device.

Windows 10 feature: Disable the Internet Connection Sharing (ICS) service
Configuration: Disable the ICS service and configure it not to start automatically during boot.
MTR default: No
Possible changes: ICS cannot be disabled due to the use of Hypervisor-protected code integrity (HVCI) in MTR. However, Group Policy can be used to remove the ability for users to share the internet connection: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Prohibit use of Internet Connection Sharing on your DNS domain network -> Enabled

Windows 10 feature: Disable remote services
Configuration: Disable the following services:
  • Remote Desktop Configuration
  • Remote Desktop Services
  • Remote Desktop Services UserMode Port Redirector
  • Remote Registry
MTR default: No
Possible changes: Can be disabled

Windows 10 feature: Configure manual startup
Configuration: Configure manual start-up for these services:
  • Remote Procedure Call (RPC) Locator
  • Windows Error Reporting Service
MTR default: Yes
Possible changes: Not necessary

Windows 10 feature: Enforce a strong password and account policy
Configuration: Password Policy:
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Passwords must meet complexity requirements: Enabled
  • Store passwords using reversible encryption: Disabled
Account Lockout Policy:
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after
MTR default: No
Possible changes: These can be applied to AD domain accounts. However, they must not be applied at the local account level, as the hardened Skype account is configured without a password.

Windows 10 feature: Disable all non-essential privileged accounts
Configuration: Disable all accounts that do not meet system or application objectives.
MTR default: Yes
Possible changes: Only the Skype account and the local admin account are enabled by default. When joined to the domain, the domain admins will be added to the local Administrators group and the local admin account can be disabled.

Windows 10 feature: Deny AutoRun and access to removable media devices
Configuration:
  • Set the default behaviour for AutoRun: Enabled
  • All Removable Storage classes: Deny all access: Enabled
  • CD and DVD: Deny read access: Enabled
  • CD and DVD: Deny write access: Enabled
  • Removable Disks: Deny read access: Enabled
  • Removable Disks: Deny write access: Enabled
  • WPD Devices: Deny read access: Enabled
  • WPD Devices: Deny write access: Enabled
MTR default: No
Possible changes: These settings can be configured without any impact on MTR functionality.
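The following PowerShell script is an added example and is not part of the original post or of Microsoft's MTR tooling. Part 1 authors a domain GPO carrying the registry-backed settings the table marks as safe for MTRoW (the ICS prohibition, the AutoRun default, and the removable storage denies); Part 2 is run on the MTR device itself and audits the "MTR default" column (NTFS volumes, Guest account, Defender, remote and manual-start services) together with the policy values Part 1 leaves behind. It assumes the RSAT GroupPolicy module is installed on the management workstation; the GPO name and OU distinguished name are placeholders, and the removable storage class GUIDs are the ones used by RemovableStorage.admx, so verify them against the ADMX in your central store. The password and lockout policies are domain-level settings, and service start types are set under Security Settings -> System Services, so neither is written by this script.

```powershell
# Added example, not from the original post. Part 1 authors a domain GPO with the
# registry-backed settings the table marks as safe for MTR on Windows (ICS
# prohibition, AutoRun, removable storage). Part 2 runs on the MTR itself and
# audits the "MTR default" column plus the values those policies leave behind.
# Assumptions: RSAT GroupPolicy module for Part 1; GPO name and OU are placeholders;
# class GUIDs are the ones RemovableStorage.admx uses (verify in your central store).
#Requires -RunAsAdministrator

# ---------- Part 1: domain side (management workstation with RSAT) ----------
function New-MtrHardeningGpo {
    param(
        [string]$GpoName  = 'MTR-Windows-Hardening',             # placeholder
        [string]$TargetOu = 'OU=MeetingRooms,DC=example,DC=com'  # placeholder
    )
    Import-Module GroupPolicy -ErrorAction Stop
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Safe GPO settings for Microsoft Teams Rooms on Windows'
    }
    $pol = 'HKLM\SOFTWARE\Policies\Microsoft\Windows'

    # Network > Network Connections > Prohibit use of ICS on your DNS domain network: Enabled
    Set-GPRegistryValue -Name $GpoName -Key "$pol\Network Connections" `
        -ValueName 'NC_ShowSharedAccessUI' -Type DWord -Value 0 | Out-Null

    # AutoPlay Policies > Set the default behavior for AutoRun: Enabled (do not execute autorun commands)
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -ValueName 'NoAutorun' -Type DWord -Value 1 | Out-Null

    # Removable Storage Access > All Removable Storage classes: Deny all access: Enabled
    $rsd = "$pol\RemovableStorageDevices"
    Set-GPRegistryValue -Name $GpoName -Key $rsd -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

    # Per-class Deny read / Deny write, matching the rows in the table
    $classes = @{
        'CD and DVD'      = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}')
        'Removable Disks' = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')
        'WPD Devices'     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                              '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
    }
    foreach ($class in $classes.Keys) {
        foreach ($guid in $classes[$class]) {
            foreach ($value in 'Deny_Read', 'Deny_Write') {
                Set-GPRegistryValue -Name $GpoName -Key "$rsd\$guid" -ValueName $value -Type DWord -Value 1 | Out-Null
            }
        }
    }
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# ---------- Part 2: device side (elevated PowerShell on the MTR) ----------
function Test-MtrHardening {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }
    function Get-PolicyDword([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    # NTFS on every lettered volume (the EFI system partition is FAT32 by design, so unlettered volumes are skipped)
    $nonNtfs = Get-Volume | Where-Object { $_.DriveLetter -and $_.FileSystem -ne 'NTFS' }
    $detail = if ($nonNtfs) { $nonNtfs.DriveLetter -join ',' } else { 'none' }
    Add-Result 'All lettered volumes are NTFS' (-not $nonNtfs) "Non-NTFS=$detail"

    # Guest account disabled (MTR default)
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    Add-Result 'Guest account disabled' ($null -ne $guest -and -not $guest.Enabled) "Enabled=$($guest.Enabled)"

    # Microsoft Defender still on: the table says do not disable or replace it
    $mp = Get-MpComputerStatus
    Add-Result 'Defender real-time protection on' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) "AV=$($mp.AntivirusEnabled) RTP=$($mp.RealTimeProtectionEnabled)"

    # Remote services the table says can be disabled; RPC Locator and WER should stay Manual
    $expect = @{ SessionEnv = 'Disabled'; TermService = 'Disabled'; UmRdpService = 'Disabled'
                 RemoteRegistry = 'Disabled'; RpcLocator = 'Manual'; WerSvc = 'Manual' }
    foreach ($svc in $expect.Keys) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $actual = if ($s) { $s.StartType.ToString() } else { 'missing' }
        Add-Result "Service $svc start type is $($expect[$svc])" ($actual -eq $expect[$svc]) "StartType=$actual"
    }

    # Policy values applied by the GPO from Part 1 (a missing value fails the check)
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
    Add-Result 'ICS prohibited by policy' ((Get-PolicyDword "$pol\Network Connections" 'NC_ShowSharedAccessUI') -eq 0) ''
    Add-Result 'Removable storage Deny_All' ((Get-PolicyDword "$pol\RemovableStorageDevices" 'Deny_All') -eq 1) ''
    Add-Result 'AutoRun commands blocked' ((Get-PolicyDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoAutorun') -eq 1) ''

    return $results
}

# Usage: run New-MtrHardeningGpo once from a domain-joined admin workstation, then, on the
# MTR after gpupdate /force:  Test-MtrHardening | Format-Table Check, Pass, Detail -AutoSize
```

The audit deliberately reads only policy keys and service start types rather than changing anything, so it can be run repeatedly on a production room without risking the kiosk session; a failing "Defender real-time protection on" row in particular is worth investigating, since the table treats Defender as something that must stay enabled on an MTR.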
To be continued in Part 2/3 ...