@Windows PowerShell
44 Topics

How can I return all AD Groups with a specific SID HISTORY value?
Hello how can I return all AD Groups with a specific SID HISTORY value? I have tried something like this:

```powershell
$SID = "SID VALUE Here"
Get-ADGroup -Filter * | where{$_.sidhistory -eq $SID}
```

But it just returns blank. Thanks

149 Views, 1 like, 2 Comments

Older versions of Teams are still appearing in the registry for other user profiles and are being fl
Hello, I wanted to update you on the issues we are facing after cleaning Classic Teams. Older versions of Teams are still appearing in the registry for other user profiles and are being flagged as vulnerable in 365 Defender, specifically in the HKEY_USERS registry path for other users.

For example, as evidence from the Defender portal, here are some entries indicating software issues:

- Endpoint Name: TestPC
- Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams
- HKEY_USERS\user1\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
- HKEY_USERS\user2\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
- HKEY_USERS\user3\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams

We attempted to remove the registry entries from other user profiles to clean up the Classic Teams presence by using the following commands:

```powershell
reg load "hku\$user" "C:\Users\$user\NTUSER.DAT"
Test-Path -Path Registry::HKEY_USERS\$hiveName\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
```

For checking the registry presence, we used the detection and remediation method in Intune for cleaning Classic Teams. I ran the detection script on only three PCs for testing. Surprisingly, we received a warning from Sentinel about "User and group membership reconnaissance (SAMR) on one endpoint," indicating a potential security incident involving suspicious SAMR (Security Account Manager Remote) queries. This was detected for admin accounts, DC, and also for an account belonging to someone who left the organization five years ago (ABC Admin).

I would appreciate your guidance on the best practices for detecting and removing Classic Teams leftovers in the registry for other user profiles.

Best Practice:

- How to detect and remove Classic Teams registry entries for other user profiles in the system.
- Best method? Using the Hive to load another user profile into the registry and remove the Classic Teams registry entries.
Reference Links:

- [Older versions of Teams showing in user profiles](https://answers.microsoft.com/en-us/msteams/forum/all/older-versions-of-teams-showing-in-user-profiles/2bc7563c-ccc9-4afc-b522-337acff9d20e?page=1)
- [Remove old user profiles on Microsoft Teams (Reddit)](https://www.reddit.com/r/PowerShell/comments/1bvjner/remove_old_user_profiles_on_microsoft_teams/)

4.7K Views, 0 likes, 3 Comments

AAD Sign In Activity Details: Getting the Result Details
Hello, I've spent hours figuring out how to write a script using the "Get-MgAuditLogSignIn" to create a report showing which sign-in events had a "Result detail" of "Correct password" that occurred outside a set of predefined locations for all users in the last 24 hours. The concept is to be able to run this script daily to check which users may have had a guessed password from someone outside a series of predefined locations. The screenshot below communicates, in a different way, what info I want pulled for each user.

The basic script I'm running revolves around this generally:

```powershell
# Set PowerShell execution policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Install the Microsoft Graph PowerShell Package for Reports
Install-Module Microsoft.Graph.Reports

# Verify Microsoft Graph was Installed
Get-InstalledModule Microsoft.Graph

# Sign in with the required permissions to use the "Get-MgAuditLogSignIn" cmdlet
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Then some type of filtering using "Get-MgAuditLogSignIn"

# When done, sign out of Microsoft Graph
Disconnect-MgGraph
```

The hope is to have a script that produces the name, email, time, location, and "correct password"/Result detail for each user in the last 24 hours in a table format. Any feedback would be greatly appreciated.
Here are some of the sources I've tried:

- https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=powershell
- https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0-preview
- https://learn.microsoft.com/en-us/answers/questions/1098591/export-authentication-details-from-azure-sign-in-l
- https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadauditsigninlogs?view=azureadps-2.0-preview
- https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.reports/get-mgauditlogsignin?view=graph-powershell-1.0
- https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?toc=%2Fgraph%2Ftoc.json&view=graph-powershell-1.0
- https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/get-mguserauthenticationmethod?view=graph-powershell-1.0

Solved, 1.3K Views, 0 likes, 4 Comments

Powershell JEA - WMI Queries
Hi, I'm looking at using PowerShell JEA to run some WMI queries aimed at monitoring servers. Is this possible? An example of the query is below. The objective is to prevent the service account used by the monitoring application from having local administrator access.

```
SELECT Name,VolumeName,FileSystem from Win32_LogicalDisk WHERE DriveType='3'
SELECT Name from Win32_PerfRawData_PerfDisk_LogicalDisk
SELECT Name from Win32_PerfRawData_PerfDisk_PhysicalDisk
```

470 Views, 0 likes, 4 Comments

Disconnect work or school account
Hey, Users are joining the domain @xyz, and some of them have registered their devices to another domain, causing conflicts with the operating system license due to multiple accounts on their work and school accounts. How can I find a solution using Intune or PowerShell to disconnect all other accounts and keep only our domain account? Thanks.

