Windows 10 1607: Keeping apps from coming back when deploying the feature update


For those of you that have deployed Windows 10 1511, you're probably already starting to work with Windows 10 1607, getting ready for initial pilot deployments so that you’re ready for broad deploying of Windows 10 1607 in the coming months.  As part of that work, you would notice that apps you had removed from Windows 10 1511, e.g. Xbox and Sports, come back as part of the feature update installation process (regardless of how you install it – WU, WSUS, ConfigMgr, MDT, media, etc. all behave the same).

We’re working on solving this particular issue in a future feature update.  But for now, there are some workarounds that you can use.  First, let’s look at the two main scenarios for feature updates:

  • Those that leverage VL media, e.g. ISOs downloaded from VLSC.  These are the simplest, as you can modify the INSTALL.WIM file to remove the apps you don’t want, then use the modified image to do the upgrades.  This works well with ConfigMgr task sequences, MDT task sequences, and other installations where you run SETUP.EXE with command-line switches.
  • Those that leverage update packages published via WU or WSUS.  These are harder, because you can’t modify the ESD files that are being used.  So as an alternative, you need to remove the apps (again) after the new OS is installed, but ideally before the first user logs into the device.  This works well with Windows Update for Business, WSUS, and ConfigMgr current branch Windows 10 Servicing deployments.

Let’s look at both of those in a little more detail.

 

Modifying the INSTALL.WIM

To make the needed modifications to the INSTALL.WIM, first you need to extract the contents of the .ISO file that you downloaded from VLSC and make sure that the files aren’t marked read-only (since you need to make changes to them).  That can be done by mounting the .ISO in Explorer (assuming you’re running Windows 10 already, since it supports that).  Then from an elevated PowerShell session, you can run the following commands (substituting your own paths):

Mount-WindowsImage -Path C:\Mount -ImagePath c:\media\sources\install.wim -Index 1
Remove-AppxProvisionedPackage -Path C:\Mount -PackageName Microsoft.XboxApp_2016.728.453.0_neutral_~_8wekyb3d8bbwe
Dismount-WindowsImage -Path C:\Mount -Save

In this example, C:\Mount is an empty folder where the WIM will be mounted.  Since I’m using a Windows 10 Enterprise 1607 WIM, there is only one image index, so I can specify index 1.  And I’m removing the Xbox app.  I can repeat the Remove-AppxProvisionedPackage command as many times as needed.  Use “Get-AppxProvisionedPackage -Path C:\Mount” to get a list of apps.  Or if you want to use something a little more dynamic, see the example script in the Removing Windows 10 in-box apps during a task sequence blog post.

 

Cleaning up apps after installing the feature update

So what options are available for after-the-fact cleanup of the apps, given that the goal is to remove the provisioned apps before a user first logs in (which would result in the apps installing for that user)?  There are probably a few, but there are two that stand out:

In either case, it would be good to run a PowerShell script that issues a command like:

Remove-AppxProvisionedPackage -Online -PackageName Microsoft.XboxApp_2016.728.453.0_neutral_~_8wekyb3d8bbwe

repeating that for each app that you want to remove.  (And again, see Removing Windows 10 in-box apps during a task sequence for more sophisticated scripts.)

 

Summary

Those are the high-level steps needed to remove the apps.  If you need more details, let me know and I can provide more complete examples.

Also remember that some apps aren’t in-box but are instead installed from the Windows Store when a user signs on for the first time.  See https://blogs.technet.microsoft.com/mniehaus/2015/11/23/seeing-extra-apps-turn-them-off/ for more details on that, and keep in mind that some of the policies related to this aren’t supported in Windows 10 Pro version 1607 and later; see https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions for the specifics.

Comments (12)
  1. Dutch says:

    Michael- Great advice as always. Any thoughts on the Paid Wifi & Cellular app? Does not show up under the Get-AppxProvisionedPackage listing and the Turn off Microsoft consumer experiences GPO is not disabling it.

    1. Great article Michael - was wondering if this was something that would be coming around for Enterprise customers. I'd love to see some examples of this being used for circumstances where the original WIM was not modified. Would I be assuming correctly that in using the "Windows 10 Servicing" model in SCCM Current Branch that apps would be restored?

