Microsoft Teams Rooms (MTR) on Windows platform solutions are by far the most deployed Microsoft meeting room solutions today, and there are many vendors to choose from, such as the Poly MTR on Windows kits. The solution comprises key components such as a Windows PC running Windows 10 with the Teams Rooms application, a touchscreen control panel, and a number of peripheral devices (camera, microphone, speaker). Many organizations have policies that require Windows PCs to join the AD domain and have Group Policy Objects (GPOs) assigned to improve the security of the device. This blog post aims to assist administrators in determining which GPOs may safely be applied to an MTRoW device without losing any functionality and which GPOs will render the device unusable.
- Windows 10 Security Requirements
- Strong User Rights
- Security Options
1. Windows 10 Security Requirements
| Windows 10 Feature | Configuration | MTR Default | Possible changes |
|---|---|---|---|
| Set up the endpoint using the NTFS file system | Make sure that all partitions on the endpoint are in NTFS format. | Yes | Not necessary |
| Configure to use internal NTP server, time zone, region and formats | Internal NTP server using UDP/123 | Yes | Not necessary |
| Installation of the latest service pack and patches | Install and use additional tools such as Configuration Manager or 3rd-party software to ensure the latest Windows service packs and patches, as well as application updates, are installed | No | Teams Rooms is configured to automatically keep itself patched with the latest Windows updates, including security updates. Teams Rooms installs any pending updates every day beginning at 2:00am using a pre-set local policy. There is no need to use additional tools to deploy and apply Windows updates. Using additional tools to deploy and apply updates can delay the installation of Windows patches and thus lead to a less secure deployment. The Teams Rooms app is deployed using the Microsoft Store. If your devices are licensed with Microsoft Teams Rooms Standard, any new versions of the app are automatically installed during the nightly patching process. |
| Install antivirus software and endpoint protection | Obtain and install 3rd-party antivirus and endpoint protection software with regular updates of signature patterns | No | Even though end users can't put files on a Teams Rooms hard drive, Microsoft Defender is still enabled. Teams Rooms performance is tested with Microsoft Defender. Disabling this or adding endpoint security software can lead to unpredictable results and potential system degradation. |
| Enable the screen saver password | Set the screen saver password and screen saver timeout to 15 minutes. Also set the 'On resume, display logon screen' checkbox | No | A screen saver is neither allowed nor required during normal operations, as the device is already running in kiosk mode with access to only the Teams Rooms app. However, the screen will automatically go into power save mode when not in use. |
| Disable the Guest user account | Disable the Guest account from Computer Management. | Yes | The Guest account is disabled by default on the Teams Rooms device. |
| Disable Internet Connection Sharing (ICS) service | Disable the ICS service and configure it not to start automatically during boot | No | ICS cannot be disabled due to the use of Hypervisor-protected code integrity (HVCI) in MTR. However, Group Policy can be used to disable the ability for users to share the internet connection: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Prohibit use of Internet Connection Sharing on your DNS domain network -> Enabled |
| Disable remote services | Remote Desktop Configuration; Remote Desktop Services; Remote Desktop Services UserMode Port Redirector; Remote Registry | No | Can be disabled |
| Configure manual startup | Configure manual start-up for these services: Remote Procedure Call (RPC) Locator; Windows Error Reporting Service | Yes | Not necessary |
| Enforce a strong password and account policy | Password Policy: Enforce password history; Maximum password age; Minimum password age; Minimum password length; Passwords must meet complexity requirements: Enabled; Store passwords using reversible encryption: Disabled. Account Lockout Policy: Account lockout duration; Account lockout threshold; Reset account lockout counter after | No | These can be applied for AD domain accounts. However, they must not be applied at the local account level, as the hardened Skype account is configured without a password. |
| Disable all non-essential privileged accounts | Disable all accounts that do not meet system or application objectives. | Yes | Only the Skype account and the local admin account are enabled by default. When joined to the domain, the domain admin will be added to the local Administrators group and the local admin account can be disabled. |
| Deny AutoRun and access to removable media devices | Set the default behaviour for AutoRun: Enabled; All Removable Storage classes: Deny all access: Enabled; CD and DVD: Deny read access: Enabled; CD and DVD: Deny write access: Enabled; Removable Disks: Deny read access: Enabled; Removable Disks: Deny write access: Enabled; WPD Devices: Deny read access: Enabled; WPD Devices: Deny write access: Enabled | No | These settings can be configured without any impact on MTR functionality. |
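As an added example (not from the original post or from Microsoft), the read-only audit script below reads back the settings the table recommends on an MTRoW device: the ICS, AutoRun and removable-storage policies via their registry values, and the remote and manual-startup services via their start types. The registry paths, value names and service names are assumed from the editor's knowledge of the policy-to-registry mappings in the Windows ADMX templates; verify them against your own ADMX files before relying on the list.

```powershell
# Added example: audit MTRoW hardening settings from the table above. Read-only.
# Run in an elevated PowerShell on the MTR device; nothing is changed.
$registryChecks = @(
    @{ Name = 'Prohibit ICS on DNS domain network (assumed mapping)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
       Value = 'NC_ShowSharedAccessUI'; Expect = 0 },
    @{ Name = 'AutoRun default behaviour: do not execute (assumed mapping)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoAutorun'; Expect = 1 },
    @{ Name = 'All removable storage classes: deny all access (assumed mapping)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Value = 'Deny_All'; Expect = 1 },
    @{ Name = 'Removable disks: deny write (assumed class GUID)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       Value = 'Deny_Write'; Expect = 1 }
)

# Service names as the editor knows them; StartType needs PowerShell 5 or later.
$serviceChecks = @{
    SessionEnv     = 'Disabled'   # Remote Desktop Configuration
    TermService    = 'Disabled'   # Remote Desktop Services
    UmRdpService   = 'Disabled'   # Remote Desktop Services UserMode Port Redirector
    RemoteRegistry = 'Disabled'   # Remote Registry
    RpcLocator     = 'Manual'     # Remote Procedure Call (RPC) Locator
    WerSvc         = 'Manual'     # Windows Error Reporting Service
}

$report = foreach ($c in $registryChecks) {
    # A missing key or value means the policy is not configured at all.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
    $status = if ($actual -eq $c.Expect) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Check = $c.Name; Expected = $c.Expect; Actual = $shown; Status = $status }
}
$report += foreach ($name in $serviceChecks.Keys) {
    $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
    $shown  = if ($null -eq $svc) { 'service not found' } else { "$($svc.StartType)" }
    $status = if ($shown -eq $serviceChecks[$name]) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Check = "Service $name start type"; Expected = $serviceChecks[$name]; Actual = $shown; Status = $status }
}

$report | Format-Table -AutoSize
# Exit non-zero when anything needs review, so the script can run from a scheduled check.
if ($report.Status -contains 'REVIEW') { exit 1 }
```

The ICS value is expected to be 0 because that policy hides the sharing UI rather than stopping the service, which matches the table's note that the service itself cannot be disabled under HVCI.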