Here’s a fun one … Disabling Teams auto-startup. Imagine this scenario:
- You haven’t trained your service desk on how to answer/troubleshoot/manage Teams help desk calls
- You’ve configured restrictions on who can create Teams
- You’ve deployed the new Office ProPlus update with Teams integrated.
- You haven’t applied licenses to everyone
You push out your new Office ProPlus and the entire world goes sideways when Teams auto-launches and no one can log in, or the ones that can log in can’t create Teams (if you’ve gone through the this process to limit Office 365 Group Creation).
No problem, you think … There’s probably a GPO for that. And, there is. Except for this little note in the deployment guidelines:
Yes, you right that read. The only way to prevent Teams from starting up using the GPO template is to deploy the template before you know you have a problem. Talk about the value of planning ahead.
Fortunately, you can sort nick this after the fact, though it may take two reboot/login cycles for your users.
Background
Teams autorun functionality has two pieces: a registry startup value and some data in-app that will configure the startup registry value.
Teams is built on the Electron platform, and as such, doesn’t exactly work the same way a lot of our other products do. A lot of data is stored in %APPDATA%, which means that simply uninstalling the application won’t clean up the settings. So, if you uninstall and attempt to reinstall (and apply the GPO settings), you may not get the desired result. Plus, if you’ve already got the app deployed but just want to phase it in, uninstalling it is literally the opposite direction of phasing it in.
The settings we’re talking about managing live in two places:
Registry
First stop is in the Registry, under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run
key.
Teams Client
And then there’s the Teams client setting, which will put the registry value back every time it opens.
The Teams setting data is stored in %APPDATA%\Microsoft\Teams\desktop-config.json
, so while it’s not an INI file, it’s challenging because it means the desktop has to be touched somehow.
Here’s what you can do.
PowerShell to the Rescue
You can use a PowerShell logon script to clear the HCKU entry as well as update the JSON configuration for the user’s installation. Fortunately, JSON is relatively easy to manipulate, so we can just run the values through PowerShell and ta-da!
# If Teams autorun entry exists, remove it $TeamsAutoRun = (Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -ea SilentlyContinue)."com.squirrel.Teams.Teams" if ($TeamsAutoRun) { Remove-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name "com.squirrel.Teams.Teams" } # Stop Teams before modifying config Stop-Process -Name Teams -EA SilentlyContinue # Teams Config Data $TeamsConfig = "$env:APPDATA\Microsoft\Teams\desktop-config.json" $TeamsConfigData = Get-Content $TeamsConfig -Raw -ea SilentlyContinue | ConvertFrom-Json # If Teams already doesn't have the autorun config, exit If ($TeamsConfigData) { If ($TeamsConfigData.appPreferenceSettings.openAtLogin -eq $false) { # It's already configured to not startup exit } else { # If Teams hasn't run, then it's not going to have the openAtLogin:true value # Otherwise, replace openAtLogin:true with openAtLogin:false If ($TeamsConfigData.appPreferenceSettings.openAtLogin -eq $true) { $TeamsConfigData.appPreferenceSettings.openAtLogin = $false } else # If Teams has been intalled but hasn't been run yet, it won't have an autorun setting { $Values = ($TeamsConfigData.appPreferenceSettings | GM -MemberType NoteProperty).Name If ($Values -match "openAtLogin") { $TeamsConfigData.appPreferenceSettings.openAtLogin = $false } else { $TeamsConfigData.appPreferenceSettings | Add-Member -Name "openAtLogin" -Value $false -MemberType NoteProperty } } # Save $TeamsConfigData | ConvertTo-Json -Depth 100 | Out-File -Encoding UTF8 -FilePath $TeamsConfig -Force } }
Additional Resources
Since we’re managing an application that starts automatically, you may find that you need to manage the login script processing behavior (such as setting it to synchronous) to ensure this config happens before Teams starts and resets the config. It may also make sense to make it a logoff script as well. Your mileage may vary, so you may find some help in these links in configuring synchronous processing.
https://blogs.technet.microsoft.com/askds/2010/03/23/group-policy-script-processing-behavior/
https://superuser.com/questions/1430596/windows-10-v1809-ignores-configure-logon-script-delay-gpo-2
You can also configure with Intune, if you’re so inclined: https://osddeployment.dk/2019/08/10/use-admx-policy-to-prevent-microsoft-teams-from-starting-automatically-after-installation-with-intune/
Last line in the script saves the JSON file in an incorrect format (UTF-16 LE) which the application does not recognize (in my case Windows 10 1903 build 18362.295 and Microsoft Teams 1.2.00.22654)
Don’t forget that the application must be closed in order to execute this script so add the line
Stop-Process -name Teams
And in order to save the file using UTF-8 replace the last line:
$TeamsConfigData | ConvertTo-Json -Depth 100 | Out-File $TeamsConfig -Force
with:
$TeamsConfigData | ConvertTo-Json -Depth 100 | Out-File -Encoding default $TeamsConfig -Force
Interesting–of course, “it worked in the lab” on my machine. 🙂 I’ve updated it to force it to UTF8 in the output and to stop the teams process. Thanks for the suggestions!