Full Report
Microsoft has updated a Windows 11 in-box app removal policy introduced in October to include a dynamic list that lets IT admins choose which preinstalled Store apps to uninstall. [...]
Analysis Summary
# Best Practices: Windows 11 In-Box App Management
## Overview
These practices address the reduction of the "attack surface" and "bloatware" on corporate Windows 11 devices. By utilizing the updated **RemoveDefaultMicrosoftStorePackages** policy, IT administrators can systematically remove preinstalled MSIX/APPX applications that are unnecessary for business functions, potentially mitigating risks associated with unpatched non-critical software and improving system performance.
## Key Recommendations
### Immediate Actions
1. **Inventory App Packages:** Run the PowerShell command `Get-AppxPackage | Select-Object PackageFamilyName` on a standard gold image to identify currently installed PFNs.
2. **Audit for Restricted Apps:** Specifically identify and target high-visibility apps like Copilot (using the separate `RemoveMicrosoftCopilotApp` policy) if they do not meet organizational compliance.
3. **Deploy Pre-requisite Updates:** Ensure all fleet devices are updated to at least the **April 2026 Windows non-security update** to enable policy compatibility.
### Short-term Improvements (1-3 months)
1. **Pilot Dynamic Removal:** Apply the `RemoveDefaultMicrosoftStorePackages` GPO to a Test OU (Organizational Unit) to verify that removing specific PFNs doesn't break OS dependencies.
2. **Define "Standard Business Image":** Create an approved list of allowed vs. removed Store apps based on department requirements.
3. **Modernize for 24H2:** If running Windows 11 Enterprise/Education 24H2, backport these removal policies now that support has been extended to this version.
### Long-term Strategy (3+ months)
1. **Transition to Intune (MDM):** Monitor the Intune settings picker for the "Remove Default Microsoft Store packages" general availability to move away from GPOs toward cloud-native management.
2. **Automated Cleanup:** Script the PFN extraction and policy update process to include new preinstalled apps that Microsoft may introduce in future OS feature updates (e.g., 25H2).
## Implementation Guidance
### For Small Organizations
- Use the **Local Group Policy Editor (gpedit.msc)** on a master image before cloning, or apply the policy manually per device for small fleets (<25 devices).
- Focus on removing the most high-risk or distracting apps first to minimize management overhead.
### For Medium Organizations
- Implement via **Active Directory Group Policy Objects (GPO)**.
- Use PowerShell to generate a CSV of PFNs across different hardware models to ensure the "Dynamic List" covers all variations.
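The inventory step above (the `Get-AppxPackage` command in the immediate actions and the per-model CSV here) can be done in one script. The following is an added example, not code from Microsoft's documentation or the Windows IT Pro blog; the approved baseline list and the output folder are assumptions for illustration. It records both installed packages (all users) and provisioned packages (what a new profile receives), tags each row with the hardware model and OS build, and prints the PFNs that are present but not on the baseline as removal candidates for the dynamic list.

```powershell
# Added example (not Microsoft's code): per-model PFN inventory with baseline comparison.
# Run in an elevated session; Get-AppxProvisionedPackage comes from the built-in Dism module.
$ApprovedPfns = @(                              # assumed baseline for illustration
    'Microsoft.WindowsStore_8wekyb3d8bbwe',     # keep: Store is needed to update retained apps
    'Microsoft.WindowsNotepad_8wekyb3d8bbwe'
)
$OutDir = 'C:\Temp\PfnInventory'                # assumed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$Model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
$Build = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

# Installed packages for every user profile; frameworks are runtime dependencies, not apps,
# so they are excluded from the removal candidate list.
$installed = Get-AppxPackage -AllUsers |
    Where-Object { -not $_.IsFramework } |
    Select-Object -ExpandProperty PackageFamilyName -Unique

# Provisioned packages expose the full package name (Name_Version_Arch_Resource_PublisherId);
# the family name is "<Name>_<PublisherId>", i.e. the first and last underscore-separated parts.
$provisioned = Get-AppxProvisionedPackage -Online | ForEach-Object {
    $parts = $_.PackageName -split '_'
    "$($parts[0])_$($parts[-1])"
}

$rows = foreach ($pfn in (@($installed) + @($provisioned) | Sort-Object -Unique)) {
    [pscustomobject]@{
        Model             = $Model
        Build             = $Build
        PackageFamilyName = $pfn
        Provisioned       = ($provisioned -contains $pfn)
        Approved          = ($ApprovedPfns -contains $pfn)
    }
}

# One CSV per hardware model so the dynamic list can be reconciled across the fleet.
$csv = Join-Path $OutDir ("pfn-{0}.csv" -f ($Model -replace '[^\w]', '_'))
$rows | Export-Csv -Path $csv -NoTypeInformation

# Removal candidates: present on this model but not on the approved baseline.
# Paste the output, one PFN per line, into the policy's package family name list.
$rows | Where-Object { -not $_.Approved } |
    Select-Object -ExpandProperty PackageFamilyName
```

Run it on one device per hardware model, then merge the CSVs; a PFN that appears on some models only still needs to be on the list, since the policy is ignored for packages that are not present.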
### For Large Enterprises
- Utilize **Custom OMA-URI** for MDM/Intune deployment to manage remote and hybrid workforces.
- Align app removal with **Tiered Administration**; for example, remove social/gaming apps for all users, but retain specialized Store apps (like Whiteboard) for creative teams.
## Configuration Examples
### Identifying a Package Family Name (PFN)
```powershell
# Example: Identifying the PFN for Microsoft Notepad
Get-AppxPackage *Notepad* | Select-Object PackageFamilyName
```
### Group Policy Configuration
1. **Path:** `Computer Configuration > Administrative Templates > Windows Components > App Package Deployment`
2. **Setting:** `Remove default Microsoft Store packages from the system`
3. **Action:** Select **Enabled**.
4. **Value:** Under **Specify additional package family names to remove**, enter PFNs (one per line):
   * *Example:* `Microsoft.WindowsNotepad_8wekyb3d8bbwe`
   * *Example:* `Microsoft.BingNews_8wekyb3d8bbwe`
## Compliance Alignment
- **NIST SP 800-53:** CM-7 (Least Functionality) - Configure systems to provide only essential capabilities by removing prohibited/unnecessary software.
- **CIS Controls (v8):** Control 2 - Inventory and Control of Software Assets (Ensuring only authorized software is installed).
- **ISO/IEC 27001:** A.12.5.1 - Installation of software on operational systems.
## Common Pitfalls to Avoid
- **Dependency Breaks:** Removing a PFN that another business-critical app relies on (e.g., removing the Store framework itself may prevent updates to required apps).
- **Version Mismatch:** Attempting to use the dynamic list on versions older than Windows 11 24H2 (ensure the April 2026 update is installed).
- **Premature Intune UI Use:** Relying on the standard Intune settings picker before the dynamic list feature is fully integrated; use a Custom OMA-URI as a workaround in the interim.
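Two of the pitfalls above (dependency breaks, and a policy that silently did not apply because of a version mismatch) can be caught during the Test OU pilot with the script below. It is an added example, not Microsoft's code; the candidate PFN list is an assumption for illustration. Before the policy is deployed it reports any remaining package whose manifest declares a candidate as a dependency, and after `gpupdate /force` and a reboot on the pilot devices it checks that each candidate is gone both from existing user profiles and from the provisioned set that new profiles receive.

```powershell
# Added example (not Microsoft's code): pilot checks for the in-box app removal policy.
# Run in an elevated session on a pilot device.
$Candidates = @(                                 # assumed removal list for illustration
    'Microsoft.BingNews_8wekyb3d8bbwe',
    'Microsoft.WindowsNotepad_8wekyb3d8bbwe'
)

# --- Pre-deployment: would removing a candidate strand another package? ---
$all = Get-AppxPackage -AllUsers
foreach ($pfn in $Candidates) {
    # Each AppxPackage object lists its manifest dependencies as AppxPackage objects.
    $dependents = $all | Where-Object {
        $_.PackageFamilyName -ne $pfn -and
        ($_.Dependencies | Where-Object { $_.PackageFamilyName -eq $pfn })
    }
    if ($dependents) {
        $names = ($dependents.PackageFamilyName | Sort-Object -Unique) -join ', '
        Write-Warning "$pfn is a declared dependency of: $names"
    }
}

# --- Post-deployment: confirm removal for existing users and for new profiles ---
function Test-PfnRemoved {
    param([Parameter(Mandatory)][string[]]$PackageFamilyName)

    $installed = (Get-AppxPackage -AllUsers).PackageFamilyName
    # Derive "<Name>_<PublisherId>" from the provisioned package's full name.
    $provisioned = (Get-AppxProvisionedPackage -Online).PackageName | ForEach-Object {
        $parts = $_ -split '_'
        "$($parts[0])_$($parts[-1])"
    }

    foreach ($pfn in $PackageFamilyName) {
        [pscustomobject]@{
            PackageFamilyName = $pfn
            InstalledForUsers = ($installed -contains $pfn)
            Provisioned       = ($provisioned -contains $pfn)
        }
    }
}

# Any row with InstalledForUsers or Provisioned still $true means the policy did not take
# effect; the version pitfall above (pre-24H2 or missing the April 2026 update) is the
# first thing to check in that case.
Test-PfnRemoved -PackageFamilyName $Candidates | Format-Table -AutoSize
```

The dependency check only sees packages still present on the device, so run it on the same gold image the inventory was taken from; the removal check is worth scheduling as a recurring compliance query once the policy is in production, since a later feature update can reintroduce a package.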
## Resources
- **Microsoft Documentation:** `https://learn[.]microsoft[.]com/windows/configuration/policy-based-inbox-app-removal/`
- **Windows Release Health:** `https://learn[.]microsoft[.]com/en-us/windows/release-health/windows-message-center`
- **Official PFN Guidance:** `https://techcommunity[.]microsoft[.]com/blog/windows-itpro-blog/`