Policy-based in-box app removal

Policy-based in-box app removal in Windows allows IT administrators to remove certain preinstalled Microsoft Store apps via a static list and other MSIX/APPX-packaged apps via a dynamic app removal list. This feature is available on managed Enterprise and Education devices. IT administrators can use mobile device management (MDM) Configuration Service Provider (CSP) configuration profiles or Group Policy (GP). While the policy is active, removed apps remain blocked from reinstallation, ensuring a consistent and controlled device experience.

Prerequisites and considerations

• Windows version: Devices must be running Windows 11, version 24H2 or newer.
• Editions: Only Enterprise (ENT) and Education (EDU) editions support this feature.
• Administrative access: Requires either an MDM solution, such as Microsoft Intune, or access to GP management. Ensure you have the appropriate permissions to create or edit policies.
• Policy definitions:
  • If using Group Policy, update your administrative template XML-based (ADMX) templates to the latest Windows 11 version.
  • In Intune, settings appear once Intune Settings catalog ingests the new policy. If not immediately available, use a custom OMA-URI configuration as a workaround or for testing.
• Device enrollment/domain join: Devices must be MDM-enrolled to use the CSP policy or be domain-joined for Group Policy Object (GPO) to receive the policy.
• Targeting: Target devices (not users) with this device-level policy for it to take effect.

Known issues

The policy-based in-box app removal feature doesn't support multi-session environments.

Understanding the removal policy

RemoveDefaultMicrosoftStorePackages is a device-level policy that removes selected Microsoft-provisioned in-box apps and user-specified MSIX/APPX apps. It’s essentially an uninstall list built into Windows. Key points about this policy:

• It's opt-in. By default, Windows doesn't remove any apps. Admins must enable the policy and choose apps to remove.
• Removals occur at user sign-in or device provisioning time. Removed apps are blocked from reinstallation while they remain selected in the policy’s app list. If a user attempts to reinstall an app via Microsoft Store or through side loading, installation is prevented.
• The policy is configurable per app. Administrators can select which apps to remove from a predefined list.
• The same policy covers both Enterprise and Education editions.

Policy timing

The removal policy runs during these times:

• Out-of-box experience (OOBE)
• User sign-in after an OS upgrade
• User sign-in after an update to the policy

Note

Simply enabling the policy and selecting apps for removal doesn't immediately uninstall apps from an already-signed-in session. The removals occur when you create a new user profile. Existing user profiles retain their apps until a user signs out and back in after the policy is in place.

Important

Removing an app removes any associated on-disk app data. Before removing an app, notify users that local data for that app will be removed in case they want to save it.

Managing policy scope and exceptions

The removal policy is at the device level. If you enable removal of an app, all users on that device have that app removed when their profile is provisioned. If multiple users sign in to the same device, and some should have an app while others shouldn’t, you need to manage that by means other than this policy.

Enabling policy-based in-box app removal

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

For all options, to remove an app via the dynamic removal list you must add the app's Package Family Name (PFN) to the list. To find an app's PFN using PowerShell, use the following example, replacing “Notepad” with your desired app:

Get-AppxPackage *Notepad* | Select-Object PackageFamilyName

Intune

To configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:

Category	Setting name	Value
Administrative Templates\Windows Components\App Package Deployment	Remove default Microsoft Store packages from the system	Enabled

Important

Intune native support for the dynamic app removal setting is not yet available.

During rollout of the updated policy, devices in your environment might support different CSP versions. If a device receives a policy that doesn’t match its supported schema, the policy might fail to parse and not be applied.

To prevent this issue, maintain your existing policy for older devices. Once the dynamic app removal setting is available, create a separate policy that includes the new dynamic app removal list for newer devices. Use Intune assignment filters or targeting rules (such as OS version or update rings) to help ensure that each device receives a compatible policy.

Set the toggle to True for each app in the static app list to remove it.

Assign the policy to a group of devices that you want to configure. After devices sync with Intune, the policy will apply at the next user provisioning or sign-in.

Note

Intune only applies this policy to supported devices. Unsupported devices show a status of "Not applicable."

Windows Autopilot: Applying policy during device provisioning

For organizations using Autopilot to provision new devices, you can remove apps even before the user gets to desktop. Include the removal policy in the device’s configuration profiles and configure the Enrollment Status Page (ESP) to block until device configuration is complete. App removal should happen during the device setup phase if the policy arrives in time. If the policy isn't present at first sign-in, the apps might appear momentarily or until the following sign-in. Intune ESP can usually enforce device-targeted policies before ending, so enable ESP for a seamless experience.

CSP

You can configure devices with the RemoveDefaultMicrosoftStorePackages CSP policy. This ADMX-backed policy uses an XML payload to specify which apps to remove.

