|
#powershell #security #sysadmin #windows #automation

Uninstalling WhatsApp Desktop (Store Version) with PowerShell

WhatsApp Desktop via Microsoft Store can bypass standard software controls. Use this PowerShell script to remotely uninstall it from all users at scale.

WhatsApp is a widely used personal messaging app, but in a corporate environment, it introduces serious security and compliance risks. Unlike approved collaboration platforms like Microsoft Teams, WhatsApp lacks centralized control, audit logging, data retention, and integration with enterprise DLP policies. This makes it an easy vector for intentional or accidental data leaks.

The Problem: Bypassing Control

We discovered that the WhatsApp Desktop application, when installed via the Microsoft Store, does not require administrative privileges. This allowed users to install it freely on corporate devices, bypassing standard software control measures.

Conventional web filtering failed to block it effectively. While we managed to block WhatsApp media transfers using known URLs, the application continued to function for text messaging. This is because it communicates through Microsoft Store-related traffic, not directly via typical WhatsApp web domains.

Although this behavior seemed harmless to some users, it still posed a serious data exfiltration risk. Company information could be copied and sent externally without detection or control. To mitigate this, we initially blocked the app’s execution—a topic I’ll cover in a future post.

But that wasn’t enough. I wanted the application gone entirely from all endpoints. That’s when I turned to PowerShell to remotely uninstall it—cleanly, efficiently, and at scale.

What the PowerShell Script Does

  1. Enumerates all installed WhatsApp-related Appx packages.
  2. Attempts to uninstall each one using Remove-AppxPackage for all users.
  3. Outputs the result for each attempt (success or failure).
  4. Uses a background job with a 5-minute timeout to prevent hangs during remote runs via RMM or PDQ.

The Remediation Script

$scriptBlock = {
    $found = $false

    # Grab all WhatsApp-related packages (regular and beta)
    $packages = Get-AppxPackage -AllUsers | Where-Object {
        $_.Name -like "*WhatsApp*" -or $_.PackageFullName -like "*WhatsApp*"
    }

    if ($packages) {
        foreach ($pkg in $packages) {
            Write-Output "Found package: $($pkg.PackageFullName)"
            try {
                Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
                Write-Output "Successfully uninstalled: $($pkg.PackageFullName)"
                $found = $true
            } catch {
                Write-Output "Failed to uninstall $($pkg.PackageFullName): $_"
            }
        }
    }

    if (-not $found) {
        Write-Output "No WhatsApp packages found. Nothing to uninstall."
    }
}

# Run with 5-minute timeout
$job = Start-Job -ScriptBlock $scriptBlock
if (Wait-Job -Job $job -Timeout 300) {
    Receive-Job -Job $job
} else {
    Write-Output "Script timed out after 5 minutes. Stopping job."
    Stop-Job -Job $job
    Remove-Job -Job $job
}

Final Thoughts

In a secure enterprise environment, unauthorized communication tools are a liability. If your users are running WhatsApp Desktop via Microsoft Store, this script offers a simple and effective way to clean house without manual intervention.