How to use Intune manager to uninstall Windows mail app


Dear all,
As per the subject, has anyone done this before?


Will be grateful for any help you can provide.

Thanks.

 

16 Replies

Hi... that's easy. Just make sure you add the Microsoft Store for Business to Intune... open the Microsoft Store for Business... search for that Mail app... add it... Back in Intune, add the app, but instead of requiring the app select uninstall... job done :) Sune is describing it here also: https://blog.mindcore.dk/2021/05/remove-windows-10-built-in-apps-with.html

Thanks, @Rudy_Ooms_MVP. My organization is disabled. I have sent an email to the relevant team to ask for permission to enable it before taking any further action.


 

@Sk-73 yeah, users tend to click on the Mail app instead of Outlook. I would avoid removing native apps though, so as not to break any basic functionality. I would instead prevent the users from using the app via CA policies or AppLocker. With some user ed I always get them to use the browser for non-work-related mail accounts.

 

Plus, MS is retiring the MS Store for Business.

Hi @aollivierre305, thanks for replying to this post. The reason we need to remove it is to prevent users from adding non-org email accounts themselves on corp laptops.


Do you have a different way to achieve this?

Thanks Rudy for referring to our blog :)

AppLocker CSP here: PRECISELY that (instead of uninstalling, you DENY access)

https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-using-applocker-to-create...

That article was from 2019, so here are the updated OMA-URI node and XML parts to use instead of the ones mentioned in the article, but besides that follow everything in that article. You DO NOT need to start the App Identity service as it will automatically start (even though by default it is stopped and set to manual).

OMA-URI (CASE SENSITIVE) ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Grouping/StoreApps/Policy

XML part to use as a string value

<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="c3d7f207-377d-4512-bb18-d41c86063d54" Name="microsoft.windowscommunicationsapps, version 16005.14326.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*">
        <BinaryVersionRange LowSection="16005.14326.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

Hey @aollivierre305, thanks! I have just followed the instructions, created a configuration profile and assigned it to myself. I will update you again. :smile:


 

Hi @aollivierre305, yesterday I tried, but it was not successful. Can I check with you about the Mail app GUID?

I followed the guide and exported the Deny policy myself, and I noticed the GUID is different. Please see the attachment below. I'm wondering whether this caused the policy to fail?

[Attached screenshot: Sk73_1-1650334067183.png]

Will be grateful for any advice you provide.

 

Hi @aollivierre305, I just changed the GUID; the reason I changed it is that now Sticky Notes and Company Portal couldn't launch.


Let's see how it goes.

I just learned this https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-con...

Try to use MDAC/WDAC instead of AppLocker.

If you still want to try with AppLocker, then model the policy via the GUI using secpol.msc, then export the policy to XML, open the XML with VS Code and take a look at the XML structure.

Hi @aollivierre305 

Thanks for getting back with a different method. I will check out the link and read through it later. Can I check with you how to make it block only the Mail app? The reason is that I've managed to block the Mail app, but it is also blocking Sticky Notes and Company Portal.

 

OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Grouping/StoreApps/Policy

 

String value:

<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="516ca83f-ea5f-43f2-82de-643153669ae8" Name="microsoft.windowscommunicationsapps, version 16005.14326.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*">
        <BinaryVersionRange LowSection="16005.14326.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
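
AppLocker enforces a rule collection as an allow list: once the Appx collection contains any rule, only packaged apps that match an Allow rule may run, so a Deny-only collection like the one posted above also stops Sticky Notes and Company Portal. The Python model below is an added example, not part of the original thread and not AppLocker's own code; the Allow-all rule, its placeholder GUID, the package names used for the other apps and all version numbers are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: the Deny rule mirrors the one posted in the thread;
# the Allow rule, its placeholder GUID and all version numbers are assumptions.
MS = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
MAIL = "microsoft.windowscommunicationsapps"
RULE = ('<FilePublisherRule Id="{id}" Name="{name}" Description="" '
        'UserOrGroupSid="S-1-1-0" Action="{action}"><Conditions>'
        '<FilePublisherCondition PublisherName="{pub}" ProductName="{prod}" '
        'BinaryName="*"><BinaryVersionRange LowSection="{low}" HighSection="*" />'
        '</FilePublisherCondition></Conditions></FilePublisherRule>')
DENY_MAIL = RULE.format(id="516ca83f-ea5f-43f2-82de-643153669ae8", name="Deny Mail",
                        action="Deny", pub=MS, prod=MAIL, low="16005.14326.0.0")
ALLOW_ALL = RULE.format(id="00000000-0000-0000-0000-000000000001",  # placeholder GUID
                        name="Allow all signed packaged apps", action="Allow",
                        pub="*", prod="*", low="0.0.0.0")

def policy(*rules):
    """Wrap rule fragments in an enforced Appx rule collection."""
    return ('<RuleCollection Type="Appx" EnforcementMode="Enabled">'
            + "".join(rules) + "</RuleCollection>")

def _ver(text, wildcard):
    # "*" means unbounded; otherwise compare versions as integer tuples.
    return wildcard if text == "*" else tuple(int(p) for p in text.split("."))

def _matches(rule, publisher, product, version):
    for cond in rule.iter("FilePublisherCondition"):
        rng = cond.find("BinaryVersionRange")
        low = _ver(rng.get("LowSection"), (0,))
        high = _ver(rng.get("HighSection"), (float("inf"),))
        if (cond.get("PublisherName") in ("*", publisher)
                and cond.get("ProductName").lower() in ("*", product.lower())
                and low <= version <= high):
            return True
    return False

def decide(policy_xml, publisher, product, version):
    """Model the evaluation order: Deny wins, then Allow, otherwise implicit block."""
    root = ET.fromstring(policy_xml)
    rules = root.findall("FilePublisherRule")
    if root.get("EnforcementMode") == "AuditOnly" or not rules:
        return "allowed (collection not enforced)"
    hits = {r.get("Action") for r in rules
            if _matches(r, publisher, product, _ver(version, (0,)))}
    if "Deny" in hits:
        return "blocked (deny rule)"
    return "allowed (allow rule)" if "Allow" in hits else "blocked (no allow rule)"
```

Calling `decide(policy(DENY_MAIL), MS, "Microsoft.MicrosoftStickyNotes", "4.5.7.0")` returns the implicit block, while the same call against `policy(DENY_MAIL, ALLOW_ALL)` is allowed and the Mail package stays denied.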

@Sk-73 yeah, I just noticed the same behavior where Sticky Notes and Company Portal were also impacted by the policy, which is a bizarre thing.

 

I would then try alternative methods like MDAC/WDAC or the Uninstall option or both, as it seems the AppLocker method would require more testing at this point.

AppLocker and restricting the mail app is indeed difficult as it also blocks some other apps like the Company Portal indeed. We are also using AppLocker to restrict the store but that mail app... we use the uninstall to make sure it's gone :)

@Rudy_Ooms_MVP 

Could you please share details on how you managed to uninstall it as I do not see an option for it once I have assigned the app. 

This worked for us for Win10 laptops. Any idea how to do this for Windows 10 Multisession AVD?