Forum Discussion
Older versions of Teams are still appearing in the registry for other user profiles and are being fl
Hello,
I wanted to update you on the issues we are facing after cleaning Classic Teams. Older versions of Teams are still appearing in the registry for other user profiles and are being flagged as vulnerable in 365 Defender, specifically in the HKEY_USERS registry path for other users.
For example, as evidence from the Defender portal, here are some entries indicating software issues:
- Endpoint Name: TestPC
- Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams
- HKEY_USERS\user1\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
- HKEY_USERS\user2\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
- HKEY_USERS\user3\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
We attempted to remove the registry entries from other user profiles to clean up the Classic Teams presence by using the following commands:
```powershell
reg load "hku\$user" "C:\Users\$user\NTUSER.DAT"
Test-Path -Path "Registry::HKEY_USERS\$user\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"
```
For checking the registry presence, we used the detection and remediation method in Intune for cleaning Classic Teams. I ran the detection script on only three PCs for testing.
Surprisingly, we received a warning from Sentinel about "User and group membership reconnaissance (SAMR) on one endpoint," indicating a potential security incident involving suspicious SAMR (Security Account Manager Remote) queries. This was detected for admin accounts, DC, and also for an account belonging to someone who left the organization five years ago (ABC Admin).
I would appreciate your guidance on the best practices for detecting and removing Classic Teams leftovers in the registry for other user profiles.
Best Practice:
- How to detect and remove Classic Teams registry entries for other user profiles in the system.
- Best method? Using the Hive to load another user profile into the registry and remove the Classic Teams registry entries.
Reference Links:
- [Older versions of Teams showing in user profiles](https://answers.microsoft.com/en-us/msteams/forum/all/older-versions-of-teams-showing-in-user-profiles/2bc7563c-ccc9-4afc-b522-337acff9d20e?page=1)
- [Remove old user profiles on Microsoft Teams (Reddit)](https://www.reddit.com/r/PowerShell/comments/1bvjner/remove_old_user_profiles_on_microsoft_teams/)
- durairaj1991 (Copper Contributor)

```powershell
# Script that I used for detection

# Function to check registry for Teams
function Check-TeamsRegistry {
    param (
        [string]$hiveName
    )
    $registryPaths = @(
        "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"
    )
    foreach ($path in $registryPaths) {
        $fullPath = "Registry::HKEY_USERS\$hiveName\$path"
        if (Test-Path -Path $fullPath) {
            return $true
        }
    }
    return $false
}

# Get all user profiles except system profiles and Public/Default profiles
$userProfiles = Get-ChildItem 'C:\Users' | Where-Object {
    $_.PSIsContainer -and
    $_.Name -notlike "ITAdmin" -and
    $_.Name -notlike "zzzadmin" -and
    $_.Name -notlike "yyyadmin" -and
    $_.Name -notlike "xxxadmin" -and
    $_.Name -notlike "Public" -and
    $_.Name -notlike "Default*"
}

$registryCheck = $false
foreach ($userProfile in $userProfiles) {
    $userName = $userProfile.Name
    $userProfilePath = $userProfile.FullName
    $ntUserDatPath = "$userProfilePath\NTUSER.DAT"
    if (Test-Path -Path $ntUserDatPath) {
        $hiveName = "TEMP_HIVE_$userName"
        $hiveLoaded = $false
        try {
            # Load the user hive. reg.exe does not throw, so check its exit code
            # (the load fails when the user is logged on and the hive is in use).
            reg load "HKEY_USERS\$hiveName" "$ntUserDatPath" 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg load exited with code $LASTEXITCODE" }
            $hiveLoaded = $true
            Write-Host "Loaded hive for $userName" -ForegroundColor Green
            if (Check-TeamsRegistry -hiveName $hiveName) {
                Write-Host "Teams installation found for user: $userName" -ForegroundColor Green
                $registryCheck = $true
            } else {
                Write-Host "No Teams installation found for user: $userName" -ForegroundColor Yellow
            }
        } catch {
            $errorMessage = $_.Exception.Message
            Write-Host "Failed to load hive for '$userName': $errorMessage" -ForegroundColor Red
        } finally {
            if ($hiveLoaded) {
                # Release PowerShell's registry handles so the unload is not refused
                [gc]::Collect()
                # Unload the user hive
                reg unload "HKEY_USERS\$hiveName" 2>&1 | Out-Null
                Write-Host "Unloaded hive for $userName`n" -ForegroundColor Green
            }
        }
    } else {
        Write-Host "NTUSER.DAT not found for user: $userName`n" -ForegroundColor Red
    }
}

# Get Teams installation paths
$TeamsClassic = Get-ChildItem -Path "C:\Users\*\AppData\Local\Microsoft\Teams\current" -Filter "Teams.exe" -ErrorAction SilentlyContinue
$TeamsPersonal = Get-AppxPackage -Name MicrosoftTeams -AllUsers
$TeamsNew = Get-ChildItem "C:\Program Files\WindowsApps" -Filter "MSTeams_*"

# Check if Classic Teams is installed from registry
$ClassicTeamsRegistry = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Teams" -ErrorAction SilentlyContinue

# Check if Classic Teams is installed from registry (current user)
$ClassicTeamsRegistry_CurrentUser = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams" -ErrorAction SilentlyContinue

# Check if Teams registry path exists for current user
$ClassicTeamsRegistry_CurrentUserExists = Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams"

# Output values of the registry checks
Write-Host "ClassicTeamsRegistry: $ClassicTeamsRegistry" -ForegroundColor Yellow
Write-Host "ClassicTeamsRegistry_CurrentUser: $ClassicTeamsRegistry_CurrentUser" -ForegroundColor Yellow
Write-Host "ClassicTeamsRegistry_CurrentUserExists: $ClassicTeamsRegistry_CurrentUserExists" -ForegroundColor Yellow

# Output values of the Teams installation paths
Write-Host "`nTeamsClassic: $TeamsClassic" -ForegroundColor Yellow
Write-Host "TeamsPersonal: $TeamsPersonal" -ForegroundColor Yellow
Write-Host "TeamsNew: $TeamsNew" -ForegroundColor Yellow

# Determine result based on detection checks
if (-not $TeamsClassic -and -not $TeamsPersonal -and $TeamsNew -and -not $registryCheck -and -not $ClassicTeamsRegistry -and -not $ClassicTeamsRegistry_CurrentUser -and -not $ClassicTeamsRegistry_CurrentUserExists) {
    Write-Host "`nClassic and Personal Teams Not Found, ClassicTeamsRegistry not found, or Teams registry path not found for current user.`nNew Teams Only!" -ForegroundColor Yellow
} else {
    Write-Host "`nClassic and Personal Teams Found!`nClassicTeamsRegistry found." -ForegroundColor Yellow
}

# Output success message
Write-Host "`nDetection script completed."
```
- kcelmer (Copper Contributor)
I'm having the same problem. I can't find Classic Teams installed on any of our endpoints, but Sentinel One keeps reporting CVEs from it on them all. Was there ever a fix?
- IS_Osayi (Copper Contributor)
I have a script that detects and cleans Teams Classic from an endpoint.
You can test this on a few of your endpoints to see if it works for you.
Remember to open PowerShell with admin privileges.
```powershell
# Get all user profiles on the machine (excluding special/system profiles)
$users = Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false }

foreach ($user in $users) {
    $sid = $user.SID
    $profilePath = $user.LocalPath
    $ntUserDatPath = "$profilePath\NTUSER.DAT"
    $teamsLocalAppDataPath = "$profilePath\AppData\Local\Microsoft\Teams"

    Write-Host "Processing user profile: $profilePath (SID: $sid)"

    # Remove Teams data folder from LocalAppData for each user
    if (Test-Path $teamsLocalAppDataPath) {
        Write-Host "Removing Teams application data from $teamsLocalAppDataPath"
        Remove-Item -Path $teamsLocalAppDataPath -Recurse -Force
    } else {
        Write-Host "Teams data folder not found for user: $profilePath"
    }

    # Check if NTUSER.DAT file exists for the user profile (for registry cleanup)
    if (Test-Path $ntUserDatPath) {
        # A logged-on user's hive is already mounted at HKEY_USERS\<SID>;
        # only load (and later unload) the hive when it is not mounted yet
        $hiveAlreadyLoaded = Test-Path -Path "Registry::HKEY_USERS\$sid"
        if (-not $hiveAlreadyLoaded) {
            # Load the user's registry hive into HKEY_USERS
            reg load "hku\$sid" "$ntUserDatPath" | Out-Null
        }

        # Set the path to the Teams uninstall registry key for the loaded hive
        $uninstallKey = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"

        # Check if the Teams uninstall registry key exists
        if (Test-Path -Path $uninstallKey) {
            Write-Host "Removing Teams uninstall registry entry for user: $profilePath"
            # Remove the Teams uninstall entry
            Remove-Item -Path $uninstallKey -Recurse -Force
        } else {
            Write-Host "No Teams uninstall entry found for user: $profilePath"
        }

        if (-not $hiveAlreadyLoaded) {
            # Release PowerShell's registry handles so the unload is not refused
            [gc]::Collect()
            # Unload the user's registry hive from HKEY_USERS
            reg unload "hku\$sid" | Out-Null
        }
    } else {
        Write-Host "NTUSER.DAT not found for user profile: $profilePath, skipping..."
    }
}

# Remove Teams from the machine-wide installed applications
# Note: querying Win32_Product makes Windows Installer run a consistency check
# on every installed MSI product, so this step can be slow
Write-Host "Uninstalling Teams Classic from the machine..."
$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Microsoft Teams*" }
if ($app) {
    $app.Uninstall()
    Write-Host "Teams Classic uninstalled from the machine."
} else {
    Write-Host "Teams Classic is not installed at the machine-wide level."
}

Write-Host "Teams Classic cleanup complete for all users."
```
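
Added example, not part of any post above and not Microsoft's own tooling: a report-only detection pass for the per-profile `Uninstall\Teams` key discussed in this thread, in the shape an Intune detection script uses (exit 1 when a leftover is found). It assumes Windows PowerShell 5.1 running elevated; the function name `Get-ClassicTeamsLeftover` and the `TEMP_` mount prefix are hypothetical.

```powershell
# Added example: report-only detection of Classic Teams uninstall keys in every user hive.
# Assumptions: Windows PowerShell 5.1, elevated; function name and TEMP_ prefix are hypothetical.
function Get-ClassicTeamsLeftover {
    $subKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams'
    $profiles = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special }
    foreach ($p in $profiles) {
        $sid    = $p.SID
        $hive   = Join-Path $p.LocalPath 'NTUSER.DAT'
        $mount  = $sid
        $loaded = $false
        # Logged-on users already have their hive mounted at HKEY_USERS\<SID>; read it in place.
        if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
            if (-not (Test-Path -LiteralPath $hive)) { continue }
            $mount = "TEMP_$sid"
            & reg.exe load "HKU\$mount" $hive 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Could not load hive for $($p.LocalPath)"
                continue
            }
            $loaded = $true
        }
        $key = $null
        try {
            # Read-only .NET handle that is closed explicitly, so the unload is not blocked.
            $key = [Microsoft.Win32.Registry]::Users.OpenSubKey("$mount\$subKey")
            if ($key) {
                [pscustomobject]@{
                    Profile        = $p.LocalPath
                    SID            = $sid
                    DisplayVersion = $key.GetValue('DisplayVersion')
                }
            }
        }
        finally {
            if ($key) { $key.Close() }
            if ($loaded) {
                [gc]::Collect(); [gc]::WaitForPendingFinalizers()
                & reg.exe unload "HKU\$mount" 2>&1 | Out-Null
            }
        }
    }
}

# Intune-style result: exit 1 means "leftover found, run remediation"; exit 0 means clean.
$found = @(Get-ClassicTeamsLeftover)
$found | Format-Table -AutoSize
if ($found.Count -gt 0) { exit 1 } else { exit 0 }
```

Because it opens keys read-only and changes nothing, the same script can be rerun after a cleanup to confirm that no profile still carries the entry.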