Microsoft Teams Rooms on Windows and Teams Android device security
This article provides security guidance for Microsoft Teams Rooms devices on both Windows and Android as well as Teams panels, Teams Phone, and Teams Displays. This guidance includes information on hardware, software, network, and account security.
Select the Teams Rooms on Windows or Teams Android devices tab for more information on security for your device.
Microsoft works with our partners to deliver a solution that is secure and doesn't require extra actions to secure Microsoft Teams Rooms on Windows. This section discusses many of the security features found in Teams Rooms on Windows.
For information about security on Teams Rooms on Android devices, select the Teams Rooms on Android tab.
Note
Microsoft Teams Rooms should not be treated like a typical end-user workstation. Not only are the use cases vastly different, but the default security profiles are also much different, we recommend treating them as appliances. Installing additional software on your Teams Rooms devices is not supported by Microsoft. This article applies to Microsoft Teams Rooms devices running on Windows.
Limited end-user data is stored on Teams Rooms. End-user data may be stored in the log files for troubleshooting and support only. No attendees of a meeting using Teams Rooms can copy files to the hard drive or sign in as themselves. No end-user data is transferred to, or accessible by, the Microsoft Teams Rooms device.
Even though end users can't put files on a Teams Rooms hard drive, Microsoft Defender is still enabled out of the box. Teams Rooms performance is tested with Microsoft Defender, including enrolling into the Defender for Endpoint portal. Disabling this or adding endpoint security software can lead to unpredictable results and potential system degradation.
Hardware security
In a Teams Rooms environment, there's a central compute module that runs Windows 10 or 11 IoT Enterprise edition. Every certified compute module must have a secure mounting solution, a security lock slot (for example, Kensington lock), and I/O port access security measures to prevent the connection of unauthorized devices. You can also disable specific ports via Unified Extensible Firmware Interface (UEFI) configuration.
Every certified compute module must ship with Trusted Platform Module (TPM) 2.0 compliant technology enabled by default. TPM is used to encrypt the login information for the Teams Rooms resource account.
Secure boot is enabled by default. Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. For more information, see Secure boot.
Access to UEFI settings is only possible by attaching a physical keyboard and mouse, which prevents being able to access UEFI via the Teams Rooms touch-enabled console or any other touch-enabled displays attached to Teams Rooms.
Kernel Direct Memory Access (DMA) Protection is a Windows setting that is enabled on Teams Rooms. With this feature, the OS and the system firmware protect the system against malicious and unintended DMA attacks for all DMA-capable devices: during the boot process and against malicious DMA by devices connected to easily accessible internal/external DMA-capable ports, such as M.2 PCIe slots and Thunderbolt 3, during OS runtime.
Teams Rooms also enable Hypervisor-protected code integrity (HVCI). One of the features provided by HVCI is Credential Guard. Credential Guard provides the following benefits:
Hardware security NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
Virtualization-based security Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
Better protection against advanced persistent threats When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using Virtualization-based security, the credential theft attack techniques, and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by Virtualization-based security.
Software Security
After Microsoft Windows boots, Teams Rooms automatically signs into a local Windows user account named Skype. The Skype account has no password. To make the Skype account session secure, the following steps are taken.
Important
Don't change the password or edit the local Skype user account. Doing so can prevent Teams Rooms from automatically signing in.
The Microsoft Teams Rooms app runs using the Assigned Access feature found in Windows 10 1903 and later. Assigned Access is a feature in Windows that limits the application entry points exposed to the user and enables single-app kiosk mode. Using Shell Launcher, Teams Rooms is configured as a kiosk device that runs a Windows desktop application as the user interface. The Microsoft Teams Rooms app replaces the default shell (explorer.exe) that usually runs when a user logs on. In other words, the traditional Explorer shell doesn't get launched at all which greatly reduces the Microsoft Teams Rooms vulnerability surface within Windows. For more information, see Configure kiosks and digital signs on Windows desktop editions.
