Forum Discussion
December 2023 Windows update defaulting to New Teams
TimLB What we noticed was that a new 8KB shortcut was created on the user's device and URL file associations were modified first. Then, when a user clicked on a link to a Teams meeting (from an email, for example), it would prompt them to use "Microsoft Teams (work or school)" or "Microsoft Teams". Clicking on "Microsoft Teams (work or school)" would launch the 8KB shortcut, which would then install the full application. Very sneakily done by MS! Then, once the installation is complete and the user tries to launch a meeting, they will experience the behaviour you described. We also have policies created to block new Teams, but MS always finds a way!
If you want to see this behaviour in action, I recommend you review device logs in Defender. The easiest way: in Defender itself, search for "ms-teams.exe" in the top Search bar. When the results start showing up, make sure to click on one from the "Files" section. That will open the Files profile page for ms-teams.exe. Once there, click on any of the devices in the Device name column. The Device page will load and you should review the Timeline. You are looking for an entry similar to "svchost.exe has initiated a TLS connection to https://statics.teams.cdn.office.net" or "OfficeClickToRun.exe has initiated a TLS connection to https://statics.teams.cdn.office.net". Once you locate that entry, the "mechanism" of how this works will be in the many lines above. For security reasons, I can't share what our log looks like, but you'll see .js, .gz, .svg, as well as ms-teams.exe, and many other ms- files being created. If you click on any of them you'll be able to confirm the path.
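
The same timeline review can be run across all devices from Defender advanced hunting. The query below is an added example, not part of the original post: it pairs the TLS connections described above with `ms-` file creations on the same device. The 30-day lookback and the 15-minute window are assumptions to adjust.

```kusto
// Added example (not from the original post).
// Assumptions: 30-day lookback, 15-minute correlation window.
let lookback = 30d;
let window = 15m;
// Step 1: connections to the Teams CDN started by the two processes
// named in the post.
let cdnConnections =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteUrl has "statics.teams.cdn.office.net"
    | where InitiatingProcessFileName in~ ("svchost.exe", "OfficeClickToRun.exe")
    | project DeviceId, DeviceName, ConnectionTime = Timestamp,
              Initiator = InitiatingProcessFileName, RemoteUrl;
// Step 2: "ms-" files (including ms-teams.exe) created on the same device
// close to that connection.
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where FileName startswith "ms-"
| join kind=inner cdnConnections on DeviceId
| where Timestamp >= ConnectionTime - window
    and Timestamp <= ConnectionTime + window
// Step 3: one row per device and connection, with the files and the
// folders they were written to, so the install path can be confirmed.
| summarize FirstFileCreated = min(Timestamp),
            FilesCreated = make_set(FileName, 50),
            Folders = make_set(FolderPath, 20),
            WrittenBy = make_set(InitiatingProcessFileName, 10)
    by DeviceName, ConnectionTime, Initiator
| order by ConnectionTime desc
```

Devices that appear here despite a policy blocking new Teams are the ones to open in the Timeline view for the full sequence.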