Use Intune to configure Teams QoS for Windows Clients (when you don’t have GPOs)

Last updated on June 16th, 2022 at 02:23 am

Businesses are increasingly adopting Teams as their company telephony solution. At the same time, many are also ditching on-prem Active Directory and turning to Endpoint Manager with Azure AD for device and identity management. In many cases, implementing QoS won’t make a noticeable difference in audio/video performance. However, if the organization has a more complex network, it can be greatly beneficial. With QoS configured, you will achieve more consistent performance for the traffic targeted by the QoS policy, regardless of how busy your network is on a given day.

QoS and why should we use it?

For anyone not familiar with QoS, it’s essentially the prioritization of certain types of traffic. In this case – Teams audio/video network traffic for Windows clients. The goal of this post is not a deep dive into QoS; it’s to show you how to use Intune to deploy the Teams QoS configuration to your Windows clients. For a brief overview of QoS I recommend you watch Kevin Wallace’s 20-minute video on QoS – https://www.youtube.com/watch?v=xp1V_NRf0qY. Understand that QoS markings are not honored over the internet. Once the packets leave your edge router, the traffic is treated like any other Internet traffic.

For this to work properly, you must have network hardware that is configured to use QoS. So, what is the drawback of implementing this? Or, what if I have hybrid employees with laptops who work at home some days? Will this affect their performance at home, since their home network hardware likely doesn’t even support QoS? No. If network hardware doesn’t support QoS or is not configured for it, it simply does not read the QoS header and routes traffic like normal with “best effort”.

Implementation:

Microsoft provides some well-written documentation here – https://docs.microsoft.com/en-US/microsoftteams/qos-in-teams?WT.mc_id=TeamsAdminCenterCSH. Enabling QoS for handsets is rather easy. You simply enable this in the Teams admin center under meeting settings. The handsets will get these settings after their next reboot.

But what about the Windows clients? Well, they need to be told to mark QoS traffic; they do not pull the configuration from the Teams admin center. Microsoft’s official documentation says… to use Group Policy 🙁 https://docs.microsoft.com/en-us/microsoftteams/qos-in-teams-clients. For those with clients that have no on-prem AD with group policy, Microsoft was kind enough to provide pre-built PowerShell scripts for this. The scripts are located in their documentation and contain the recommended default start/end ports (https://docs.microsoft.com/en-US/microsoftteams/qos-in-teams?WT.mc_id=TeamsAdminCenterCSH).

Now we just have to combine these three lines into a single script and push it out to our Windows Intune clients. You may be tempted to use the Scripts section in Endpoint Manager for this. That will work, but I recommend using a Win32 app instead. Win32 apps allow us more flexibility and can be deployed with detection rules (scripts cannot). So, let’s have a look at the scripts we need to package our Win32 app. The install/uninstall scripts are located here – https://github.com/gnon17/MS-Cloud-Scripts/tree/main/teams. The install script is the three Microsoft PowerShell script lines in one script, and the uninstall script removes the QoS entries.

Next, package your Win32 application using the IntuneWinAppUtil by placing both scripts in the same folder and specifying the necessary fields.

After creating the intunewin package, create a new Win32 app. Give it a name and complete the fields you’d like. When you get to the install/uninstall commands, use:

Powershell.exe -executionpolicy bypass .\TeamsQoS.ps1

Powershell.exe -executionpolicy bypass .\TeamsQoS-Uninstall.ps1

For the detection rule, there are three registry keys created by the install command. The uninstall command removes those keys. So, we use the registry detection rule for all three. The path to the keys is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS. Each of our three detection entries points to one of the keys and checks that it exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\Teams Audio

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\Teams Video

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\Teams Sharing
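
The three "key exists" rules above only prove the keys are there, not that they still hold the intended settings. The script below is an added example (not from the original post or the linked repo) that could be used as a custom detection script instead: it checks each key and also compares the DSCP value and port range. It assumes the install script uses Microsoft's recommended default ports and DSCP values, and that the policies are stored under the value names `DSCP Value` and `Local Port`.

```powershell
# Added example: custom detection script for the Teams QoS Win32 app.
# Intune reports "detected" only when the script exits 0 and writes to STDOUT.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\QoS'

# Key names are from the article. The port ranges and DSCP values are assumed
# to be Microsoft's recommended defaults; change them to match your install script.
$expected = @(
    @{ Name = 'Teams Audio';   Ports = '50000:50019'; Dscp = '46' }
    @{ Name = 'Teams Video';   Ports = '50020:50039'; Dscp = '34' }
    @{ Name = 'Teams Sharing'; Ports = '50040:50059'; Dscp = '18' }
)

$problems = foreach ($policy in $expected) {
    $key = Join-Path -Path $base -ChildPath $policy.Name
    if (-not (Test-Path -LiteralPath $key)) {
        "$($policy.Name): registry key is missing"
        continue
    }

    # 'DSCP Value' and 'Local Port' are the value names assumed here for
    # policy-based QoS entries; confirm them on a machine with a good install.
    $values = Get-ItemProperty -LiteralPath $key
    if ($values.'DSCP Value' -ne $policy.Dscp) {
        "$($policy.Name): DSCP is '$($values.'DSCP Value')', expected $($policy.Dscp)"
    }
    if ($values.'Local Port' -ne $policy.Ports) {
        "$($policy.Name): ports are '$($values.'Local Port')', expected $($policy.Ports)"
    }
}

if ($problems) {
    # Non-zero exit code: Intune treats the app as not installed.
    $problems | ForEach-Object { [Console]::Error.WriteLine($_) }
    exit 1
}

Write-Output 'Teams QoS policies present with expected DSCP values and port ranges'
exit 0
```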

Complete the Win32 app setup and deploy to your target groups. Here is a snip of the reg keys/values after a successful install:

After making a test call from Teams and performing a packet capture at my edge firewall, you can see the DSCP markings in the packets using expedited forwarding, as specified for Teams audio.