Another subject that needs a “final word”. What is the best way to manage “Start”?
I feel like I’ve written tons of articles and delivered loads of presentations around this particular subject. Microsoft’s decision to remove the Start Menu in Windows 8 and 8.1 and then replace it with a hybrid of Start Menu and Live Tiles in Windows 10/Server 2016 remains a contentious maneouvre in the UI space. We all loved Windows 7/2008 R2…
and then came the abomination that was Windows 8/2012…
….followed by the “halfway house” between old and new that we now have in Windows 10/Server 2016.
The management on Windows 7 was easy, because it was simply done with flat filesystem entries backed up by GPOs. Windows 8 introduced the “Start Screen”, which was handled by binary files called appsfolder.itemdata-ms*, which made things infinitely harder. And in true Windows 10 fashion, we now have a mish-mash of the two, a combination of filesystem entries and the mysteries that compose the “Start Tiles”.
Naturally, Microsoft have even evolved their approach to handling the Start Tiles area of the Start Menu further as Windows 10 feature updates have progressed. Originally, they utilized a database called vedatamodel.edb, but have now eschewed this in favour of a Registry and filesystem approach. Additionally, the methods for managing this have also evolved. So we are going to do a write-up based around the management of the Start Menu and Start Tiles based around the Windows 10 and Server 2016 versions, fully patched as of 03/08/2018.
We are going to address two fundamental issues that come up a lot when speaking to members of the EUC community:-
- Providing customized default Start Menu/Tiles layouts to different groups of users, even those using the same devices
- Saving and persisting the configuration of a user’s Start Menu and Tiles between sessions and devices
We will handle the first issue (customization of the default) in part #1, and the second issue (saving and persistence) in part #2.
Customized default layouts
So for this article, let’s address how we can provide a customized layout to a user when they log on to a machine or session for the first time.
Out of the box, a Windows 10 Start Menu would look like this on the Enterprise version:-
Aside from being garish, most of the stuff appearing there is neither use nor ornament to an enterprise user. What we would like to do is customize this so that when users log on for the first time, they get useful shortcuts and pinned tiles instead of all of this cruft.
-
Apply a single default layout, and allow users to customize all of it
The layout of the Start Tiles (the region on the right, as opposed to the Start Menu on the left) is controlled (in vanilla Windows 10) by a file in c:\Users\Default\AppData\Local\Microsoft\Windows\Shell called DefaultLayouts.xml. This file can be updated by Microsoft, so that new users may get different things on their Start Tiles, dependent on who is paying Microsoft the most money at any particular period in time π
If you wish to override the DefaultLayouts.xml settings, you simply create the Start Tiles the way you want them to look, and then create an XML file called LayoutModification.xml which sits in the same folder as the DefaultLayouts.xml file. You create the file by using the Export-StartLayout cmdlet from PowerShell, as shown in the example below:-
Export-StartLayout -Path \\Path\To\Your\File.xml
You can then put this file in the relevant folder within the default profile in your image, or even deploy it (and update it) onto machines via a Group Policy File Preference such as that shown here:-
Note that there is actually an Import-StartLayout cmdlet, but this doesn’t do what you’d expect. It actually imports the Start Layout XML into the default profile on the device, rather than the active user profile, which is why we aren’t using it here (it can also be used to import into a mounted WIM as well). Essentially we are doing the same thing, exporting into the default profile, but we only need to use the one line of code π
So for very simple situations, where you just want to apply a specific Start Tiles layout to every user that logs on to the Windows 10 machine, this method works well. Once the initial layout is applied, the user is then free to change that as they wish. This method also works for Windows Server 2016 as well in exactly the same way.
However, what if you wanted to apply a Start Tiles layout that couldn’t be changed? Maybe for educational or kiosk areas?
2. Apply a default layout that users cannot change at all
This is achievable through Group Policy or, alternatively, InTune. The Group Policy setting sits here:-
User Config | Admin Templates | Start Menu and Taskbar | Start Screen Layout
and is simply a UNC or local path to the XML file you have generated using Export-StartLayout. As this is a user setting (from the 1607 version of Windows 10 onwards), you can use Security Filtering on the GPO to target specific Start Menu layouts to different groups of users.
