Deployment Solution

So I can perform in place upgrades to win 10 71709 without issue but my question is how are people removing the bloatware apps after it upgrades? I have tried using the script located at https://gallery.technet.microsoft.com/Removing-Built-in-apps-65dc387b#content to edit the install.wim and then load that back into my upgrade package but after the in place runs all of the apps are still there. Anyone have advice on how they are addressing in place upgrades?

Hey Cody,

Wondering if you could give me some insight on how you are doing your in-place upgrade to Win10. Currently working on a Win7 > Win10 upgrade project. Are you going from Win7/8 to Win10 or Win10 1703 to 1709?

We used the instructions that came with the whitepaper https://www.symantec.com/connect/blogs/symantec-windows-10-migration-best-practices

We just have a drive created on the NS that the whitepaper in place policy is pointing at to the grab the OS files from.

We are doing windows 7 64 bit pro to win 10 1709 enterprise, I have some 1706 pro out there and the in place does work to upgrade those to enterprise, but all of this does nothing for me if I can't figure out how to make the inplace match the fresh install on new devices.

Hi Cody,

Apologies, I'm not aware of a method of removing these from the WIM off the top of my head, but the below article provides the details of the pre-req tasks you should follow:

https://support.symantec.com/en_US/article.TECH223595.html

Thanks

I've tested pushing out 1709 via software portal or a managed delivery policy.  Worked ok.

I would not recommend running powershell tasks to remove stuff that's going to continue to come back through upgrades.  Just block the apps via group policy instead.  Much easier to maintain over time IMO.

This is my article for creating a win10 image (i don't run any powershell tasks, disable UAC, etc).  I also don't have any of the bloatware or windows apps I don't want because I block them via applocker.

Maybe I'm missing something, but so far so good (in testing) here.

How are you getting rid of things like "get office"? I have 10k computers and the last thing I want is user trying to open up the bonus mail client MS puts on there. I already have a a version of onenote that we push but win 10 comes with a whole other version, this where you end up having to run powershells to remove this stuff.

I started playing with applocker since forgot with the enterprise version we now have access to this, may end up being the best solution

So applocker is mess, it seems to have bugs in it so what GPO policies are using Sally to block the apps from running?

I manage applocker win10 packaged app rule policies from a win 2016 server.  It's been awhile since i set it up, but I believe what I did was export my existing applocker rules before there were any packaged app rules (right click applocker in screenshot, export policy).  This gives you an xml file.

Then I opened up group policy management editor and imported that xml on a win10 1709 client running the group policy management editor in the same applocker location placing a local copy of my rules on that client.  I edited the packaged app rules on the client to block all the things I wanted to block, and then exported the new xml from the client and imported it into the server setting up those rules for the whole OU.

Unfortunately, you can't just edit packaged app rules on the server because win 2016 server doesn't have the packaged apps to point the server to block it.  The export/import/export/import definitely makes it more time consuming that it should be, but if you block the app store (we do), it should only change with windows feature updates.

See my screenshot for the app rules.  I believe you could also just edit the xml with the app names you're trying to block if you're very careful, but one typo could make that hard to maintain.

Please see attached screenshot and mark this as a solution if it helps you.
 

I run this during the imaging process before a user ever logs in:

$ProvisionedAppxPackages = Get-AppXProvisionedPackage -online
$ProvisionedAppxPackages | ? {$_.DisplayName -match "people"} | Remove-AppxProvisionedPackage -online
$ProvisionedAppxPackages | ? {$_.DisplayName -match "Solitaire"} | Remove-AppxProvisionedPackage -online
$ProvisionedAppxPackages | ? {$_.DisplayName -match "officeHub"} | Remove-AppxProvisionedPackage -online
$ProvisionedAppxPackages | ? {$_.DisplayName -match "SkypeApp"} | Remove-AppxProvisionedPackage -online
$ProvisionedAppxPackages | ? {$_.DisplayName -match "Microsoft.Office.OneNote"} | Remove-AppxProvisionedPackage -online
Get-AppxPackage -AllUsers Microsoft.People | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.MicrosoftSolitaireCollection | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.MicrosoftOfficeHub | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.SkypeApp | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.Office.OneNote | Remove-AppxPackage

We had planned on running something like above but from what I have heard from other people is you remove it from 1709 but once the next windows version comes out for 10 it will just readd what you removed so it's better to just block it