Microsoft Teams Device Deployment Playbook
https://aka.ms/teams-devices-deployment-playbook
Got Feedback?
aka.ms/TeamsPlaybookFeedback
NOTE: This playbook will focus on the most common & best practice methods for deploying/managing/monitoring Teams devices. Custom & complex environments should consult with their
account team and/or a partner for support.
Microsoft 365
© Microsoft Corporation Microsoft 365
What are Teams Devices?
Teams makes it easy to get a portfolio of devices to meet your business
needs. This includes plug and play solutions such as headsets,
speakerphones, webcams, and monitors, where no extra configuration is
required.
Note: This playbook will not address plug and play solutions. For more
information, see the following:
https://learn.microsoft.com/microsoftteams/devices/usb-devices
Teams rooms transform meeting spaces ranging from small huddle areas to
large conference rooms with rich, collaborative Teams experiences.
Teams panels are dedicated Teams devices that display meeting details,
typically mounted outside meeting rooms.
Selecting your device experience
I. What type of experience? | II. What type of device? | III. If room, which type of room device? | IV. System accessories
• Shared | Display | MTRoW | Intelligent devices, content cameras, etc.
• Personal | Phone | MTRoA | Touchscreen vs physical buttons
• Personal | Phone | MTRoA | Touch screen, no handset
Teams Phone (shared)
Recommended:
• Provide traditional desk phone experiences for:
  • Common Area Phones (CAP) such as lobbies and breakrooms
  • Shared use areas such as retail stores or manufacturing spaces
  • Small huddle rooms that provide dedicated calling experiences
• Supports a wide range of calling features
What are Certified Devices?
The Microsoft Teams Devices Certification Program ensures certified devices meet a high standard, with higher performance targets and
quality metrics across the entire Teams experience (audio, video, user interface). Microsoft and Original Equipment Manufacturer (OEM)
partners are actively working together to ensure devices meet all certification requirements, including security, audio and video quality,
Teams experience, and accessibility.
For devices running Android: Certification end dates are based on the Android OS version running on the device when it enters the
certification program. Our OEM partners are working to extend the lifetime of the certification by upgrading the Android OS version and re-
certifying, or by releasing new models that are state-of-the-art. Beyond the certification period, Microsoft is committed to make efforts to
support the most recent version of the Teams client on such devices for two years following the end of the certification period.
[Figure labels: Azure Active Directory Portal; Exchange Admin Center; OEM Management Portal (per OEM); Microsoft Teams Room Pro Management Portal (License required)]
Design
type of space.
• Leverage certified devices for all deployments for the best experience
• Understand dependencies, map any partner teams, and engage as required for a
successful deployment
Implement
• Have processes understood and tested for implementation and problem resolution
• Engage on-site hands and plan resources to physically deploy as early as possible.
Monitor
• Create standard operating procedures for monitoring the performance of devices,
using tools such as the Quality of Experience Report for Devices
(aka.ms/qerpbitemplates)
Teams Rooms on Windows
• Resource account created
• Set resource account policies in Exchange
• Password expiration disabled
• Meeting room license assigned
• Phone number assigned
• AAD security group created and all MTRoW resource accounts are added to it
• AAD dynamic group created for MTR devices (matching to device name: "MTR-")
• Intune Compliance Policy created and assigned to dynamic device group
• Conditional access configured (with IP restrictions & device compliance) and assigned to resource account group (exclude from other existing policies)
• Ensure the AAD resource account group is in scope for Intune auto enrollment with AAD join
Teams Rooms on Windows (cont.)
These items are intended to further secure your MTR deployment and
speed up the deployment time:
• How to join to Azure AD & Intune
• Set the system name (MTR-SerialNumber)
• Configure PowerShell script to change the default local admin password
• Create an AAD security group and add user accounts you want to have administrative access on your MTR
• Configure an Intune CSP to deploy your new AAD admin group to all MTRs
• If using the Teams Pro Management Portal, you can set the Teams Room Pro Installer to be deployed via Intune scoped to your device AAD group
• Set proxy settings
• Deploy certificates
IT Admin Guidance:
• Review Intelligent Speaker requirements
• Connect and set up the Intelligent Speaker
• Enable user recognition and transcription
• Teams Premium licensed users will receive a ‘Meeting Recap’ with in-room speaker attribution
End User Guidance:
Note: Each meeting attendee must be invited individually, either on the original invite or through a
forwarded invitation.
Security Considerations
Resource Accounts:
• Do not enforce password expiration
• Do not enforce multi-factor authentication through another device (push notification, text, phone call, etc.); instead,
leverage known location and/or device compliance as the second factor to secure accounts
Conditional Access:
• Resource accounts should be excluded from user CA policies and have unique policies created to ensure the resource
accounts are locked down appropriately
• Consider device filters to apply your CA policies
Local Device Security:
• Ensure all local administrative passwords are changed during setup
• Teams Rooms performance is tested with Microsoft Defender. Disabling this or adding other endpoint security
software is not supported as it can lead to unpredictable results and potential system degradation
Administrative Portals:
• Grant access to the Teams Admin Center & Pro Management portals only to those who need to manage devices,
and scope those permissions to specific devices.
Conditional Access with Teams Devices
Teams Devices support integration with Conditional Access in Azure Active Directory.
Plan your access strategy around both the account being used and the device type. This
matters both for the Conditional Access policies assigned to the account and for the
capabilities of the device against those policies.
Examples include:
• Shared Android Devices vs Android Mobile Phones
• Use of Filters for Devices to configure granular policies
• Use of Multi Factor Authentication
Tip: Use the “What If” tool within Microsoft Entra Admin Center to view what policies are being
applied to the accounts your devices will sign in with.
Tip: Check which policies are supported per device type.
Tip: Check out our best practices for Conditional Access and Intune compliance.
Understanding Intune Enrollment
Android enrollment
• Company Portal client built into the firmware enrolls using Device
Administrator profile at time of login.
• Controlled by the assignment of the Intune license to the resource
account the device signs into.
• Intune enrollment is recommended for all Teams Android devices
Windows enrollment
• Leverages existing Windows 10 IoT enrollment process
• Devices can be enrolled into Intune with two methods:
  • Using the Teams resource account
  • Using a DEM account for bulk enrollment, which allows the
  device to be set up in shared device mode (Recommended)
• Can be automated using a provisioning package.
See: Enrolling Microsoft Teams Rooms on Windows devices with Microsoft
Endpoint Manager - Microsoft Tech Community
[Figure: Conditional Access policy and compliance settings for Teams Android devices]
Conditional Access policy:
• Users & Groups:
• Cloud Apps: Exchange Online, Microsoft Teams, SharePoint Online
• Conditions:
  • Device Platforms: Android
  • Locations: All trusted locations
  • Device Scoping Filters: Teams Android Device Models
• Grant Type: Grant Access, Block
• Controls: Require Device to be marked as Compliant
Compliance Settings:
• Rooted Devices: Block
• Minimum OS: 8.0
• Actions for non-compliance: Mark device noncompliant: Immediately
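The resource account guidance under Security Considerations and the Conditional Access settings above can be checked against exported policies. The following is an added example, not part of the playbook or of Microsoft's tooling: it assumes policies exported in the Microsoft Graph conditionalAccessPolicy shape, and the group ID, policy names and sample data are constructed placeholders.

```python
# Added example: audit Conditional Access policies for room resource accounts.
# Policy dicts follow the Microsoft Graph conditionalAccessPolicy shape; the
# group ID, policy names and sample data below are constructed placeholders.
ROOMS_GROUP = "00000000-0000-0000-0000-0000000000aa"  # hypothetical resource account group

SAMPLE_POLICIES = [
    {"displayName": "All users - require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Teams rooms - compliant device, trusted locations", "state": "enabled",
     "conditions": {"users": {"includeGroups": [ROOMS_GROUP]},
                    "platforms": {"includePlatforms": ["android"]},
                    "locations": {"includeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def applies_to_group(policy, group_id):
    """True if the policy reaches members of group_id (group-level scoping only)."""
    users = policy["conditions"]["users"]
    if group_id in users.get("excludeGroups", []):
        return False
    return "All" in users.get("includeUsers", []) or group_id in users.get("includeGroups", [])


def audit(policies, group_id):
    """Return findings where enabled policies diverge from the playbook's guidance."""
    findings, dedicated = [], []
    for p in policies:
        if p.get("state") != "enabled" or not applies_to_group(p, group_id):
            continue
        name = p["displayName"]
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if "mfa" in controls:
            findings.append(f"{name}: MFA is enforced on room resource accounts")
        if "All" in p["conditions"]["users"].get("includeUsers", []):
            findings.append(f"{name}: user policy does not exclude the room account group")
        else:
            dedicated.append((p, controls))  # policy scoped to the room accounts
    if not any("compliantDevice" in c for _, c in dedicated):
        findings.append("no dedicated policy requires a compliant device")
    if not any("AllTrusted" in loc.get("includeLocations", []) + loc.get("excludeLocations", [])
               for loc in ((p["conditions"].get("locations") or {}) for p, _ in dedicated)):
        findings.append("no dedicated policy uses a trusted-location condition")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES, ROOMS_GROUP):
        print(finding)
```

With the constructed sample, both findings come from the user-wide MFA policy; adding the room account group to its `excludeGroups` clears them.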
Monitoring Teams Devices
[Figure: tools shown for stages I to VI, marked Recommended or Available: Teams Admin Center, 3rd Party Tools, Configuration Files, Group Policy, SCCM]
• Ensure you have installed the latest version of the QER MTR Power BI template
• Review QER MTR Power BI for MTR health and user experience issues and remediate
• Sign on to the Teams Room Pro Management Portal and confirm updates are
applying successfully and no issues need to be addressed
• Sign on to Teams Admin Center and confirm devices are updated and no issues need to be
addressed
• Review new Teams Room software releases for MTRoW and MTRoA
• Review What’s New In Teams Devices for a complete list of updates
• Review the Microsoft 365 Roadmap for planned and released MTR features
• Review the Teams blog for insights into new and upcoming features and announcements for
Teams, including MTR
• Review health & usage reports in Teams Pro Management Portal