Policy-based in-box app removal

Policy-based in-box app removal in Windows allows IT administrators to remove preinstalled Microsoft Store apps from managed Enterprise and Education devices. This can be done using mobile device management (MDM), Configuration Service Provider (CSP) configuration profiles, or Group Policy (GP). This feature helps organizations streamline deployments by removing in-box apps that aren’t needed in their environments. While the policy is active, removed apps remain blocked from reinstallation, ensuring a consistent and controlled device experience.

Prerequisites and considerations

• Windows version: Devices must be running Windows 11, version 25H2 or newer.
• Editions: Only Enterprise (ENT) and Education (EDU) editions support this feature.
• Administrative access: Requires either an MDM solution, such as Microsoft Intune, or access to GP management. Ensure you have the appropriate permissions to create or edit policies.
• Policy definitions:
  • If using Group Policy, update your administrative template XML-based (ADMX) templates to the latest Windows 11 version.
  • In Intune, settings appear once Intune Settings catalog ingests the new policy. If not immediately available, use a custom OMA-URI configuration as a workaround.
• Device enrollment/domain join: Devices must be MDM-enrolled to use the CSP policy or be domain-joined for Group Policy Object (GPO) to receive the policy.
• Targeting: Target devices (not users) with this device-level policy for it to take effect.

Known issues

The policy-based in-box app removal feature doesn't support multi-session environments.

Understanding the removal policy

RemoveDefaultMicrosoftStorePackages is a device-level policy that removes selected Microsoft-provisioned in-box apps. It’s essentially an uninstall list built into Windows. Key points about this policy:

• It's opt-in. By default, Windows doesn't remove any apps. Admins must enable the policy and choose apps to remove.
• Removals occur at user sign-in or device provisioning time. Removed apps are blocked from reinstallation while they remain selected in the policy’s app list. If a user attempts to reinstall an app via Microsoft Store or through side loading, installation is prevented.
• The policy is configurable per app. Administrators can select which apps to remove from a predefined list.
• The same policy covers both Enterprise and Education editions.

Policy timing

The removal policy runs during these times:

• Out-of-box experience (OOBE)
• User sign-in after an OS upgrade
• User sign-in after an update to the policy

Note

Simply enabling the policy and selecting apps for removal doesn't immediately uninstall apps from an already-signed-in session. The removals occur when you create a new user profile. Existing user profiles retain their apps until a user signs out and back in after the policy is in place.

Important

Removing an app removes any associated on-disk app data. Before removing an app, notify users that local data for that app will be removed in case they want to save it.

Managing policy scope and exceptions

The removal policy is at the device level. If you enable removal of an app, all users on that device have that app removed when their profile is provisioned. If multiple users sign in to the same device, and some should have an app while others shouldn’t, you need to manage that by means other than this policy.

Enabling policy-based in-box app removal

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

Intune

To configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:

Category	Setting name	Value
Administrative Templates\Windows Components\App Package Deployment	Remove default Microsoft Store packages from the system	Enabled

Set the toggle to True for each app to remove it.

Assign the policy to a group of devices that you want to configure. After devices sync with Intune, the policy will apply at the next user provisioning or sign-in.

Note

Intune only applies this policy to supported devices. Unsupported devices show a status of "Not applicable."

Important

Intune native support for the in-box app removal policy may lag behind the Windows release. Initially, you might not see a UI for the new policy. In such cases, use the OMA-URI method as a temporary solution.

Windows Autopilot: Applying policy during device provisioning

For organizations using Autopilot to provision new devices, you can remove apps even before the user gets to desktop. Include the removal policy in the device’s configuration profiles and configure the Enrollment Status Page (ESP) to block until device configuration is complete. App removal should happen during the device setup phase if the policy arrives in time. If the policy isn't present at first sign-in, the apps might appear momentarily or until the following sign-in. Intune ESP can usually enforce device-targeted policies before ending, so enable ESP for a seamless experience.

CSP

You can configure devices with the RemoveDefaultMicrosoftStorePackages CSP policy. This ADMX-backed policy uses an XML payload to specify which apps to remove.

Setting

- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RemoveDefaultMicrosoftStorePackages. - Data type: string - Value: <enabled/> <data id="WindowsFeedbackHub" value="false"/> <data id="MicrosoftOfficeHub" value="false"/> <data id="Clipchamp" value="false"/> <data id="Copilot" value="false"/> <data id="BingNews" value="true"/> <data id="Photos" value="false"/> <data id="MicrosoftSolitaireCollection" value="true"/> <data id="MicrosoftStickyNotes" value="true"/> <data id="MSTeams" value="false"/> <data id="Todo" value="false"/> <data id="BingWeather" value="true"/> <data id="OutlookForWindows" value="false"/> <data id="Paint" value="false"/> <data id="QuickAssist" value="false"/> <data id="ScreenSketch" value="false"/> <data id="WindowsCalculator" value="false"/> <data id="WindowsCamera" value="false"/> <data id="MediaPlayer" value="false"/> <data id="WindowsNotepad" value="false"/> <data id="WindowsSoundRecorder" value="false"/> <data id="WindowsTerminal" value="false"/> <data id="GamingApp" value="true"/> <data id="XboxGamingOverlay" value="true"/> <data id="XboxIdentityProvider" value="true"/> <data id="XboxSpeechToTextOverlay" value="true"/> <data id="XboxTCUI" value="true"/>"

Note

The packages with a value of True will be removed. Update the package values to False or True, based on your organization's requirements.

Assign the policy to a group that contains devices that you want to configure. After devices sync with your MDM provider, the policy will apply at the next user provisioning or sign-in.

