Defender reporting multiple New Versions of Teams Installed.

Rob Benotti 5 Reputation points
2025-07-31T14:10:22.0866667+00:00

Hello.

Going through and using Defender for application cleanup, and I'm noticing there are multiple versions of New Teams being reported for a single PC.

I cannot find where the information is coming from for the older version. Registry entries can be found, but not the application (exe) itself.

Any help is appreciated.

Thanks!

Microsoft Teams | Microsoft Teams for business | Other

3 answers

  1. Jess-Q 4,750 Reputation points Microsoft External Staff Moderator
    2025-07-31T15:01:13.11+00:00

    Hi @Rob Benotti

    Thank you for posting your question in the Microsoft Q&A forum.

    Regarding your issue, Microsoft Defender for Endpoint reporting multiple Teams versions or outdated Teams vulnerabilities usually happens because Classic Teams leaves behind registry keys and user profile data even after upgrading to New Teams. This might happen because old classic Teams remnants remain after migration, or because of registry keys under multiple user profiles or machine-wide installer traces.

    Here are a few steps you can try:

    1. Clean Registry entries
    • Open Registry Editor (regedit.exe) as admin.
    • Delete these keys (search for "Teams" using Ctrl+F to find all instances):
      • HKEY_CURRENT_USER\Software\Microsoft\Office\Teams.
      • HKEY_CURRENT_USER\Software\Microsoft\Teams.
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams.
      • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Teams (for 32-bit on 64-bit systems).
    • For other user profiles (common cause of lingering detections): Load user hives.
      • In regedit, select HKEY_USERS, then File > Load Hive.
      • Load C:\Users\<username>\NTUSER.DAT (name it temporarily, e.g., "TempHive").
      • Navigate to HKEY_USERS\TempHive\Software\Microsoft\Office\Teams and delete Teams keys.
      • Unload the hive (select it > File > Unload Hive).
      • Repeat for each user profile.

    2. Use PowerShell Script (Recommended)

    Save the script below as TeamsCleanup.ps1 and run it as Administrator:

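    # Uninstall Classic Teams and Machine-Wide Installer
    Get-AppxPackage -Name Microsoft.Teams | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
    # Enumerating Win32_Product makes Windows Installer run a consistency check on every installed MSI,
    # and the filter below matches every MSI product with "Teams" in its name.
    Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Teams*"} | ForEach-Object {$_.Uninstall()}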
     
    # Delete folders for current user
    $paths = @(
        "$env:APPDATA\Microsoft\Teams",
        "$env:LOCALAPPDATA\Microsoft\Teams",
        "$env:LOCALAPPDATA\Microsoft\TeamsMeetingAddin",
        "$env:LOCALAPPDATA\Microsoft\TeamsPresenceAddin",
        "$env:LOCALAPPDATA\SquirrelTemp"
    )
    foreach ($path in $paths) {
        if (Test-Path $path) { Remove-Item -Path $path -Recurse -Force -ErrorAction SilentlyContinue }
    }
     
    # Clean registry for current user
    $regKeys = @(
        "HKCU:\Software\Microsoft\Office\Teams",
        "HKCU:\Software\Microsoft\Teams"
    )
    foreach ($key in $regKeys) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force -ErrorAction SilentlyContinue }
    }
     
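    # For all user profiles (load hives)
    $users = Get-ChildItem C:\Users -Directory
    foreach ($user in $users) {
        $ntuser = "C:\Users\$($user.Name)\NTUSER.DAT"
        if (Test-Path $ntuser) {
            # reg load fails when the hive is already in use (for example, the user is signed in)
            reg load HKU\TempHive $ntuser
            if ($LASTEXITCODE -eq 0) {
                # HKU: is not a default PowerShell drive, so address the hive through the Registry provider
                $userRegKeys = @(
                    "Registry::HKEY_USERS\TempHive\Software\Microsoft\Office\Teams",
                    "Registry::HKEY_USERS\TempHive\Software\Microsoft\Teams"
                )
                foreach ($userKey in $userRegKeys) {
                    if (Test-Path $userKey) { Remove-Item -Path $userKey -Recurse -Force -ErrorAction SilentlyContinue }
                }
                # Release open registry handles so the hive can be unloaded
                [gc]::Collect()
                reg unload HKU\TempHive
            }
        }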
        # Delete per-user folders
        $userPaths = @(
            "C:\Users\$($user.Name)\AppData\Roaming\Microsoft\Teams",
            "C:\Users\$($user.Name)\AppData\Local\Microsoft\Teams"
        )
        foreach ($userPath in $userPaths) {
            if (Test-Path $userPath) { Remove-Item -Path $userPath -Recurse -Force -ErrorAction SilentlyContinue }
        }
    }
     
    # Machine-wide registry
    $machineKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Teams",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Teams"
    )
    foreach ($mKey in $machineKeys) {
        if (Test-Path $mKey) { Remove-Item -Path $mKey -Recurse -Force -ErrorAction SilentlyContinue }
    }
     
    Write-Output "Cleanup complete. Restart PC and check Defender."
    

    Finally you should:

    • Restart your PC.
    • Open New Teams to confirm it works (it should auto-update if needed).
    • In Microsoft Defender portal (security.microsoft.com), check Device inventory or Vulnerability management for the PC. If the old version still shows, trigger a manual scan via the Defender agent or wait for the next automatic one.
    • If issues persist, use Microsoft's Teams deployment cleanup script or contact Microsoft Support via the Defender portal.

    For more details, please refer to:

    • Uninstall the classic Teams client using a script
    • Bulk install classic Teams using Windows Installer (MSI)

    New teams not in defender for endpoint

    If you have any other questions or need further assistance, feel free to ask. 




  2. Craig Vibert 1 Reputation point
    2025-09-26T08:06:04.17+00:00

    Also seeing this on some devices which is affecting our secure score and therefore triggering my OCD.


  3. Gary Cutri 0 Reputation points
    2025-12-03T00:02:15.73+00:00

    Hi,

    On all of the sites we manage, all customers have Defender detections in the portal for old\uninstalled versions of Teams. Uninstalling all versions manually and\or via the PowerShell scripts does not remove these legacy builds. As you can see by the example below, Defender has detected a legacy build of Teams that is not installed but simply stuck in the WindowsApps protected folder.

    Defender Detected Build:

    Folder: C:\Program Files\WindowsApps

    14/11/2022  01:54 PM    <DIR>          MicrosoftTeams_22287.702.1670.9453_x64__8wekyb3d8bbwe
    

    The current installed version is also shown in the same folder location (see below). The current build folder also reflects any changes when uninstalled or updated.

    02/12/2025  02:26 PM    <DIR>          MSTeams_25306.804.4102.7193_x64__8wekyb3d8bbwe
    

    Microsoft need to include a cleanup tool for the "Microsoft Store" apps that are no longer installed and are stuck in the WindowsApps folder. I know we can change permissions on the protected WindowsApps folder and delete the detected builds (this is a security risk) or we can use an Admin PowerShell to run the commands below (based on example detection above). In short, my main issue is the manual intervention.

    Option 1:

    Remove-AppxPackage -Package MicrosoftTeams_22287.702.1670.9453_x64__8wekyb3d8bbwe -AllUsers
    

    Option 2: (Modern versions of Teams use "MSTeams", so the command below only deletes older builds)

    Get-AppxPackage -AllUsers -Name "MicrosoftTeams*" | Remove-AppxPackage -AllUsers
    

    Thanks,

    Gary
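
A read-only inventory that can be run before either cleanup approach in this thread, to list the package registrations and uninstall keys on the PC that still carry a Teams version. This is an added example, not code from any poster in the thread; the `*Teams*` filter, the `Add-Row` helper and the report layout are assumptions, and the thread does not state which of these sources Defender reads.

```powershell
# Read-only inventory of where a Teams version can be recorded on this PC.
# Run in an elevated Windows PowerShell session. Nothing is modified or removed.
$report = [System.Collections.Generic.List[object]]::new()
function Add-Row($Source, $Name, $Version, $Detail) {   # hypothetical helper for this example
    $report.Add([pscustomobject]@{ Source = $Source; Name = $Name; Version = "$Version"; Detail = $Detail })
}

# 1. AppX/MSIX packages known for any user ("MicrosoftTeams*" and "MSTeams*" both match).
foreach ($pkg in Get-AppxPackage -AllUsers -Name '*Teams*') {
    # PackageUserInformation shows who the package is installed or only staged for.
    $state = ($pkg.PackageUserInformation |
        ForEach-Object { "$($_.UserSecurityId.Sid): $($_.InstallState)" }) -join '; '
    if (-not $state) { $state = 'no per-user registration' }
    Add-Row 'AppxPackage' $pkg.PackageFullName $pkg.Version $state
}

# 2. Provisioned packages, which Windows installs for each new user profile.
foreach ($prov in Get-AppxProvisionedPackage -Online | Where-Object DisplayName -like '*Teams*') {
    Add-Row 'Provisioned' $prov.PackageName $prov.Version 'provisioned in the OS image'
}

# 3. Uninstall keys: machine-wide (64- and 32-bit views) plus every user hive currently loaded.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$roots += @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Uninstall" })
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Teams*' } |
        ForEach-Object { Add-Row 'UninstallKey' $_.DisplayName $_.DisplayVersion ($_.PSPath -replace '^.*::', '') }
}

# One row per place a Teams version is recorded; compare Version with the Defender entry.
$report | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Hives of signed-out users are not mounted under HKEY_USERS, so their uninstall keys do not appear here unless the hive is loaded first.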

