Microsoft Teams Rooms (MTR) on Windows is by far the most widely deployed Microsoft meeting room platform today, and there are many vendors to choose from, such as the Poly MTR on Windows kits. The solution comprises a Windows PC running Windows 10 with the Teams Rooms application, a touchscreen control panel, and a number of peripheral devices (camera, microphone, speaker). Many organizations have policies that require Windows PCs to join the AD domain and have Group Policy Objects (GPOs) assigned to improve the security of the device. This blog post aims to help administrators decide which GPOs may safely be applied to an MTRoW device without losing any functionality and which GPOs will render the device unusable. It is a continuation of the previous blog post.
- Windows 10 Security Requirements
- Strong User Rights
- Security Options
2. Strong User Rights
In the table below, Parameter is the hardened value a security GPO would assign, MTR Default is the value the device ships with, and Possible Changes records whether moving to the Parameter value affected the room system.

| Policy | Parameter | MTR Default | Possible Changes |
|---|---|---|---|
| Access Credential Manager as a trusted caller | No one | No one | Not necessary |
| Access this computer from the network | Administrators, Authenticated Users | Administrators | Not necessary |
| Act as part of the operating system | No one | No one | Not necessary |
| Adjust memory quotas for a process | LOCAL SERVICE, NETWORK SERVICE, Administrators | LOCAL SERVICE, NETWORK SERVICE, Administrators | Not necessary |
| Allow log on locally | Administrators, Users | Skype, Guest, Administrators, Backup Operators | Guest and Backup Operators can be removed since they are not used |
| Back up files and directories | Administrators | Administrators, Backup Operators | Backup Operators can be removed |
| Change the system time | LOCAL SERVICE, Administrators | LOCAL SERVICE, Administrators | Not necessary |
| Change the time zone | LOCAL SERVICE, Administrators, Users | LOCAL SERVICE, Administrators, Users | Not necessary |
| Create a pagefile | Administrators | Administrators | Not necessary |
| Create a token object | No one | No one | Not necessary |
| Create global objects | LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE | LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE | Not necessary |
| Create permanent shared objects | No one | No one | Not necessary |
| Create symbolic links | Administrators | Administrators, NT VIRTUAL MACHINE\Virtual Machines | Removing the NT VIRTUAL MACHINE\Virtual Machines group had no impact, since no virtual machines run on the MTR |
| Debug programs | Administrators | Administrators | Not necessary |
| Deny access to this computer from the network | Guests | Guests | Not necessary |
| Deny log on as a batch job | Guests | No one | No impact, as the Guest account is disabled |
| Deny log on as a service | Guests | No one | No impact, as the Guest account is disabled |
| Deny log on locally | Guests | Guests | Not necessary |
| Deny log on through Remote Desktop Services | Guests | No one | Not necessary |
| Enable computer and user accounts to be trusted for delegation | No one | No one | Not necessary |
| Force shutdown from a remote system | Administrators | Administrators | Not necessary |
| Generate security audits | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | Not necessary |
| Impersonate a client after authentication | LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE | LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE | Not necessary |
| Increase scheduling priority | Administrators, Window Manager\Window Manager Group | Administrators, Window Manager\Window Manager Group | Not necessary |
| Load and unload device drivers | Administrators | Administrators | Not necessary |
| Lock pages in memory | No one | No one | Not necessary |
| Manage auditing and security log | Administrators | Administrators | Not necessary |
| Modify an object label | No one | No one | Not necessary |
| Modify firmware environment values | Administrators | Administrators | Not necessary |
| Perform volume maintenance tasks | Administrators | Administrators | Not necessary |
| Profile single process | Administrators | Administrators | Not necessary |
| Profile system performance | Administrators, NT SERVICE\WdiServiceHost | Administrators, NT SERVICE\WdiServiceHost | Not necessary |
| Restore files and directories | Administrators | Administrators, Backup Operators | Removing Backup Operators had no impact |
| Shut down the system | Administrators, Users | Administrators, Users, Backup Operators | Removing Backup Operators had no impact |
| Synchronize directory service data | No one | No one | Not necessary |
| Take ownership of files or other objects | Administrators | | Not necessary |
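As an added example (not code from the original post), the following PowerShell script exports the User Rights Assignment currently in effect on an MTR on Windows device with secedit and compares it against the values the table arrives at. It reports principals the table says can safely be removed, and principals the room system needs that a hardening GPO may already have stripped. It assumes an elevated PowerShell session on the device and that the MTR local account is named Skype as in the table; the $Target hashtable is a hand-transcribed subset of the table's rows, not something the page or Microsoft publishes.

```powershell
# Added example, not code from the original post. Exports the effective
# User Rights Assignment with secedit and diffs it against the hardened
# values the table above arrives at.
# Assumptions: elevated PowerShell on the MTR device; the console account is
# the local "Skype" user; $Target is a hand-made transcription of the table.
#Requires -RunAsAdministrator

$infPath = Join-Path $env:TEMP 'mtr-user-rights.inf'
secedit.exe /export /cfg $infPath /areas USER_RIGHTS | Out-Null

# Target state per privilege constant: the Parameter value where the table
# says a change is possible, otherwise the MTR default the table keeps.
$Target = @{
    'SeTrustedCredManAccessPrivilege' = @()                          # Access Credential Manager as a trusted caller
    'SeNetworkLogonRight'             = @('Administrators')          # Access this computer from the network
    'SeTcbPrivilege'                  = @()                          # Act as part of the operating system
    'SeInteractiveLogonRight'         = @('Skype', 'Administrators') # Allow log on locally, Guest and Backup Operators removed
    'SeBackupPrivilege'               = @('Administrators')          # Back up files and directories, Backup Operators removed
    'SeCreateSymbolicLinkPrivilege'   = @('Administrators')          # Create symbolic links, Virtual Machines removed
    'SeDebugPrivilege'                = @('Administrators')          # Debug programs
    'SeRestorePrivilege'              = @('Administrators')          # Restore files and directories, Backup Operators removed
    'SeShutdownPrivilege'             = @('Administrators', 'Users') # Shut down the system, Backup Operators removed
}

function Resolve-PrincipalName {
    param([string]$Token)
    # secedit writes principals as *S-1-... SIDs; anything else is already a name.
    if ($Token -notlike '*S-1-*') { return $Token }
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($Token.TrimStart('*'))
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        return ($name -split '\\')[-1]   # drop BUILTIN\, NT AUTHORITY\, <machine>\ prefixes
    } catch {
        return $Token                    # unresolvable SID (e.g. a deleted account): report it raw
    }
}

function Get-CurrentUserRights {
    param([string]$Path)
    $rights = @{}
    $inSection = $false
    # secedit writes UTF-16LE; only the [Privilege Rights] section is of interest.
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
        $principals = $Matches[2] -split ',' | Where-Object { $_ } |
                      ForEach-Object { Resolve-PrincipalName $_.Trim() }
        $rights[$Matches[1]] = @($principals)
    }
    return $rights
}

$current = Get-CurrentUserRights -Path $infPath
foreach ($priv in ($Target.Keys | Sort-Object)) {
    # A privilege missing from the export is assigned to no one.
    $have = if ($current.ContainsKey($priv)) { @($current[$priv]) } else { @() }
    $want = @($Target[$priv])
    $extra   = @($have | Where-Object { $_ -notin $want })
    $missing = @($want | Where-Object { $_ -notin $have })
    if ($extra -or $missing) {
        [pscustomobject]@{
            Privilege  = $priv
            Current    = ($have -join ', ')
            Target     = ($want -join ', ')
            CanRemove  = ($extra -join ', ')    # principals the table shows are safe to drop
            WouldBreak = ($missing -join ', ')  # principals the MTR needs that are no longer granted
        }
    }
}
Remove-Item $infPath -ErrorAction SilentlyContinue
```

Run it once before and once after linking a hardening GPO. Entries under CanRemove are the Guest, Backup Operators and Virtual Machines grants the table shows can be dropped; an entry under WouldBreak (for instance Skype missing from SeInteractiveLogonRight, the account the room console signs in with) points at a GPO setting that will leave the device unusable and must be restored under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.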