Introduction: The Challenge of Managing Microsoft Teams Rooms
Microsoft Teams Rooms (MTR) are purpose-built devices that bring seamless Teams meetings into physical conference rooms. However, if you’re an IT admin or consultant trying to manage these devices with Microsoft Intune, you may have already hit a major wall: you can’t deploy standard applications like Win32 or MSI packages.
In this post, I’ll walk you through:
- Why app deployment fails on MTRs
- How to use Intune Proactive Remediation Scripts to install apps anyway
- A real-world script-based workaround you can implement today
This article is especially useful for IT administrators, Microsoft 365 consultants, and organizations managing MTR on Windows devices using Microsoft Intune.
What Are Microsoft Teams Rooms (MTR) Devices?
Microsoft Teams Rooms are specialized endpoints running Windows or Android, designed to facilitate video conferencing in meeting spaces.
This article focuses on MTR on Windows, which:
- Boots into a kiosk-like shell
- Uses a locked-down local user account (usually “Skype”)
- Automatically launches the Teams Rooms app
- Is managed differently from typical Windows endpoints
Why Are MTRs So Locked Down?
Because they’re designed to do one thing very well: run meetings reliably and securely. That means:
- Minimal background processes
- No user distractions
- Reduced vulnerability footprint
Unfortunately, this also means limited support for app deployment using traditional Microsoft Intune methods.
Why Standard App Deployment Doesn’t Work on MTR
Let’s quickly review how app deployment in Intune normally works:
- You upload a Win32 or MSI app
- Intune pushes it to the device
- The app installs silently in the background
But MTRs are a special case:
| Issue | Description |
|---|---|
| Kiosk Shell | MTR devices run a locked-down shell that prevents user interaction. |
| Limited Admin Access | The logged-in “Skype” user doesn’t have full local admin rights. |
| Silent Installs Often Fail | Even SYSTEM-context installs can hang or fail silently. |
| Win32 App Deployment Not Supported | MTRs are excluded from full app deployment via Intune. |
TL;DR: Intune treats MTRs like they’re manageable—but for apps, they’re basically off-limits.
What Can You Manage on MTR with Intune?
| Feature | MTR Support? |
|---|---|
| Enroll in Intune | ✅ Yes |
| Configuration Profiles (Wi-Fi, Certificates) | ✅ Yes |
| Compliance Policies | ✅ Yes |
| PowerShell Scripts | ⚠️ Limited |
| Win32/MSI App Deployment | ❌ Not Supported |
| Store App Deployment | ❌ Not Supported |
| Remediation Scripts | ✅ Yes — this is our workaround! |
The Workaround: Use Proactive Remediation Scripts
What Are Proactive Remediations in Intune?
Proactive Remediations are part of Endpoint Analytics in Microsoft Intune. They allow you to:
- Detect issues on endpoints (e.g., missing apps or settings)
- Run scripts in the SYSTEM context to remediate them
And because these scripts run as SYSTEM, they can bypass the user restrictions imposed by the MTR shell. That’s the secret sauce here.
Step-by-Step: Deploy Apps to MTR Devices Using Remediation Scripts
Step 1: Choose an Application
Pick an application with a silent installer. Examples include:
- Zoom Rooms Plugin
- Custom certificate tools
- Remote support agents
Pro tip: Avoid apps that require UI interaction or restart the system.
Step 2: Host the Installer
Since you can’t upload Win32 apps, host the installer externally:
- Azure Blob Storage with SAS token
- SharePoint Online
- A secure HTTPS server
Step 3: Write the Detection Script
This script checks whether the app is already installed.
powershellCopyEdit# Detect-Zoom.ps1
$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Zoom*" }
if ($app) {
exit 0 # App is installed
} else {
exit 1 # App is missing
}
Exit code
1tells Intune that remediation is needed.
Step 4: Write the Remediation Script
This script installs the application silently.
powershellCopyEdit# Remediate-Zoom.ps1
$installerUrl = "https://yourstorage.blob.core.windows.net/apps/ZoomRoomsInstaller.msi"
$tempPath = "$env:TEMP\ZoomInstall.msi"
$logPath = "C:\ProgramData\ZoomInstall.log"
Invoke-WebRequest -Uri $installerUrl -OutFile $tempPath -UseBasicParsing
Start-Process "msiexec.exe" -ArgumentList "/i `"$tempPath`" /quiet /norestart /log `"$logPath`"" -Wait
Remove-Item $tempPath -Force
Store logs in
C:\ProgramData\for later troubleshooting.
Step 5: Deploy via Intune
- Go to Endpoint Security > Endpoint Analytics > Proactive Remediations
- Click + Create Script Package
- Upload both scripts (Detect and Remediate)
- Assign the policy to a dynamic group of MTR devices
- Set the schedule (e.g., once a day)
Tip: Filter devices by naming convention like
MTR-*.
Real-World Example: Install Chocolatey on MTR
Let’s say you want to deploy Chocolatey to MTR devices to enable future package management.
Detection Script
powershellCopyEditif (Get-Command "choco" -ErrorAction SilentlyContinue) {
exit 0
} else {
exit 1
}
Remediation Script
powershellCopyEditSet-ExecutionPolicy Bypass -Scope Process -Force
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
This installs Chocolatey silently using PowerShell.
Security Tips for Remediation Scripts on MTR
Best practices to stay secure:
- Use SAS tokens for Azure Blob Storage to avoid public links.
- Avoid complex UIs or restarts in your install logic.
- Sign your scripts with a trusted certificate if possible.
- Log everything: install logs, errors, success flags.
How to Maintain This Workaround
Treat remediation scripts like code:
- Version control with GitHub or Azure Repos
- Store application versions and update logic
- Schedule re-checks weekly or monthly
- Rotate download URLs periodically if they expire
When Should You Use This Workaround?
| Use Case | Good Candidate? |
|---|---|
| Small hotfix | ✅ Yes |
| Lightweight plugin | ✅ Yes |
| Large apps with UI | ❌ No |
| Mission-critical installs | ⚠️ Use caution |
For complex applications, consider a manual install window, or coordinate with the OEM.
Alternatives to Intune Remediation Scripts
| Method | Notes |
|---|---|
| Manual Deployment | Good for one-off fixes |
| OEM Management Tools | Logitech Sync, Poly Lens, etc. |
| Group Policy | Works for Hybrid AAD Join MTRs |
| Teams Pro Management | Useful for Teams config, not apps |
Conclusion: MTR App Deployment is Possible—With the Right Tools
Deploying applications to Microsoft Teams Rooms using Intune isn’t supported natively—but that doesn’t mean it’s impossible. With a bit of scripting and smart use of Proactive Remediation, you can achieve automated, scalable, and relatively safe application installs.
This method:
- Uses supported Intune features (Endpoint Analytics)
- Works in the locked-down MTR environment
- Scales across multiple devices and locations
