Microsoft Teams Rooms (MTR) on Windows platform solutions are by far the most deployed Microsoft meeting room solutions today, and there are many vendors to choose from, such as the Poly MTR on Windows kits. The solution comprises key components such as a Windows PC running Windows 10 with the Teams Rooms application, a touchscreen control panel and a number of peripheral devices (camera, microphone, speaker). Many organizations have policies that require Windows PCs to join the AD domain and have Group Policy Objects (GPOs) assigned to improve the security of the device. This blog post aims to assist administrators in determining which GPOs may safely be applied to an MTRoW device without losing any functionality, and which GPOs will render the device unusable. It is a continuation of the previous blog post.
- Windows 10 Security Requirements
- Strong User Rights
- Security Options
3. Security Options
| Policy | Parameter | MTR Default | Possible Changes |
|---|---|---|---|
| Account: Administrator account status | Disabled | Disabled | Not necessary |
| Accounts: Guest account status | Disabled | Disabled | Not necessary |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Not necessary |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Not Defined | Enabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled | Not necessary |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Not necessary |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Not necessary |
| Domain member: Disable machine account password changes | Disabled | Disabled | Not necessary |
| Domain member: Maximum machine account password age | 90 days | 30 days | No impact |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Not necessary |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Not Defined | Must be enabled, as the device must sign back in seamlessly with the Skype account, without any user interaction, after the nightly maintenance reboot or any device restart |
| Interactive logon: Machine account lockout threshold | 5 invalid logon attempts | Not Defined | No impact |
| Interactive logon: Machine inactivity limit | 600 seconds | Not Defined | Must not be changed, as the device needs to be ready for use at all times |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 5 logons | 10 logons | No impact |
| Interactive logon: Prompt user to change password before expiration | 14 days | 5 days | No impact |
| Interactive logon: Smart card removal behavior | No action | No action | Not necessary |
| Microsoft network client: Digitally sign communications (always) | Enabled | Disabled | No impact |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Not necessary |
| Microsoft network server: Amount of idle time required before suspending session | 30 minutes | Not Defined | No impact |
| Microsoft network server: Digitally sign communications (always) | Enabled | Disabled | No impact |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled | Not necessary |
| Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Not necessary |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Not necessary |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Disabled | No impact |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Not necessary |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | Not necessary |
| Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | Not necessary |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Not necessary |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Not necessary |
| Network security: Allow Local System to use computer identity for NTLM | Enabled | Not Defined | No impact |
| Network security: Allow Local System NULL session fallback | Disabled | Not Defined | No impact |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Not necessary |
| Network security: Force logoff when logon hours expire (to be set at Domain Controller) | Disabled | Disabled | Not necessary |
| Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | Not Defined | No impact |
| Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Not necessary |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security, Require 128-bit encryption | Require 128-bit encryption | No impact |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security, Require 128-bit encryption | Require 128-bit encryption | No impact |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Not necessary |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | Enabled | Not necessary |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Disabled | Not necessary |
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled | Not Defined | No impact |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | Prompt for consent for non-Windows binaries | Not necessary |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials | Prompt for credentials | Not necessary |
| User Account Control: Detect application installations and prompt for elevation | Enabled | Enabled | Not necessary |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled | Not necessary |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled | Enabled | Not necessary |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | Enabled | Not necessary |
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | Enabled | Not necessary |
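As an added example (not part of the original post), the PowerShell audit below reads the registry values that a selection of the Security Options above are written to, compares them with the Parameter column, and marks the two settings the table says must keep their MTR behaviour (CTRL+ALT+DEL not required, no inactivity limit). The registry locations are the standard ones these policies map to; the expected values are taken from the table, and the selection of rows and the status wording are this example's own.

```powershell
# Added example, not from the original post: audit Security Options on an MTR on Windows
# device. Expected mirrors the Parameter column, except for the two settings the table
# says must keep the MTR default so the room signs in unattended and never locks.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policies = @(
    @{ Name = 'Interactive logon: Do not require CTRL+ALT+DEL'; Path = $sys; Value = 'DisableCAD'
       Expected = 1; BreaksMtr = $true }            # 1 = Enabled: Skype account signs in without a user
    @{ Name = 'Interactive logon: Machine inactivity limit'; Path = $sys; Value = 'InactivityTimeoutSecs'
       Expected = $null; BreaksMtr = $true }        # must stay Not Defined (or 0), or the console locks
    @{ Name = 'Interactive logon: Machine account lockout threshold'; Path = $sys; Value = 'MaxDevicePasswordFailedAttempts'
       Expected = 5; BreaksMtr = $false }
    @{ Name = 'UAC: Admin Approval Mode for the Built-in Administrator'; Path = $sys; Value = 'FilterAdministratorToken'
       Expected = 1; BreaksMtr = $false }
    @{ Name = 'Network security: LAN Manager authentication level'; Path = $lsa; Value = 'LmCompatibilityLevel'
       Expected = 5; BreaksMtr = $false }           # 5 = Send NTLMv2 response only, refuse LM & NTLM
    @{ Name = 'Network security: Minimum session security for NTLM SSP clients'; Path = "$lsa\MSV1_0"; Value = 'NTLMMinClientSec'
       Expected = 0x20080000; BreaksMtr = $false }  # NTLMv2 session security (0x80000) + 128-bit (0x20000000)
    @{ Name = 'Network access: No anonymous enumeration of SAM accounts and shares'; Path = $lsa; Value = 'RestrictAnonymous'
       Expected = 1; BreaksMtr = $false }
    @{ Name = 'Audit: Force audit policy subcategory settings'; Path = $lsa; Value = 'SCENoApplyLegacyAuditPolicy'
       Expected = 1; BreaksMtr = $false }
    @{ Name = 'Microsoft network client: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1; BreaksMtr = $false }
)

function Get-MtrSecurityOptionReport {
    foreach ($p in $policies) {
        # A missing key or value means the policy is Not Defined, which is how the MTR image ships
        $item   = Get-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($p.Value) } else { $null }
        $ok = if ($null -eq $p.Expected) { $null -eq $actual -or $actual -eq 0 } else { $actual -eq $p.Expected }
        [pscustomobject]@{
            Policy   = $p.Name
            Expected = if ($null -eq $p.Expected) { 'Not Defined' } else { $p.Expected }
            Actual   = if ($null -eq $actual)     { 'Not Defined' } else { $actual }
            Status   = if ($ok) { 'OK' } elseif ($p.BreaksMtr) { 'MUST FIX: breaks room sign-in' } else { 'Drift' }
        }
    }
}

# Run on the MTR console (or via remoting) after GPO processing to see what actually applied
Get-MtrSecurityOptionReport | Sort-Object Status | Format-Table -AutoSize
```

Rows reported as Drift are GPO settings from the table that the device does not yet match but that the table marks as having no impact; only the MUST FIX rows affect room availability.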