Centrally managing Microsoft Teams Room devices is a must, especially if you’re in charge of a large fleet of devices, spread across multiple locations.
In this series, we’ll look at how you can use Microsoft Intune to manage MTR’s. In part 1, we’re focusing on customised themes – the look and feel of the device.
A shoutout to Ben Reader (twitter: @powers_hell) too for the assistance with Intune!
Let’s dive in!
Bits and Pieces You’ll need
There’s a few things you’ll need to ensure you have in place first:
- At least one Windows Based Microsoft Teams Room Device (MTR)
- An Office 365 tenant
- Suitable licensing for Microsoft Teams and Intune – more on this below
- Azure subscription – You can sign up for $200 free credit to get you started
Getting things set up
First things first, I’m starting with an out of the box Microsoft Teams Room (MTR) device. I’ll be using a Logitech TAP, but the actions apply to any windows-based MTR.
MTR Room Account
Our MTR will need a room account created for it within Office 365. The exact steps to create your room account will vary depending on if you’re purely within Office 365, or if you’re currently syncing from on premises AD.
Microsoft have the steps to create a room account documented here: https://docs.microsoft.com/en-us/microsoftteams/rooms/rooms-configure-accounts
Licensing the MTR
There are a number of ways to license an MTR for Intune:
- Meeting Room license
- Microsoft 365 E5 license
- Intune Device license
The simplest (and most cost effective) is to license your MTR with a meeting room license. This license grants the device:
- Phone System
- Audio Conferencing
- Microsoft Intune
In this example, I’m going to be licensing my test meeting room:
Licensing an Intune Administrator
To administer Intune, you’ll also need to grant an Intune license to one or more Intune Service Administrators (or Office 365 Global Tenant Administrators).
Again, there are a number of ways to achieve this. The easiest is to apply a Microsoft 365 E5 license to the administrator, or purchase a separate Intune license. You can even apply a 30 day M365 E5 trial license.
In my example, i’ve created a temporary admin account called firstname.lastname@example.org and have assigned it a trial M365 E5 license.
Note that if you don’t license an Intune Administrator and attempt to access the Intune portal (endpoint.microsoft.com), you’ll see various 403 access denied errors.
This account does not need global tenant administrator rights, but does need to be assigned Intune Admin rights, under Manage Roles > Devices under Users in the Office 365 Admin Center.
Setting up an Azure storage account
We need to set up a Storage Account in Azure to host our XML settings file and customised desktop background image.
To set the storage account up:
- Sign in to the Azure portal at https://portal.azure.com
- Search for Storage Accounts
- Click Add
- Fill out the Project Details.
You’ll more than likely need to create a new Resource Group, if you don’t already have a suitable one.
You’ll note too that I’ve changed the replication to Locally-redundant storage (LRS). There’s no need to have a geo-redundant storage platform for this use case.
- When ready, click Review + create to create the storage account.
- Once created, Open Settings > Static Website and tick Enabled to turn this feature on.
Make a note of the primary endpoint URL – we’ll need this later in our PowerShell script.
Securing Our Storage Account
Right now, our storage account’s web page (and anything we store on it) is accessible by anyone on the web.
Before we go any further, let’s secure this web site so that only our IP can access it.
- Click firewalls and virtual networks then click selected networks
- Add your current IP address in the Address Range field, and click Save
Configuring our custom theme settings
To configure various settings on your MTR devices, you’ll need to create an XML file with those settings contained within. You must name your XML file SkypeSettings.xml
Microsoft have documented all available variables that you can control within the XML file here: https://docs.microsoft.com/en-us/microsoftteams/rooms/xml-config-file
In this example, we’re going to be configuring the following settings via the XML file.
- Auto screen share
- Hiding the name of the meeting
- Setting Teams as the default client
- Enabling Bluetooth beaconing
- Disabling auto accept for proximity Join
- Enabling support for SfB meetings
- Enabling support for WebEx meetings
- Enabling custom info for third party meetings
- Disabling dual screen mode
- Where to send log files via email
- Custom Theming
We can safely remove the settings that we don’t want/need from within the file, so long as we keep the formatting the same, as well as the <SkypeSettings> </SkypeSettings> tags at the start and end of the file.