Setting

- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RemoveDefaultMicrosoftStorePackages. - Data type: string - Value: <enabled/> <data id="WindowsFeedbackHub" value="false"/> <data id="MicrosoftOfficeHub" value="false"/> <data id="Clipchamp" value="false"/> <data id="Copilot" value="false"/> <data id="BingNews" value="true"/> <data id="Photos" value="false"/> <data id="MicrosoftSolitaireCollection" value="true"/> <data id="MicrosoftStickyNotes" value="true"/> <data id="MSTeams" value="false"/> <data id="Todo" value="false"/> <data id="BingWeather" value="true"/> <data id="OutlookForWindows" value="false"/> <data id="Paint" value="false"/> <data id="QuickAssist" value="false"/> <data id="ScreenSketch" value="false"/> <data id="WindowsCalculator" value="false"/> <data id="WindowsCamera" value="false"/> <data id="MediaPlayer" value="false"/> <data id="WindowsNotepad" value="false"/> <data id="WindowsSoundRecorder" value="false"/> <data id="WindowsTerminal" value="false"/> <data id="GamingApp" value="true"/> <data id="XboxGamingOverlay" value="true"/> <data id="XboxIdentityProvider" value="true"/> <data id="XboxSpeechToTextOverlay" value="true"/> <data id="XboxTCUI" value="true"/> <data id="DynamicRemovalList" value=""/>

Note

The XML payload includes a static list of app names (preceded by “data id”) and corresponding values. Apps with the value of true will be removed. Apps with the value of false won’t be removed. Update the package values based on your organization's requirements. You can remove additional apps by adding their PFNs to the value field of the “DynamicRemovalList” at the end of the payload. Separate multiple PFNs by the HTML-encoded carriage return + line feed characters ( 
), indicating a new line between each PFN.

Assign the policy to a group that contains devices that you want to configure. After devices sync with your MDM provider, the policy will apply at the next user provisioning or sign-in.

Important

Due to an OMA-URI limitation, if you create a custom OMA-URI that includes app PFNs in the dynamic list, you must open the dynamic list entry in the registry once on each device to which the policy is targeted. Opening the registry helps ensure the correct format for the items in the dynamic list. Here's the entry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages

Due to this limitation, using the dynamic list to remove apps via custom OMA-URI is only practical for testing purposes.

If you are not adding app PFNs to the "DynamicRemovalList" entry, you don't need to open the device entry list in the registry.

GPO

To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:

Group policy path	Group policy setting	Value
Computer Configuration\Administrative Templates\Windows Components\App Package Deployment	Remove Default Microsoft Store packages from the system	Enabled

Group policies can be linked to domains or organizational units, filtered using security groups, or filtered using WMI filters.

Select the apps to remove from the static list. By default, a curated list of consumer-focused apps is preselected for removal, but tailor it to your organization's requirements. To remove additional MSIX/APPX-packaged apps, follow these steps:

1. Find the app's PFN using PowerShell. Use the following example, replacing “Notepad” with your desired app:

Get-AppxPackage *Notepad* | Select-Object PackageFamilyName

2. Open Group Policy Editor (gpedit.msc). Navigate to Computer Configuration > Administrative Templates > Windows Components > App Package Deployment > Remove default Microsoft Store packages from the system.
3. Add the PFN to the multi-text list under "Specify additional package family names to remove." Enter one package family name per line.

Apply and deploy the GPO as needed. If editing a local policy, the changes apply to that device. If using a domain GPO, link it to the target OU containing your Windows 11, version 24H2 ENT/EDU devices.

Enabling the policy sets registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages. The presence of configured values here indicates that the policy is active.

Note

Avoid applying both an Intune and a GPO removal policy to the same device (especially if hybrid joined). They could conflict. Generally, if a device is Intune-managed (MDM) and domain-joined with GPO, whichever policy arrives last takes effect. This order precedence makes policy application unpredictable. Choose one method of management for this setting per device.

Verifying the feature is enabled

Intune

Navigate to Device configuration > Profiles > <Your_Removal_Policy> > Device status. A device on Windows 11, version 24H2 or later should show successful deployment. If it shows "Not applicable," double-check the OS version or assignment scope.

Client Side

Registry - The presence of keys under the following path confirms the device received the policy:

HKEY\LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages

PowerShell - Run the following command before and after user sign-in to verify the removal of targeted apps:

Get-AppxPackage -AllUsers | Select Name, IsPartOfSystem

Reinstalling a removed app

You can't reinstall a removed app by deselecting the app in the policy’s app list or dynamic list. After an app is removed from a device via this policy, you need to reprovision the app on the device.

