Skype Room Systems

Adding a Skype Room System to the domain

In general I would rather not join one, but to make managing them easier I find having them in a domain better.  The problem is once I do that, InfoSec knows about them, and they want to put patches on, and other software that may cause issues.  But let's put that aside.  Adding one to the domain is not that tricky.  It involves only a few steps:

  1. Creating an OU for the room systems
  2. Creating (and maybe blocking inheritance) GPO
  3. Adding the computer to the domain.

Simple right?

For the first step, I would assume you know how to create an OU.  I put all the SRS in one OU.  It makes managing them simpler and gives me a single place to look.  Also, by adding them to the domain, if your Skype deployment is on premises, the certificate authorities will be pushed down.  If you don't add them to the domain, you have to install the certificates for your internal PKI by hand (see my other post coming on dealing with this).  There is no other reason that I can think of besides that.  I also have delegation set up on that OU so my team that deploys room systems can add computers to that OU (since it sits under an OU that only Server Admins have access to).  But you will see later why you may not even need to delegate out permissions.

Create the group Policy.

These are all domain policies, not local policies.  By default there are two accounts on a Skype Room System, skype and admin.  The Administrator account is actually just admin.  The skype account has no password and the admin password is sfb.  There is nothing stopping you from changing these, and in fact I would recommend it.  But for this example, we are going to use the default passwords.

To allow the blank skype password you have to set this policy.  Be aware that once it is Disabled, local accounts with blank passwords can also authenticate over the network (RDP, SMB), not just at the console, which is one more reason to change the defaults.

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options: Accounts: Limit local account use of blank passwords to console logon only: Disabled

Allow Remote Desktop.  The catch with Remote Desktop, especially when logging in as the skype user (say, to do the app configuration remotely), is that settings changed over RDP are not remembered, so you always end up configuring from the actual console.

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections: Allow users to connect remotely by using Remote Desktop Services: Enabled

Control who can RDP into the system.  Note that this makes the two groups local administrators, which covers RDP as a side effect; if you only want RDP without admin rights, put the group into Builtin\Remote Desktop Users instead.

Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups: Groups: Domain\CSAdministrator, Domain\CSHelpDesk: Member of Builtin\Administrators

Computer Configuration\Preferences\Windows Settings\Registry

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Terminal Server
  • Value name: fDenyTSConnections
  • Value type: REG_DWORD
  • Value data: 0

Allow remote administration.  This one uses the predefined inbound rules listed.

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Inbound Rules

  • Remote Desktop – Shadow (TCP-In)
  • Remote Desktop – User Mode (UDP-In)
  • Remote Desktop – User Mode (TCP-In)
  • Remote Event Log Management (RPC-EPMAP)
  • Remote Event Log Management (NP-In)
  • Remote Event Log Management (RPC)
  • Inbound Rule for Remote Shutdown (RPC-EP-In)
  • Inbound Rule for Remote Shutdown (TCP-In)

Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile

  • Windows Firewall: Allow inbound remote administration exception
  • Windows Firewall: Allow inbound Remote Desktop exceptions

Disabling Windows Updates

There have been a few instances where Windows updates have had problems, or Windows Update has forced the system to reboot at an inopportune time, so I disable Windows Update.  This means that I have to manually push out updates via script or System Center (for the old people, that is SMS).  It also means that I am one revision behind.  Usually more than that, since I don't check that often.  Yes, I realize that this is overkill, but there are a lot of hands in GPOs, especially with InfoSec, and they may change something, so I want to keep these protected.

Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off access to all Windows Update features: Enabled

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update

Disable the following

  • Allow Automatic Updates immediate installation
  • Allow non-administrators to receive update notifications
  • Turn on recommended updates via Automatic Updates

Enable the following

  • Do not connect to any Windows Update Internet locations
  • Do not include drivers with Windows Updates
  • No auto-restart with logged on users for scheduled automatic updates installations

Log Files

There is a setting for where to store log files, so I have a GPO to create that directory and share it.

Computer Configuration\Preferences\Windows Settings\Folders

  • Path: c:\sfbLogs
  • Read-only: Disabled
  • Hidden: Disabled
  • Archive: Enabled

Computer Configuration\Preferences\Windows Settings\Network Shares

  • Share Name: sfblogs
  • Action: Update
  • folder path: c:\sfblogs

Setting up the auto-logon part.

Remember, it takes at least two reboots (because of fast logon optimization, where computer policy is applied asynchronously in the background) for the GPO to get applied.  So the first two times you will need to log on manually to bring up the console and reboot.  This is the magic of all of it, the only part that really matters to make this work.  The rest of the stuff above can be ignored, except for allowing the blank password, unless you changed the default.

Computer Configuration\Preferences\Windows Settings\Registry

The Hive and Key path for all of these is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value Name          Value Type   Value Data
AutoAdminLogon      REG_SZ       1
DefaultDomainName   REG_SZ       .  (that is a period)
DefaultUserName     REG_SZ       Skype
DefaultPassword     REG_SZ       (blank)

Notice the domain is ".".  This means use the local computer name; if I did not use ".", I would have to create a GPO for each computer name, since the Skype user is only a local account.  If I have changed the local Skype user password, I would update DefaultPassword here.  Bear in mind that DefaultPassword is stored in cleartext: any user on the device can read the Winlogon key, and a Group Policy Preference registry item is also written to Registry.xml in SYSVOL, which every domain user can read.  A non-blank password set this way is therefore not a secret.

Fixing the windows 10 creator update bug

There was an issue when the Windows 10 Creators Update came out that prevented the touchscreen from showing drop-downs or fly-out windows when in the console.  This fixes that issue; I just leave it in.

Computer Configuration\Preferences\Windows Settings\Registry

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SOFTWARE\Microsoft\TabletTip\1.7
  • Value Name: EnableDesktopModeAutoInvoke
  • Value type: REG_DWORD
  • value data: 0x1 (1)

Setting Power Options

The last GPO setting is to configure power management for the tablet.  In some cases a higher-level GPO already sets this, but the Room System has some special requirements, so I set it explicitly here.

Computer Configuration\Preferences\Control Panel Settings\Power Options\Power Plan (At least Windows 7) (Name: Balanced)\Power Plan (At least Windows 7) (Order: 1)\Properties

  • Action: Update
  • Make this the active Power Plan: Enabled
  • Name: Balanced

Setting                        Plugged in               Running on batteries
Require a password on wakeup   Yes                      Yes
Turn off hard disk after       20 minutes               10 minutes
Sleep after                    Never                    15 minutes
Allow hybrid sleep             Off                      On
Hibernate after                Never                    180 minutes
Lid close action               Sleep                    Sleep
Power button action            Sleep                    Sleep
Start menu power button        Do nothing               Do nothing
Link State Power Management    Maximum power savings    Maximum power savings
Minimum processor state        5 %                      5 %
Maximum processor state        100 %                    100 %
Turn off display after         10 minutes               5 minutes
Adaptive display               On                       On
Critical battery action        Hibernate                Hibernate
Low battery level              10 %                     10 %
Critical battery level         5 %                      5 %
Low battery notification       Off                      Off
Low battery action             Do nothing               Do nothing

The PowerShell Script

I have a script that does one simple thing: it enables PS Remoting.  I use a script to do this rather than a specific command line because it allows for more flexibility down the road, and, well, it is just simple.  The script is called SkypeRoomSystems.ps1 and is run as a Startup Script.

Computer Configuration\Policies\Windows Settings\Scripts\Startup:

  • Script order for this GPO: run Windows PowerShell scripts first
  • Name: SkypeRoomSystems.ps1

The script contains one line:

Enable-PSRemoting -Force -Confirm:$false
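Once the startup script has enabled PS Remoting, the same channel is the easiest way to confirm that the GPO settings above (blank-password policy, RDP, the Winlogon auto-logon values, the touch fix and the log share) actually landed on every room system after the two reboots.  The following audit script is an added example, not code from the original post; the OU distinguished name and the domain suffix are assumptions, and it needs the ActiveDirectory module on the workstation you run it from.

```powershell
# Added example (not from the original post): audit the GPO-applied SRS settings
# over PS Remoting. The OU below is an assumption; adjust to your environment.
# Requires the ActiveDirectory module locally and WinRM on the room systems
# (which is what the SkypeRoomSystems.ps1 startup script turns on).

$srsOu = 'OU=SkypeRoomSystems,OU=Workstations,DC=example,DC=com'   # assumption

# Runs on each room system and returns one object per device.
$audit = {
    $winlogon  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa       = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ts        = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tabletTip = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\TabletTip\1.7' -ErrorAction SilentlyContinue
    $skype     = Get-LocalUser -Name 'Skype' -ErrorAction SilentlyContinue
    $skypePwdRequired = if ($skype) { $skype.PasswordRequired } else { $null }
    $admins    = (Get-LocalGroupMember -Group 'Administrators' |
                  Select-Object -ExpandProperty Name) -join '; '

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        AutoAdminLogon        = $winlogon.AutoAdminLogon
        DefaultUserName       = $winlogon.DefaultUserName
        DefaultDomainName     = $winlogon.DefaultDomainName
        # Report only whether a cleartext DefaultPassword is present, never its value.
        DefaultPasswordSet    = [bool]$winlogon.DefaultPassword
        # 1 = blank-password local accounts limited to console logon (the OS default);
        # the GPO above sets this to 0.
        LimitBlankPasswordUse = $lsa.LimitBlankPasswordUse
        RdpEnabled            = ($ts.fDenyTSConnections -eq 0)
        TouchFlyoutFix        = ($tabletTip.EnableDesktopModeAutoInvoke -eq 1)
        SkypePasswordRequired = $skypePwdRequired
        LocalAdmins           = $admins
        LogShareExists        = [bool](Get-SmbShare -Name 'sfblogs' -ErrorAction SilentlyContinue)
    }
}

# Every computer object in the SRS OU is a target; unreachable ones are reported, not fatal.
$targets = Get-ADComputer -SearchBase $srsOu -Filter * |
           Select-Object -ExpandProperty DNSHostName
$results = Invoke-Command -ComputerName $targets -ScriptBlock $audit -ErrorAction Continue

$results |
    Select-Object Computer, AutoAdminLogon, DefaultUserName, DefaultDomainName,
                  DefaultPasswordSet, LimitBlankPasswordUse, RdpEnabled,
                  TouchFlyoutFix, SkypePasswordRequired, LogShareExists, LocalAdmins |
    Format-Table -AutoSize

# A device still on OS defaults (LimitBlankPasswordUse 1, AutoAdminLogon missing)
# has not finished its two reboots or is getting a parent OU's policy instead;
# check with "gpresult /scope computer /r" on that device.
```

Anything that comes back with SkypePasswordRequired = False and LimitBlankPasswordUse = 0 is a device where the blank skype account is usable over the network, which is the state this whole GPO set deliberately creates; the report is there so you know exactly which boxes are in that state.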

Adding the computer to the domain

We have now set all the group policies, so we can add the computer to the domain.  I prefer to pre-stage the computer in the domain; that makes sure it gets only the correct policies and I don't need to worry about it being moved later.  This is also helpful if you have one of those security setups where your admin password changes every day, because you can use your regular user credentials to add the computer to the domain from the console.

  1. Right-click on the OU and choose New > Computer
  2. Enter the computer name; I prefer all lower case
  3. For "User or group", choose Domain Admins, or another user account that will join the system.  I would recommend using your regular user account if you have a complex password or need to use a YubiKey or some other USB password tool

Go to the Skype Room System

  1. In the lower right corner, click the gear icon
  2. Click Settings; the default user is admin with sfb as the password
  3. Click on Windows Settings and then Admin Sign-in
  4. Click on Administrator in the lower left corner and use the same password
  5. From there change the computer name
    1. Click on File Explorer
    2. Expand This PC
    3. Press and hold on This PC to bring up the context menu
    4. Choose Properties
    5. Under Computer name, click Change settings on the right
    6. In the Computer Name tab, click Change to rename the computer
    7. Enter the computer name, click Apply/OK and reboot the system
  6. Go back to the administrator desktop like you did above
    1. This time, when you click Change, set "Member of: Domain" to the domain you want to join (make sure the computer name has already been created in the correct OU)

Reboot the System 2 more times.
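The pre-stage, rename and join steps above can also be done from PowerShell, which saves one of the reboots because Add-Computer can rename and join in the same operation.  This is an added example and not the original post's procedure; the OU, computer name, domain and the account used to join are assumptions.

```powershell
# Added example (not from the original post): pre-stage the computer object in the
# SRS OU, then rename and domain-join from the device in one step. OU, names,
# domain and the joining account are assumptions; adjust to your environment.

# ---- 1. On an admin workstation with the ActiveDirectory module ----
$srsOu   = 'OU=SkypeRoomSystems,OU=Workstations,DC=example,DC=com'   # assumption
$newName = 'conf-room-101'                                            # lower case, as the post prefers

# Creating the object in the SRS OU up front means the device gets only the SRS GPOs on
# its first domain boot and never lands in the default Computers container.
if (-not (Get-ADComputer -Filter "Name -eq '$newName'" -SearchBase $srsOu)) {
    New-ADComputer -Name $newName -SamAccountName $newName -Path $srsOu -Enabled $true
}

# ---- 2. On the room system's administrator desktop (signed in as .\admin) ----
# Get-Credential lets you use your regular user account, so a daily-rotating admin
# password or a hardware token is not a problem, as long as that account has the
# delegated right to join computers in the SRS OU (or was named in the New Computer dialog).
$cred = Get-Credential -Message 'Account allowed to join computers to the SRS OU'

# -NewName renames and joins with a single reboot instead of the two the GUI route needs.
Add-Computer -DomainName 'example.com' -NewName $newName -Credential $cred -Restart -Force

# ---- 3. After the reboots, back on the admin workstation ----
# Confirm the object is still in the SRS OU and that the device has logged on to the domain.
Get-ADComputer -Identity $newName -Properties LastLogonDate |
    Select-Object Name, DistinguishedName, LastLogonDate

# Once the startup script has enabled PS Remoting, confirm the secure channel and that the
# SRS GPOs (and not a parent OU's) are what was applied.
Invoke-Command -ComputerName "$newName.example.com" -ScriptBlock {
    Test-ComputerSecureChannel
    gpresult /scope computer /r
}
```

The join itself still needs the two further reboots the post describes before the auto-logon policy takes effect; the remote check at the end is what tells you whether you are there yet.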

Conclusion

One of the largest downsides of this is that when you do have to make any changes, you will need to enter the username as .\admin on the keyboard, which can be a pain with how the password field shows up behind the on-screen keyboard.

The other issue is that people refuse to treat it as an appliance since it is running Windows 10.  If you can, I would recommend exempting these systems from the standard Windows desktop update cycle and treating them like appliances.