Security of Microsoft Teams Room Devices

MTRs have become the meeting room systems of choice for many organisations. Generally available in two forms, i.e. on Windows or on Android. Security is a major concern affecting businesses around the world. Here we at VideoCentric summarise why we believe it is one of the safest forms of communication. And Why Microsoft certification of devices remains critically important when choosing your systems.

The first point we must make, and this is reinforced by Microsoft on its own website. Is that MTRs must not be treated like any other computer workstation. Whether on Windows or Android, they must be treated as appliances and installing additional software on Teams Room devices is NOT supported. Android devices look like, and are therefore treated like, appliances. So in this article, we focus on those that do not look like appliances, i.e. Microsoft Teams Rooms on Windows (MTRoW).

Here we have summarised the main points but encourage a full read of Microsoft’s own website. Where it is expanded in full and is regularly updated.

See the reference at the foot of the bullet points.

1. Limited Storage of End User Data:
   • The Microsoft Teams Room (MTR) system ensures minimal storage of end-user data, primarily retaining support log files only. This deliberate limitation enhances privacy and reduces the risk associated with storing sensitive information on the system.
2. Anonymous Meeting Room Access:
   • Attendees do not sign in individually but instead use a shared meeting room resource. This approach promotes a streamlined and secure meeting experience without individual user accounts being involved.
3. File Copy Restrictions:
   • Users are restricted from copying files to the hard drive. Emphasising a controlled environment where potential security threats through file transfer are mitigated.
4. Isolation of End User Data:
   • The system ensures that no end-user data is accessible or transferred to the MTR device. Maintaining a secure boundary between user information and the meeting room hardware.
5. Microsoft Defender Integration:
   • Despite limitations on file transfer, Microsoft Defender remains enabled on the MTR, providing an additional layer of security through real-time threat detection and prevention.
6. Trusted Platform Module 2.0 Compliance:
   • Microsoft certifies computing processors compliant with Trusted Platform Module 2.0, enhancing security by encrypting login data and safeguarding against unauthorised access.
7. Secure Boot Default Setting:
   • Secure boot is enabled by default, verifying the signature of each software component, including drivers, applications, and the operating system. This prevents the execution of unsigned or malicious code.
8. Physical Keyboard and Mouse Security:
   • Certain settings are accessible only through a physical keyboard and mouse, preventing unauthorised access through the touch control panel or hand-held remote, adding an extra layer of physical security.
9. Direct Memory Access (DMA) Protection:
   • DMA protection is activated on Windows for all MTRs, guarding against malicious attacks that might attempt to exploit vulnerabilities in direct memory access.
10. Assigned Access for Limited Functionality:
    • Windows’ Assigned Access feature restricts entry points, replacing the default explorer.exe shell with the MS Teams Room application. This limits functionalities to essential components, reducing the attack surface.
11. External Penetration Tests:
    • Microsoft recommends IT staff to conduct external penetration tests on MTRs, emphasising a proactive approach to identifying and addressing potential security vulnerabilities.
12. Administrative Rights Restriction:
    • Only users with local or domain administrative rights can sign in to manage an MTR on Windows, ensuring that only authorized personnel can make configuration changes.
13. Protected Portal:
    • Teams Room Pro licenses include Defender for Endpoint, enabling secure enrolment of the MTR into the Defender Portal and providing advanced threat protection.
14. Resource Account Requirement:
    • A resource account is necessary for each MTR to sign into Teams. Modern Authentication replaces two-factor or multi-factor authentication, and MS Entra Conditional Access and Intune Compliance policies can be deployed for additional security.
15. Standardised Firewall Access:
    • Access through firewalls and other security devices for MTRs is consistent with any other Teams client, ensuring a standardized and secure communication pathway.
16. Automated Update Installations:
    • Microsoft ensures the timely installation of updates, including security patches, at 2 am every day, reducing the window of vulnerability and keeping the MTR system up-to-date.
17. Limited Bluetooth Usage:
    • Bluetooth technology on Teams is restricted and certified, with wired connectivity recommended over WiFi. This limitation minimises potential security risks associated with wireless communication.

It’s important to note that the details provided here are a comprehensive overview, and for the most up-to-date and detailed information, it’s advisable to refer to Microsoft’s official website, as indicated in the provided reference.

For a full explanation of all these points, and more, including URLs to be accessed, network security and portal prerequisites, go to Microsoft’s Release Notes!

VideoCentric maintains a list of all Microsoft-certified MTRs, Android bars, Cameras, Microphones, Speakers, DSPs, add-on peripherals etc and demonstrates most of them live in its Thames Valley showroom where you can visit in person or arrange a remote Teams session at short notice. We are proud to share our 30 years’ experience in video communications with you and compare the best on test. We are continually updating our systems, providing our pre and post sales teams with the equipment and knowledge they need to support you properly, usually without reference to our manufacturers and with sufficient spares for next business day swap out of faulty equipment, keeping your meeting rooms up and running without RTB return delays.

Contact our Sales Team Here!