If you decide to run a security scan or a Center for Internet Security (CIS) benchmark on Teams Rooms, the scan can only run under the context of a local administrator account as the Skype user account doesn't support running applications other than the Teams Rooms app. Many of the security features applied to the Skype user context don't apply to other local users and, as a result, these security scans don't surface the full security lockdown applied to the Skype account. Therefore, we don't recommend to running a local scan on Teams Rooms. However, you can run external penetration tests if so desired. Because of this configuration, we recommend that you run external penetration tests against Teams Rooms devices instead of running local scans.
Additionally, lock down policies are applied to limit nonadministrative features from being used. A keyboard filter is enabled to intercept and block potentially insecure keyboard combinations that aren't covered by Assigned Access policies. Only users with local or domain administrative rights are permitted to sign into Windows to manage Teams Rooms. These and other policies applied to Windows on Microsoft Teams Rooms devices are continually assessed and tested during the product lifecycle.
Microsoft Defender is enabled out of the box. The Teams Rooms Pro license also includes Defender for Endpoint, which allows customers to enroll their Teams Rooms into Defender for Endpoint. This enrollment can provide security teams visibility into the security posture of Teams Room on Windows devices from the Defender portal. Teams Rooms on Windows can be enrolled following the steps for Windows devices. We don't recommend modifying Teams Rooms using protection rules (or other Defender policies that make configuration changes) as these policies can impact Teams Rooms functionality; however, reporting functionality into the portal is supported.
Account Security
Teams Rooms devices include an administrative account named "Admin" with a default password. We strongly recommend that you change the default password as soon as possible after you complete setup.
The Admin account isn't required for proper operation of Teams Rooms devices and can be renamed or even deleted. However, before you delete the Admin account, make sure that you set up an alternate local administrator account configured before removing the one that ships with Teams Rooms devices. For more information on how to change a password for a local Windows account using built-in Windows tools or PowerShell, see these guides:
You can also import domain accounts into the local Windows Administrator group by using Intune. For more information, see Policy CSP – RestrictedGroups..
Note
If you are using a Crestron Teams Rooms with a network connected console, ensure you follow Crestron's guidance for how to configure the Windows account used for pairing.
Caution
If you delete or disable the Admin account before granting local Administrator permissions to another local or domain account, you may lose the ability to administer the Teams Rooms device. If this happens, you'll need to reset the device back to its original settings and complete the setup process again.
Don't grant local Administrator permissions to the Skype user account.
Windows Configuration Designer can be used to create Windows provisioning packages. Along with changing the local Admin password, you can also do things like changing the machine name and enrolling into Microsoft Entra ID. For more information on creating a Windows Configuration Designer provisioning package, see Provisioning packages for Windows 10.
You need to create a resource account for each Teams Rooms device so that it can sign into Teams. You can't use user interactive two-factor or multifactor authentication with this account. Requiring a user interactive second factor would prevent the account from being able to automatically sign into the Teams Rooms app after a reboot. In addition, Microsoft Entra Conditional Access policies and Intune Compliance Policies can be deployed to secure the resource account and achieve multifactor authentication through other means. For more information, see Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Conditional Access and Intune compliance for Microsoft Teams Rooms.
We recommend that you create the resource account in Microsoft Entra ID, if possible as a cloud-only account. While a synced account can work with Teams Rooms in hybrid deployments, these synced accounts often have difficulty signing into Teams Rooms and can be difficult to troubleshoot. If you choose to use a third-party federation service to authenticate the credentials for the resource account, ensure the third-party IDP responds with the wsTrustResponse
attribute set to urn:oasis:names:tc:SAML:1.0:assertion
. If your organization doesn't want to use WS-Trust, use cloud-only accounts instead.
