We have updates for Webex Meetings pushed to all devices, so I was surprised to get a ping from our Security Team because we have a significant number of vulnerable devices flagged in Microsoft Defender for Endpoint.
After digging into it, I can see that all of the impacted PCs have Webex Meetings installed under a user profile rather than as a system-wide installation. The uninstall information is stored under `HKEY_USERS\<User>\Software\Microsoft\Windows\CurrentVersion\Uninstall\ActiveTouchMeetingClient`, and I've yet to find any affected devices where it's installed under HKLM.
I can also see that the PMPC Webex Meetings updates are configured to install in the **System** context in the Portal, and there doesn't appear to be a **User** option.
Has anyone come across this before, or have any suggestions on the best way to deal with it?
One thing I considered was deploying the latest version to these devices and using `Uninstall-Software.ps1` as a pre-install script. However, from reviewing the script it looks like you can search HKCU, but surely that won't work when Intune runs it as **SYSTEM**, as the current user would be SYSTEM rather than the affected user profile?
Unfortunately, the Webex user install will still register itself in HKLM when installed as system. We do have a workaround, and it is similar to what you suggested. We have a pre-install script that uses PSADT to uninstall the user-based versions.
https://github.com/PatchMyPCTeam/Community-Scripts/tree/main/Install/Pre-Install/Remove-WebexSystemUser