Jaa


Windows 10 1607: Keeping apps from coming back when deploying the feature update

For those of you that have deployed Windows 10 1511, you're probably already starting to work with Windows 10 1607, getting ready for initial pilot deployments so that you’re ready for broad deploying of Windows 10 1607 in the coming months.  As part of that work, you would notice that apps you had removed from Windows 10 1511, e.g. Xbox and Sports, come back as part of the feature update installation process (regardless of how you install it – WU, WSUS, ConfigMgr, MDT, media, etc. all behave the same).

We’re working on solving this particular issue in a future feature update.  But for now, there are some workarounds that you can use.  First, let’s look at the two main scenarios for feature updates:

  • Those that leverage VL media, e.g. ISOs downloaded from VLSC.  These are the simplest, as you can modify the INSTALL.WIM file to remove the apps you don’t want, then use the modified image to do the upgrades.  This works well with ConfigMgr task sequences, MDT task sequences, and other installations where you run SETUP.EXE with command-line switches.
  • Those that leverage update packages published via WU or WSUS.  These are harder, because you can’t modify the ESD files that are being used.  So as an alternative, you need to remove the apps (again) after the new OS is installed, but ideally before the first user logs into the device.  This works well with Windows Update for Business, WSUS, and ConfigMgr current branch Windows 10 Servicing deployments.

Let’s look at both of those in a little more detail.

 

Modifying the INSTALL.WIM

To make the needed modifications to the INSTALL.WIM, first you need to extract the contents of the .ISO file that you downloaded from VLSC and make sure that the files aren’t marked read-only (since you need to make changes to them).  That can be done by mounting the .ISO in Explorer (assuming you’re running Windows 10 already, since it supports that).  Then from an elevated PowerShell session, you can run the following commands (substituting your own paths):

Mount-WindowsImage -Path C:\Mount -ImagePath c:\media\sources\install.wim -Index 1
Remove-AppxProvisionedPackage -Path C:\Mount -PackageName Microsoft.XboxApp_2016.728.453.0_neutral_~_8wekyb3d8bbwe
Dismount-WindowsImage -Path C:\Mount -Save

In this example, C:\Mount is an empty folder where the WIM will be mounted.  Since I’m using a Windows 10 Enterprise 1607 WIM, there is only one image index, so I can specify index 1.  And I’m removing the Xbox app.  I can repeat the Remove-AppxProvisionedPackage command as many times as needed.  Use “Get-AppxProvisionedPackage -Path C:\Mount” to get a list of apps.  Or if you want to use something a little more dynamic, see the example script in the Removing Windows 10 in-box apps during a task sequence blog post.

 

Cleaning up apps after installing the feature update

So what options are available for after-the-fact cleanup of the apps, given that the goal is to remove the provisioned apps before a user first logs in (which would result in the apps installing for that user)?  There are probably a few, but there are two that stand out:

  • Create a scheduled task that runs a PowerShell script that removes the unwanted apps at startup.  The simplest option is to try to remove the extra apps each time the computer restarts.  If the apps aren’t there, the script doesn’t need to do anything.
  • Create a batch file that is run right after the upgrade successfully completes.  For that to work, you have to create a SetupConfig.ini file that specifies:

[SetupConfig]
PostOOBE=C:\Cleanup.cmd

In either case, it would be good to run a PowerShell script that issues a command like:

Remove-AppxProvisionedPackage -Online -PackageName Microsoft.XboxApp_2016.728.453.0_neutral_~_8wekyb3d8bbwe

repeating that for each app that you want to remove.  (And again, see Removing Windows 10 in-box apps during a task sequence for more sophisticated scripts.)

 

Summary

Those are the high-level steps needed to remove the apps.  If you need more details, let me know and I can provide more complete examples.

Also remember that some apps aren’t in-box but are instead installed from the Windows Store when a user signs on for the first time.  See https://blogs.technet.microsoft.com/mniehaus/2015/11/23/seeing-extra-apps-turn-them-off/ for more details on that, and keep in mind that some of the policies related to this aren’t supported in Windows 10 Pro version 1607 and later; see https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions for the specifics.

Comments

  • Anonymous
    August 23, 2016
    Michael- Great advice as always. Any thoughts on the Paid Wifi & Cellular app? Does not show up under the Get-AppxProvisionedPackage listing and the Turn off Microsoft consumer experiences GPO is not disabling it.
    • Anonymous
      August 23, 2016
      Great article Michael - was wondering if this was something that would be coming around for Enterprise customers. I'd love to see some examples of this being used for circumstances where the original WIM was not modified. Would I be assuming correctly that in using the "Windows 10 Servicing" model in SCCM Current Branch that apps would be restored?Dutch - I believe the "Paid WiFi & Cellular" app is Microsoft.OneConnect. Give that a try and see if it works.
      • Anonymous
        August 24, 2016
        Matt- You are correct, thank you!
  • Anonymous
    August 23, 2016
    What about laptops that are used remotely and get upgraded to 1607 via WUB or WSUS and not a customized WIM file?How can we get the apps removed remotely?We would need the apps removed as soon as the upgrade completes?Would configuring an AppLocker policy to deny access to these apps before the laptops get upgraded prevent the apps from getting provisioned after the upgrade?
  • Anonymous
    August 23, 2016
    The comment has been removed
  • Anonymous
    August 25, 2016
    The comment has been removed
  • Anonymous
    August 29, 2016
    The comment has been removed
  • Anonymous
    September 02, 2016
    This is a good solution, but i will stick to using applocker for blocking apps. I still have to deploy my custom start menu using the task sequence though, any news on the ability to use group policy to deploy user configurable start menus that include IE11?
  • Anonymous
    September 07, 2016
    Michael, as always thanks for providing useful information.I have to take a minute to vent however and ask why in the world the developers are insistent on trying to force these apps down our throat on Enterprise versions while not providing a clean way for us to manage these kind of "features" in the upgrade options? We went through the trouble of removing these apps from our Enterprise build (using your script no less, thanks again!) only to have to figure out a new way to remove them yet again just to update the build on existing machines. It is extremely frustrating to feel like enterprise usage is an afterthought with some of these design choices Microsoft is making recently.Anyway, I appreciate your hard work in trying to look out for us MDT administrators and providing helpful tips to work around these "features". Do try to pass these frustrations along if you have the opportunity though. :)
    • Anonymous
      September 08, 2016
      The comment has been removed
  • Anonymous
    September 09, 2016
    Great article, thanks. From this we can see that using a TS to perform the 1511 to 1607 seems most practical but it isn't so friendly from an end user perspective, especially as the warning still says it will remove all user data resulting in many people hitting cancel. I think I'll try with the scheduled task option or use other UEM tools to run the removal at startup.
  • Anonymous
    September 12, 2016
    Thank you, Michael. You are one of the good ones.However, your employer needs to get a clue about how companies work. Some executives are seriously discussing tossing Windows after 2019. That's not my speculation. I have heard it first-hand.These sort of issues needed to be worked out before you released Windows 10. I am tired of trying to defend Microsoft. A year ago I could point to the newness of Windows 10 as an excuse. A year later, and that excuse starts to wear thin.I want to stay with Windows products, but unless you guys straighten up, the decision to go to Chromebooks will be out of my hands.