Improve Install options - Install for all users and install location
Raising this again as Microsoft closed the previous request, saying it was complete even though it was not. (link below)
Teams should install to the program files directory, not the users AppData.
And NO, the answer is not to put a copy of the MSI in Program Files and deploy to the users AppData when they login.
I haven't read all the comments but my two cents on why this needs to become a single install... profiles take up space. Currently a computer lab where the students all sign into random machines. This creates a new install for each user and they all seem to have inflated to around 1GB of space. Doesn't seem like much, but when you have 60-70 or more students logging in, that's a lot of HD space. We don't have the money to be putting 500 GB or 1 TB drives in every computer (especially mobile labs)!
I agree entirely with the above comments on bad design/process etc. but it is quite easy to secure with AppLocker:
Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Product Name: MICROSOFT TEAMS
This should allow it to run and update securely for non-admin users.
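The publisher rule from the comment above, written out as an AppLocker policy in audit mode and evaluated against the per-user Teams binaries without applying it. This is an added example, not part of the original thread; the rule Id, rule name, temporary file name and the per-user Teams folder under %LOCALAPPDATA% are assumptions.

```powershell
# Added example: AppLocker publisher rule using the Publisher and Product Name
# values quoted in the comment. The Id GUID and rule name are constructed.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="00000000-0000-4000-8000-000000000001"
                       Name="Allow signed Microsoft Teams"
                       Description="Publisher rule, any file name and version"
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition
            PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="MICROSOFT TEAMS" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Write the policy to a file so it can be tested before it is merged anywhere.
$policyPath = Join-Path $env:TEMP 'teams-publisher-rule.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Assumed per-user install folder; adjust if Teams lives elsewhere in the profile.
$teamsDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Teams'
$candidates = Get-ChildItem -Path $teamsDir -Filter *.exe -Recurse -ErrorAction SilentlyContinue

# Evaluate each executable against the policy file. Signed Teams binaries should
# report Allowed with the rule name; anything else in the folder that does not
# carry the same publisher and product name reports DeniedByDefault.
$candidates | ForEach-Object {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $_.FullName -User Everyone
} | Select-Object FilePath, PolicyDecision, MatchingRule
```

Because the rule matches on signature and product name rather than on a path, it does not make the AppData folder itself an allowed location; only files signed with that publisher and product name match.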
Stop the nonsense and make the app install in Program Files....
Software needs to go to Program Files!!! Best practice in every single IT and Security standard in the world.
Copying an installer to Program Files and having that unpack the actual software to AppData is NOT a solution. Please get rid of the product manager who approved that method and fix this so Enterprises who give a **** about security can start adopting Teams.
First of all, closing the comments on the other (linked) user voice is just ignorant. Microsoft, you cannot deploy a feature half-assed and then shut your ears from any rightful criticism. When will you learn that this ****** us off?
Back to topic. The current machine-wide MSI installer is garbage. Here is what I expect from a proper MSI installer:
1. It installs to Program Files.
2. It installs the software to any user with new or existing user profiles.
3. I don't have to do any cleanup (script or not) if I want to re-install the software.
Cris Kolkman commented
I also need to deploy this in an RDS environment and indeed the link with the MSI "solution" Anonymous provided is NOT working:
This is really something that NEEDS to be fixed by Microsoft.
How is it that 6 months after this, there isn't even an acknowledgement statement from Microsoft? Why develop a user voice platform if you don't want to hear your users' voice?!
@Microsoft I'm in the process of evaluating Teams and from an admin standpoint it is not reasonable to have an application like this residing in appdata.
Please give us a good reason why you did it the way it is that beats at least the arguments of security issues (executing from appdata) and disk space issues (multiple copies of the same thing).
@Microsoft; what is the last status of this? We also see problems with the lack of this feature but really want to make use of Microsoft Teams desktop client throughout the company. When can we expect a solution?
Until we have this, we will not deploy teams and hang on to "legacy" Skype for as long as possible (should apply to OS X too). We have 8,500 devices. 4500 of these are shared by 17,000 users who get a fresh profile every time they login! There needs to be a device based installation!
Gary Law commented
Note the NCSC guidance *was discussed and agreed with Microsoft Security*.
Applications MUST install in locations an unprivileged user cannot write to. Preventing applications from running from user writable locations is an effective and simple security control which Teams completely undermines.
Pete Westlake commented
All UK public sector bodies are instructed to follow NCSC End User Device Guidance (which is essentially just good practice) https://www.ncsc.gov.uk/guidance/eud-security-guidance-windows-10-1709#applicationwhitelistingsection which instructs enterprises not to install applications to locations where users can write files - which includes AppData. Opening up AppData to allow users to run any application is a massive security hole, but whitelisting by application ID is no way to permit it to run as this can change. Please stop ignoring the feedback on user voice and change the way the installer works so that the application is installed to Program Files. AppData should be for just that - data relating to applications.
Just testing this in a school environment and it's a shambles.
We NEED an enterprise solution with a regulated update stream. Just like every other Office product.
Dan Kellett commented
Another pain the current solution causes is disk space usage. Teams uses a non-trivial amount of disk space.
Jude De Souza commented
Please could somebody send me the link to the EUD NCSC Guidance article that references why using AppData rather than Program Files means the Teams application is not Enterprise ready or why there is cause for concern? Thank you.
What's the point? commented
This initiative is never going to get up... first Warren closed the original as completed even though it was not even close to the mark, then everywhere else it gets mentioned MS either point to newly created requests or ask people to create a new request.
Why are all of these requests for the same functionality not consolidated? Is it a deliberate approach to make it appear a less desirable option, to help drive your own agenda?
I was really frustrated to see that the previous feedback was closed. Even more frustrated to find there is no way to query the closure/resolution.
Reading the feedback, it was clear what was being asked for. Admins do not want installations into user profiles. I would love to hear Microsoft's reasoning behind this!!
Not only does it consume unnecessary space in a user's profile, consume additional bandwidth for every download/update, it's just not manageable from an admin perspective.
If someone uninstalls the app after it has been deployed via MSI, and then they want to start using it, we have to **** about with cleanup scripts on a per user basis? Why?
What's wrong with a traditional program files installation?
We are only just testing Teams, and before I'd even looked at deployment options, you know how I found out about its install process? I was shadowing a user on a server that did not have it installed, and I saw they were running Teams! I had a look at the file location and it turned out it was in their profile. I was disgusted to see that this had been installed and used without our knowledge. Google saw the error of their ways with this and gave enterprises a proper MSI installer, why can Microsoft not do the same?
Agree. The original request was not completed. This is so egregious it is borderline willful misconduct. A per-machine installation of the application, with no executables in program files, to support VDI environments, Configuration Manager inventory, with an MSI installation, as per industry standards. Microsoft Office does not have a Per-User installation. Neither should Microsoft Teams.
Martin Godfrey commented
I agree with all of the statements I've read. Teams will be a valuable communications to our Business, however I cannot stress the pathetic way it is installed. We use Citrix with Appsense (Ivanti) Application Control. All users are users, not admins, yet the Teams install wants to punch its way through all the security procedures we have in place. And we all wonder how Malware is installed. Let Microsoft ruin your security strategy and allow these holes from the malware to be installed. Come on Microsoft - you need to rethink how Teams is installed. This is a great tool but you are so spoiling the experience for admins. Address the installation as soon as possible.
How could they close the original request and call it done? Either stupidity or arrogance... I'm going with arrogance given their recent track record.