Here’s my XML file: (original xml file here)
<SkypeSettings> <AutoScreenShare>true</AutoScreenShare> <HideMeetingName>true</HideMeetingName> <IsTeamsDefaultClient>true</IsTeamsDefaultClient> <BluetoothAdvertisementEnabled>true</BluetoothAdvertisementEnabled> <AutoAcceptProximateMeetingInvitations>false</AutoAcceptProximateMeetingInvitations> <SkypeMeetingsEnabled>true</SkypeMeetingsEnabled> <TeamsMeetingsEnabled>true</TeamsMeetingsEnabled> <WebExMeetingsEnabled>true</WebExMeetingsEnabled> <UseCustomInfoForThirdPartyMeetings>true</UseCustomInfoForThirdPartyMeetings> <CustomDisplayNameForThirdPartyMeetings>Craig's Conference Room</CustomDisplayNameForThirdPartyMeetings> <CustomDisplayEmailForThirdPartyMeetings>email@example.com</CustomDisplayEmailForThirdPartyMeetings> <DualScreenMode>false</DualScreenMode> <DuplicateIngestDefault>false</DuplicateIngestDefault> <SendLogs> <EmailAddressForLogsAndFeedback>firstname.lastname@example.org</EmailAddressForLogsAndFeedback> <SendLogsAndFeedback>true</SendLogsAndFeedback> </SendLogs> <Theming> <ThemeName>Custom</ThemeName> <CustomThemeImageUrl>mtr-wallpaper.jpg</CustomThemeImageUrl> <CustomThemeColor> <RedComponent>100</RedComponent> <GreenComponent>100</GreenComponent> <BlueComponent>100</BlueComponent> </CustomThemeColor> </Theming> </SkypeSettings></SkypeSettings>
Custom Background Image
Our custom background image that will be displayed on the room’s displays needs to be exactly 3840×1080 pixels, and either a JPG, PNG or BMP.
Note that if the room only has a single display, by default the right hand side of the entire image will be displayed on the in-room displays. Dual display rooms will display the full image stretched across both displays.
Microsoft have produced a custom theme Photoshop template that can help you design your custom background, ensuring you don’t put graphics over on screen elements like the time.
I’m using a free wallpaper file in this example: mtr-wallpaper.jpg
Now that we have our background image file, and SkypeSettings.XML file we can upload these to our Azure Storage account using the Azure Storage Explorer
Deploying the theme via PowerShell
We need a way of getting our SkypeSettings.xml file, and our custom background image on to each of our MTRs.
To do this, we can use Intune to run PowerShell on each of our MTRs to connect to our storage account, download our SkypeSettings.xml and mtr-wallpaper.jpg file and place them in the correct location on the MTR.
Here’s our script: (original file here)
$WebClient = New-Object System.Net.WebClient
$WebClient = New-Object System.Net.WebClient
you’ll need to edit the DownloadFile locations in red text to point towards your Azure Storage URL that you took note of earlier.
C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState\as it is.
We’ll save this PowerShell script as mtr-custombg.ps1 on our local machine.
Upload the script into Intune
Now we need to upload the script into Intune.
Sign in to the Intune portal: https://endpoint.microsoft.com
Select Devices > Scripts
Give your PowerShell script a name, and click Next
Upload your mtr-custombg.ps1 file under Script Location
On the Assignments page select Selected Groups and choose the group that contains your MTR Devices from the list – for now, our MTR wont be in this list as we haven’t Azure-AD joined in yet.
This group should contain each of your MTR device computer names.
When ready, click Add to add your script.
Configure Intune Automatic Enrollment
If you have the correct Azure AD Premium licensing in place, you can use Intune auto enrollment to automatically enroll any Azure AD-joined machine to Intune.
If you don’t have the licensing in place, or want to enroll machines manually, you can skip this step.