Network Security
Generally, Teams Rooms has the same network requirements as any Microsoft Teams client. Access through firewalls and other security devices is the same for Teams Rooms as for any other Microsoft Teams client. Specific to Teams Rooms, the categories listed as "required" for Teams must be open on your firewall. Teams Rooms also need access to Windows Update, Microsoft Store, and Microsoft Intune (if you use Microsoft Intune to manage your devices). For the full list of IPs and URLs required for Microsoft Teams Rooms, see:
- Microsoft Teams, Exchange Online, SharePoint, Microsoft 365 Common, and Office Online Office 365 URLs and IP address ranges
- Windows Update Configure WSUS
- Microsoft Store Microsoft Store endpoints
- Microsoft Intune Network Endpoints for Microsoft Intune
- Telemetry client endpoint: vortex.data.microsoft.com
- Telemetry settings endpoint: settings.data.microsoft.com
For Microsoft Teams Rooms Pro Management Portal, you also need to make sure that Teams Rooms can access the following URLs:
- agent.rooms.microsoft.com
- global.azure-devices-provisioning.net
- gj3ftstorage.blob.core.windows.net
- mmrstgnoamiot.azure-devices.net
- mmrstgnoamstor.blob.core.windows.net
- mmrprodapaciot.azure-devices.net
- mmrprodapacstor.blob.core.windows.net
- mmrprodemeaiot.azure-devices.net
- mmrprodemeastor.blob.core.windows.net
- mmrprodnoamiot.azure-devices.net
- mmrprodnoamstor.blob.core.windows.net
- mmrprodnoampubsub.webpubsub.azure.com
- mmrprodemeapubsub.webpubsub.azure.com
- mmrprodapacpubsub.webpubsub.azure.com
GCC customers will also need to enable the following URLs:
- mmrprodgcciot.azure-devices.net
- mmrprodgccstor.blob.core.windows.net
Teams Rooms is configured to automatically keep itself patched with the latest Windows updates, including security updates. Teams Rooms installs any pending updates every day beginning between 2:00 - 3:00 am local device time using a preset local policy. There's no need to use other tools to deploy and apply Windows Updates. Using other tools to deploy and apply updates can delay the installation of Windows patches and thus lead to a less secure deployment. The Teams Rooms app is deployed using the Microsoft Store.
Teams Rooms devices work with most 802.1X or other network-based security protocols. However, we're not able to test Teams Rooms against all possible network security configurations. Therefore, if performance issues arise that can be traced to network performance issues, you may need to disable these protocols.
For optimum performance of real time media, we strongly recommend that you configure Teams media traffic to bypass proxy servers and other network security devices. Real time media is very latency sensitive and proxy servers and network security devices can significantly degrade users' video and audio quality. Also, because Teams media is already encrypted, there's no tangible benefit from passing the traffic through a proxy server. For more information, see Networking up (to the cloud)—One architect’s viewpoint, which discusses network recommendations to improve the performance of media with Microsoft Teams and Microsoft Teams Rooms. If your organization utilizes tenant restrictions, it's supported for Teams Rooms on Windows devices following the configuration guidance in the prepare your environment document.
Teams Rooms devices don't need to connect to an internal LAN. Consider placing Teams Rooms in a secure isolated network segment with direct Internet access. If your internal LAN becomes compromised, the attack vector opportunities towards Teams Rooms is reduced.
We strongly recommend that you connect your Teams Rooms devices to a wired network. The use of wireless networks requires careful planning and assessment for the best experience. For more information, see Wireless network considerations.
Proximity Join and other Teams Rooms features rely on Bluetooth. However, the Bluetooth implementation on Teams Rooms devices doesn't allow for an external device connection to a Teams Rooms device. Bluetooth technology use on Teams Rooms devices is currently limited to advertising beacons and prompted proximal connections. The ADV_NONCONN_INT
protocol data unit (PDU) type is used in the advertising beacon. This PDU type is for nonconnectable devices advertising information to the listening device. There's no Bluetooth device pairing as part of these features. More details on Bluetooth protocols can be found on the Bluetooth SIG website.