      Dutch - I believe the "Paid WiFi & Cellular" app is Microsoft.OneConnect. Give that a try and see if it works.

      1. Dutch says:

        Matt- You are correct, thank you!

  2. MyGposts says:

    What about laptops that are used remotely and get upgraded to 1607 via WUB or WSUS and not a customized WIM file?
    How can we get the apps removed remotely?
    We would need the apps removed as soon as the upgrade completes?

    Would configuring an AppLocker policy to deny access to these apps before the laptops get upgraded prevent the apps from getting provisioned after the upgrade?

  3. I actually attended Windows 10 Setup and Deployment Internals event a few weeks ago when Michael first brought this issue up. Since then I took the liberty to modify his RemoveApps.ps1 script for a customer to serve the exact same purpose. While the whole process is very simple, I am attaching the script below in case anybody is looking for a "ready to go" solution

    https://www.dropbox.com/s/xeahun3fjf0yhxe/MDT-WIMServicing.ps1?dl=0

    @Dutch: if a provisioned app does not show app, you may need to use Applocker to get rid of it (if you are using an Enterprise SKU that is).

    @Matt: correct, using W10 Servicing in SCCM would restore all in-box apps (and possibly add new ones). You will need to remove apps "online" after the initial upgrade and then possibly deploy a customized start screen layout. From my own experience Applocker might block Installation of those apps, but you might still get the tiles in the start menu plus numerous errors in the event logs related to failed app Installation.

  4. EricE says:

    Thanks for removing the ability to control apps via GPO for Windows Pro users! What a convenient "bug" to really pour some salt in there and just grind on it. Ugh...

  5. G says:

    Micheal, as always great article!! I am having a hell of a time trying to create ref image of Win10v1607. I would prefer to use the MDT option you described here: https://blogs.technet.microsoft.com/mniehaus/2015/12/31/updated-remove-apps-script-and-a-workaround/. PS1 script is not running in offline mode so i have added step to my TS to copy the powershell.exe.config file, but where do i get that .config file from?
    Also having issues with Search once the apps have been removed and .wim is created (in mDT). For ALL new users, the search bar is not working. Any help would be appreciated!

  6. TribleTrouble says:

    This is a good solution, but i will stick to using applocker for blocking apps. I still have to deploy my custom start menu using the task sequence though, any news on the ability to use group policy to deploy user configurable start menus that include IE11?

  7. Ian says:

    Michael, as always thanks for providing useful information.

    I have to take a minute to vent however and ask why in the world the developers are insistent on trying to force these apps down our throat on Enterprise versions while not providing a clean way for us to manage these kind of "features" in the upgrade options? We went through the trouble of removing these apps from our Enterprise build (using your script no less, thanks again!) only to have to figure out a new way to remove them yet again just to update the build on existing machines. It is extremely frustrating to feel like enterprise usage is an afterthought with some of these design choices Microsoft is making recently.

    Anyway, I appreciate your hard work in trying to look out for us MDT administrators and providing helpful tips to work around these "features". Do try to pass these frustrations along if you have the opportunity though. 🙂

    1. ConfigMatt says:

      @Michael and everyone else thank you! @Ian you are correct in your vent, this App push on the Enterprise site has made my C-suite shake their head in disapproval of Windows 10. Please don't let Windows Server 2016 RTM appear with a bunch of consumer apps too.

  8. Alan Dooley says:

    Great article, thanks. From this we can see that using a TS to perform the 1511 to 1607 seems most practical but it isn't so friendly from an end user perspective, especially as the warning still says it will remove all user data resulting in many people hitting cancel. I think I'll try with the scheduled task option or use other UEM tools to run the removal at startup.

  9. Dave S. says:

    Thank you, Michael. You are one of the good ones.

    However, your employer needs to get a clue about how companies work. Some executives are seriously discussing tossing Windows after 2019. That's not my speculation. I have heard it first-hand.

    These sort of issues needed to be worked out before you released Windows 10. I am tired of trying to defend Microsoft. A year ago I could point to the newness of Windows 10 as an excuse. A year later, and that excuse starts to wear thin.

    I want to stay with Windows products, but unless you guys straighten up, the decision to go to Chromebooks will be out of my hands.

Comments are closed.

Skip to main content