Office productivity suites, web browsers and their extensions, email clients, PDF applications, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Property	Value
ISM Control	ISM-1704
Revision	3
Updated	Jun-25
Guideline	Not provided
Section	System patching
Topic	Cessation of support
Essential Eight	ML1, ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

Removes software that is no longer supported by vendors from devices to reduce exposure to unpatched vulnerabilities and compatibility issues. Regularly review the detected application inventory via the Microsoft Defender admin portal and remove the identified applications using the current deployment mechanism.¹²

Justification

End-of-life (EOL) software receives no security patches from the vendor, meaning any newly discovered vulnerability will remain permanently unpatched. This makes EOL software a permanently exploitable condition rather than a temporary remediation gap.

Key examples relevant to this control:

Software	EOL date	Risk if retained
Adobe Flash Player	December 2020	Permanently unpatched; browser and Windows updates actively block it
Internet Explorer 11	June 2022	MSHTML engine issues persist (see ISM-1654); Flash host remains
Office 2016/2019	October 2025/2026	After EOL, no macro, parsing or OLE vulnerabilities patched
Acrobat DC pre-2020	Various	High-CVE-density product; EOL versions ship with unpatched parser vulns

Microsoft Defender Vulnerability Management surfaces end-of-support software as a distinct recommendation category, making inventory and identification straightforward.

Design Decision

[!NOTE] The Microsoft Defender admin portal will be used to review the detected applications on all devices, focusing on items no longer supported by vendors. The current deployment mechanism will be used to remove the identified applications as required.

Prerequisites

Permissions/Roles
- Access to the Microsoft Intune Admin Center to manage app deployment and removal. ¹
- End-users may uninstall apps via the Windows Company Portal if the apps were assigned as available and installed on-demand. ¹
Dependencies
- Microsoft Intune required for app deployment and removal. ¹
- Use of policy-based in-box app removal mechanisms via:
  - Settings Catalog policy
  - CSP RemoveDefaultMicrosoftStorePackages
  - Group Policy (GPO) ³
- Autopilot provisioning path to apply removal policy during device provisioning. ³

Implementation Steps

Inventory review and deployment-based removal

Sign in to the Microsoft Intune admin center. ¹
Go to Apps > All Apps > the app > Assignments > Add group. ¹
In the Add group pane, select Uninstall. ¹
Select Included Groups to choose the groups of users affected by this uninstall. ¹
Select the groups to apply the uninstall assignment. ¹
Click Select on the Select groups pane. ¹
Click OK on the Assign pane to set the assignment. ¹
If you want to exclude any groups, select Exclude Groups. ¹
If you have chosen to exclude groups, in Select groups, select Select. ¹
Click OK in the Add group pane. ¹
Click Save in the app Assignments pane. ¹

Policy-based in-box app removal

In Intune, configure devices by creating a Settings catalog policy and use the following settings. ³

Administrative Templates\Windows Components\App Package Deployment

Remove default Microsoft Store packages from the system

Enabled. ³

Set the toggle to True for each app to remove it. ³
Assign the policy to a group of devices you want to configure. After devices sync with Intune, the policy will apply at the next user provisioning or sign-in. ³
Windows Autopilot: For Autopilot deployments, include the removal policy in the device’s configuration profiles and configure Enrollment Status Page (ESP) to block until device configuration is complete. App removal should happen during device setup if the policy arrives in time. ³

Policy-based in-box app removal (CSP/OMA-URI alternative)

You can configure the RemoveDefaultMicrosoftStorePackages CSP policy to remove store packages. This ADMX-backed policy uses an XML payload. ³
The policy payload can specify which apps to remove by including data blocks with app identifiers set to true to remove and false to keep. ³
Assign the policy to the target group; after devices sync, the policy applies at next provisioning or sign-in. ³

IE11 and in-box app removal using a PowerShell script (optional)

Add the UserApplicationHardening-RemoveFeatures.ps1 as a PowerShell script with the following options:
- Run this script using the logged on credentials: No
- Enforce script signature check: No
- Run script in 64-bit PowerShell Host: No ⁴
Assign the script to a deployment group. ⁴
This script also disables .NET Framework 3.5 (includes .NET 2.0 and 3.0) and Windows PowerShell 2.0. ⁴

WDAC policy deployment guidance helps enforce application control by deploying Defender Application Control policies via Intune Essential Eight application control
Microsoft Security Bulletin MS16-050 - Critical provides workarounds to prevent Adobe Flash Player from running in Internet Explorer and related contexts Microsoft Security Bulletin MS16-050 - Critical
Microsoft Security Bulletin MS17-005 - Critical summarizes mitigations to block Adobe Flash and related guidance Microsoft Security Bulletin MS17-005 - Critical
Remote device action: retire (macos) describes how to retire a macOS device from the Intune admin center Remote device action: retire (macos)

🛡️ Essential 8 Guide