How To: Remove unused default apps with Intune
Updated: May 15, 2020
Have you ever wondered how to easily uninstall or remove the Windows 10 default apps from devices in an Intune-managed environment that uses Windows Autopilot?
Many of my customers have solved this, both here and in environments where System Center Configuration Manager (SCCM) is in place, with PowerShell scripts that delete the apps from the device.
But what if suddenly one of these default apps is needed? Or if the default apps are reinstalled by an update or new apps are added?
I will show you how I do this in my Intune and Windows Autopilot environments. For this example we use the default app "Xbox Console Companion", which is installed on Windows 10 by default (see screenshot from start menu).
Note: To find all default apps, I recommend installing a current Windows 10 build on a test VM.
Sign in to the Microsoft Store for Business (https://businessstore.microsoft.com) with the Administrator account. Enter the name of the default app in the search field at the top right, in our example "Xbox Console Companion".
In the search result, we select the appropriate default app we were looking for.
As soon as we are on the page of the default app, we simply need to "buy" it (Get the app).
Once we have bought the app, we switch to Intune (do not click on install!). The easiest way to get to Intune is via the URL https://devicemanagement.microsoft.com
In the device management dashboard we switch to the applications, go to Microsoft Store for Business there, and start a sync. This way, the newly acquired applications are synchronized from the Store for Business into our Intune (this can take a few minutes).
When the sync has finished, we will find the recently purchased app "Xbox Console Companion" among the apps.
Note: I recommend that you create appropriate groups in Azure Active Directory (AAD) for each app you want to install, uninstall, or simply make available in the Company Portal. This simplifies management and allows you to give the support or service desk agent only the permissions needed to change members in the Azure Active Directory Groups.
Using our example "Xbox Console Companion", I will show you how I create these groups in Azure Active Directory.
To do this we switch to Groups on the left side in the Device Management Dashboard and create a new group by clicking on "New Group".
I always create 3 groups where only the ending and the description are adjusted (of course you can do this according to your naming conventions and concepts - this is just a suggestion):
Available = For this group, the app is available in the Company Portal
Required = For this group, installation is required - user cannot choose
Uninstall = For this group, the app will be uninstalled on the device
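The same three groups can also be created from a script instead of the portal. The following is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell module (Microsoft.Graph.Groups) is installed and that the signed-in account can consent to Group.ReadWrite.All. The parameter names are hypothetical; the "AAD-User-SW-" prefix follows the group name used later in this article.

```powershell
#Requires -Modules Microsoft.Graph.Groups
# Added example: create the Available / Required / Uninstall groups for one app.
param(
    [string]$AppName = 'XboxConsoleCompanion',  # app part of the group name (assumed parameter)
    [string]$Prefix  = 'AAD-User-SW-'           # prefix taken from the article's example group
)

# Suffix -> description, as listed in the article
$groups = [ordered]@{
    Available = 'The app is available in the Company Portal'
    Required  = 'Installation is required - user cannot choose'
    Uninstall = 'The app will be uninstalled on the device'
}

# Delegated sign-in; only the group read/write scope is requested
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

foreach ($suffix in $groups.Keys) {
    # ${AppName} is braced so that "_" is not parsed as part of the variable name
    $name = "$Prefix${AppName}_$suffix"

    # Idempotent: do not create a second group with the same display name
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Host "Exists:  $name ($($existing.Id -join ', '))"
        continue
    }

    # Security group without a mailbox; MailNickname is still mandatory in Graph
    $new = New-MgGroup -DisplayName $name `
        -Description "${AppName}: $($groups[$suffix])" `
        -MailNickname $name `
        -MailEnabled:$false `
        -SecurityEnabled

    Write-Host "Created: $name ($($new.Id))"
}
```

Running the script a second time only reports the existing groups, so it is safe to reuse for each additional app by passing a different -AppName.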
Next, let's go back to the apps and assign the created Azure Active Directory groups to the "Xbox Console Companion" app in Intune. For that, we select the app.
Under Assignments we now add the 3 previously created Azure Active Directory groups.
If we set the selection for Assignment type to "Available for enrolled devices", the group with the extension Available needs to be selected.
For Required we choose Required, and for Uninstall we choose Uninstall.
Once we have added all the groups, and before we click on save, the view should look like the following picture.
Now the preparations are done. We only have to add users to the corresponding Azure Active Directory group, for example the users for whom the app should be uninstalled (as is the case in our example). So we add the user to the group AAD-User-SW-XboxConsoleCompanion_Uninstall.
After the synchronisation of the Company Portal has been completed, the app should no longer appear in the start menu of the corresponding user.
Note: You can speed up the synchronization by clicking on Sync under Settings in the Company Portal on the corresponding user's device.
What is the advantage of this method?
If at some point an app is needed by individual employees/users, the app can easily be installed by changing the membership of the Azure Active Directory group.
If the app is removed using a PowerShell script, reinstalling the app is only possible with difficulty and with great effort (if at all).
Leave a comment and discuss
What do you think about my method? Is this workable and helpful?
How about you, how do you remove the unnecessary default apps from your customers' Intune managed Windows 10 devices?