- Sign in to the Intune portal: https://endpoint.microsoft.com
- Expand Devices > Enroll Devices > Automatic Enrollment
- Ensure that the MDM User Scope is set to All (unless you specifically don’t want to add all Azure-AD joined devices to Intune).
- Leave MAM set to none
- Hit Save
Note: If you don’t want all Azure AD joined machines to automatically enroll in Intune, you can select Some instead, and then target a security group that contains the user accounts you wish to target for Intune enrollment (ensure this group targets users, not devices).
Azure AD Join your MTR
Lets go ahead and Azure AD join our MTR:
- Log in to the local admin account on the MTR (username: .\admin password: sfb)
- Open Settings > Accounts > Access work or School
- Click Connect
- In the window that appears, click Join this device to Azure Active Directory
- Sign in using your Office 365 meeting room account details (e.g. email@example.com) – this account MUST be licensed with Microsoft Intune. you could also use an Intune DEM account here instead, if you wish.
- After a few moments, your MTR will be joined to Azure Active Directory.
Now we need to add our MTR to our MTR Devices group in Azure AD:
- Open the Azure Active Directory Portal > Groups > MTR Devices (or what ever you’ve named your group)
- Add our newly Azure-AD joined device into this group.
Extra Steps if you don’t have automatic enrollment enabled in Intune:
- Open Settings > Accounts > Access work or School
- In the sign in screen that appears, enter your meeting room account details again and sign in (e.g. firstname.lastname@example.org)
Once you have enrolled the device in Intune, you’ll need to wait a while for the device to connect to the Intune service and download the Microsoft Intune Management Extension.
This extension will then automatically run the PowerShell script, pulling down the SkypeSettings.XML and mtr-wallpaper.jpg file to the MTR.
Now that everything is in place, let’s test to make sure everything is working as expected
- Log in to your MTR as a local admin.
- Open Windows Explorer, and browse to c:\program files (x86)
- Check to ensure that the Microsoft Intune Management Extension folder exists
- Next, browse to C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState and confirm that mtrbg.png and SkypeSettings.XML exist within the folder
- Restart the MTR and confirm that the new background image is displayed on the in room displays
Making Changes to the Theme
From time to time, you’ll more probably want to update the theme and push those changes out to your MTRs.
To ensure your changes appear on your MTR devices, it’s important to understand how often Intune runs PowerShell scripts.
The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or changes. Once the script executes, it doesn’t execute again unless there’s a change in the script or policy. If the script fails, the Intune management extension agent will attempt to retry the script three times for the next 3 consecutive Intune management extension agent check-ins.
This means that if you wish to publish a new MTR background image, you’ll need to upload the image to your Azure Storage Account, and then re-upload your PowerShell script into Intune – even if your script hasn’t had any changes made to it.
Be sure to name your new MTR background image differently to your current image too – I’ve noticed that if the old and new image names are the same, they don’t update.
If you’d like to read up further on PowerShell scripts and Intune, Microsoft have documented the process here: https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
One of the most common issues that can occur is that the Intune management extension agent does not install on the MTR.
To solve this problem, first ensure the device is both Azure-AD joined, and enrolled correctly in Intune.
Next, ensure you’ve waited enough time (at least an hour) for the Intune management extension agent to download and install on the device.
Another common issue is that the theme doesn’t apply. Be sure that your SkypeSettings.XML file contains the correct file name and extension for your wallpaper file, and that your PowerShell script contains the correct URL to download the file from your Azure storage account. Check too that you can browse to the storage account from the MTR.
Managing your MTR deployment via Intune is straightforward, and enables you to have greater control of the end user experience.
About the Author:
Craig Chiffers is a Microsoft MVP who’s passionate about helping others transform their way of working with Microsoft Teams and is an organiser of the Sydney UC Meetup group.
Chiffers, C. (2020). Managing a Microsoft Teams Room (MTR) Device with Intune – Part 1 – Theme. Available at: https://blog.chiffers.com/2020/11/16/managing-a-microsoft-teams-room-mtr-device-with-intune-part-1-theme/ [Accessed: 25th November 2020].