Using InTune requires that your users and devices are enrolled into the InTune service, whether you are using this directly in Azure or via SCCM. For purposes of this demonstration we simply have them connected to the Azure service directly. You will need an XML file generated from Export-StartLayout to work with. Log onto Azure and choose Intune | Device Configuration | Create Profile and set Platform to Windows 10 and later and Profile Type to Device restrictions.
Next click on Settings which will open another section of the portal window. Scroll down until you find Start and click on it, which will open a further window. From here, browse to the XML file you have created with Export-StartLayout and it will be loaded for you
If you scroll down you will see many more Start-related items that can be configured, but we will simply leave it at this and click on OK twice, and then Create
The next step is to assign the Profile to one or more Groups. Next time you log in, you should get the Start Tiles layout you have configured in your InTune environment.
Note that the GPO method will work for Server 2016, but obviously Server 2016 instances cannot be managed through InTune.
So, what if you wanted to lock some of the Start Tiles so they couldn’t be changed, but not all of them?
3. Applying a partially-locked layout, allowing users to customize some Tiles but not all
This is achievable through similar methods as specified in [2], just with some modifications to the XML used. You simply modify the XML file you exported using Export-StartLayout and make a modification to the <DefaultLayoutOverride> section.
As an example, here’s an XML file which has been exported but not modified, so if this is applied by GPO it will be enforced and not be changeable by the user:-
Now here’s the same XML file with the modification made (highlighted)
So if you link the XML file to the Start Screen Layout GPO (for Win10 and Server 2016) or to the InTune configuration (for Win10 only) it will behave differently dependent on how you have configured the DefaultLayoutOverride section. If it is done with the “partial” lock enabled, it will look like this with the “locked” section at the top
Note that the locked layout has been merged with the default layout which the user can customize. If you wanted to merge it with a customized layout, you could also use the LayoutModification.xml file in the default user profile as described in section [1]
4. Applying a custom default layout for different user groups on the same device, and allowing users to customize all of it
Now this is extending a little beyond what we can do with Microsoft tools. As you read in section [1], the LayoutModification.xml file can be used to override the default garish layout when a new user logs in. However, this is specifically per-device, as it is one single file we are using to override the layout for all users. What if you had an environment – probably XenApp/XenDesktop/RDSH/VDI – where you wanted to apply different default layouts on a user-by-user or group-by-group basis? For instance, Finance users get Finance apps as the default, IT users get IT apps. You could do this by using the methods in [2] or [3], because these are per-user GPOs (although because they’re Security Filters you can only filter by user or group, nothing more granular). But obviously, these per-user GPOs or InTune only allow you to either do fully-locked or partially-locked Start Layouts. What if you wanted to do customized default layouts for different groups of users on the same device or image, without any locking at all?
You might be thinking the obvious way to do this would be to overwrite the LayoutModification.xml in the default user profile at logon of a particular user, using a Group Policy Preference File Action with Item-Level Targeting, which then overwrites the XML with a different file dependent on the user. However, this method is inconsistent, because the File Action must apply before the user profile is loaded otherwise it will fail. Also, to have the permissions to write to the default user profile, it needs to be a Computer Config Action, and in this area users and groups are not available as ILT. Additionally, this won’t work on Server 2016 because you could have multiple users logging in simultaneously. So using GPP to manage this, or even a WMI filter, is not going to work well, or indeed possibly at all.
There is a way to do it cleanly, which involves using a feature of FSLogix Apps called Redirection. The feature can redirect anything in the filesystem or Registry, so it can be really useful for lots of different problems. Essentially, we redirect the LayoutModification.xml file to a different file dependent on the group memberships of the user logging in
Firstly, you need to install the FSLogix Apps feature on your target devices, obviously, and then install the console somewhere so you can create some Redirection rules.
After this, we need to set the Start Tiles as you want them, and then create as many sets of XML files as you need using the Export-StartLayout PowerShell cmdlet, and save them in an appropriate location. Make sure each one is called LayoutModification.xml. Run the following script for each custom layout you want to create, obviously changing the path as appropriate!
