December 2023 Windows update defaulting to New Teams

Steel Contributor

I was curious if anyone else was seeing the behavior that Teams is defaulting to New Teams after updating to the release for Windows 11, December 2023? Our global Teams policy is set to "Not enabled" for using new Teams. So, upon updating/starting up Teams they get a screen saying "Your admin has restricted access to the new Teams", and they can switch back to classic Teams via a button on that screen. 

 

There's not any option in the Office Configuration portal policies that controls this behavior so, what the heck Microsoft? So, how do we ensure that our users do not have this happen when our tenant Teams policy has the Use new Teams Client set to Not Enabled? 

7 Replies
So you are looking for a policy like when you set not enable it, then it opens the old Microsoft Teams instead of open the new one and ask to revert back?
I believe this is a behavior by design but with not a positive user experience and I advise you to file a report in the Feedback Hub app.
Nope, we have the policy in Teams Admin to not enable new Teams - regardless of that policy after an update occurred on our Windows 11 devices and the first time opening Teams it attempted to open New Teams.
From what you explained, I believe this is a bug.
I advise you to report this issue to the Microsoft Teams:
https://support.microsoft.com/en-us/office/give-feedback-in-microsoft-teams-c0fb6297-22af-4db5-b19b-...
You may file a bug report using the Feedback Hub app in Windows.

Hi Timothy, please check this article as well Deploy Microsoft Teams with Microsoft 365 Apps - Deploy Office | Microsoft Learn. We also have unwanted installations of Teams New Client. Since December MS started enrolment for Teams New Client inside of M365 Apps Package - as well for GIVEN installations. The weird thing in your case ist the Autostart - we openend a ticket to MS and got the confirmation that the combination with Global Teams Update Rule stating NO new Teams will not impcact user with Classic Teams. In that documentations there is only one case with autostart, if there is any kind of (even default) deployment with Office Deployment Tools. I would check this as well. Greetings from Germany , dmTech Corp

We had some reports that our Mac OS devices/users saw this behavior as well over my time out of the office. Once they switch back to Teams classic everything is OK. We're in a monitoring mode until the next time Teams updates.

@Timothy Balk What we noticed was that a new 8KB shortcut was created in user's device and URL file associations were modified first. Then, when a user clicked on a link to a Teams meeting (from an email for example), it would prompt them to use "Microsoft Teams (work or school)" or "Microsoft Teams". Clicking on the Microsoft Teams (work or school) would launch the 8KB shortcut that will then install the full application. Very sneakily done by MS! Then, once the installation is complete and user tries to launch a meeting, they will experience the behaviour you described. We also have policies created to block new Teams, but MS always finds a way!

 

If you want to see this behaviour in action, I recommend you review device logs in Defender. The easiest way is - in Defender itself, search for "ms-teams.exe" in the top Seach bar. When the results start showing up, make sure to click on one from the "Files" section. That will open the Files profile page for ms-teams.exe. Once there, click on any of the devices in the Device name column. The Device page will load and you should review the Timeline. You are looking for an entry like similar to "svchost.exe has initiated a TLS connection to https://statics.teams.cdn.office.net" or "OfficeClickToRun.exe has initiated a TLS connection to https://statics.teams.cdn.office.net".  Once you locate that entry, the "mechanism" of how this works will be in the many lines above. For security reasons, I can't share what our log looks like, but you'll see .js, .gz, .svg, as well as ms-teams.exe, and many other ms- files being created. If you click on any of them you'll be able to confirm the path. 

I would not have thought about looking through Defender to examine installation behaviors like this. This does make sense as a sneaky method to swap the new client into an environment that is using the default settings. Thanks Ziv!