Random brain dump around Apps, Windows 10, and management options

What are Windows/Modern/UWP apps?

The official term (at the time of this post ;) ) is Windows Apps. These apps started in Windows 8 and can be added via the Store.  They do not have an old school msi or a homegrown 'opps I installed spycrap' installer, they follow a completely different set of APIs, they usually have a cute basic icon.  UWP apps are built to work cross several platforms (thus the Universal Windows Platform name) and can be installed on Desktop, Phone or Xbox etc.  UWP apps are Windows apps, but not all Windows apps were built to be UWP apps.


Today I'm going to focus on the Windows Apps that come with Windows 10 Enterprise builds.


First, it's good to call out that there are a few flavors of Windows Apps on Windows 10. Here is how I define them.

  • System Apps - Appx items that reside in the C:\Windows\*
  • Apps - Appx items installed in C:\Program Files\WindowsApps and have two subcategories
    • Provisioned - Installed after 1st Logon
    • Installed - Installed as part of the OS
  • Other - Appx items that do not have a direct tile or UI (background apps like the Print UI or payment UI)
  • And the odd ducks that dance to their own music - Apps that you can remove from Settings App but do not appear elsewhere.

Don’t wanna see them options:

Many companies and users want to remove or hide extra apps to avoid internal support calls, end user confusion, etc.  It’s the "No Mom! You don’t need to click that… no…sigh" Just kidding, we're here to work and not play Candy Crush.  I get it.


There are several possibilities I like to call out for managing Windows Apps that don’t have to follow the nuke 'em all! option:

First - Rules! (mainly my rules, but overall great guidelines)

Rule 1: Leave anything in C:\Windows\* alone.  Not worth it, nope, nada, pain in the wrong place, leave them be, please. Just, no. Not at this time.

Rule 2: Do not uninstall the Store, hide it, yes. Uninstall = unsupported = Reset or reinstall.

Rule 3: If there's an Appx Package with no App tile on Start or direct UI access - leave it alone. It's not hurting anyone. Wooosaaaa. Namaste.

Rule 4: Test test test before deploy. Test in a blocked OU and then test again in a normal OU. I've seen several cases where old policies cause unintended results.**



Option 1:

Use Group Policy to customize Start menu to show only the App Tiles you choose.  Additionally, you can use Group Policy to Hide All Apps list.

  • This can be implemented any time after deployment so you don’t have to worry about reimaging the machine.
  • Editing XML can be fussy.  Make sure to use a plain text editor, avoid adding extra spaces and keep the formatting UTF-8.
  • Be mindful of old Windows 7 or earlier Group Policies that were for Start menu. They do not apply to Windows 10 unless specifically stated in the Policy Description.


 Computer configuration\Administrative Templates\Start Menu and Taskbar\Start Layout
User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu


Tons of details:




Option 2:

Use Applocker to block users from accessing certain apps

  • Caveat - You will still see the app icon - not ideal. But users will be told this is purposefully blocked so should not generate calls.
  • Use this option for any apps installed to C:\Windows\*.

Tons of details:




Option 3:

The Store - You can use Group Policy to block users from accessing the Store, additionally you can then use the Business Store to control apps that are offered or turn off Store updates.

  • Feature Plug - Store for Business is a great option to control the apps the users has available.



 Computer Configuration\Administrative Templates\Windows Components\Store\Turn off the Store Application 
Computer Configuration\Administrative Templates\Windows Components\Store\Disable all apps from the Windows Store 
Computer Configuration\Administrative Templates\Windows Components\Store\Turn off Automatic Download and install of updates


Tons of details:

https://docs.microsoft.com/en-us/windows/configuration/stop-employees-from-using-the-windows-store https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview



Option 4:

Use LTSB versions of Windows 10, which does not have any Apps.  This is only available for Volume License customers and any environment would have to weigh the options to see if this is a viable solution for the needs, but I did want to call this out as a No-Apps option. More Info: https://www.microsoft.com/Licensing/servicecenter/default.aspx https://technet.microsoft.com/en-us/windows/release-info.aspx https://blogs.technet.microsoft.com/mniehaus/2016/08/04/windows-10-1607-downloads-available-on-vlsc/



Option 5:

Uninstall the Installed or Provisioned Appx items.

