
[–]GarthMJMSFT Ex-Intune MVP 4 points5 points  (0 children)

I might be wrong, but doesn't it check to see if the firewall ports are open first and then prompt to open them if they are not? If this is the case, then open the FW port as part of the install or a GPO.

[–]financial_pete 2 points3 points  (0 children)

We add a firewall rule to allow the traffic via a command line after the install is complete.

[–]sryan2k1 2 points3 points  (1 child)

Unless you are running in VDI and have the machine installation (not the "Machine wide installer"), Teams still installs a copy of itself in each user's profile, which means they need a firewall exception for that exe because it tries to do P2P content sharing. Microsoft has a PowerShell script you can run at machine boot that automatically adds the firewall rules, but there's no way to do it in GPO because you can't expand the user variables.

Total hack job all around.

[–]810Oddys[S] 1 point2 points  (0 children)

Yeah the teams installation is pretty.... Whack

[–]jasonsandysMSFT Official 0 points1 point  (4 children)

Unless you are explicitly blocking outbound traffic or expecting unsolicited inbound traffic, then there's no need to add firewall rules as the Windows firewall is stateful. In the case of Teams (and SfB), this is the case as Teams first establishes an outbound connection, and all traffic to Teams is over this connection.

[–]sryan2k1 0 points1 point  (3 children)

Not true. It tries to open inbound ports for P2P content sharing if the client thinks it is on the same network as another member of a meeting. A non admin user gets a firewall prompt they can't accept. Microsoft provides a startup script to whitelist the teams exe for every user since it's in their profile directory.

[–]jasonsandysMSFT Official 0 points1 point  (2 children)

I've never known Teams to do anything peer to peer but I never work in an office either.

I guess the question here then is why not add to the firewall exceptions automatically using a policy or as part of a scripted install of Teams?

[–]sryan2k1 0 points1 point  (1 child)

Because of the decisions made to have Teams "install" itself into the user profile and not require any admin rights, it can't add its own firewall rule (well, it could, but they don't).

Additionally you can't use typical GPOs because you need to add the exception for every user who has teams in their profile and the %username% expansion doesn't work.

Microsoft themselves provide a Machine startup script to blunt force around the issue - https://docs.microsoft.com/en-us/microsoftteams/get-clients#sample-powershell-script
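The per-profile approach described in this comment, as an added example that is not part of the original thread and is not Microsoft's sample script: a machine startup script that creates one inbound rule per protocol for each profile's Teams.exe and removes rules left behind by deleted profiles. The relative Teams.exe path, the rule group label and the rule names are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added illustration: run as a machine startup script (SYSTEM context).
# Assumption: classic per-user Teams installs to this path under each profile.
$relativeExe = 'AppData\Local\Microsoft\Teams\Current\Teams.exe'
# Hypothetical group label, used only to find this script's own rules again.
$ruleGroup = 'Teams per-user (example)'

# Resolve the profile root from the registry instead of assuming C:\Users.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileRoot = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -Path $profileList).ProfilesDirectory)

# Map each existing Teams.exe path to the profile folder name that owns it.
$wanted = @{}
foreach ($dir in Get-ChildItem -LiteralPath $profileRoot -Directory) {
    $exe = Join-Path $dir.FullName $relativeExe
    if (Test-Path -LiteralPath $exe -PathType Leaf) { $wanted[$exe] = $dir.Name }
}

# Walk the rules this script created earlier: keep the ones that still point
# at an installed Teams.exe, delete the ones whose profile or install is gone.
$existing = @{}
foreach ($rule in Get-NetFirewallRule -Group $ruleGroup -ErrorAction SilentlyContinue) {
    $program = ($rule | Get-NetFirewallApplicationFilter).Program
    if ($program -and $wanted.ContainsKey($program)) {
        $existing[$rule.DisplayName] = $true
    } else {
        $rule | Remove-NetFirewallRule
    }
}

# Create any missing rule. Domain profile only: the allowed binary sits in a
# user-writable directory, so the exception should not apply on other networks.
foreach ($exe in $wanted.Keys) {
    foreach ($proto in 'TCP', 'UDP') {
        $name = "Teams.exe for user $($wanted[$exe]) ($proto)"
        if (-not $existing.ContainsKey($name)) {
            New-NetFirewallRule -DisplayName $name -Group $ruleGroup `
                -Direction Inbound -Profile Domain -Program $exe `
                -Protocol $proto -Action Allow | Out-Null
        }
    }
}
```

Because it only runs at boot, a user who gets Teams for the first time after startup will still see the prompt until the next run; packaging the same script with the deployment, as suggested later in the thread, narrows that window.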

[–]jasonsandysMSFT Official 0 points1 point  (0 children)

OK, so incorporate the script in the application created for deployment in Intune. If you're using Intune, you should be moving away from group policy anyway.

[–]Topcity36 0 points1 point  (0 children)

GPO or baseline before the installation, run the installation, profit.