Older versions of Teams are still appearing in the registry for other user profiles and are being fl
Hello,
I wanted to update you on the issues we are facing after cleaning Classic Teams. Older versions of Teams are still appearing in the registry for other user profiles and are being flagged as vulnerable in 365 Defender, specifically in the HKEY_USERS registry path for other users.
For example, as evidence from the Defender portal, here are some entries indicating software issues:
– Endpoint Name: TestPC
– Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams
– HKEY_USERS\user1\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
– HKEY_USERS\user2\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
– HKEY_USERS\user3\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams
We attempted to remove the registry entries from other user profiles to clean up the Classic Teams presence by using the following commands:
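```powershell
# Mount the other user's NTUSER.DAT under HKEY_USERS
reg load "hku\$user" "C:\Users\$user\NTUSER.DAT"
# Check whether the Classic Teams uninstall key exists in the mounted hive
Test-Path -Path "Registry::HKEY_USERS\$hiveName\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"
```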
For checking the registry presence, we used the detection and remediation method in Intune for cleaning Classic Teams. I ran the detection script on only three PCs for testing.
Surprisingly, we received a warning from Sentinel about “User and group membership reconnaissance (SAMR) on one endpoint,” indicating a potential security incident involving suspicious SAMR (Security Account Manager Remote) queries. This was detected for admin accounts, DC, and also for an account belonging to someone who left the organization five years ago (ABC Admin).
I would appreciate your guidance on the best practices for detecting and removing Classic Teams leftovers in the registry for other user profiles.
Best Practice:
– How to detect and remove Classic Teams registry entries for other user profiles in the system.
– Best method? Using the Hive to load another user profile into the registry and remove the Classic Teams registry entries.
Reference Links:
– [Older versions of Teams showing in user profiles](https://answers.microsoft.com/en-us/msteams/forum/all/older-versions-of-teams-showing-in-user-profiles/2bc7563c-ccc9-4afc-b522-337acff9d20e?page=1)
– [Remove old user profiles on Microsoft Teams (Reddit)](https://www.reddit.com/r/PowerShell/comments/1bvjner/remove_old_user_profiles_on_microsoft_teams/)
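
The hive-loading approach asked about above, as an added example that is not part of the original post: it enumerates profiles by SID from the local `ProfileList` key, mounts each offline `NTUSER.DAT`, checks for the `Uninstall\Teams` key, and always unloads the hive afterwards. The `-Remove` switch and the `TempHive_` mount prefix are assumptions made for this sketch; it must run elevated, and the exit codes follow the Intune detection convention (1 = issue found).

```powershell
# Added example: find (and optionally delete) the Classic Teams uninstall key in every local profile.
# $Remove and the TempHive_ prefix are hypothetical names chosen for this sketch.
param([switch]$Remove)

$subKey      = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$found       = @()

# Read profiles from the local registry only; no account-name lookups are made.
# S-1-5-21-* are local/domain users, S-1-12-1-* are Entra ID users.
$profiles = Get-ChildItem $profileList |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-' }

foreach ($p in $profiles) {
    $sid    = $p.PSChildName
    $ntuser = Join-Path (Get-ItemProperty $p.PSPath).ProfileImagePath 'NTUSER.DAT'
    $loaded = $false

    if (Test-Path "Registry::HKEY_USERS\$sid") {
        $root = "HKEY_USERS\$sid"              # user is signed in, hive already mounted
    } elseif (Test-Path $ntuser) {
        $root = "HKEY_USERS\TempHive_$sid"     # offline profile, mount it temporarily
        & reg.exe load $root $ntuser 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $ntuser"; continue }
        $loaded = $true
    } else { continue }                        # orphaned ProfileList entry, nothing to check

    try {
        $key = "Registry::$root\$subKey"
        if (Test-Path $key) {
            $found += $key
            if ($Remove) { Remove-Item $key -Recurse -Force }
        }
    } finally {
        if ($loaded) {
            # Release provider handles, otherwise reg unload fails with "Access is denied"
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()
            & reg.exe unload $root 2>&1 | Out-Null
        }
    }
}

$found                                          # report every key that was found
if ($found -and -not $Remove) { exit 1 } else { exit 0 }
```

Run without `-Remove` as the detection script and with `-Remove` as the remediation script.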