Older versions of Teams are still appearing in the registry for other user profiles and are being fl


Hello,

 

I wanted to update you on the issues we are facing after cleaning Classic Teams. Older versions of Teams are still appearing in the registry for other user profiles and are being flagged as vulnerable in 365 Defender, specifically in the HKEY_USERS registry path for other users.

 

For example, as evidence from the Defender portal, here are some entries indicating software issues:

- Endpoint Name: TestPC

  - Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams

  - HKEY_USERS\user1\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams

  - HKEY_USERS\user2\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams

  - HKEY_USERS\user3\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams

 

We attempted to remove the registry entries from other user profiles to clean up the Classic Teams presence by using the following commands:

```powershell
reg load "hku\$user" "C:\Users\$user\NTUSER.DAT"
Test-Path -Path "Registry::HKEY_USERS\$user\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"
```

 

For checking the registry presence, we used the detection and remediation method in Intune for cleaning Classic Teams. I ran the detection script on only three PCs for testing.

 

Surprisingly, we received a warning from Sentinel about "User and group membership reconnaissance (SAMR) on one endpoint," indicating a potential security incident involving suspicious SAMR (Security Account Manager Remote) queries. This was detected for admin accounts, DC, and also for an account belonging to someone who left the organization five years ago (ABC Admin).

 

I would appreciate your guidance on the best practices for detecting and removing Classic Teams leftovers in the registry for other user profiles.

 

Best Practice:

- How to detect and remove Classic Teams registry entries for other user profiles in the system.

- Best method? Using the Hive to load another user profile into the registry and remove the Classic Teams registry entries.

 

Reference Links:

- [Older versions of Teams showing in user profiles](https://answers.microsoft.com/en-us/msteams/forum/all/older-versions-of-teams-showing-in-user-profil...)

- [Remove old user profiles on Microsoft Teams (Reddit)](https://www.reddit.com/r/PowerShell/comments/1bvjner/remove_old_user_profiles_on_microsoft_teams/)



1 Reply

 

```powershell
# Script that I used for Detection

# Function to check registry for Teams
function Check-TeamsRegistry {
    param (
        [string]$hiveName
    )

    $registryPaths = @(
        "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"
    )

    foreach ($path in $registryPaths) {
        $fullPath = "Registry::HKEY_USERS\$hiveName\$path"
        if (Test-Path -Path $fullPath) {
            return $true
        }
    }

    return $false
}

# Get all user profiles except system profiles and Public/Default profiles
$excludedProfiles = @("ITAdmin", "zzzadmin", "yyyadmin", "xxxadmin", "Public")
$userProfiles = Get-ChildItem 'C:\Users' | Where-Object {
    $_.PSIsContainer -and $_.Name -notin $excludedProfiles -and $_.Name -notlike "Default*"
}

$registryCheck = $false

foreach ($userProfile in $userProfiles) {
    $userName = $userProfile.Name
    $userProfilePath = $userProfile.FullName
    $ntUserDatPath = "$userProfilePath\NTUSER.DAT"

    if (Test-Path -Path $ntUserDatPath) {
        $hiveName = "TEMP_HIVE_$userName"
        $hiveLoaded = $false

        try {
            # Load the user hive. reg.exe does not throw on failure, so check its
            # exit code; the load fails (hive in use) when that user is signed in.
            reg load "HKEY_USERS\$hiveName" "$ntUserDatPath" 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) {
                throw "reg load exited with code $LASTEXITCODE (hive locked or access denied)"
            }
            $hiveLoaded = $true
            Write-Host "Loaded hive for $userName" -ForegroundColor Green

            if (Check-TeamsRegistry -hiveName $hiveName) {
                Write-Host "Teams installation found for user: $userName" -ForegroundColor Green
                $registryCheck = $true
            } else {
                Write-Host "No Teams installation found for user: $userName" -ForegroundColor Yellow
            }
        } catch {
            $errorMessage = $_.Exception.Message
            Write-Host "Failed to load hive for '$userName': $errorMessage" -ForegroundColor Red
        } finally {
            if ($hiveLoaded) {
                # Release the registry provider's handles first; otherwise reg unload
                # fails with "Access is denied" and the hive stays mounted.
                [gc]::Collect()
                [gc]::WaitForPendingFinalizers()
                reg unload "HKEY_USERS\$hiveName" 2>&1 | Out-Null
                if ($LASTEXITCODE -eq 0) {
                    Write-Host "Unloaded hive for $userName`n" -ForegroundColor Green
                } else {
                    Write-Host "Failed to unload hive for $userName`n" -ForegroundColor Red
                }
            }
        }
    } else {
        Write-Host "NTUSER.DAT not found for user: $userName`n" -ForegroundColor Red
    }
}

# Get Teams installation paths
$TeamsClassic = Get-ChildItem -Path "C:\Users\*\AppData\Local\Microsoft\Teams\current" -Filter "Teams.exe" -ErrorAction SilentlyContinue
$TeamsPersonal = Get-AppxPackage -Name MicrosoftTeams -AllUsers
# WindowsApps is ACL-restricted; suppress the access error when not running as SYSTEM
$TeamsNew = Get-ChildItem "C:\Program Files\WindowsApps" -Filter "MSTeams_*" -ErrorAction SilentlyContinue

# Check if Classic Teams is installed from registry
$ClassicTeamsRegistry = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Teams" -ErrorAction SilentlyContinue

# Check if Classic Teams is installed from registry Current Users
$ClassicTeamsRegistry_CurrentUser = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams" -ErrorAction SilentlyContinue

# Check if Teams registry path exists for current user
$ClassicTeamsRegistry_CurrentUserExists = Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams"

# Output values of the registry checks
Write-Host "ClassicTeamsRegistry: $ClassicTeamsRegistry" -ForegroundColor Yellow
Write-Host "ClassicTeamsRegistry_CurrentUser: $ClassicTeamsRegistry_CurrentUser" -ForegroundColor Yellow
Write-Host "ClassicTeamsRegistry_CurrentUserExists: $ClassicTeamsRegistry_CurrentUserExists" -ForegroundColor Yellow

# Output values of the Teams installation paths
Write-Host "`nTeamsClassic: $TeamsClassic" -ForegroundColor Yellow
Write-Host "TeamsPersonal: $TeamsPersonal" -ForegroundColor Yellow
Write-Host "TeamsNew: $TeamsNew" -ForegroundColor Yellow

# Determine result based on detection checks
$classicFound = $true
if (-not $TeamsClassic -and -not $TeamsPersonal -and $TeamsNew -and -not $registryCheck -and -not $ClassicTeamsRegistry -and -not $ClassicTeamsRegistry_CurrentUser -and -not $ClassicTeamsRegistry_CurrentUserExists) {
    Write-Host "`nClassic and Personal Teams Not Found, ClassicTeamsRegistry not found, or Teams registry path not found for current user.`nNew Teams Only!" -ForegroundColor Yellow
    $classicFound = $false
} else {
    Write-Host "`nClassic and Personal Teams Found!`nClassicTeamsRegistry found." -ForegroundColor Yellow
}

# Output success message
Write-Host "`nDetection script completed."

# Intune detection scripts report state through the exit code:
# 0 = compliant (New Teams only), 1 = leftovers found, run the remediation script
if ($classicFound) { exit 1 } else { exit 0 }
```
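The remediation counterpart to the detection script above, written here as an added example for the "best method" question in the original post (load each other profile's hive, remove the Classic Teams uninstall key, unload). It is not the poster's script and not Microsoft's own cleanup tooling. It assumes it runs elevated as SYSTEM (the Intune remediation context); the `ProfileList` enumeration by SID, the `TMP_` hive-name prefix and the `$removed`/`$skipped` reporting are my choices. The only registry key it touches is the `Uninstall\Teams` key quoted in the post; it also handles the case the detection script cannot, a user who is currently signed in, by operating on the already-mounted `HKU\<SID>` hive instead of trying to `reg load` a locked NTUSER.DAT.

```powershell
# Added example (not the original poster's code): remove the Classic Teams
# uninstall key from every local user profile. Assumes an elevated SYSTEM
# context, as used by Intune remediation scripts.

$TeamsUninstallKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams'
$ProfileList       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$removed = @()
$skipped = @()

# Enumerate real user profiles by SID (S-1-5-21-*). This excludes service and
# system profiles without maintaining a hard-coded list of admin account names.
$profiles = Get-ChildItem $ProfileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        [pscustomobject]@{
            Sid  = $_.PSChildName
            Path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        }
    }

foreach ($p in $profiles) {
    $ntuser = Join-Path $p.Path 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $ntuser)) { continue }

    # If HKU\<SID> already exists the user is signed in and NTUSER.DAT is locked:
    # work on the live hive instead of loading the file a second time.
    $alreadyLoaded = Test-Path "Registry::HKEY_USERS\$($p.Sid)"
    $hive = if ($alreadyLoaded) { $p.Sid } else { "TMP_$($p.Sid)" }

    if (-not $alreadyLoaded) {
        # reg.exe never throws; the exit code is the only failure signal.
        & reg.exe load "HKU\$hive" $ntuser 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            $skipped += "$($p.Sid): reg load failed (exit $LASTEXITCODE)"
            continue
        }
    }

    try {
        $key = "Registry::HKEY_USERS\$hive\$TeamsUninstallKey"
        if (Test-Path -LiteralPath $key) {
            Remove-Item -LiteralPath $key -Recurse -Force
            $removed += $p.Sid
        }
    }
    catch {
        $skipped += "$($p.Sid): $($_.Exception.Message)"
    }
    finally {
        if (-not $alreadyLoaded) {
            # Drop the registry provider's handles, or reg unload returns
            # "Access is denied" and the temporary hive stays mounted.
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$hive" 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) { $skipped += "$($p.Sid): reg unload failed" }
        }
    }
}

Write-Output "Removed Classic Teams uninstall key for: $($removed -join ', ')"
if ($skipped) { Write-Output "Needs follow-up: $($skipped -join '; ')" }

# Intune remediation: a non-zero exit code marks the remediation as failed so
# the device stays visible in the report until every profile is clean.
if ($skipped) { exit 1 } else { exit 0 }
```

Two points worth keeping in mind when pairing this with the detection script: the detection script only reports a profile as clean when `reg load` succeeds, so a signed-in user's profile is reported as "failed to load" there but is handled here through the live `HKU\<SID>` hive; and removing the uninstall key clears the inventory entry that Defender reads, while the `Teams.exe` under `AppData\Local\Microsoft\Teams\current` that the detection script's `$TeamsClassic` check looks for is a separate file-system leftover that this example deliberately does not touch.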