Solved

Managing 'stale' MS Teams installs under Windows

  • 7 August 2023
  • 7 replies
  • 207 views

Userlevel 1
Badge

We use Tenable.io for vulnerability scanning and it has flagged a number of Windows endpoints that have old versions of Teams installed. I was puzzled by this as Automox patches Teams, and it turns out that because we’re using the machine-wide installer, the Teams application is being installed into the user’s AppData directory. This will only get updated if the user logs in, but we don’t regularly log in with some accounts.

I’ve read suggested fixes including:

  1. Create a GPO that deletes old accounts from the machines. This is problematic for us IT admins.
  2. Remove the machine wide installer so that Teams is not automatically installed when a user first logs in.

Has anyone found a way to resolve this using Automox? I’d be interested to learn how others have resolved this.

 

TIA

Best answer by AnthonyM-Automox 7 August 2023, 18:48


Userlevel 1

Good morning @sparrowhawk!

 

This is quite an interesting dilemma! I did some reading to brush up on the particulars of the Teams machine-wide installer behavior. While I don’t know that we can directly solve for keeping the user-level installs current, a potential remedy that occurs to me is through Worklets we could:

  1. Ascertain the version of the installed machine-wide Teams package
  2. Enumerate all users that have logged into the device and:
    • Discern the last time the account logged in
    • Identify the version of the user-level (AppData-installed) Teams package
  3. IF the user has not logged in for a certain amount of time (e.g. 14 days), AND IF the user-level Teams client is behind the machine-wide installer’s version, THEN we uninstall the user-level Teams package for the non-compliant account.

 

While not a perfect solution, it should resolve orphaned/vulnerable Teams installations and clean up your reporting.

 

If this is something you’d like to dive further into, just let me know and we can cook up some Worklet scripts for this.

 

Hope this helps, and thanks for the question!

 

- Anthony M.
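
The three steps proposed above, sketched as an added example (not Automox's Worklet and not code from this thread). It assumes the classic Teams layout (`Teams Installer\Teams.exe` under Program Files (x86), `AppData\Local\Microsoft\Teams` per profile) and the per-user `Update.exe --uninstall -s` switch; it only reports unless `-Remediate` is passed.

```powershell
# Added example: audit stale per-user classic Teams installs; remove only with -Remediate.
param(
    [int]$StaleDays = 14,   # threshold suggested in the post; adjust to policy
    [switch]$Remediate
)

function Get-ExeVersion([string]$Path) {
    # Build a [version] from the numeric parts; FileVersion strings can carry extra text.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

# Step 1: version of the machine-wide installer payload (assumed path).
$installer = Join-Path ${env:ProgramFiles(x86)} 'Teams Installer\Teams.exe'
if (-not (Test-Path -LiteralPath $installer)) {
    Write-Output 'Machine-wide installer not found; nothing to compare against.'
    exit 0
}
$machineVersion = Get-ExeVersion $installer
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Step 2: walk real (non-special) profiles and inspect each per-user install.
foreach ($up in Get-CimInstance Win32_UserProfile -Filter 'Special = FALSE') {
    $teamsDir = Join-Path $up.LocalPath 'AppData\Local\Microsoft\Teams'
    $teamsExe = Join-Path $teamsDir 'current\Teams.exe'
    if (-not (Test-Path -LiteralPath $teamsExe)) { continue }

    $userVersion = Get-ExeVersion $teamsExe
    # LastUseTime may be null or bumped by non-logon activity: treat it as approximate.
    $stale  = ($null -ne $up.LastUseTime) -and ($up.LastUseTime -lt $cutoff) -and (-not $up.Loaded)
    $behind = $userVersion -lt $machineVersion

    # Step 3: act only when BOTH conditions hold, and only when asked to.
    $action = 'none'
    if ($stale -and $behind) {
        $action = 'flagged'
        $updater = Join-Path $teamsDir 'Update.exe'
        if ($Remediate -and (Test-Path -LiteralPath $updater)) {
            # Assumption: the profile's own updater uninstalls that profile's copy.
            Start-Process -FilePath $updater -ArgumentList '--uninstall -s' -Wait
            $action = 'uninstalled'
        }
    }
    [pscustomobject]@{
        Profile = $up.LocalPath; LastUse = $up.LastUseTime
        UserVersion = $userVersion; MachineVersion = $machineVersion; Action = $action
    }
}
```

Run it without `-Remediate` first and compare the flagged profiles against the scanner's findings before allowing any uninstall.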

 

Userlevel 1
Badge

Hi Anthony, thanks very much for your reply. You’re right, this is a tricky one.

What you suggest sounds reasonable, but as you say, it’s not perfect. It does seem a bit inelegant to reinstall and uninstall Teams for infrequently used accounts e.g. admin accounts.

But then I’m not sure what the impact of moving away from the machine wide installer might be either.

I’m just discussing your proposal with my team and will let you know what we decide.

Thanks again!

Userlevel 1

As an additional point I didn’t touch on originally: we could also leverage the PreventInstallFromMsi registry value to prevent installation from the machine-wide package for things like dedicated “admin” accounts and similar.

Userlevel 1
Badge

Ah, that’s a great idea. Ok, then I’m interested in helping you put this Worklet together. Let me know what you need from me.

Cheers

Userlevel 1


I’m going to continue this thread over private message to facilitate a time to discuss more in-depth, if possible.

 

Look forward to getting this buttoned up!

 

- Anthony M.

 

Userlevel 1
Badge

Hi @AnthonyM-Automox , I can’t reply to your PM?

“This member can only receive messages from members they are following.”

Userlevel 1

Whoops, fixed!
