MS Teams is locally installed by default, but it leverages the client side to the user profile; that is how it works. I also see that if a local admin is logged in, Teams will launch on his behalf as well, but not signed in because there is no license there. Anyway, I believe that if users are using Teams, it will update, and that the local admin side does not matter. You should also consider creating a policy via the MS Teams admin center to use the latest Teams version; maybe that will fix your problem.
How to remove legacy software via Intune that was installed under the local admin account on a Windows 11 Azure joined device
We are constantly receiving reports on the Defender weaknesses page that software needs removing or updating on our Windows 11 devices. In this example it's for Microsoft Teams, but it's not the user account but the local admin account that the software is on, and we have too many devices to keep remoting in and removing it. Why does it install on the local admin account, and what can we do to remove it without having to remote in each time? How do we stop the software loading up on the local admin account each time we configure a device?
The file path in Defender shows it under: C:\Users**Admin account\AppData\Roaming\Microsoft\Teams
This is just one example of the problem; there are going to be plenty more locations over time where S/W lies dormant.
Run-through of events when configuring a new device on site, prior to sending it out to the user (remote working):
1. Sign in with a 'personal' Microsoft account; it doesn't allow us to sign in to the work account at this stage.
2. Create a local admin account in Computer Management and add it to the 'Administrators' group.
3. Log out of the personal account and sign in to the device with the local admin account, and set up for 'new user' Azure joined. This is where we add the user's work or school account and join it to Azure. Now switch account and sign in with the new user to configure it. Once configured, sign back in with the admin account to remove admin permissions from the user and make it a standard user account.
4. Remove the personal MS account details.

The problem now is that because the device has been logged in with the local admin account, it loads a profile and, for some reason, some software, including the MS365 suite. So the S/W is sitting there doing nothing and not having any updates applied, due to the admin account not being used to sign in again on that device. Therefore updates are not being applied, and eventually the S/W is out of date and appears on our Defender for Endpoint weaknesses page.
Moving backwards, how can we remove this legacy S/W via Intune? We have too many devices to try and remote into each device, which we have done for some but it's not ideal.
Moving forwards, what would be the best way to avoid this? Is this the correct way to configure a device?
1 answer
Pavel yannara Mirochnitchenko 12,781 Reputation points MVP
2023-12-08T11:22:28.6733333+00:00
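
An added example, not part of the question or the answer above and not Microsoft's own code: a detection script of the kind Intune Remediations can run as SYSTEM, reporting profiles that contain a Teams folder but have not been loaded recently. The 30-day threshold, the use of NTUSER.DAT's write time as a last-use signal, and the AppData\Local install path are assumptions.

```powershell
# Added example: detection script for Intune Remediations (run as SYSTEM).
# Assumption: a profile not loaded for $StaleDays days counts as dormant.
$StaleDays = 30   # assumed threshold, tune to your environment
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# User profiles from the registry: local/domain (S-1-5-21) and Entra ID (S-1-12-1)
# accounts; built-in service profiles are skipped.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = Get-ChildItem $profileList |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-' } |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath }

$findings = foreach ($p in $profiles) {
    # Folder reported by Defender in the question, plus the assumed
    # per-user install location under AppData\Local.
    $candidates = @(
        (Join-Path $p 'AppData\Roaming\Microsoft\Teams'),
        (Join-Path $p 'AppData\Local\Microsoft\Teams')
    ) | Where-Object { Test-Path $_ }
    if (-not $candidates) { continue }

    # NTUSER.DAT write time only approximates the last profile load (assumption).
    $hive = Get-Item (Join-Path $p 'NTUSER.DAT') -Force -ErrorAction SilentlyContinue
    if ($hive -and $hive.LastWriteTime -lt $cutoff) {
        $exe = Join-Path $p 'AppData\Local\Microsoft\Teams\current\Teams.exe'
        $ver = if (Test-Path $exe) { (Get-Item $exe).VersionInfo.ProductVersion } else { 'n/a' }
        [pscustomobject]@{ Profile = $p; LastUsed = $hive.LastWriteTime; TeamsVersion = $ver }
    }
}

if ($findings) {
    $findings | ForEach-Object {
        Write-Output ("{0} lastUsed={1:yyyy-MM-dd} teams={2}" -f $_.Profile, $_.LastUsed, $_.TeamsVersion)
    }
    exit 1   # non-zero exit marks the device as "with issues" in Intune
}
Write-Output 'No dormant per-user Teams folders found'
exit 0
```

The script only reports; what to do with a flagged profile (remove the profile, remove the per-user install, or ignore it) is a separate decision.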