Network Authentication Methods for Microsoft Teams Rooms on Windows

When configuring a Microsoft Teams Rooms on Windows (MTR-W) device to connect to your enterprise network, you may run into network authentication issues that can prevent the device from connecting or staying connected to your network. This article explains network authentication for MTR-W and why machine-based authentication should be used for both wired and wireless connections.

Windows Network Authentication Methods

In most enterprise environments, 802.1X authentication is used for both wired and wireless networks to ensure that only authorized devices and users can connect. Typically, administrators configure Windows devices to use one of two primary authentication methods for network access: user-based authentication or machine-based authentication.

User-Based Authentication

User-based authentication allows a Windows device to authenticate to the enterprise network using the credentials of the currently logged-in Windows user. For Microsoft Teams Rooms on Windows devices, after the system boots, Teams Rooms automatically signs into a local Windows user account named “Skype”, which has no password. This is the account Windows will use for user-based network authentication.

Important: Don’t change the password or edit the local Skype user account. Doing so can prevent Teams Rooms from automatically signing in.

If you want to configure an MTR-W device for user-based network authentication, you’ll need to work with your identity team to approve the use of the local MTR-W account “.\Skype” with no password as valid network credentials. This is not recommended; use machine-based authentication instead.

The image below illustrates how the local Skype account is used by Teams Rooms to launch the MTR-W end-user conferencing experience.

Machine-Based Authentication

Machine-based authentication uses the machine’s identity and a certificate to authenticate the Windows device to the network. This authentication method operates independently of which user account is signed into Windows. Because authentication is based on the machine, instead of the user, this is the method that should be used for MTR-W devices to authenticate with both wired and wireless networks.

Wireless Networks

Traditionally, Microsoft Teams Rooms devices are configured to use wired network connections for the best performance and due to MTR’s fixed, console-based nature. However, with the availability of Teams Rooms on Surface Hub, configuring MTR devices for wireless networks has become more common. If your organization hasn’t previously configured devices to use machine-based authentication on your wireless network, you’ll need to work to enable this and then configure the MTR-W devices accordingly.

Implement Machine-Based Authentication

To implement machine-based authentication, follow these steps:

  1. Consult with your networking team: Work with your IT department’s networking team to understand the requirements for implementing and using machine-based authentication in your organization. Explain this is needed for MTR-W conferencing devices to authenticate with the network.
  2. Work with network vendor: If you or your network team require further support, contact your network vendor’s support team. Inform them that you need assistance configuring your environment to enable Windows 11 IoT Enterprise devices (MTR-W) to authenticate via machine-based authentication.
  3. Configure the device: Install the necessary network profile and certificate for machine-based authentication. As a test, ensure the device can authenticate to the network before any local user signs into Windows. This confirms network access is granted based on the machine, not the user.

Network Profile

When creating or validating the XML network profile for machine-based authentication, ensure authMode is set to “machine”. Any other authMode setting will result in MTR-W defaulting to user-based network authentication, which won’t work due to the OS behavior mentioned in this article.
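One way to validate the authMode setting before deploying a profile, shown as an added example that is not part of the original article or any Microsoft tooling: the function name Test-OneXAuthMode, the trimmed sample profile and the C:\Temp\profiles folder are all constructed for illustration.

```powershell
# Added example: Test-OneXAuthMode and the sample profile are constructed for illustration.
function Test-OneXAuthMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ProfileXml,
        [string]$Name = '(inline)'
    )
    # authMode lives in the OneX element, which has its own XML namespace
    # in both wired (LANProfile) and wireless (WLANProfile) exports.
    $ns    = @{ onex = 'http://www.microsoft.com/networking/OneX/v1' }
    $hit   = Select-Xml -Xml ([xml]$ProfileXml) -XPath '//onex:OneX/onex:authMode' -Namespace $ns |
             Select-Object -First 1
    $mode  = if ($hit) { $hit.Node.InnerText.Trim() } else { $null }
    $shown = if ($mode) { $mode } else { '<not set>' }
    [pscustomobject]@{
        Profile   = $Name
        AuthMode  = $shown
        # Only an explicit, exact "machine" passes; a missing element fails too.
        Compliant = ($mode -ceq 'machine')
    }
}

# Constructed wired profile, trimmed to the relevant elements (EAP settings omitted).
$sample = @'
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
      </OneX>
    </security>
  </MSM>
</LANProfile>
'@

# The weak setting next to the corrected one.
Test-OneXAuthMode -ProfileXml $sample -Name 'constructed-wired'
Test-OneXAuthMode -ProfileXml ($sample -replace 'machineOrUser', 'machine') -Name 'constructed-wired-fixed'

# To audit profiles already on a device, export them first (folder path is an assumption):
#   netsh lan  export profile folder=C:\Temp\profiles
#   netsh wlan export profile folder=C:\Temp\profiles
#   Get-ChildItem C:\Temp\profiles\*.xml | ForEach-Object {
#       Test-OneXAuthMode -ProfileXml (Get-Content $_.FullName -Raw) -Name $_.Name }
```

A profile that passes this check still needs the boot-time test from step 3: confirm the device authenticates before any local user signs in.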
