Wednesday, February 8, 2017

Disabling Modern App Bloatware on Windows 10 Image

Windows 10 comes with much unwanted bloatware in the form of "ModernApps".  These apps include:
  • Netflix
  • Pandora
  • Skype Preview
  • Paid WiFi & Mobile
  • Xbox
  • Get Office
  • Microsoft Solitaire Collection
  • Groove Music
  • Adobe Photoshop Express
  • 3D Builder
Many more unwanted apps... some regions even get Mimecraft!

What is very annoying is Microsoft believes these applications are required "by default" even in Windows 10 Enterprise Edition which is targeted at corporations.

If a user removes these applications, they automatically reinstall by default making it more frustrating.

So - you want to build your corporate image but and remove all Windows 10 Bloatware and modern applications which Microsoft deem necessary for all users?  Here what we needed to do on our Windows 10 Enterprise anniversary update 1607.

First of all don't join your Windows 10 image to the domain.  If you join the Windows 10 Enterprise 1607 image to an Active Directory domain (even if you isolate the computer so it does not receive policy), sysprep fails with the following.

Sysprep was not able to validate your Windows installation.

 
In the setupact.log on the server the following error is generated from domain joining.  I believe this is a bug and I will be raising it with MS.
 
2017-02-07 16:45:40, Error     SYSPRP Failed to remove apps for the current user: 0x80073cf2.
2017-02-07 16:45:40, Error     SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.
2017-02-07 16:45:40, Error[0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'SysprepGeneralizeValidate' from C:\Windows\System32\AppxSysprep.dll; dwRet = 0x3cf2
2017-02-07 16:45:40, Error     SYSPRP SysprepSession::Validate: Error in validating actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0x3cf2
2017-02-07 16:45:40, Error     SYSPRP RunPlatformActions:Failed while validating SysprepSession actions; dwRet = 0x3cf2
2017-02-07 16:45:40, Error[0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x3cf2
2017-02-07 16:45:40, Error[0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep generalize internal providers; hr = 0x80073cf2
2017-02-07 16:46:54, Info [0x0f0052] SYSPRP Shutting down SysPrep log
2017-02-07 16:46:54, Info [0x0f004d] SYSPRP The time is now 2017-02-07 16:46:54
Make all changes to the image in "WORKGROUP" mode to ensure it never touches the Active Directory domain so sysprep will run.
 
Stop Bloatware from Re-downloading from MS Cloud
 
Next we want to stop Windows 10 from automatically "redownloading" bloatware apps after we remove them.
 
Method 1
 
Add 32-bit DWORD value named DisableWindowsConsumerFeatures
 
to:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent 
 
Note: You will want to create the CloudContent Key.
 
Method 2
 
Method 2 involves deploying the regkey via you AD Domain/local policy.  During image creation as your machine is workgroup, it wont be able to get this policy from the domain.
 
Computer Configuration –> Administrative Templates –> Windows Components –> Cloud Content
 
“Turn off Microsoft consumer experiences”
 
Note: I recommend deploying Method 1 on the image itself immediately after being built as the image will start downloading bloatware as your configuring your base SOE.
 
Remove the Default Bloatware
 
Next you will want to remove all default Windows 10 Bloatware "Modern Apps".  To remove this from your image from an elevated PowerShell command prompt run:
 
Get-ProvisionedAppxPackage -Online | Remove-ProvisionedAppxPackage -Online
 
If you want to review the list of bloatware before running the above command, run this:
 
Get-AppXProvisionedPackage -Online | Select PackageName
After you remove the bloatware, make sure you run the following command from the user account you want to sysprep from, or sysprep will fail once again as per https://support.microsoft.com/kb/2769827
 
Get-AppxPackage | Remove-AppxPackage

Classic Shell
 
In this image I installed the classic shell App to give all users the standard Windows 7 start menu and remove the modern app interface all together.  This was downloaded from:
 
 
We only installed Classic Start Menu, not Classic Explorer, Classic IE or any of the other options from this download.
 
Default Profile
 
Items such as Edge cannot be removed from Windows 10 just like IE cannot be removed from Windows 7. We created a new Default Profile and removed the Edge icon from the task bar, configured the taskbar classic shell and setup default wallpaper etc.
 
Other Important Policies We Applied

Other important policies we deployed to the Active Directory Domain Group Policy for Windows 10 machines include:
 
Disabling the Windows Store:
 
Computer Configuration, Administrative Templates,  Windows Components, and then click Store.
In the Setting pane, click Turn off Store application
 
Disable OneDrive
 
Computer Configuration > Administrative Templates > Windows Components > OneDrive
 
Prevent the usage of OneDrive for file storage
 
Disable Cortana
 
Computer Configuration > Administrative Templates > Windows Components > Search
 
"Allow Cortana" --> Set to disabled.
 
Default Apps
 
Configure Windows 10 to use Windows Media Player and Internet Explorer as default apps (or alternative) and export the default App config with:
 
dism /online /export-defaultappassociations:\\localhost\c$\AppAssoc.xml
 
Deploy the xml file with Group Policy from a file share:
 
Administrative Templates\Windows Components\File Explorer\Set a default associations configuration file
 
Tip for Creating the Image
 
We wanted to create a driver independent image as we are deploying with SCCM and we need to layer the drivers based on the various client hardware.  As a result, we do not want any drivers incorporated in the image.
 
I built the image on VMWare using E1000 NIC (as its natively supported by Windows 10) and did not install VMware Tools during the build process to keep the image clean.
 
I also had numerous issues with sysprep failing due to numerous changes (many which I did not document here).  As a result, I recommend snapshotting your progress numerous times throughout the SOE build and attempting to run sysprep numerous times during your build process to ensure when you get to the end it will not fail!

Hope this information is helpful to anyone wanting to upgrade to Windows 10 as part of a corporate SOE.

No comments:

Post a Comment