Windows 11 Intune Updates

by

Windows 11 is here and it’s time to start preparing for deployments and management.

I have now updated my build environment to include some Windows 11 specific tweaks which I will outline below.

To use my base environment you can use the script from powershell gallery or grab directly from github here

Install-Script -Name BuildIntuneEnvironment

The first change is to the debloat script which can be found here and also deploys automatically with the scripted environment

The additions are to remove the newly added packages for Cortana, Xbox services etc.

#Windows 11 Customisations

    #Remove XBox Game Bar
    Get-AppxPackage Microsoft.XboxGamingOverlay | Remove-AppxPackage
    Get-AppxPackage Microsoft.XboxGameCallableUI | Remove-AppxPackage

    #Remove Cortana
    Get-AppxPackage -allusers Microsoft.549981C3F5F10 | Remove-AppxPackage

    #Remove GetStarted
    Get-AppxPackage *getstarted* | Remove-AppxPackage

    #Remove Parental Controls
   Get-AppxPackage Microsoft.Windows.ParentalControls | Remove-AppxPackage 

   #Remove Teams 'Chat'
$MSTeams = "MicrosoftTeams"

$WinPackage = Get-AppxPackage | Where-Object {$_.Name -eq $MSTeams}
$ProvisionedPackage = Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -eq $WinPackage }
If ($null -ne $WinPackage) 
{
    Remove-AppxPackage -Package $WinPackage.PackageFullName
} 

If ($null -ne $ProvisionedPackage) 
{
    Remove-AppxProvisionedPackage -online -Packagename $ProvisionedPackage.Packagename
}

$WinPackageCheck = Get-AppxPackage | Where-Object {$_.Name -eq $MSTeams}
$ProvisionedPackageCheck = Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -eq $WinPackage }
If (($WinPackageCheck) -or ($ProvisionedPackageCheck))
{
    throw
}

On top of this, removing the Teams Chat icon requires a Custom-URI and can’t be done in any other way currently:

OMA-URI is:

./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon

I’ve also added an Applicability Rule so it only applies to Win11 machines:

Finally, the start menu config has also changed from xml to json (again, Custom-URI)

First I’ve added a rule on the old Win10 start menu so it doesn’t apply to Win11:

<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification" xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="">
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationID="Microsoft.Office.EXCEL.EXE.15" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="Microsoft.Office.POWERPNT.EXE.15" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="4" DesktopApplicationID="MSEdge" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Office.OUTLOOK.EXE.15" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="4" DesktopApplicationID="Microsoft.Office.ONENOTE.EXE.15" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="4" DesktopApplicationID="com.squirrel.Teams.Teams" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="Microsoft.Office.WINWORD.EXE.15" />
          <start:Tile Size="2x2" Column="0" Row="2" AppUserModelID="Microsoft.CompanyPortal_8wekyb3d8bbwe!App" />
          <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
	</DefaultLayoutOverride>
    <CustomTaskbarLayoutCollection PinListPlacement="Replace">
      <defaultlayout:TaskbarLayout>
        <taskbar:TaskbarPinList>
   <taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
	<taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.OUTLOOK.EXE.15"/>
	<taskbar:DesktopApp DesktopApplicationID="MSEdge"/>
        </taskbar:TaskbarPinList>
      </defaultlayout:TaskbarLayout>
    </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

Then we have a new Win11 Start Menu profile (again, pinning the basic Office apps which I would usually deploy in a commercial environment, feel free to amend)

This is a custom one with json

OMA-URI:

./Vendor/MSFT/Policy/Config/Start/ConfigureStartPins

JSON:

{ 
  "pinnedList": [ 
    { "desktopAppId": "MSEdge" }, 
    { "desktopAppId": "Microsoft.Office.EXCEL.EXE.15" }, 
    { "desktopAppId": "Microsoft.Office.POWERPNT.EXE.15" }, 
    { "desktopAppId": "Microsoft.Office.OUTLOOK.EXE.15" }, 
    { "desktopAppId": "Microsoft.Office.ONENOTE.EXE.15" }, 
    { "desktopAppId": "Microsoft.Office.com.squirrel.Teams.Teams" }, 
    { "desktopAppId": "Microsoft.CompanyPortal_8wekyb3d8bbwe!App" }, 
    { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" }, 
    { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" }, 
    { "packagedAppId": "desktopAppId":"Microsoft.Windows.Explorer" } 
  ] 
}

And finally, restrict to Win11

That’s it for now, I’ll keep amending the environment as I come across any other amendments needed for Windows 11

I’ve also added some basic configurations for AppLocker because it can be tricky to grab if you don’t have an on-prem AD to export from

Leave a Comment