GPO

To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:

Group policy path	Group policy setting	Value
Computer Configuration\Administrative Templates\Windows Components\App Package Deployment	Remove Default Microsoft Store packages from the system	Enabled

Group policies can be linked to domains or organizational units, filtered using security groups, or filtered using WMI filters.

Select the apps to remove. By default, a curated list of consumer-focused apps is preselected for removal, but tailor it to your organization's requirements.

Apply and deploy the GPO as needed. If editing a local policy, the changes apply to that device. If using a domain GPO, link it to the target OU containing your Windows 11, version 25H2 ENT/EDU devices.

Enabling the policy sets registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages. The presence of configured values here indicates that the policy is active.

Note

Avoid applying both an Intune and a GPO removal policy to the same device (especially if hybrid joined). They could conflict. Generally, if a device is Intune-managed (MDM) and domain-joined with GPO, whichever policy arrives last takes effect. This makes policy application unpredictable. Choose one method of management for this setting per device.

Verifying the feature is enabled

Intune

Navigate to Device configuration > Profiles > <Your_Removal_Policy> > Device status. A device on Windows 11, version 25H2 or later should show successful deployment. If it shows "Not applicable," double-check the OS version or assignment scope.

Client Side

Registry - The presence of keys under the following path confirms the device received the policy:

HKEY\LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages

PowerShell - Run the following command before and after user sign-in to verify the removal of targeted apps:

Get-AppxPackage -AllUsers | Select Name, IsPartOfSystem

Reinstalling a removed app

You can't reinstall a removed app by deselecting the app in the policy’s app list. After an app is removed from a device via this policy, you need to reprovision the app on the device.

Update the removal policy

Intune

• From the Intune admin center, navigate to Devices > Manage devices > Configuration > Policies.
• Locate the app removal policy.
• Toggle the app’s removal flag to False.
• Trigger a sync so that the device knows that the app is no longer blocked.

CSP

• Locate the OMA-URI for the custom app removal policy. In the XML list of app, set value="false" for the app you wish to reinstall.
• Trigger a sync so that the device knows that the app is no longer blocked.

GPO

• Navigate to Computer configuration > Administrative templates > Windows components > App package deployment.
• Select Remove default Microsoft Store packages from the system.
• Deselect the app you wish to reinstall.
• Run a Group Policy update (gpupdate /force) so that the device knows that the app is no longer blocked.

Reinstall the app

Reinstall apps via:

• Microsoft Store
• ISO
• Other management tools, such as Intune Win32 app or provisioning package

Troubleshooting guide

Even with careful setup and configuration, you might encounter scenarios where the removal policy doesn't behave as expected. This guide covers common scenarios and recommendations.

1. Policy not applying to devices

Symptom: You enabled the policy, but there's no sign of it on target devices. The apps remain. In Intune, the profile might show as "not applicable" or simply show no change on the client. In GPO, you don't see the expected outcome.

Possible reasons and solutions:

• Policy targeted to users instead of devices: You must apply the app removal policy in a device context. Create a Device configuration policy and assign it to device groups (not user groups). For GPO, it should be under Computer configuration.
• Policy not synced/applied yet: It's possible that the device didn't get the policy update. Trigger a manual sync or run gpupdate /force for GPO.
• Unsupported OS version: This feature is only available on Windows 11, version 25H2 and above. Upgrade the device to a supported OS version.

2. App not removed as expected

Symptom: You enabled removal for certain apps, but some or all of them still appear on the device for new users.

Possible reasons and solutions:

• App reappears after reset or upgrade: If you reset the device to factory settings and don't immediately re-enroll or domain-join it, the app is reinstalled. Note that the policy isn't active during OOBE until the device gets policy from Intune/AD.
• A particular app consistently doesn't get removed: Gather logs and consider filing a support ticket or feedback with Microsoft.

3. Placeholder tiles at app reinstallation attempts

Symptom: The Start Menu shows a grayed-out or placeholder icon for the app.

Possible reasons and solutions:

• User attempt at reinstalling an installed app: After an app is removed by policy, a user goes to the Microsoft Store and tries to install the app. The installation doesn't complete. If you want to help users reinstall a removed app, deselect the app in the policy's app removal list, sync the policy, and then install it from the Store. To help users in this scenario:
  • Educate users that the apps removed by this policy are intentionally blocked.
  • Inform users that they can manually remove the placeholder tile.

4. Blocked reinstallation or error messages

Symptom: You get an error message when reinstalling an app.

Possible reasons and solutions: You tried to manually add an app back and got blocked. If you want to reinstall a removed app, deselect the app in the policy's app removal list, sync the policy, and then install the app.

5. Policy conflicts (GPO vs. MDM or multiple policies)

Symptom: Multiple policies are in conflict.

Possible reasons and solutions: In a hybrid environment, if you configure both an Intune policy and a GPO for in-box app removal, you don't know which one is taking effect. Avoid dual configuration. Pick one management channel for the removal policy.

Using logs and data for troubleshooting

Method	Description
Intune logs	On an Intune-managed device, collect the MDM diagnostic log.
Event Viewer	Go to Applications and services logs > Microsoft > Windows > AppxDeployment-Server > Operational and review the following Event IDs: Event ID 762: This event is logged when a package installation is triggered when a policy to remove the package is in place. The result is that the package is not installed. Event ID 606: This event is logged during first user logon after out-of-box experience (OOBE) for the package/s that the remove policy successfully removed. Event ID 614: This event is logged during first user logon after OOBE for the package/s that the removal policy failed to remove.
Registry	HKLM\Software\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages. Confirm which apps are marked by the presence of subkeys or values.
GPResult	Run gpresult /h report.html on a client to show the policy RemoveDefaultMicrosoftStorePackages under Computer policies if applied.

Demos on how to use the policy

Using Group Policy

Using Intune