When updating Microsoft Teams to the latest version, you receive an Admin Approval message like the one below.
The customer has enabled AA + Enforce Admin Approval for installers …
But when MS Teams attempts to update, Windows runs a helper process (msiexec.exe without any arguments, as SYSTEM). This msiexec.exe creates another child process (msiexec -embedding {GUID}), and Admin Approval correctly classifies it as an installer and intercepts it as expected.
PolicyPak Least Privilege Manager now has a parent process condition in its explicit policies. Therefore you can instruct PolicyPak Least Privilege Manager to securely elevate a command like msiexec -embedding *, if it is known that its parent is also msiexec.exe and is signed by Microsoft.
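To confirm on an endpoint that the processes this rule would elevate really meet those conditions, the following PowerShell check lists running msiexec -embedding processes and tests whether each parent is msiexec.exe with a valid Microsoft signature. It is an added example, not PolicyPak's own code; it assumes an elevated prompt, and the publisher test on the certificate subject is an approximation, not how PolicyPak evaluates the signature condition.

```powershell
# Added example: audit running "msiexec -embedding" processes against the
# conditions described above (parent is msiexec.exe and signed by Microsoft).
# Run elevated, otherwise CommandLine and ExecutablePath of SYSTEM processes are empty.

function Test-MicrosoftSigned {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Assumption: "signed by Microsoft" is approximated by a valid signature whose
    # signer subject names Microsoft Corporation.
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

$all   = @(Get-CimInstance -ClassName Win32_Process)
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

# Children of interest: msiexec.exe started with -Embedding (or /Embedding).
$children = $all | Where-Object {
    $_.Name -eq 'msiexec.exe' -and $_.CommandLine -match '\s[-/]embedding\s'
}

foreach ($child in $children) {
    $parent = $byPid[[uint32]$child.ParentProcessId]
    # Guard against PID reuse: a genuine parent started before its child.
    if ($parent -and $parent.CreationDate -gt $child.CreationDate) { $parent = $null }

    $parentIsMsiexec = [bool]($parent -and $parent.Name -eq 'msiexec.exe')
    $parentSigned    = [bool]($parent -and (Test-MicrosoftSigned $parent.ExecutablePath))

    [pscustomobject]@{
        ChildPid        = $child.ProcessId
        ChildCommand    = $child.CommandLine
        ParentPid       = $child.ParentProcessId
        ParentPath      = if ($parent) { $parent.ExecutablePath } else { '<exited or unknown>' }
        ParentIsMsiexec = $parentIsMsiexec
        ParentSigned    = $parentSigned
        MatchesRule     = $parentIsMsiexec -and $parentSigned
    }
}
```

The msiexec -embedding processes are short-lived, so run the check while the Teams update is in progress. Any row with MatchesRule set to False is a process the parent process condition would not cover.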
The manual steps to generate the XML are:
Additionally, you will need a PolicyPak Least Privilege Manager UWP Policy which specifies “Any UWP app allowed” as follows…
Or you can specify some applications which appear to be required during a Teams upgrade.
You can use this XML, which is coded for Computer-side policy, to accomplish the goals stated in this Workaround #1.
Using PolicyPak Scripts and Triggers, create the 2 separate PowerShell policies as shown in the screenshots below.
Note: If you are not licensed for PolicyPak Scripts & Triggers, you can still use Workaround 1 by creating the policies below in Microsoft Group Policy using regular computer-side or user-side scripts.
Policy 1: PowerShell script scoped to MACHINE that removes all versions of MS Teams that are currently installed on the endpoint.
Policy 2: PowerShell script scoped to USER that installs the latest version of MS Teams.
Note: You will need to update the path to the latest version of the MS Teams file for your environment in policy #2; see below.
PolicyPak Scripts & Triggers policy XML is attached.
Using PolicyPak Least Privilege Manager, create the 2 separate policies as shown in the screenshots below.