
Windows 11 In-Box App Removal: Hardening Strategy and Configuration Guide

Security Arsenal Team
May 2, 2026

Introduction

Microsoft has updated the Windows 11 in-box app removal policy, extending capabilities introduced in October. This update enables IT administrators to specify a dynamic list of pre-installed Store apps for uninstallation across managed endpoints. For defenders, this is a critical hygiene improvement. Pre-installed bloatware often runs background processes, maintains active network connections, and introduces an unnecessary attack surface through unpatched vulnerabilities. By granularly removing non-essential applications, security teams can enforce a minimal footprint, reducing the potential vectors for initial access and supply-chain compromises.

Technical Analysis

  • Affected Products: Windows 11 (Enterprise, Education, and Professional editions managed via MDM).
  • Policy Mechanism: The update leverages the RemoveWindowsInBoxApps policy within the Application Management framework. Previously, removal options were binary or static. The new configuration supports a dynamic list of Application User Model IDs (AUMIDs).
  • Defensive Impact: Many pre-installed apps (e.g., specific Cortana components, third-party news aggregators, or consumer-focused games) have extensive permissions and auto-update mechanisms. If these apps are abandoned by vendors or contain vulnerabilities, they become backdoors. Removing them eliminates this risk class entirely.
  • Implementation Context: This policy is typically delivered via Microsoft Intune (Settings Catalog) or Group Policy, syncing the removal list to the AppManagement CSP (Configuration Service Provider).

Executive Takeaways

  • Audit for Business Necessity: Don't just remove everything; perform a functional audit to identify which "in-box" apps are strictly required for business operations (e.g., Calculator, Notepad) versus those that are purely consumer-grade (e.g., Xbox app, TikTok).
  • Standardize the Gold Image: Integrate the new removal policy into your standard Golden Image configuration. Ensure that as soon as a device enrolls into MDM, it sheds unnecessary bloatware immediately, rather than waiting for a remediation cycle.
  • Test for Dependency Breakage: Some deeply integrated Windows components (like the Photos app) may have hooks in the OS shell. Pilot your removal list in a non-production environment to ensure you aren't breaking default file association handlers or critical system notification flows.
  • Update Baseline Security Policies: This feature change should trigger a review of your CIS Benchmarks or NIST-based baselines. Explicitly document which AUMIDs are banned in your environment to satisfy compliance requirements for "minimizing installed software."

Remediation

To utilize this new capability, administrators must configure the policy via Intune or similar MDM solutions. The following steps outline the implementation and a PowerShell script to help identify the AUMIDs of installed applications for your removal list.

Implementation Steps:

  1. Navigate to Microsoft Intune Admin Center > Devices > Configuration profiles.
  2. Create a new profile: Platform: Windows 11 > Profile type: Settings Catalog.
  3. Search for and add the setting RemoveWindowsInBoxApps.
  4. Enter the comma-separated list of AUMIDs for the applications you wish to block or remove.

Discovery Script: Use the PowerShell script below to enumerate the provisioned apps and their AUMIDs on a target machine. This allows you to build your dynamic removal list accurately.

PowerShell
# Discovery Script: Enumerate Provisioned Windows Apps for Removal Policy
# Run this from an elevated prompt on a reference Windows 11 machine to identify AUMIDs.
# Works on Windows PowerShell 5.1 and PowerShell 7 (no ternary operator used).

Write-Host "[+] Retrieving Provisioned App Packages..." -ForegroundColor Cyan

# Get all provisioned packages (staged for every new user profile); needs elevation
$provisionedApps = Get-AppxProvisionedPackage -Online

# Get packages installed for the current user; their manifests carry the application IDs
$userApps = Get-AppxPackage

$outputList = foreach ($app in $provisionedApps) {
    # The provisioned DisplayName (e.g. Microsoft.BingNews) matches the installed package Name.
    # Matching on PackageFullName does not work: provisioned names carry "~" in place of the
    # architecture, so the two strings never line up.
    $installed = $userApps | Where-Object { $_.Name -eq $app.DisplayName } | Select-Object -First 1

    if ($installed) {
        # AUMID = <PackageFamilyName>!<Application Id>. The Id is declared in the manifest and
        # is not always "App"; one package may also declare several applications.
        $appIds = ($installed | Get-AppxPackageManifest).Package.Applications.Application |
            ForEach-Object { $_.Id }
        $aumids = foreach ($id in $appIds) { "$($installed.PackageFamilyName)!$id" }
        $aumid = $aumids -join "; "
        $displayName = $installed.Name
    } else {
        $displayName = $app.DisplayName
        $aumid = "N/A (not installed for current user; resolve via manifest)"
    }

    [PSCustomObject]@{
        AppName     = $displayName
        PackageName = $app.PackageName
        AUMID       = $aumid
    }
}

# Output the results
$outputList | Format-Table -AutoSize

# Export to CSV for policy creation (create the folder first so Export-Csv cannot fail)
$outputPath = "C:\Temp\Windows11_App_Audit.csv"
New-Item -ItemType Directory -Path (Split-Path $outputPath) -Force | Out-Null
$outputList | Export-Csv -Path $outputPath -NoTypeInformation
Write-Host "[+] Audit complete. Results saved to $outputPath" -ForegroundColor Green

After running the script, import the CSV into your policy documentation to decide which AUMIDs to add to the RemoveWindowsInBoxApps configuration string.
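As an added example that is not part of the original post: a verification script for the endpoint side, run after the policy has synced, that checks a documented ban list against both the provisioned packages and every user's installed packages, so a removal that silently failed shows up as a finding rather than an assumption. The entries in $bannedEntries are constructed placeholders; replace them with the AUMIDs or package family names from your own audit CSV.

```powershell
# Added example (not from the original post): confirm the ban list is enforced on an endpoint.
# Run elevated: Get-AppxProvisionedPackage -Online and Get-AppxPackage -AllUsers require it.

# Constructed sample ban list, as recorded in the baseline document. Entries may be
# full AUMIDs (<PackageFamilyName>!<AppId>) or bare package family names.
$bannedEntries = @(
    "Contoso.ExamplePuzzleGame_abc123def4567!App",   # placeholder AUMID
    "Contoso.ExampleNewsReader_abc123def4567"        # placeholder package family name
)

$provisioned       = Get-AppxProvisionedPackage -Online
$installedAllUsers = Get-AppxPackage -AllUsers

$findings = foreach ($entry in $bannedEntries) {
    $familyName  = $entry.Split('!')[0]                 # drop the !AppId suffix if present
    $packageName = $familyName -replace '_[^_]+$', ''   # drop the publisher-hash suffix

    # Provisioned packages are matched by DisplayName; installed packages by family name
    $stillProvisioned = $provisioned       | Where-Object { $_.DisplayName -eq $packageName }
    $stillInstalled   = $installedAllUsers | Where-Object { $_.PackageFamilyName -eq $familyName }

    # Which user profiles still hold the package (empty when nothing is installed)
    $users = @($stillInstalled | ForEach-Object { $_.PackageUserInformation } |
               ForEach-Object { $_.UserSecurityId.Username })

    [PSCustomObject]@{
        Entry        = $entry
        Provisioned  = [bool]$stillProvisioned
        InstalledFor = $users -join ', '
        Compliant    = -not ($stillProvisioned -or $stillInstalled)
    }
}

$findings | Format-Table -AutoSize

$nonCompliant = @($findings | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Output "NonCompliant: $($nonCompliant.Entry -join '; ')"
    exit 1   # Intune remediation detection convention: exit code 1 = not compliant
}
Write-Output "Compliant: all banned packages are absent"
exit 0
```

Because it reports through the exit code, the same script can be assigned as the detection half of an Intune remediation, with the removal policy itself as the fix.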

Official Vendor Advisory: For detailed configuration parameters, refer to the latest Microsoft Intune documentation regarding the Application Management CSP.
