Many of you who work in the area of desktop management are likely in the business of building or maintaining images. If you’re like me, you’ve come across the occasional Windows 10 appx package (like Edge or Contact Support) which is built into the OS and can’t be removed using PowerShell. One of those is called “Contact Support”, which most corporate environments probably wouldn’t want their users using (they would rather have users call the local IT Service Desk).
There is a way to build an image and prevent these unwanted apps from even appearing on the Start Menu: **AppLocker**. It’s a really easy 4-step process (thanks Jorgen Nilsson for the overview — the steps below are the shortened version of his original post):
- Enable the “Application Identity” service on the OS (must be done with SC.exe from an elevated command prompt)
- In GPEDIT –> Computer Configuration –> Windows Settings –> Security Settings –> Application Control Policies, right-click on AppLocker, select Properties, and enable “Configured” (with default set to “Enforce Rules”) for Packaged app Rules (remember to click OK to commit change)
- Right-click on Packaged app Rules and select “Create Default Rules” to create the “allow all signed apps” rule
- Lastly, right-click on Packaged app Rules and select “Create New Rule” (this opens a wizard)
  - Select Deny and leave User or group set to Everyone
  - Leave “Use an installed packaged app as a reference” enabled and click Select to choose the app you want to disable
  - Click Next a couple times to get to the Name and Description page where you can name it accordingly (be specific, like “Disable Contact Support appx”)
  - Finish by clicking “Create”
Once you’ve created your default rules and your specific rule or rules to block unwanted apps, you can create a GPO for implementation to all systems using Active Directory. To do so, right-click on the AppLocker node in GPEDIT and select Export Policy. This brings up a simple dialog box asking where to store it. On a computer running Group Policy Management Console, you can then import this XML into an existing GPO. Keep in mind that importing a GPO overwrites all other settings in the GPO… so don’t import it into your Default Domain policy, please… 🙂
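Before importing the exported XML into a GPO, it is worth checking that the Packaged app collection is enforced and that the default allow rule sits next to your deny rule, because an enforced AppLocker collection blocks anything that no rule allows. The Python check below is an added example, not part of the original post; the sample policy, its rule IDs and the publisher/product values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported policy; IDs, publisher and product are illustrative.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) All signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000002" Name="Disable Contact Support appx" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Example Publisher" ProductName="Example.ContactSupport" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""

EVERYONE_SID = "S-1-1-0"

def audit_appx_policy(xml_text):
    """Return (findings, denied_products) for the Packaged app (Appx) rules."""
    appx = ET.fromstring(xml_text).find("RuleCollection[@Type='Appx']")
    if appx is None:
        return ["no Packaged app (Appx) rule collection in the export"], []
    findings, denied, allow_all = [], [], False
    mode = appx.get("EnforcementMode")
    if mode != "Enabled":
        findings.append("Appx collection is not set to Enforce rules (mode=%s)" % mode)
    for rule in appx.findall("FilePublisherRule"):
        cond = rule.find("Conditions/FilePublisherCondition")
        if cond is None:
            continue
        wildcard = cond.get("PublisherName") == "*" and cond.get("ProductName") == "*"
        if rule.get("Action") == "Allow" and wildcard:
            allow_all = True  # the "allow all signed apps" default rule
        elif rule.get("Action") == "Deny":
            denied.append(cond.get("ProductName"))
            if wildcard:
                findings.append("Deny rule '%s' matches every packaged app" % rule.get("Name"))
            if rule.get("UserOrGroupSid") != EVERYONE_SID:
                findings.append("Deny rule '%s' is not scoped to Everyone" % rule.get("Name"))
    if not allow_all:
        findings.append("default allow rule missing: enforcing would block all packaged apps")
    return findings, denied
```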
Good luck. I hope this helps ease your workday with one more solution to make your life easier. Here’s a screenshot of GPEDIT after all is said and done.