AD Group Policy settings for Microsoft Teams Room on Windows Part 3/3

Microsoft Teams Rooms (MTR) on Windows platform solutions are by far the most deployed Microsoft meeting room solutions today and there are many vendors to choose from such as the Poly MTR on Windows kits. The solution comprises key components such as a Windows PC running Windows 10 with the Teams Room application, a Touchscreen control panel as well as a number of Peripheral devices (camera, microphone, speaker). Many organization have policies that require Windows PCs to join the AD Domain and have Group Policy Objects (GPOs) assigned to improve the security of the device. This blogpost aims to assist administrators on what GPOs may safely be applied to an MTRoW device without losing any functionality and what GPOs will render the device unusable. It is a continuation of the previous blog post.

In addition to the Teams Room Security features already included by default as described by Microsoft in this document: Microsoft Teams Rooms Security - Microsoft Teams | Microsoft Docs, by joining the MTRoW device to the AD Domain, then AD Group Policy Objects (GPOs) can has also provide additional security hardening requirements related to the Windows10 OS which are categorized into 3 areas:

1. Windows 10 Security Requirements
2. Strong User Rights
3. Security Options

Note that this blogpost is based on Teams Room version 4.9.12 on Windows 10 20H2. Lets look at each of these areas in more detail.

3. Security Options

Policy	Parameter	MTR Default	Possible Changes
Account: Administrator account status	Disabled	​Disabled	Not necessary
​Accounts: Guest account status	​Disabled	Disabled	Not necessary
​Accounts: Limit local account use of blank passwords to console logon only	Enabled	Enabled	Not necessary
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings	Enabled	Not Defined	Enabled
​Audit: Shut down system immediately if unable to log security audits	Disabled	Disabled	Not necessary
​Domain member: Digitally encrypt secure channel data (when possible)	Enabled	Enabled	Not necessary
​Domain member: Digitally sign secure channel data (when possible)	​Enabled	Enabled	Not necessary
Domain member: Disable machine account password changes	​Disabled	​Disabled	​Not necessary
​Domain member: Maximum machine account password age	90 days	30 days	​No impact
​Domain member: Require strong (Windows 2000 or later) session key	Enabled	Enabled	​Not necessary
​Interactive logon: Do not require CTRL+ALT+DEL	Disabled	Not Defined	Must be enabled as the Skype account needs to be able to sign-in seamlessly after nightly maintenance reboot or device restart must always sign the device back in using Skype account without user interaction
​Interactive logon: Machine account lockout threshold	​5 invalid logon attempts	Not defined	No impact
​Interactive logon: Machine inactivity limit	600 seconds	Not Defined	​Must not be changed as the device needs to be ready to all the time
Interactive logon: Number of previous logons to cache (in case domain controller is not available)	​5 logons	​10 logons	No impact
Interactive logon: Prompt user to change password before expiration	​14 days	​5 days	No impact
​Interactive logon: Smart card removal behavior	No action	No action	Not necessary
Microsoft network client: Digitally sign communications (always)	Enabled	Disabled	No impact
​Microsoft network client: Send unencrypted password to third-party SMB servers	Disabled	Disabled	​​Not necessary
​Microsoft network server: Amount of idle time required before suspending session	30 minutes	Not Defined	No impact
Microsoft network server: Digitally sign communications (always)	​Enabled	Disabled	No impact
​Microsoft network server: Disconnect clients when logon hours expire	​Enabled	​Enabled	​​Not necessary
​Network access: Allow anonymous SID/Name translation	Disabled	Disabled	​​​Not necessary
Network access: Do not allow anonymous enumeration of SAM accounts	​Enabled	Enabled	​​Not necessary
Network access: Do not allow anonymous enumeration of SAM accounts and shares	Enabled	Disabled	No impact
​Network access: Let Everyone permissions apply to anonymous users	​Disabled	​Disabled	​​Not necessary
Network access: Remotely accessible registry paths	​System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion	​System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion	​​Not necessary
Network access: Remotely accessible registry paths and sub-paths	System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog	​System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Serve\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog	​​Not necessary
Network access: Restrict anonymous access to Named Pipes and Shares	​Enabled	​Enabled	Not necessary
​Network access: Sharing and security model for local accounts	​Classic - local users authenticate as themselves	​Classic - local users authenticate as themselves	Not necessary
Network security : Allow Local System to use computer identity for NTLM	​Enabled	Not Defined	No impact
​Network security: Allow Local System NULL session fallback	​Disabled	Not Defined	No impact
​Network security: Do not store LAN Manager hash value on next password change	Enabled	Enabled	Not necessary
Network security: Force logoff when logon hours expire (to be set at Domain Controller)	​Disabled	​Disabled	​Not necessary
Network security: LAN Manager authentication level	Send NTLMv2 response only. Refuse LM & NTLM	​Not Defined	No impact
Network security: LDAP client signing requirements	​Negotiate signing	​Negotiate signing	Not necessary
​Network security: Minimum session security for NTLM SSP based (including secure RPC) clients	​Require NTLMv2 session security, Require 128-bit encryption	Require 128-bit encryption	No impact
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers	​Require NTLMv2 session security, Require 128-bit encryption	​Require 128-bit encryption	No impact
​System objects: Require case insensitivity for non-Windows subsystems	​Enabled	​Enabled	Not necessary
​System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)	​Enabled	​Enabled	​Not necessary
​System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies	Disabled	Disabled	​​Not necessary
​User Account Control: Admin Approval Mode for the Built-in Administrator account	​Enabled	Not Defined	No impact
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode	​Prompt for consent for non-Windows binaries	Prompt for consent for non-Windows binaries	​​Not necessary
User Account Control: Behavior of the elevation prompt for standard users	​Prompt for credentials	Prompt for credentials	​​Not necessary
​User Account Control: Detect application installations and prompt for elevation	Enabled	Enabled	​​Not necessary
​User Account Control: Only elevate UIAccess applications that are installed in secure locations	Enabled	Enabled	​​​Not necessary
User Account Control: Run all administrators in Admin Approval Mode	​Enabled	​Enabled	​​​​Not necessary
​User Account Control: Switch to the secure desktop when prompting for elevation	​Enabled	​Enabled	​​​Not necessary
​User Account Control: Virtualize file and registry write failures to per-user locations	​Enabled	Enabled	​​​Not necessary

This finally concludes a long 3-part series blog article that covers many of the common security policy parameters for Windows10 that may or may not be applied to Teams Room on Windows devices. It did not cover 100% of the parameters available but hopefully sufficient for most organization's requirements. Should there be any other parameters which should be covered, kindly leave in the comments section below.