 | In the latest 4.19.57 version of Teams Room on Windows, Microsoft introduced a simplified deployment option using one-time passwords, or OTPs. This is especially useful for those who work with a system integrator. An OTP eliminates the security risk of needing to share room credentials, like usernames and passwords, with your installer. The code is shared with a company administrator, who can remotely provision credentials to the device. OTPs are currently available on Windows devices only. In this blog post, we walk through the steps of deploying MTR Windows using this new option. |
To begin we head over to the Teams Room Pro Management Portal at https://portal.rooms.microsoft.com/ and sign in with an account that has administrative permissions on Teams. On the Resource Accounts tab on the left pane, the list of al the resource accounts that can be used for Teams Rooms or Panels are displayed. The newly added "Generate OTP" button is the on the top of the list. To create a OTP, we fiirst select a resource account. If the "Generate OTP" button is greyed out, the "Readiness Status" column will likely show a "Needs action". This usually means that password expiration is enabled for the resource account. The screenshot below shows this scenario:
For the OTP deployment method to work, we need to disable password expiration for the resource account which is enabled by default. To do this, we can use the Azure AD powershell cmdlets but since this will soon be deprecated in March 2024, now would be a good time to start using the Microsoft Graph Powershell SDK that will replace Azure AD powershell. As of this writing, the latest version is 1.0 and can be installed at this URL: https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0
After installing, we run the following commands to disable password expiration for a resource account that we want to generate an OTP:
Connect-MgGraph -Scopes "User.ReadWrite.All"
Update-MgUser -UserId [email protected] -PasswordPolicies DisablePasswordExpiration
Example is shown in the picture below:
After installing, we run the following commands to disable password expiration for a resource account that we want to generate an OTP:
Connect-MgGraph -Scopes "User.ReadWrite.All"
Update-MgUser -UserId [email protected] -PasswordPolicies DisablePasswordExpiration
Example is shown in the picture below:
Now when we go back to the Teams Pro Portal and select the resource account that has password expiration disabled and we now see that the "Generate OTP" button is no longer greyed out. Clicking on the button will bring up the account selection pane as shown below:
Ensuring that the correct resource account is selected, we can click on "Next" which brings up the Configuration page. Here we can choose to let the system automatically generate passwords for the resource accounts, which will replace any existing password that it may have, or to retain the existing password via a CSV file that can be uploaded. For this walk through, we will just select the first option and proceed to the next step:
Finally in the review page, we click on "Generate" to create the OTP:
Next we can choose to download a CSV file containing the OTP along with the passwords, or just a file with the OTP. For example, below is the contents of the CSV file for our resource account and note that the OTP has an expiry of 24 hours by default:
UPN |
Display name |
OTP |
OTP expiry |
Password |
Poly MTR03 |
E9NZ-99WW-Y9Q3-U523 |
2023-12-30 01:19:50 AM - GMT+8 |
************* |
Now that we have the OTP, we can proceed to deploy the MTR on Windows device. At the intro screen on the device touch panel, we click on "Get started" and accept the license agreement:
 |  |
The next screen allows us to enter the OTP and click "Continue":
A message will display on the touch console stating that it is waiting for admin to approve our request. Now we can head back to the Teams Room Pro Portal and click on the "Review OTP requests" which will allow us to approve or reject the request:
Finally, we see on the MTR Windows devices touch console that the system is now signed in:
Last but not least, administrators can choose how long is the expiry of the OTP and whether to auto-approve in the "Preferences" page:
This concludes the walk through on how MTR Windows devices can now be deployed using the OTP method, providing administrators with a fast, easy and secure way to provision new MTR rooms throughout the organization.
RSS Feed