In previous versions of Windows 10, before 1703, built-in apps that couldn’t be uninstalled could still be blocked with AppLocker so that they never got installed, and it has worked great! With Windows 10 1703 there are two apps that I have identified as not being able to uninstall; it is not a Windows Capability which we can block that way. The result I am seeing when blocking, for instance, Connect and Mixed Reality Portal using AppLocker is this.
NOTE: This should NOT be used with Windows 10 1709 as it will block installation of Cumulative Updates!!
To make it possible to install the Cumulative Update we need to put back the files we removed, then install KB4051963.
Here is a script that can be run before applying the update to copy back the files needed.
# Script to put back stubborn apps
#
# If the app folder is still present, take ownership, grant SYSTEM full control and remove it
$FolderExist = Test-Path C:\Windows\SystemApps\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy
If ($FolderExist -eq $True) {
    takeown /f C:\Windows\SystemApps\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\*.*
    icacls C:\Windows\SystemApps\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\*.* /grant 'System:(F)'
    Remove-Item -Path C:\Windows\SystemApps\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy -Recurse
}
# Copy the app folders stored next to this script back into SystemApps, skipping the script itself
$me = $MyInvocation.MyCommand.Name
Copy-Item -Path "$($PSScriptRoot)\*" -Destination "C:\Windows\SystemApps" -Recurse -Force -Exclude "$($me)" -ErrorAction Stop
Take the folders that we removed from another Windows 10 1709 machine and place them in the same folder as the script, so it looks like this. It can then be deployed using a package/program.
*******************************************************************
Me and Johan Schewelius wrote a small .cmd file that simply deletes the app after the image has been applied on the disk during OS deployment and then the app is simply never installed.
This is highly unsupported so use it at your own risk!
And from the Task Sequence we call it after the Operating System has been applied.
Then the app cannot be installed during setup.
Again this is unsupported use at your own risk!!
Hi Jörgen
Neither Remove-AppxPackage, Remove-WindowsCapability nor AppLocker works to disable these built-in apps or prevent them from starting.
Your way/solution would work… technically. But it could be a supported way from MSFT as well. Did you hear something at MMSMOA, Techorama conferences? 😉
Cheers from SUI, Akos
Hi,
In 1607 I was able to block the Connect app from appearing on the Start menu using AppLocker and denying the application. Sadly the AppLocker GUI is broken in 1703 (crashes when you try to create the rules) but hopefully they’ll fix it sometime soon; still not fixed in the latest CU for 1703.
So my theory is that AppLocker in 1703 is not working as intended right now. Do you know if it works even if the AppLocker GUI in 1703 is broken? I have a GPO with rules made in 1607 that is applied to my 1703 machines as well.
In 1703 Apps are installed in a different way to support the fact in 1709 that admin uninstalled builtin apps don’t come back when you do an inplace upgrade. So Applocker doesn’t work anymore.
Regards,
Jörgen
Well that sucks. Means there’s no easy way of blocking Apps anymore, other than using your method which probably works the best.
Thanks guys, I am not alone. It’s a nightmare to check on every build what is not working anymore :'(
Can you run this in MDT? If so, where would the drop-in be? State Restore?
Jörgen, first of all thanks for all the great work & content you and Johan publish. I was wondering if you could comment on the current situation on 1703 and the best way to simply get a clean _business_ Operating System. I’ve been playing around with various scripts; the most recent one I tried is from Nickolaj Andersen on scconfigmgr.com (http://www.scconfigmgr.com/2016/03/01/remove-built-in-apps-when-creating-a-windows-10-reference-image/). I’m still stuck with way too much. Some of the things I am stuck with can be removed with the approach in this post (thanks!) although a lot of the stuff is not located there.
My Get-AppXPackage results are below. Along with these I have Sway, Code Writer, Alarm and Clock, Connect, Get Help, Power BI, Network Test, Mixed Reality Portal – a fantastic app suggestion feature wondering if I want Karaoke(!) on a business OS. I am not able to remove the annoying welcome animations, and from what I can tell the XML approach to set file extensions no longer works? Edge just snagged back .PDF on my Test-VM.
Would be GREAT if someone could write a blog with updated info in one post on the various ways to get a normal looking business OS. It’s very time consuming to run through different approaches in various blogs/newsgroups (many are outdated) then try to google each annoying app you are still stuck with individually.
Any ideas or tips would be much appreciated.
Get-AppXPackage results:
46928bounde.EclipseManager
AdobeSystemsIncorporated.AdobePhotoshopExpress
D5EA27B7.Duolingo-LearnLanguagesforFree
Microsoft.BingNews
Microsoft.BingWeather
Microsoft.MSPaint
Microsoft.StorePurchaseApp
Microsoft.Windows.Photos
Microsoft.WindowsAlarms
Microsoft.WindowsCalculator
Microsoft.WindowsStore
Even though this works as far as the removal goes, it seems it would leave two non-functioning icons at the bottom of the Start menu that I can’t figure out how to remove.
https://www.dropbox.com/s/76aoi6fprixwgb6/StartMenu.JPG?dl=0
Any help with removing this is much appreciated.
Thank you,
Amir
AppLocker is working for me on 1709. We skipped 1703 entirely and are doing in place upgrades from 1607 to 1709. “Mixed Reality Portal” never installs in an upgrade scenario. If I apply the gpo to a virgin 1709 install, I get the normal “app has been blocked by system administrator” message when I click on it.
Hey Guys,
I ran this in my task sequence and it worked a treat, but when the latest cumulative update KB4051963 tried to install it would not complete the install and would roll back. Has anyone else seen this issue?
Hi,
Copying back the folder and files the script removed will make the Cumulative Update install again, and the Mixed Reality Portal will be installed again. I am testing right now and will write a post as soon as I can.
Regards,
Jörgen
Hi Jorgen,
Do you have any guidance for Windows 10 1709 for removing the Mixed Reality Portal? Removing would be optimal, hiding it from the Start Menu would be sufficient. Thanks in advance.
This can be easily done in Offline-Image mode:
Load the HKLM Hive and remove the following RegHives:
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.PPIProjection_10.0.17134.1_neutral_neutral_cw5n1h2txyewy]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.HolographicFirstRun_10.0.17134.1_neutral_neutral_cw5n1h2txyewy]
Once these keys are removed, which can be done with a normal Admin, no need to change ACLs, Windows 10 will install without Miracast and Mixed Reality Portal, no shortcuts in the StartMenu, and no errors. Can also be done in a SCCM task sequence.
Tested on 1703, 1709, 1803, 1809 🙂
Good Luck creating the ultimate Windows 10 Image 🙂
No Word Wrap on this site 🙁
Location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications
RegKeys to remove:
Microsoft.PPIProjection_10.0.17134.1_neutral_neutral_cw5n1h2txyewy
Microsoft.Windows.HolographicFirstRun_10.0.17134.1_neutral_neutral_cw5n1h2txyewy
Just remove the complete hives, create a new Install.wim, make an ISO and install 🙂
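
The offline edit described in the comment above, as an added example (not the commenter's or the blog author's script): it mounts the image, loads the offline SOFTWARE hive and removes the two InboxApplications keys by name prefix, so the version suffix in the key name does not have to match. The WIM path, image index, mount folder and the temporary hive name `OfflineSoftware` are assumptions; without `-Commit` it only lists the keys and discards the mount.

```powershell
# Added example, not from the original page. Paths and hive name are placeholders.
param(
    [string]$WimPath  = 'C:\Images\install.wim',   # assumed location of the image
    [int]   $Index    = 1,                          # assumed image index
    [string]$MountDir = 'C:\Mount',                 # assumed empty mount folder
    [switch]$Commit                                 # without it, report only
)

# Package name prefixes taken from the key names quoted in the comment
$Prefixes = 'Microsoft.PPIProjection_', 'Microsoft.Windows.HolographicFirstRun_'
$HiveName = 'OfflineSoftware'                       # temporary load point under HKLM
$Inbox    = "HKLM:\$HiveName\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications"

Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountDir -ErrorAction Stop | Out-Null
$save = $false
try {
    & reg.exe load "HKLM\$HiveName" "$MountDir\Windows\System32\config\SOFTWARE" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed' }
    try {
        # Select only the subkeys whose name starts with one of the prefixes
        $keys = Get-ChildItem -Path $Inbox -ErrorAction Stop | Where-Object {
            $name = $_.PSChildName
            $Prefixes | Where-Object { $name.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        }
        foreach ($key in $keys) {
            if ($Commit) {
                Remove-Item -Path $key.PSPath -Recurse -Force -ErrorAction Stop
                Write-Output "Removed       $($key.PSChildName)"
            } else {
                Write-Output "Would remove  $($key.PSChildName)"
            }
        }
        # Save the image only if every removal succeeded and something was removed
        $save = $Commit -and $keys
    }
    finally {
        # Release PowerShell's registry handles, otherwise reg unload is refused
        $keys = $null; $key = $null
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$HiveName" | Out-Null
    }
}
finally {
    if ($save) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else       { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

Run it from an elevated prompt; a failed removal leaves the image unchanged because the mount is discarded rather than saved.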