Improve Install options - Install for all users and install location
Raising this again as Microsoft closed the previous request, saying it was complete even though it was not. (link below)
Teams should install to the program files directory, not the users AppData.
And NO, the answer is not to put a copy of the MSI in Pogram Files and deploy to the users AppData when they login.
Gary Law commented
Note the NCSC guidance *was discussed and agreed with Microsoft Security*.
Applications MUST install in locations an unprivileged user cannot write to. Preventing applications from running from user writable locations is an effective and simple security control which Teams completely undermines.
Pete Westlake commented
All UK public sector bodies are instructed to follow NCSC End User Device Guidance (which is essentially just good practice) https://www.ncsc.gov.uk/guidance/eud-security-guidance-windows-10-1709#applicationwhitelistingsection which instructs enterprises not to install applications to locations where users can write files - which includes AppData. Opening up AppData to allow users to run any application is a massive security hole, but whitelisting by application ID is no way to permit it to run as this can change. Please stop ignoring the feedback on user voice and change the way the installer works so that the application is installed to Program Files. AppData should be for just that - data relating to applications.
Just testing this in a school environment and it's a shambles.
We NEED an enterprise solution with a regulated update stream. Just like every other Office product.
Dan Kellett commented
Another pain the current solution causes is disk space usage. Teams uses a non trivial amount of disk space.
Jude De Souza commented
Please could somebody send me the link to the EUD NCSC Guidance article that references why using AppData rather than Program Files means the Teams application is not Enterprise ready or why there is cause for concern? Thank you.
What's the point? commented
This initiative is never going to get up... first Warren closed the original as completed even though it was not even close to the mark, then everywhere else it gets mentioned MS either point to newly created requests or ask people to create a new request.
Why are all of these requests for the same functionality not consolidated? Is it a deliberate approach to make it appear a less desirable option, to help drive your own agenda?
I was really frustrated to see that the previous feedback was closed. Even more frustrated to find there is no way to query the closure/resolution.
Reading the feedback, it was clear what was being asked for. Admins do not want installations into user profiles. I would love to hear Microsoft's reasoning behind this!!
Not only does it consume unnecessary space in a users' profile, consume additional bandwidth for every download/update, it's just not manageable from an admin perspective.
If someone uninstalls the app after it has been deployed via MSI, and then they want to start using it, we have to **** about with cleanup scripts on a per user basis? Why?
What's wrong with a traditional program files installation?
We are only just testing Teams, and before I'd even looked at deployment options, you know how I found out about it's install process? I was shadowing a user on a server that did not have it installed, and I saw they were running Teams! I had a look at the file location and it turned out it was in their profile. I was disgusted to see that this had been installed and used without our knowledge. Google saw the error of their ways with this and gave enterprises a proper MSI installer, why can Microsoft not do the same?
Agree. The original request was not completed. This is so egregious it is borderline willful misconduct. A per-machine installation of the application, with no executables in program files, to support VDI environments, Configuration Manager inventory, with an MSI installation, as per industry standards. Microsoft Office does not have a Per-User installation. Neither should Microsoft Teams.
Martin Godfrey commented
I agree with all of the statements I've read. Teams will be a valuable communications to our Business, however I cannot stress the pathetic way it is installed. We use Citrix with Appsense (Ivanti) Application Control. All users are users, not admins, yet the Teams install wants to punch its way through all the security procedures we have in place. And we all wonder why how Malware is installed. Left Microsoft ruin your security strategy and allow these holes from the malware to be installed. Come on Microsoft - you need to rethink how Teams is installed. This is a great tool but you are so spoiling the experience for admins. Address the installation as soon as possible.
How could they close the original request and call it done? Either stupidity or arrogance... I'm going with arrogance given their recent track record.
Julian Knight commented
Agree with the other comments that the approach taken by the MSI "installer" is appalling.
Teams is NOT a consumer too but an enterprise one - Microsoft, you need to behave like you understand what an enterprise tool is.
Installing to appdata creates massive bloat in roaming profiles and may be unworkable for people in locked down enterprise environments. Or indeed in locked down environments in general.
I can vouch for the huge amount of disruption the teams installation is causing for teachers in lessons. We were at a point where staff were using the online version and had adopted the useful features it has to offer. Sadly, once I installed teams across the site, (following some testing on a VM), we have had a very disappointed group of staff who have complained about severe performance impacts after logging in. So, I thought it would be easy to remove, or at least stop from runnning at startup - sadly this was not the case at all. There are NO options to prevent it running from startup AFTER installing. Provision of some ADMX templates, (like onedrive) would have been really useful so we could at least have some control on a per user basis.
Anyway, I looked into removing it due to the disruption we had experienced across our site but as seems to be the way with this new array of apps, we are forced to either devise and run a script at login and remove it from appdata, thus slowing down user login times, or trawling various forums and articles who all seem to be venting the same concerns.
For the sake of this almighty headache I've probably acquired due to stress this has caused, PLEASE SORT THIS OUT!
S. Fischer commented
We were about to switch to Teams for most of our communication, but not being able to install ONE copy per PC to ProgramFiles has put a screeching halt on these intentions. We will not be using Teams until this is possible, with the reasons being iterated by many others.
Again: It's NOT ok to have one copy per user per pc in the name of "seamless updates" circumventing MS own policies and guidelines as to where stuff should go.
Jason Gould commented
Have left comments here, github, microsoft teams youtube videos, IT community forums, and so on. I'm legitimately tired of asking. My only hope now is that they release a windows store app that I can whitelist.
this, and I'm borderline angry that the same request was CLOSED as completed here:
anyone who reads this, please @MicrosoftTeams & @Office365 on Twitter to make this public.
Daniel Milisic commented
Hard to believe I can't instal Teams globally for all users on a machine. How do i publish Teams as a RemoteApp? This is insane, please fix this!
until this behaviour is changed we will not be using Teams in out education environment.
Agree, and the youtube movie released on the 13:th of september does not show any good changes... https://www.youtube.com/watch?v=zp1_wGzq1ic
Agree, on a Remote desktop server this is not ideal.
They have marked this as fixed but are not addressing the fact that it has to be installed via appdata for every user. I think this is there way of pushing updates.