08: Upgrading MS Teams to latest version displays prompts for Admin Approval

PROBLEM:

When updating Microsoft Teams to the latest version, you receive an Admin Approval message like the one below.

CAUSE:

Customer has enabled AA + Enforce Admin Approval for installers …

But when MS Teams attempts to update, Windows runs a helper process (msiexec.exe without any arguments, as SYSTEM). This msiexec.exe creates another child process (msiexec -embedding {GUID}), and Admin Approval correctly classifies it as an installer and intercepts it as expected.

WORKAROUND 1: (Recommended, works only for PolicyPak Least Privilege Manager versions 24.4 and later)

PolicyPak Least Privilege Manager now has a parent process condition for its explicit policies. Therefore you can instruct PolicyPak Least Privilege Manager to securely elevate a command like msiexec -embedding *, if it is known that its parent is also msiexec.exe and is signed by Microsoft.

The manual steps to generate the XML are:

Additionally, you will need a PolicyPak Least Privilege Manager UWP Policy which specifies “Any UWP app allowed” as follows…

Or you can specify some applications which appear to be required during a Teams upgrade.

You can use this XML which is coded for Computer-side policy to accomplish the goals stated in this Workaround #1.
IMPORTANT: If using this XML, you must be running PolicyPak Admin Console (MMC) version 24.4.x and higher; otherwise the Parent Process filter will be missing from the imported policy.
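
To confirm on a test endpoint that the process chain really matches the condition Workaround 1 relies on (msiexec -embedding launched by an msiexec.exe parent that is signed by Microsoft), the following added example lists each running msiexec -embedding process with its parent and the parent's signature. It is not PolicyPak code and not part of the attached XML; treating "signed by Microsoft" as a valid Authenticode signature whose subject names Microsoft Corporation is an assumption of this example.

```powershell
# Added example, not PolicyPak code. Run from an elevated PowerShell session
# on a test endpoint while the Teams update is in progress.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

# Children of interest: msiexec.exe started with the -Embedding switch.
$children = $procs | Where-Object {
    $_.Name -ieq 'msiexec.exe' -and $_.CommandLine -match '\s[-/]embedding\s'
}

$report = foreach ($child in $children) {
    $parent = $byPid[[uint32]$child.ParentProcessId]

    # PIDs are reused: only trust a parent record that started before the child.
    if ($parent -and $parent.CreationDate -gt $child.CreationDate) { $parent = $null }

    $sig = $null
    if ($parent -and $parent.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -FilePath $parent.ExecutablePath
    }

    # Assumption: "signed by Microsoft" is approximated as a valid signature
    # whose subject names Microsoft Corporation.
    $signedByMs = $sig -and $sig.Status -eq 'Valid' -and
        $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'

    [pscustomobject]@{
        ChildPid         = $child.ProcessId
        ChildCommandLine = $child.CommandLine
        ParentPid        = $child.ParentProcessId
        ParentPath       = if ($parent) { $parent.ExecutablePath } else { '<exited or PID reused>' }
        SignatureStatus  = if ($sig) { $sig.Status } else { 'not checked' }
        Signer           = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        MatchesCondition = [bool]($parent -and $parent.Name -ieq 'msiexec.exe' -and $signedByMs)
    }
}

if ($report) { $report | Format-List } else { 'No msiexec -embedding processes are running right now.' }
```

A row with MatchesCondition set to False is an msiexec -embedding process whose parent is not a Microsoft-signed msiexec.exe as modeled here, which is the case the parent process condition is meant to exclude from elevation.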


 

WORKAROUND 2: (Also Recommended)

Using PolicyPak Scripts and Triggers, create the 2 separate PowerShell policies as shown in the screenshots below.

Note: If you are not licensed for PolicyPak Scripts & Triggers, you can still use Workaround 1 by creating the policies below in Microsoft Group Policy using regular computer- or user-side scripts.

Policy 1: PowerShell script scoped to MACHINE that removes all versions of MS Teams that are currently installed on the endpoint.

 

Policy 2: PowerShell script scoped to USER that installs the latest version of MS Teams.

 

Note: You will need to update the path to the latest version of the MS Teams file for your environment in policy #2; see below.

PolicyPak Scripts & Triggers policy XML is attached.

WORKAROUND 3: For CSEs previous to 24.4 (Not recommended - as any MSIEXEC command line with "-embedding *" will be elevated - use at own risk)

Using PolicyPak Least Privilege Manager, create the 2 separate policies as shown in the screenshots below.
