Microsoft Teams Rooms on Windows consoles can now be efficiently deployed, provisioned, and managed using Windows AutoPilot and Autologin. This combination streamlines the process, eliminating the need for physical interaction during setup. Windows Autopilot and Autologin have just been released in PREVIEW this week. In this blog post, we walk through the steps on how to leverage this powerful feature for mass deployment of MTRW devices.
AutoPilot with Autologin accelerates on-site deployment time for Teams Rooms consoles. It automates the Windows and Teams app installation, allowing the console to sign in to the Teams Room app without manual intervention.
Prerequisites
Before deployment, ensure you have:
- Teams Rooms Pro Licenses: Purchase sufficient licenses, which include Intune and Microsoft Entra ID P1 licenses.
- Correct Permissions: Verify deployment account permissions for Intune and Teams Management Pro portal.
- Resource Accounts: Set up required resource accounts for Teams Rooms consoles.
- Windows Support: Confirm you're deploying on Windows 11 consoles supported by Teams Rooms.
Summary of steps:
Step 1: Verify that all prerequisites are met
Step 2: Register devices as AutoPilot devices
Step 3: Create an Azure AD dynamic device group
Step 4: Deploy Teams Rooms app update tool
Step 5: Create an Enrollment Status Page (ESP) profile
Step 6: Create and assign Autopilot profile
Step 7: Create and assign a Local Administrator Password Solution policy
Step 8: Set up Autologin in the Pro Management Portal
Step 9: Deploy the device
Step 1: Verify that all prerequisites are met
Autopilot requires Teams Rooms Pro licenses for each of the consoles you're provisioning and deploying. Teams Rooms Pro licenses include the correct Intune and Microsoft Entra ID P1 licenses. Teams Room Basic licenses will NOT work with Autopilot. For Intune, the account used must have the Intune Administrator or Policy and Profile Manager permissions. For the Teams Management Pro portal, the account must have Teams Rooms Pro Manager permissions.
Step 2: Register devices as AutoPilot devices
Use Windows Autopilot device registration to collect hardware hashes, place them in a CSV file, and upload them to Intune. Ensure the GroupTag has the prefix 'MTR-ConsoleName' for identification in the Teams Pro Management portal. Normally, the hardware hashes can be provided by the reseller of the MTRW solution; otherwise they can be obtained manually from the device itself using the Windows Autopilot Diagnostics tool on Windows 11. Windows Autopilot Diagnostics is only available during the OOBE, by pressing Ctrl-Shift-D to bring up the Diagnostics Page. From this page, export MDMDiagReport.zip to a USB drive and extract the CSV file with the hardware hash, for example DeviceHash_COMPUTERNAME.csv. Add a "Group Tag" field in the header and add "MTR-ConsoleName" as the data for this field. Below is an example of a valid CSV file
Step 3: Create an Azure AD dynamic device group
Device groups are a collection of devices used in Autopilot to target devices for specific configurations, such as which policies and applications to install on the device, and to target Enrollment Status Page (ESP) configurations, Autopilot profile configurations, and domain join profiles to devices. Dynamic groups are primarily used since a large number of devices are normally involved. Sign in to the Microsoft Intune admin center and in the Home screen, select Groups in the left-hand pane. In the Groups | All groups screen, make sure All groups is selected, and then select New group. In the New Group screen, configure the following settings as shown below:
| Field | Value |
| --- | --- |
| Group Type | Security |
| Group Name | <Enter a Name> |
| Microsoft Entra roles can be assigned to the group | No |
| Membership Type | Dynamic Device |
| Add Dynamic Query | (device.devicePhysicalIds -any _ -startswith "[OrderID]:MTR-") |
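A pre-upload check of the Step 2 CSV against the Step 3 dynamic query, as an added example that is not part of the original post. It assumes Intune's import column names and that the Group Tag surfaces in devicePhysicalIds as `[OrderID]:<tag>`; the serials, hashes and room names are constructed.

```python
import base64
import csv
import io

REQUIRED = ["Device Serial Number", "Windows Product ID", "Hardware Hash", "Group Tag"]
RULE_PREFIX = "[OrderID]:MTR-"  # prefix tested by the Step 3 dynamic query

def check_autopilot_csv(text):
    """Return (line, serial, problem) tuples for rows to fix before upload."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "", "missing column(s): " + ", ".join(missing))]
    problems, seen = [], set()
    for row in reader:
        line = reader.line_num
        serial = (row["Device Serial Number"] or "").strip()
        tag = (row["Group Tag"] or "").strip()
        if not serial or serial in seen:
            problems.append((line, serial, "empty or duplicate serial number"))
        seen.add(serial)
        try:  # b64decode(validate=True) raises a ValueError subclass on bad input
            if not base64.b64decode(row["Hardware Hash"] or "", validate=True):
                raise ValueError("empty hash")
        except ValueError:
            problems.append((line, serial, "hardware hash is empty or not base64"))
        # Assumption: the rule sees the tag as "[OrderID]:<tag>". The comparison is
        # case-sensitive on purpose, requiring the prefix exactly as the rule writes it.
        if not ("[OrderID]:" + tag).startswith(RULE_PREFIX):
            problems.append((line, serial, "Group Tag %r misses the MTR- group rule" % tag))
    return problems

def _hash(n):  # constructed stand-in for a real hardware hash
    return base64.b64encode(b"constructed-hash-%d" % n).decode()

SAMPLE = "\n".join([  # constructed rows, not real devices
    "Device Serial Number,Windows Product ID,Hardware Hash,Group Tag",
    "SN0001,,%s,MTR-ConfRoomA" % _hash(1),
    "SN0002,,%s," % _hash(2),               # no tag: never joins the group
    "SN0003,,%s,mtr-Lobby" % _hash(3),      # wrong-case prefix
    "SN0001,,%s,MTR-ConfRoomB" % _hash(4),  # serial repeated
    "SN0005,,not base64!,MTR-ConfRoomC",    # damaged hash
]) + "\n"

if __name__ == "__main__":
    for problem in check_autopilot_csv(SAMPLE):
        print(problem)
```

A registered device whose tag misses the rule stays outside the group, so it receives none of the ESP, Autopilot profile or LAPS policy assigned to that group in the later steps.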
Step 4: Deploy Teams Rooms app update tool
The Teams Rooms app update tool updates the Teams Rooms app to a version that supports AutoPilot and Autologin. The update tool must first be downloaded, then uploaded to Intune. This enables Intune to push the update tool to the Teams Rooms consoles enrolling through AutoPilot. The update tool then automatically updates the Teams app on the console so it can automatically log in. To deploy the Teams Rooms app update tool to your consoles:
- Download the update tool Win32 package https://mmrprodglobstor.blob.core.windows.net/public/softwareupdates/onboarding/MTRPUpdater/ProvisioningToolInstaller.intunewin
- In the Microsoft Intune Admin center, navigate to Apps and under By platform select Windows.
- Select Add. In the Select app type detail pane, select Windows app (Win32) in the drop-down menu.
- Browse to select the update tool app package file downloaded in Step 1.
- On this page, most fields are automatically populated. To see the update tool in the list, put in Microsoft as the publisher, then select Next.
- Under Program, select Next. Under Requirements set the following:
  - Under Operating system architecture, select 32-bit and 64-bit.
  - Under Minimum operating system, select Windows 10 21H2.
- Under Detection rules, set:
  - Rules format: Manually configure detection rules, select Add.
  - In the Detection rule detail pane, select MSI in the Rule type. The MSI product code should fill in automatically.
  - Select No for MSI product version check.
  - Select OK.
  - Select Next.
- Under Dependencies, select Next. Under Supersedence, select Next. Under Assignments, select Add group.
- Under the Required section, in the Select groups detail pane, choose the group created for the Microsoft Teams Rooms consoles being deployed with Windows AutoPilot. Select Next.
- On the Review + create page, review your settings. If everything is set correctly, select Create.
Step 5: Create an Enrollment Status Page (ESP) profile
Create an Enrollment Status Page (ESP) profile for your Teams Rooms on Windows deployment. The ESP displays progress and current status while the device is being set up and enrolled via the Autopilot process.
- In the Devices | Overview screen, under By platform, select Windows. In the Windows | Windows devices screen, select Windows enrollment.
- Under Windows Autopilot, select Enrollment Status Page. In the Enrollment Status Page screen that opens, select Create.
- The Create profile screen opens. In the Basics page:
  - Next to Name, enter a name for the ESP profile. Eg: MTRW Autopilot ESP
  - Next to Description, enter a description. Select Next.
- In the Settings page, toggle the option Show app and profile configuration progress to Yes.
- After the option Show app and profile configuration progress is toggled to Yes, several new options will appear. Configure these options based on the table below.
- Once the different ESP options under the Settings page have been configured as desired, select Next.
- In the Assignments page:
  - Under Included groups, select Add groups.
  - In the Select groups to include window that opens, select the device group(s) to target the ESP profile. This will be the Dynamic Device Group we created in Step 1. Eg: “MTRW Autopilot Devices”
  - After selecting the device group, select Select to close the Select groups to include window. Select Next. In the Scope tags page, select Next.
- In the Review + create page, review the settings and verify everything is correct and configured as desired. Once verified, select Create to save the changes and assign the ESP profile.
Step 6: Create and assign Autopilot profile
For Teams Rooms devices, create a Self-deploying Autopilot profile and assign the Autopilot profile to the previously created device group.
- Sign in to the Microsoft Intune admin center (https://intune.microsoft.com). In the Home screen, select Devices in the left-hand pane.
- In the Devices | Overview screen, under By platform, select Windows. In the Windows | Windows devices screen, select Windows enrollment.
- Under Windows Autopilot Deployment Program, select Deployment Profiles. In the Windows Autopilot deployment profiles screen, select Create Profile > Windows PC.
- The Create profile screen opens. In the Basics page:
  - Next to Name, enter a name for the Autopilot profile.
  - Next to Description, enter a description.
  - Select Next.
- In the Out-of-box experience (OOBE) page:
  a) For Deployment mode, select Self-Deploying (preview).
  b) Join to Microsoft Entra ID as defaults to Microsoft Entra joined, is greyed out, and can't be changed. Only Microsoft Entra joined is available because self-deploying mode only supports Microsoft Entra join. Self-deploying mode doesn't support Microsoft Entra hybrid join.
  c) Microsoft Software License Terms defaults to Hide, is greyed out, and can't be changed.
  d) Privacy settings defaults to Hide, is greyed out, and can't be changed.
  e) Hide change account options defaults to Hide, is greyed out, and can't be changed.
  f) User account type defaults to Standard, is greyed out, and can't be changed.
  g) For Language (Region), select Operating system default to use the default language for the operating system being configured. If another language is desired, select the desired language from the drop-down list.
  h) For Automatically configure keyboard, select Yes to skip the keyboard selection page.
- For Apply device name template, select Yes to apply a device name template and enter MTR-%SERIAL%. This will rename the computer to MTR-SERIALNUMBER.
  a) NOTE: Be aware of the following if the name template is set to Yes:
     - Names must be 15 characters or less, and can have letters, numbers, and hyphens. Names can't be all numbers.
     - Use the %SERIAL% macro to add a hardware-specific serial number.
     - Use the %RAND:x% macro to add a random string of numbers, where x equals the number of digits to add.
- Once the options in the Out-of-box experience (OOBE) page are configured as desired, select Next.
- In the Assignments page, Under Included groups, choose Add groups:
  - In the Select groups to include window that opens, select the Dynamic Device Group you created in Step 1. Eg: “MTRW Autopilot Devices”. Once done, click Select.
  - Under Included groups > Groups, ensure the correct group was selected, and then select Next.
- In the Review + Create page, review and verify that all of the settings are set as desired, and then choose Create to create the Autopilot profile.
Step 7: Create and assign a Local Administrator Password Solution policy
For Teams Rooms, it is highly recommended to create and assign a LAPS policy as a good security practice. This may also be required in certain jurisdictions. To configure a LAPS policy, follow the steps below.
- In the Microsoft Intune admin center (https://intune.microsoft.com), go to Endpoint security > Account protection, and then select Create Policy.
- Set the Platform to Windows 10 and later, Profile to Local admin password solution (Windows LAPS), and then select Create.
- On Basics, enter the following properties:
  - Name: Enter a descriptive name for the profile. Name profiles so you can easily identify them later.
  - Description: Enter a description for the profile. This setting is optional but recommended.
- On Configuration settings, for Backup Directory – select Not Configured
- For Administrator Account Name – Toggle the switch and enter “Admin” for the account name.
- Leave all other Configuration settings unmodified and select Next
- In the Scope tags page, don’t configure anything and then select Next.
- For Assignments, select the groups to receive this policy – in this case it will be the Group you created in Step 1. Eg: “MTRW Autopilot Devices”. Once done, click Review + create.
- In the Review + create page, review your settings and then select Create. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the policy list.
Step 8: Set up Autologin in the Pro Management Portal
After all the configuration is completed in the Endpoint Manager portal, we will assign resource accounts to the Autopilot devices so that the Teams Rooms can automatically log in upon deployment. Before configuring, ensure that you have valid permissions to configure Windows Autopilot devices.
- Log into the Teams Rooms Pro Management Portal – https://portal.rooms.microsoft.com
- In the left navigation of the Microsoft Teams Rooms Pro Management portal, go to Planning > Autopilot devices
- On the Windows Autopilot devices page, select Sync to populate the device list. NOTE: Only devices that the user has permissions to will be synced. If the user does not have permissions to previously synced devices visible in the Pro portal, they will not be able to assign a resource account. These devices will be marked as Disabled
- Select a device from the list.
- Select Assign account
- On the Device selection page, the device is pre-selected. Select Next
- On the Account selection page, select the account you want to associate to this device. Select Next.
- On the Configuration page, configure the following options: Select Generate password automatically. This automatically sets a password for the account. Alternatively, you can enter the credentials if manual is selected.
- On the Review page, select Finish to complete the association of the resource account to Autopilot device.
Step 9: Deploy the device
Once all the configurations for Windows Autopilot self-deploying deployment and Auto-login have been completed in Intune and the Pro Management Portal, the next step is to start the deployment process on the device.
To start the Autopilot deployment process on the device, select a device that is Autopilot registered and has a resource account assigned, then simply – POWER IT ON.
Once the device boots up, one of two things occurs depending on the state of network connectivity:
- If the device is connected to a wired network and has network connectivity, the device may reboot to apply critical security updates (if available or applicable). After the reboot to apply critical security updates, the Autopilot process begins.
- If the device isn't connected to a wired network or if it doesn't have network connectivity, it prompts to connect to a network. Connectivity to the Internet is required:
  - OOBE (out of box experience) begins and a screen asking for a country or region appears. Select the appropriate country or region, and then select Yes.
  - The keyboard screen appears to select a keyboard layout. Select the appropriate keyboard layout, and then select Yes.
  - An additional keyboard layouts screen appears. If needed, select additional keyboard layouts via Add layout, or select Skip if no additional keyboard layouts are needed.