  • Follow Rules above.
  • Some apps will not uninstall. Because. They. Don’t. Stop asking. Dont make me turn the car around! But seriously. If PowerShell does not remove them,the app is specifically blocked from uninstall, likely because the OS is dependent on them.
  • Test on VMs before deploying in a live environment
  • Be surgical.  There are several scripts out there that will try to rip everything off the machine. I prefer to be more precise and remove just the specific ones. (sorry - not a fan of any delete *.* type scripts)

5a. Scripted uninstall:

Michael Niehaus put this out there - good stuff!  Attached to the blog are his scripts. There is a part two update listed also. https://blogs.technet.microsoft.com/mniehaus/2015/11/11/removing-windows-10-in-box-apps-during-a-task-sequence/

5b. Provisioned Apps:

Here's how Provisioned apps appear immediately after 1st logon (everything listed as "Pending" in 1511 or with a Download arrow in 1607).  With a network connection you will see those eventually populate with the real icon. Usually takes 20-30 minutes. Windows 10 1511 Provisioned apps at first boot

Windows 10 1607 Provisioned apps at first boot

If you are deploying an image, you can use Michael's blog above or DISM prior to deployment to remove provisioned packages: https://technet.microsoft.com/en-us/itpro/powershell/windows/dism/remove-appxprovisionedpackage (Fully disclosure, DISM and deployment are not my jam. Still learning that world!)


Or you can uninstall any provisioned app via PowerShell after its installed. Just remember:

  • Use the Package name from the Get-AppxProvisionedApps
  • Package name contains the version number which will be different for each build.
  • Use the Remove-AppxProvisionedPackage cmdlet and not Remove-AppxPackage
  • Provisioned Apps uninstalled while online are for that user profile only.


Remove-AppxProvisionedPackage -Online -PackageName Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe


5c. Installed apps:

Installed apps just need to use the UI to uninstall or the non-provisioned PowerShell cmdlet:

Remove-AppxPackage -package Microsoft.BingNews_8wekyb3d8bbwe



Some apps ride the special bus:

  1. Contact Support/Get Help - This is removable via  "Manage Optional features" in Settings App Listed as "Contact Support"
  2. Feedback changed to Feedback Hub in 1607 and changed from a System app to Windows app
  3. News and Sway changed from provisioned to installed in 1607
  4. Sport and Finance changed from provisioned to installable from Store in 1607
  5. It might not be a Windows App - You might think some apps are Modern/UWP apps, but they're really Win32.

To see this, run Procmon against Quick Assist (win32 on 1607) and Groove(Windows App) music.



How to learn more about Windows 10 apps:

You'll need:

  1. Virtual Machine(s) of each build
  2. Settings App-> Apps list view
  3. Two PowerShell scripts.
 get-appxpackage | select name,version,Packagefamilyname,installlocation|export-csv c:\users\  <user>  \desktop\GetApps.txt 

get-appxprovisionedpackage -online | select displayname,version,packagename|export-csv c:\users\  <user>  \desktop\GetProvisionedApps.txt


If you don’t want to import into Excel you can format the output as a table in PowerShell

 Get-AppxPackage |Select Name,PackageFamilyName 

Get-AppxProvisionedPackage -Online | select displayname,packagename


*Note the output:

GetAppx grabs "Package Family Name" -  this is what you use to remove Installed apps

Get-AppxProvisionedpackage grabs "PackageName" - this is what you use to remove Provisioned apps



Big Picture Time:

Let's say I did this….

  1. Built a vanilla VM for each major Windows 10 release based off a standard Enterprise ISO, install the latest updates for each.
  2. Let provisioning finish
  3. Ran the two PowerShell commands on each VM
 get-appxpackage | select name,version,Packagefamilyname,installlocation|export-csv d:\users\  <user>  \desktop\GetApps.txt 

get-appxprovisionedpackage -online | select displayname,version,packagename|export-csv d:\users\  <user>  \desktop\GetProvisionedApps.txt

4.  Import both files as CSV into Excel and do a few hours of cut and paste magic to compare each build. The end result might be (very) similar to the results here:





  • There are several less intrusive methods to controlling apps.
  • Not all apps are bad.
  • Apps do change per Windows 10 version.
  • Feedback hub does work as a voice for changing apps from System to Installed or Provisioned.  Check for requests/issues and vote up if you agree with the request!