0

My SOE builds have included a script to get rid of all but a few of the user based apps. The script has worked perfectly in all my builds up until Windows10 20H2. If I log into the workstation once the deployment has completed on a 20H2 build, all the user apps are still there... I can execute my script manually on the new target and it kills them off without issue. I hope MS are not forcing me down the app locker GPO path...

This is the script

# Remove most user provisioned apps

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
Get-AppxPackage -AllUsers | where-object {($_.name –notlike “*store*”) -and ($_.name –notlike "*Calc*") -and ($_.name –notlike "*alarms*") -and ($_.name –notlike "*Camera*") -and ($_.name –notlike "*Sticky*")} | Remove-AppxPackage
Get-appxprovisionedpackage –online | where-object {($_.packagename –notlike “*store*”) -and ($_.packagename –notlike  "*Calc*") -and ($_.packagename –notlike  "*alarms*") -and ($_.packagename –notlike "*Camera*") -and ($_.packagename –notlike "*Sticky*")} | Remove-AppxProvisionedPackage -online

Anyone having the same or similar issue and can offer a work around?

Thanks in advance..

paul.sanders
  • 51
  • 2
  • 1
    What is your SOE build, a Windows 10 20H2 with the apps already removed before deployment or something? If you are upgrading to 20H2, then you are likely going to have to run the removal tasks post the update as it could put them back on. You say "*I can execute my script manually on the new target and it kills them off without issue*" so it sounds like you are saying you have to remote those again post update. How are you deploying the 20H2, via an upgrade process or via a straight image push sysprep'd? You might need your deployment phase to reboot and run after first reboot somehow? – Vomit IT - Chunky Mess Style Feb 22 '21 at 03:17
  • The deployment is a fully scripted bare metal push from SCCM. The only change that has been made is updating the task sequence to use the new image package. – paul.sanders Feb 22 '21 at 03:46
  • oh, and should mention the previous image package had no tweaks baked in.. – paul.sanders Feb 22 '21 at 04:16
  • Please use -notmatch operator and use | to delimit the keywords (e.g. -notmatch 'store|calc|alarms' and modify group policy to set execution policy unrestricted so that you don't need to use -ExecutionPolicy Bypass – Ξένη Γήινος Feb 23 '21 at 15:51
  • Changing the powershell execution policy in the task sequence rather than using the scripted option does not change the symptom. I'm digging through the logs atm. – paul.sanders Feb 23 '21 at 22:40
  • I have a tech looking at it and will post his findings. – paul.sanders Feb 24 '21 at 05:08
  • no word from the tech so did a bit more digging and got it over the line by explicitly naming the apps and removing them, much like a black list. So it appears the broader delete 'all except' methodology will not work on the later release? Would be interested to hear if others find the same. `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine Get-AppPackage -AllUsers | Select-Object -Property name | Where-Object {$_.name -like "*xbox*"} | Remove-AppxPackage Get-appxprovisionedpackage -online | where-object {$_.packagename -like "*xbox*"} | Remove-AppxProvisionedPackage -online` – paul.sanders Mar 03 '21 at 02:18
  • 1
    Here is MS guidance on how to do it in a MDT/SCCM task sequence. I can't open script to confirm now, but it seems to be a whitelist-method you want: https://techcommunity.microsoft.com/t5/windows-blog-archive/removing-windows-10-in-box-apps-during-a-task-sequence/ba-p/706582 – gregg Mar 03 '21 at 04:10
  • I originally yanked them directly from the install.wim because I loved the idea starting fresh, but that's alot of repeated work for each new Win10 WIM so automation is key – gregg Mar 03 '21 at 04:13

1 Answers1

0

Explicit naming of the apps (as per previous comment) seems to be the only way that works for 20H2 user based apps.

paul.sanders
  • 51
  • 2
  • 1
    Well the issue is likely an error with a particular app then more than likely. When you do the `-notlike` statements, it gets all the rest and tries to remove all of those not like that ones you list (I know you know this) so when all those got to be removed, then SCCM is not allowing some of them I suspect. If explicitly removing the apps you need to remove works rather than all except the ones you want to keep, that may be better. I'd have to dig more but some of the apps have dependencies from other apps so removing the original way [`-notlike`] could be a problem there too. – Vomit IT - Chunky Mess Style Mar 03 '21 at 03:19
  • 1
    Check the answer posted here for example: https://superuser.com/questions/1481644/windows-10-uwp-apps-launch-and-then-disappear-immediately I used this PS logic with that Windows 10 version to reinstall the dependency packages that caused those apps to not work properly. In case that helps, I wanted to share but look over the answer provided there to that question and that logic for the example I am referring to. – Vomit IT - Chunky Mess Style Mar 03 '21 at 03:21