Removing Classic Teams is a Nightmare, help needed
Posted by MrHappyface92@reddit | sysadmin | View on Reddit | 13 comments
Hi All,
I've been wracking my brain on this for a few weeks now and wondered if anybody has a solution.
The Scenario is that we are attempting to remove Classic Teams from all computers, we're able to do this fairly well using Platform Scripts or Win32 apps within Intune, however I can only seem to get this to run "As User", I'm guessing due to the app being a User Based installation.
The problem is, MS Defender is still reporting a few thousand devices as being vulnerable, when you check the inventories you can see these are the remaining vulnerable items:
File paths
C:\Users\Administrator\AppData\Local\Microsoft\Teams\current\Teams.exe
Registry paths
HKEY_USERS\Administrator\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
The primary user of this computer has been able to uninstall Teams but .\administrator which is a local account that was created as part of the Task Sequence still remains flagged.
For the life of me I can't seem to get Intune to remove Teams from the Administrator account or profiles that are no longer signed in and likely won't ever be, if I run my script AS user I can get this done.
These Administrator accounts use LAPS so I can't easily use the password details to authenticate as them and run it as user, in my situation a lot of these accounts haven't been signed in for a long time and unless we were to do this by hand, probably will never be.
Our Teams Global Policy is currently set to New Teams Only and we've successfully got new Teams everywhere, Classic Teams is no longer usable but our reporting is still haywire because of Teams Machine-Wide Installer, I'd honestly be quite happy just to delete these Registry Keys and Executable files but outside of being logged in as the user, only the executable is viewable meaning that the REG key still flags.
Things I've attempted:
- TeamsBootStrapper -u
- Script uninstall using uninstall string found in RegEdit (works as user)
- Script using uninstall string for ALL users as SYSTEM (does not work) - Multiple attempts at this
- Script to remove vulnerable .exe and reg key (Able to remove .exe, SYSTEM cannot view items past this key: Computer\HKEY_USERS\S-#-#-####\Software\Microsoft\Windows\CurrentVersion\Uninstall - Meaning Teams Key is not deletable)
I'm considering running my script that is able to remove AS user but attempting to authenticate as a Global Administrator instead, hoping that this will be able to view the registry keys that SYSTEM can't, but waiting to get some business red tape out of the way before I try this.
Has anyone faced a similar situation? Any help would be much much much appreciated.
Unable-Entrance3110@reddit
This is what I run as the user to remove classic Teams Outlook add-in and Teams itself, respectively:
MsiExec.exe /qn /norestart /X{A7AB73A3-CB10-4AA5-9D38-6AEFFBDE4C91}
"%LocalAppData%\Microsoft\Teams\Update.exe" --uninstall -s
UnderstandingHour454@reddit
Any idea how to accomplish this as System or to avoid UA prompts when running these? I've been trying to uninstall Teams Classic and Teams Machine-Wide Installer from all our devices now that we just use the O365 installer to handle Teams installs/updates.
I've tried running "teamsbootstrapper.exe -u" running as system and the user through our RMM tool. As system it just doesn't do anything, and as the user, it pops a UA prompt. I've tried:
start-process -wait MsiExec.exe -argumentlist "/X{731F6BAA-A986-45A4-8936-7C3AAAAA760B} /q"
This resulted in Teams Classic uninstalling, but no uninstall of Teams Machine-Wide Installer
I've also tried this, but I'm not seeing this ID on our systems:
start-process -wait MsiExec.exe -argumentlist "/X{F2CAD463-0DCB-4779-8169-AD35CE71E47C} /q"
I also don't see this one posted earlier:
MsiExec.exe /qn /norestart /X{A7AB73A3-CB10-4AA5-9D38-6AEFFBDE4C91}
Lastly, I iterated through all the user profiles (usually just one) with the following:
$users = Get-ChildItem "C:\Users\" | Where-Object { $_.Name -ne "Public" }
foreach($user in $users)
{
}
I've combined all of these, and I still find the Teams Machine-Wide Installer still on devices until I manually intervene. Just looking for a solution on this.
Unable-Entrance3110@reddit
Your first UUID (731F6BAA-A986-45A4-8936-7C3AAAAA760B) was what I have as the MWI in my system. You run that one as an elevated user.
The rest of the Teams uninstalls need to be done within the user's context. I am not sure that you can run the Classic Teams uninstaller as an elevated user unless that is the user context you want to remove Teams from.
I am sure that you could simply delete the directories and registry entries for Teams manually if you want to do everything as admin.
retiredaccount@reddit
Why not just delete those profiles? You say they’re not being used and may never be. So delete them!
MrHappyface92@reddit (OP)
These are local accounts, while I agree personally we don't need them our processes hamstring me enough where I don't have enough say to have these removed unfortunately, they're not domain profiles so get made when Windows Pro is installed via Task Sequence.
I've sorted any new PCs that are being bought and imaged but it's the old stock I have issues with.
Playing the business politics to remove the .\administrator account is going to be fruitless, we've got offices all over Europe so I'd require sign off from too many people that don't care or need any say in a change like that.
retiredaccount@reddit
As others have already explained, delete the profiles not the accounts. You got this!
MeanE@reddit
You don't have to remove the account. Just delete the whole profile. It's safe to delete since nobody is using the account and there is no user data there. It will be recreated if someone logs in as the local admin.
humptydumpty369@reddit
This exact issue occurred in our environment. MS support's final solution was for us to manually remove the file and key from every profile or delete the profiles.
mangonacre@reddit
My thoughts exactly. Even if they are being used, they should be recreated the next time that account is logged on to that computer, and without a 'machine-wide installer', that profile should not have classic Teams.
7ep3s@reddit
IDK about Defender, but in Tenable's case I think it just cares if the files exist from a vulnerability report perspective. So you can just try to nuke them from all profiles as system on some machines to test and see if anything catches fire.
Gakamor@reddit
Here's a script that I posted a while back that other people have had success with. https://www.reddit.com/r/sysadmin/comments/193bz6r/comment/kh894tk/
KneticTheory@reddit
Tried the MS SARA tool?
gandraw@reddit
You probably have to "reg load" the ntuser.dat in those dormant user profiles to delete the key in their HKCU. SYSTEM will have the right to load and view all keys in those files if you load them first.
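The "reg load" approach from the comment above, as an added example that is not part of the thread or any poster's script: run as SYSTEM, it mounts each dormant profile's NTUSER.DAT, deletes the classic Teams uninstall key, removes the Teams folder that Defender flags, and unloads the hive. The function name Remove-ClassicTeamsResidue and the mount point HKU\TempHive are assumptions; the key and folder paths are the ones listed in the original post.

```powershell
#Requires -RunAsAdministrator
# Added example: clean classic Teams leftovers from profiles that are not logged on.
# Assumed names: Remove-ClassicTeamsResidue, temporary mount point HKU\TempHive.
function Remove-ClassicTeamsResidue {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $subKey      = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams'
    $mount       = 'HKU\TempHive'
    foreach ($entry in Get-ChildItem $profileList) {
        $sid = $entry.PSChildName
        if ($sid -in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') { continue }  # system/service profiles
        # A hive already mounted under HKU\<SID> belongs to a signed-in user; leave it
        # to the per-user uninstall, which the thread reports as working.
        if (Test-Path "Registry::HKEY_USERS\$sid") { continue }
        $path = (Get-ItemProperty $entry.PSPath).ProfileImagePath
        $hive = Join-Path $path 'NTUSER.DAT'
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        & reg.exe load $mount $hive 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive"; continue }
        try {
            # reg query returns 0 only when the key exists in this profile's hive.
            & reg.exe query "$mount\$subKey" 2>$null | Out-Null
            if ($LASTEXITCODE -eq 0 -and $PSCmdlet.ShouldProcess($sid, "delete $subKey")) {
                & reg.exe delete "$mount\$subKey" /f | Out-Null
            }
        } finally {
            # Always unload, otherwise NTUSER.DAT stays locked for the next logon.
            & reg.exe unload $mount | Out-Null
        }
        $teamsDir = Join-Path $path 'AppData\Local\Microsoft\Teams'
        if ((Test-Path -LiteralPath $teamsDir) -and $PSCmdlet.ShouldProcess($teamsDir, 'remove folder')) {
            Remove-Item -LiteralPath $teamsDir -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

Remove-ClassicTeamsResidue -WhatIf   # dry run; drop -WhatIf to apply the changes
```

With -WhatIf the hives are still mounted and unmounted so the key can be checked, but nothing is deleted; the output lists which profiles would be touched.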