Older versions of Teams are still appearing in the registry for other user profiles and are being flagged as vulnerable in 365 Defender, specifically in the HKEY_USERS registry path for other users

Durairaj Puttalai 6 Reputation points
2024-07-09T06:55:28.4433333+00:00

Dear Teams,

I wanted to update you on the issues we are facing after cleaning Classic Teams. Older versions of Teams are still appearing in the registry for other user profiles and are being flagged as vulnerable in 365 Defender, specifically in the HKEY_USERS registry path for other users.

 

For example, as evidence from the Defender portal, here are some entries indicating software issues:

  • Endpoint Name: TestPC

  - Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams

  - HKEY_USERS\user1\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams

  - HKEY_USERS\user2\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams

  - HKEY_USERS\user3\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams

We attempted to remove the registry entries from other user profiles to clean up the Classic Teams presence by using the following commands:

powershell

      # Load the logged-off user's NTUSER.DAT hive under HKU\<user> (run elevated)
      reg load "HKU\$user" "C:\Users\$user\NTUSER.DAT"

      # Check whether the Classic Teams uninstall key exists in the hive just loaded
      Test-Path -Path "Registry::HKEY_USERS\$user\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"

Also, we used this PS cmd to get the SIDs for the users:

        WMIC useraccount get name,sid

For checking the registry presence, we used the detection and remediation method in Intune for cleaning Classic Teams. I ran the detection script on only three PCs for testing.

Surprisingly, we received a warning from Sentinel about "User and group membership reconnaissance (SAMR) on one endpoint," indicating a potential security incident involving suspicious SAMR (Security Account Manager Remote) queries. This was detected for admin accounts, DC, and also for an account belonging to someone who left the organization five years ago (ABC Admin).

I would appreciate your guidance on the best practices for detecting and removing Classic Teams leftovers in the registry for other user profiles, or whether there is any method that cleans Classic Teams.

Best Practice:

  • How to detect and remove Classic Teams registry entries for other user profiles in the system.
  • Best method? Using the hive to load another user profile into the registry and remove the Classic Teams registry entries.
  • How to clean Classic Teams for all users from Installed Programs, the AppData folder, and the registry, including all users' registry hives.

Reference Links:

  • Older versions of Teams showing in user profiles
  • Remove old user profiles on Microsoft Teams (Reddit)
  • https://answers.microsoft.com/en-us/msteams/forum/all/older-versions-of-teams-are-still-appearing-in-the/6a10ae63-5a1e-43d3-8511-835271c82c21
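One way to run the hive-load check across every profile on a machine, as an added example that is not from the original post or from Microsoft: it reads profile SIDs and paths from the local ProfileList key (so it needs no WMIC account enumeration, which queries domain accounts), loads only hives that are not already mounted, reports the Classic Teams uninstall key and the per-user Teams AppData folder, and removes the registry key only when -Remove is given. The registry paths are the ones quoted in the question; the script must run elevated.

```powershell
# Added example: report (and optionally remove) Classic Teams uninstall keys in
# every local user hive. Default is report-only; pass -Remove to delete the key.
param([switch]$Remove)

$teamsRel    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$results = foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    # Skip well-known service SIDs (SYSTEM, LocalService, NetworkService)
    if ($sid -notlike 'S-1-5-21-*') { continue }
    $profilePath = (Get-ItemProperty $p.PSPath).ProfileImagePath
    $hive = Join-Path $profilePath 'NTUSER.DAT'
    if (-not (Test-Path $hive)) { continue }

    $loadedByUs = $false
    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        # Hive is not mounted (user logged off): load it under its SID
        $null = & reg.exe load "HKU\$sid" $hive 2>&1
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $sid"; continue }
        $loadedByUs = $true
    }
    try {
        $key     = "Registry::HKEY_USERS\$sid\$teamsRel"
        $present = Test-Path $key
        if ($present -and $Remove) {
            Remove-Item -Path $key -Recurse -Force
        }
        [pscustomobject]@{
            SID             = $sid
            Profile         = $profilePath
            ClassicTeamsKey = $present
            Removed         = ($present -and $Remove)
            TeamsAppData    = Test-Path (Join-Path $profilePath 'AppData\Local\Microsoft\Teams')
        }
    } finally {
        if ($loadedByUs) {
            [gc]::Collect()   # release provider handles so reg unload succeeds
            $null = & reg.exe unload "HKU\$sid" 2>&1
        }
    }
}
$results | Format-Table -AutoSize
```

Run it first without -Remove and compare the ClassicTeamsKey column against the Defender findings before deleting anything; the AppData folder is reported but left in place.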