Windows 11 OS upgrades and new Windows 11 workstations are coming with a built-in Teams for home chat app preinstalled, intented to use with a personal Microsoft account . This can be an issue for orgs that use Teams for work or school edition as the preinstalled chat version of app remains installed even after installing Teams for work or shool, causing confusion between which one to use. Users may attempt to sign in to chat app with their work account which wont work.
Use the methods below on how to uninstall and disable the built-in chat app using Intune.
Step 1: Use a Proactive Remediation script
Proactive remediation script package will detect uninstall the Teams chat app if it exists and also configure the registry to disable auto-install of chat app in future.
For this, you’ll need to create two powershell script files, one for detecting the issue and another for remediation:
- Detect_TeamsChatApp.ps1
- Remediate_TeamsChatApp.ps1
You can download both files in zip format here:
TeamsChatApp_ProactiveRemediation_Files.zip
OR
Copy paste contents of each file below to create your own files
Detect_TeamsChatApp.ps1
$OSversion = (Get-WmiObject -class Win32_OperatingSystem).Buildnumber
If ($OSversion -like "2*") {
try {
# check the reg key for teams chat app autoinstall
If (((Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications').PSObject.Properties.Name -contains 'ConfigureChatAutoInstall') -eq $true) {
if ( (Get-ItemPropertyValue -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications' -Name 'ConfigureChatAutoInstall' -ErrorAction Stop ) -eq 0 ) {
$RegCompliance = $true
}
else {
$RegCompliance = $false
}
}
else { $RegCompliance = $true }
# check if the teams app is installed
if ($null -eq (Get-AppxPackage -Name MicrosoftTeams) ) { $AppCompliance = $true }
else { $AppCompliance = $false }
# evaluate the compliance
if ($RegCompliance -and $AppCompliance -eq $true) {
Write-Host "Success, app/reg in Compliance"
exit 0
}
else {
Write-Host "Failure, app/reg detected"
exit 1
}
}
catch {
$errMsg = $_.Exception.Message
Write-Host $errMsg
exit 1
}
}
else {
Write-Output "OS is not windows 11. Exiting"
Exit 0
}Remediate_TeamsChatApp.ps1
# Give "Administrators" group full ownership of HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications.
function enable-privilege {
param(
## The privilege to adjust. This set is taken from
## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
[ValidateSet(
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
$Privilege,
## The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,
## Switch to disable the privilege, rather than enable it.
[Switch] $Disable
)
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if(disable)
{
tp.Attr = SE_PRIVILEGE_DISABLED;
}
else
{
tp.Attr = SE_PRIVILEGE_ENABLED;
}
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
'@
$processHandle = (Get-Process -id $ProcessId).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
enable-privilege SeTakeOwnershipPrivilege
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Communications", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::takeownership)
# You must get a blank acl for the key b/c you do not currently have access
$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$me = [System.Security.Principal.NTAccount]"Administrators"
$acl.SetOwner($me)
$key.SetAccessControl($acl)
# After you have set owner you need to get the acl with the perms so you can modify it.
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrators", "FullControl", "Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()
# Remediation
try {
#Disable Auto Install registry for Teams chat app
if (((Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications').PSObject.Properties.Name -contains 'ConfigureChatAutoInstall') -eq $true) {
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications' -Name 'ConfigureChatAutoInstall' -Value 0 -Type "Dword"
}
else {
Write-Output "Registry value ConfigureChatAutoInstall not found"
}
# uninstall the teams consumer app
Get-AppxPackage -Name MicrosoftTeams | Remove-AppxPackage -ErrorAction stop
# as nothing errored out, we will report success
Write-Output "Success, regkey set and app uninstalled"
exit 0
}
catch {
$errMsg = $_.Exception.Message
Write-Host $errMsg
exit 1
}Once you have both a detection and a remediation script file:
Launch Intune portal and navigate to Devices > Remediations > Create script package
Type in a Name for your script and hit Next button
On the Settings page, upload the Detection and the Remediation scripts created in earlier steps and hit Next
In the next step, Select any Scope tags as needed and Hit Next
Under Assignments, select your Device or User groups you would like to apply this remediation scripts and also select your preferred Schedule and interval time. I recommend running this with daily schedule repeating everyday once every morning.
Finally, under Review + create hit Create button after reviewing all settings.
After the proactive remediation implemenation you can always head to Devices > Remediations and click on the script package name you created to check the device status report
Step 2: Hide the chat icon from taskbar
The above proactive remediation script will uninstall the app but users may still see the Teams chat app icon in the taskbar which upon click can reinstall itself. Create a configuration profile in Intune to disable the Teams Chat app icon from taskbar as shown below:
Navigate to Devices > Windows > Configuration profiles and Hit Create profile button
Select Windows 10 or later for Platform and Setting Catalog for Profile type in next step and hit Create button
Next, give your profile a name and hit Next button
On Configuration settings page, click Add settings and search for “Configure Chat” in the settings picker search box on the right and press Enter. You will see category “Experience” loaded under the search. Click on Experience category and check the box next to Configure Chat Icon setting.
This will add the Configure Chat Icon setting to your Configuration settings. Select Disabled from the drop down menu next to Configure Chat Icon setting as shown below and Hit Next.
You can also set it to Hide but this will allow users to show or hide in local taskbar settings. Read more
Apply Scope tags and required and hit Next.
Under Assignments, add your desired device or user groups to apply this policy to and Hit Next.
At last, hit the Create button to finish creating and applying this Configuration profile.
Congratulations, you have now created a proactive remediation and a configuration profile to disable and block Teams home Chat app from installing
