Enterprise IT administrators can now strip out far more of Windows 11’s preinstalled Microsoft Store apps with a single policy. Microsoft has expanded the RemoveDefaultMicrosoftStorePackages setting to cover additional MSIX and AppX packages on Windows 11 Enterprise and Education editions running version 24H2 or the forthcoming 25H2. The change closes a long-standing gap that forced admins to rely on fragile post-install scripts or custom provisioning packages.

For years, Windows 11 shipped with a clutch of apps—Candy Crush Soda Saga, Spotify, TikTok, Disney+ and others—that enterprises neither wanted nor needed. These consumer-oriented packages cluttered the Start menu, consumed storage and presented a management headache. Microsoft introduced the RemoveDefaultMicrosoftStorePackages policy back in Windows 11 22H2, but its initial reach was limited to only a handful of app packages. Now, for compatible versions, the policy removes “a broader set of preinstalled MSIX and App packages,” according to Microsoft’s own documentation. The update means that IT pros can achieve a cleaner Windows 11 desktop straight out of the box, without touching a single PowerShell cmdlet.

A policy that actually deletes bloatware

The RemoveDefaultMicrosoftStorePackages policy lives under Computer Configuration > Administrative Templates > Windows Components > Store in Group Policy. Its job is simple: when enabled, Windows will not install the specified default Microsoft Store apps during initial setup (OOBE) or after a feature update. It’s not retroactive—it won’t magically uninstall apps that are already sitting on existing user profiles—but it prevents them from appearing on newly imaged devices or fresh user logins.

What counts as a “default” app? Microsoft maintains a curated list of MSIX and AppX packages that the policy targets. With the latest expansion, that list has grown substantially. While Microsoft hasn’t published an exhaustive public manifest, testing indicates that perennial bloatware candidates like Spotify, TikTok, Disney+, Instagram, and various HP or Lenovo companion apps are now eligible for removal. Crucially, the policy only works on Enterprise and Education SKUs; Windows 11 Pro and Home remain excluded—a deliberate move to keep the setting from disrupting the consumer experience.

How to deploy it: Group Policy and Intune

Organizations can push the policy through two primary channels: traditional on-premises Group Policy or cloud-based MDM via Microsoft Intune.

Group Policy (on-premises)
Open the Group Policy Management Console, create or edit a GPO linked to your Windows 11 Enterprise/Education devices, and navigate to:
Computer Configuration > Administrative Templates > Windows Components > Store
Find RemoveDefaultMicrosoftStorePackages, set it to Enabled, and click OK. Once the GPO applies, the next time Windows provisions a new user or installs a feature update, those default store packages won’t appear.

Microsoft Intune (MDM)
In the Intune admin center, create a Settings catalog profile targeting Windows 11 devices. Search for “ApplicationManagement/RemoveDefaultMicrosoftStorePackages” and set it to True. Assign the profile to a device group containing the relevant Enterprise or Education endpoints. For best results, deploy this configuration alongside Windows Autopilot enrollment—the policy will then be enforced before the user ever sees the desktop.

Even with the policy enabled, IT admins might still spot a few lightweight system components hanging around (e.g., Microsoft Store itself, Widgets, or the Xbox app). Those are not considered “default store packages” in the same sense and are managed via separate policies. Still, the expanded list wipes out the most egregious third-party placements that have irked enterprise customers since Windows 10.

Why it matters for the modern workplace

Removing unwanted apps isn’t just cosmetic. Those packages consume disk space, can generate telemetry noise, and occasionally introduce stale security vulnerabilities. In regulated industries, every unnecessary application is a potential audit finding. Worse, some preinstalled apps launch background processes that drain laptop battery and compete for CPU cycles. By cutting them off at the provisioning stage, IT teams reduce their endpoint attack surface and help users focus on the line-of-business tools that actually matter.

The expansion also aligns with Microsoft’s “Secure by Default” ethos. Rather than asking admins to run bespoke debloat scripts—often downloaded from third-party GitHub repositories with no supply-chain guarantees—the official policy provides a supported, version-aware mechanism that won’t break after the next cumulative update. For larger shops moving toward zero-touch provisioning with Windows Autopilot, this is a cornerstone capability.

What the community is saying (and what’s still missing)

Early feedback from IT professionals has been overwhelmingly positive, tempered by a few sharp criticisms. “Finally, I can stop explaining to my CISO why Candy Crush appears on our gold image,” one admin posted on our forums, echoing a sentiment widely shared. Others praised the move but noted that the policy still doesn’t cover all preinstalled packages, particularly some promotional apps that Microsoft classifies as “experiences” rather than standalone packages.

The most requested improvement? A way to extend the policy to Windows 11 Pro. Many small and mid-size businesses run Pro SKUs and feel left out of this much-needed cleanup tool. Microsoft has not indicated any plans to backport the feature, so those shops must continue relying on AppLocker policies or custom deployment scripts.

Another gap is that the policy only prevents new installations; if a user already has Spotify pinned to the Start menu because it was installed before the GPO took effect, that shortcut stays put. For existing devices, admins may need to combine RemoveDefaultMicrosoftStorePackages with a one-time remediation script that calls Remove-AppxPackage. The combination gives a clean baseline going forward.
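A one-time remediation of the kind described above could look like the following. This is an added example, not a Microsoft-supplied script or code from the original article. The package names in `$PackageNames` are assumed sample values that must be confirmed against `Get-AppxPackage -AllUsers` output on your own image, and the `$Protected` list is an assumption reflecting the guidance to leave the Store app itself intact.

```powershell
#Requires -RunAsAdministrator
# Added example: one-time cleanup of packages already installed in existing profiles.
# Run once with -WhatIf in a pilot ring and review the output before a real run.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed sample names; verify each one against your own inventory first.
    [string[]]$PackageNames = @(
        'SpotifyAB.SpotifyMusic',
        'BytedancePte.Ltd.TikTok'
    ),
    # Packages this script refuses to remove, even if a wildcard matches them.
    [string[]]$Protected = @('Microsoft.WindowsStore', 'Microsoft.StorePurchaseApp')
)

$results = foreach ($name in $PackageNames) {
    # -AllUsers returns copies registered in every profile, not only the caller's.
    $installed = @(Get-AppxPackage -AllUsers -Name $name)

    if ($installed.Count -eq 0) {
        [pscustomobject]@{ Package = $name; Users = 0; Status = 'NotInstalled' }
        continue
    }

    foreach ($pkg in $installed) {
        $userCount = @($pkg.PackageUserInformation).Count

        if ($Protected -contains $pkg.Name) {
            $status = 'SkippedProtected'
        }
        elseif ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage -AllUsers')) {
            try {
                Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
                $status = 'Removed'
            }
            catch {
                # Keep going so one failure does not hide the state of the other packages.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        else {
            $status = 'WhatIfOnly'
        }

        [pscustomobject]@{ Package = $pkg.PackageFullName; Users = $userCount; Status = $status }
    }
}

# Emit objects so the result can be exported (for example with Export-Csv) as audit evidence.
$results
```

The script only removes copies that are already installed; preventing the packages from returning on new profiles or after a feature update remains the job of the policy.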

A side effect worth watching: the Store app itself

Some early adopters have noticed that enabling the policy can interfere with the Microsoft Store’s own update mechanism. Since the policy suppresses default packages, the Store may show pending downloads that never complete, or it might erroneously report that certain apps are “not installed.” Microsoft’s guidance recommends leaving the Store app itself intact (do not block it via policy) to ensure proper license synchronization and background updates for LOB Store apps. Testing the configuration in a pilot ring before broad deployment is essential.

Looking ahead to Windows 11 25H2 and beyond

Windows 11 25H2, expected later this year, will carry the expanded policy natively. Microsoft hasn’t ruled out further additions, and there’s speculation that the list could eventually become configurable via a simple JSON blob—giving admins fine-grained control over which specific packages get blocked. Such a feature would plug the last remaining flexibility gap and let organizations tailor the experience to their exact needs while still using a supported policy path.

For now, the expanded RemoveDefaultMicrosoftStorePackages policy is a significant win for enterprise Windows management. It reduces clutter, improves security, and spares IT teams from maintaining brittle cleanup scripts. If you manage Windows 11 Enterprise or Education devices, this is one Group Policy or Intune setting you’ll want to enable before your next round of imaging.