193 Views, 0 likes, 0 Comments

PowerShell Script Failing with Auth Header and 500 Internal Server Error for REST API
Hi everyone, I'm encountering multiple issues with the PowerShell script that interacts with a REST API to execute batch jobs in FDMEE. The script is supposed to send an HTTP request with a Basic Authorization header, but I'm facing the following problems:

1. "Invalid or Missing Authorization Header" Error: When I visit the API URL directly in the browser, I get:

```
{ "links": [], "status": 9, "details": "EPMFDM-ERROR: Invalid or Missing Authorization Header in request" }
```

2. "Internal Server Error (500)": When running the script, it often goes to the catch block and displays a 500 Internal Server Error. Here's the error message I receive in PowerShell:

```
PS>TerminatingError(Invoke-RestMethod): "Request failed."
Error encountered in PowerShell Script.
```

Here is the script I'm using:

```powershell
# HTTP Basic Authorization. Contains encrypted username and password encoded to base64 string.
$headers = @{Authorization = 'Basic encryptedpassword';}

# Set parameter values
$jobName = $args[0]
$uri = "http://server.comm.iocs.address.com:0000/aif/rest/V1/jobs"

try {
    # Monitor status of current batch run
    Write-Output "Checking Job Status..."
    Start-Sleep -Seconds 5
    $restResponse = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers -ContentType "application/json"
    $lastJobID = $restResponse.items[0].jobID

    $payload = @{
        jobType = "BATCH"
        jobName = $jobName
    } | ConvertTo-Json

    # Establish REST connection and execute batch job using REST API
    $restResponse = Invoke-RestMethod -Uri $uri -Method Post -Body $payload -Headers $headers -ContentType "application/json"
    $uri = $restResponse.links[0].href

    # Display initial status of batch
    Write-Output "See below status of batch run..."
    $restResponse = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers -ContentType "application/json"
    $currentJobID = $restResponse.jobID
    Write-Output "Last Job ID: $lastJobID"
    Write-Output "Current Job ID: $currentJobID"
} catch {
    Write-Output "Error encountered in PowerShell Script.."
    Write-Output $_.Exception.Message
    if ($_.InvocationInfo) {
        Write-Output "Error in script: $($_.InvocationInfo.ScriptName)"
        Write-Output "Error on line: $($_.InvocationInfo.ScriptLineNumber)"
        Write-Output "Error in command: $($_.InvocationInfo.Line)"
    }
    if ($_.Exception.Response) {
        Write-Output "HTTP Status Code: $($_.Exception.Response.StatusCode.Value__)"
        Write-Output "Status Description: $($_.Exception.Response.StatusDescription)"
        Write-Output "Response Content: $($_.Exception.Response.Content)"
    }
    exit 1
}
```

Despite my efforts, the request still fails with the "Invalid or Missing Authorization Header" error and occasionally hits a 500 Internal Server Error. Here are the steps I've taken to debug the issues:

- Checked Base64 Encoding: Confirmed that the credentials are correctly encoded in Base64.
- Verified Header Format: Ensured that the Authorization header is correctly formed and included in the request.
- Tested with Postman: Manually tested the API request with Postman using the same Authorization header, and I'm getting the same header authorization error.
- Added Detailed Error Logging: Included more detailed error logging in the catch block to capture HTTP status codes and response content.

I'm looking for advice on what might be causing these issues in the PowerShell script and how I can resolve them. Any insights or suggestions would be greatly appreciated!

1.1K Views, 0 likes, 3 Comments

Need advice on the below powershell script to deploy on intune devices
Hi Champs, Not sure if below script is correct. Looks like it is working if we run powershell as administrator but otherwise throwing errors. I want to deploy below script to endpoint devices via intune. Please assist. I want to set the below location path at word, options, save, Default personal templates location

```powershell
ForEach ($user in (Get-ChildItem "C:\Users" -Exclude Public)) {
    $location = "C:\Users\$($user.Name)\Documents\Custom Office Templates"
    $IsPresent = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Options' | ForEach-Object {If($_ -like '*PersonalTemplates*'){ Return 'True' }}
    if(-Not($IsPresent -eq 'True')) {
        New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Options' -Name 'PersonalTemplates' -Value $location -PropertyType ExpandString -Force
        New-Item -ItemType Directory -Force -Path $location
    }
    $existingValue= Get-ItemPropertyValue -Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Options' -Name 'PersonalTemplates'
    if([string]::IsNullOrWhiteSpace($existingValue)){
        Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Options' -Name 'PersonalTemplates' -Value $location
    }
    else{
        $location=$existingValue
        if(!(test-path $existingValue)) {
            New-Item -ItemType Directory -Force -Path $existingValue
        }
    }
}
```

Regards, Ram

311 Views, 0 likes, 2 Comments

Get-aduser is not working in PS7 if i am trying to filter user using attribute Whencreated.
below code is working in PS 5.1 but Not in PS 7.4.2

```powershell
$when = $(Get-Date).AddDays(-3).date
$data = Get-ADUser -Filter {whenCreated -ge $When}
$data.count
```

Error:

```
Get-ADObject: Error parsing query: 'whenChanged -gt 05/06/2024 00:00:00' Error Message: 'Operator Not supported: ' at position: '19'.
```

Solved, 769 Views, 0 likes, 5 Comments