Update the removal policy

Intune

• From the Intune admin center, navigate to Devices > Manage devices > Configuration > Policies.
• Locate the app removal policy.
• If the app is in the static app list, toggle the app’s removal flag to False.
• If the app PFN is in the dynamic app removal list, remove the app's PFN.
• Trigger a sync so that the device knows that the app is no longer blocked.

CSP

• Locate the OMA-URI for the custom app removal policy.
• If the app is in the list of apps, set value="false" for the app you wish to reinstall.
• If the app PFN is in the "DynamicRemovalList", remove the app PFN from the associated value text.
• Trigger a sync so that the device knows that the app is no longer blocked.

GPO

• Navigate to Computer configuration > Administrative templates > Windows components > App package deployment.
• Select Remove default Microsoft Store packages from the system.
• If the app is in the app list, deselect the app you wish to reinstall.
• If the app PFN is in the dynamic app removal list, delete the app PFN from the list.
• Run a Group Policy update (gpupdate /force) so that the device knows that the app is no longer blocked.

Reinstall the app

Reinstall apps via:

• Microsoft Store
• ISO
• Other management tools, such as Intune Win32 app or provisioning package

Troubleshooting guide

Even with careful setup and configuration, you might encounter scenarios where the removal policy doesn't behave as expected. This guide covers common scenarios and recommendations.

1. Policy not applying to devices

Symptom: You enabled the policy, but there's no sign of it on target devices. The apps remain. In Intune, the profile might show as "not applicable" or simply show no change on the client. In GPO, you don't see the expected outcome.

Possible reasons and solutions:

• Policy targeted to users instead of devices: You must apply the app removal policy in a device context. Create a Device configuration policy and assign it to device groups (not user groups). For GPO, it should be under Computer configuration.
• Policy not synced/applied yet: It's possible that the device didn't get the policy update. Trigger a manual sync or run gpupdate /force for GPO.
• Unsupported OS version: This feature is only available on Windows 11, version 24H2 and above. Upgrade the device to a supported OS version.

2. App not removed as expected

Symptom: You enabled removal for certain apps, but some or all of them still appear on the device for new users.

Possible reasons and solutions:

• App reappears after reset or upgrade: If you reset the device to factory settings and don't immediately re-enroll or domain-join it, the app is reinstalled. The policy isn't active during OOBE until the device gets policy from Intune/AD.
• A particular app consistently doesn't get removed: Gather logs and consider filing a support ticket or feedback with Microsoft. If using the dynamic removal list to remove the app, confirm you added the correct app PFN to the list and that PFNs in the list are separated with new lines.

3. Placeholder tiles at app reinstallation attempts

Symptom: The Start Menu shows a grayed-out or placeholder icon for the app.

Possible reasons and solutions:

• User attempt at reinstalling an installed app: After an app is removed by policy, a user goes to the Microsoft Store and tries to install the app. The installation doesn't complete. If you want to help users reinstall a removed app, deselect the app in the policy's app removal list, sync the policy, and then install it from the Store. To help users in this scenario:
  • Educate users that the apps removed by this policy are intentionally blocked.
  • Inform users that they can manually remove the placeholder tile.

4. Blocked reinstallation or error messages

Symptom: You get an error message when reinstalling an app.

Possible reasons and solutions: You tried to manually add an app back and got blocked. If you want to reinstall a removed app, deselect the app in the policy's static app removal list or remove the app's PFN from the dynamic removal list. Then sync the policy and install the app.

5. Policy conflicts (GPO vs. MDM or multiple policies)

Symptom: Multiple policies are in conflict.

Possible reasons and solutions: In a hybrid environment, if you configure both an Intune policy and a GPO for in-box app removal, you don't know which one is taking effect. Avoid dual configuration. Pick one management channel for the removal policy.

Using logs and data for troubleshooting

Method	Description
Intune logs	On an Intune-managed device, collect the MDM diagnostic log.
Event Viewer	Go to Applications and services logs > Microsoft > Windows > AppxDeployment-Server > Operational and review the following Event IDs: Event ID 762: This event is logged when a package installation is triggered when a policy to remove the package is in place. The result is that the package isn't installed. Event ID 606: This event is logged during first user logon after out-of-box experience (OOBE) for the package/s that the remove policy successfully removed. Event ID 614: This event is logged during first user logon after OOBE for the package/s that the removal policy failed to remove. Event ID 873: This event is logged when a PFN in the dynamic removal list is a system component and was not removed. Event ID 874: This event is logged when a PFN is part of an AI component that is not removable. Event ID 875: This event is logged when a PFN in the dynamic removal is malformed, resulting in no removal action.
Registry	HKLM\Software\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages. Confirm which apps are marked by the presence of subkeys or values.
GPResult	Run gpresult /h report.html on a client to show the policy RemoveDefaultMicrosoftStorePackages under Computer policies if applied.

Demos on how to use the policy

Using Group Policy

Using Intune