Export-StartLayout -Path c:\StartLayouts\Set1\LayoutModification.xml
Once I’ve done this, I modify the Start Tiles again for my next group of users, and then export to a different location
Export-StartLayout -Path c:\StartLayouts\Set2\LayoutModification.xml
Then it’s just a case of setting up a couple of FSLogix Redirection rules to direct the file c:\users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml to the custom file we have created, and setting a rule so that the redirection is processed differently for different users or AD groups.
Note that we have selected “File/Registry Value” in the console and unticked the “Copy object” option for this.
Then we just need to assign each rule to a user (or an AD group) as below
The final step is to copy the rule files down to the endpoint. This is done simply by placing the rules files (.fxa and .fxr) into the C:\Program Files\FSLogix\Apps\Rules folder on the device. I normally do this using Group Policy Preferences or a script. Once in there the FSLogix driver picks them up and processes them.
Once these rules are assigned to specific users or groups and then copied to the endpoint, we can now have a default Start Tiles layout applied on a per-user or per-group basis from the same base image. The two different layouts I applied are shown below
Obviously you can store the redirected LayoutModification.xml files locally to the image or on the network, however having them local provides redundancy in case the network share is unavailable.
Summary
So there we have it – those are the four ways you can deal with the default layout of the Start Tiles in Windows 10 1803 and Server 2016.
- You can provide a single default layout specific to all users on the device, that they can customize as much as they want
- You can provide multiple “locked-down” layouts to different groups of users, that can’t be customized at all
- You can provide a default (OOBE) or customized default layout to different groups of users, in which specific sets of items are locked non-customizable and the reset are able to be customized
- You can use FSLogix to provide multiple layouts to different groups of users on the same device or image, and that can be customized as much as the user wants
All the methods specified here work equally well on Windows 10 1803 and Server 2016, except for the InTune management which is for Windows 10 only.
Naturally, though, all of this lovely customization is for naught if we can’t save and persist these settings, so that’s what part #2 of this article will be discussing in the very near future.
Great guide!
What if, after say 6 months, you need to add more tiles to each user, in addition to what they already have customizes themselves. How can you do this without overwriting their existing customized tiles? Would you need to replace the entire xml and overwrite existing tiles?
I think in that situation you would have to use the “partial Start Layout” GPO, which should merge with what they already have configured and/or saved. However if you just wanted to “add” some that they could then remove if they wanted to, that is a bit trickier. I guess you would have to enforce the “partial Start Layout” GPO to get them in, and then remove the user from the GPO scope afterwards, if that makes sense?
Yeah.. I was afraid of this, that the startmenu was still hard to customize and not very flexible. I had hoped MS would make a better way to work with this. GPOs are legacy, less and less customers will use it on these intune days.
We will have to stick with building tiles with this 3rd party tool untill MS comes up with something better.
http://www.technosys.net/products/utils/pintotaskbar
Just with FSLogix and no further tool I plan it like this:
1. Default LayoutModification.xml for all. Users may customize the start menu.
2. I use a user logon script anyway. This works with server 2016 and server 2019:
# pin-to-start.ps1
$obj = New-Object -ComObject Shell.Application
$folder = $obj.NameSpace(“shell:appsfolder”)
$item = $folder.Items() | ? {$_.Name -match “outlook”}
$verb = $item.Verbs() | ? {$_.Name -match “start.*heften”}
$verb.DoIt()
3. With FSLogix specify registry value rules for each App use a custom key in HKLM and fill with items. Then from the Login Script enumerate this items and pin them to start.
4. We could write a corresponding key in HKCU to leave the start menu as is once the item was pinned. So users may remove them. (just like Active Setup but i guess Active Setup is too early for pinning since the shell is not started)
Then userA belongs to App1 and App3 userB to App1 and App2 and both will receive pinned Items via the assignments of the FSLogix registry value rules.
I’m keen see part 2 of this article, do you know when you will release it? π
Thanks
P
Hi Paul, I have almost completed it but have been on holiday, hopefully have it done in the next day or so.
Also, re-directed Start Menu for all users (to same, read-only location).
Do you have the XML files available for download somewhere ?
I really loathe typing π
I will see if I can put them in DropBox later.
I’m attempting to use the ‘locked down’ method via InTune, but had a question and wasn’t sure if anyone had experienced this. I have created the xml that includes all the links I’d like to include in this custom group, however I seem to have a problem with any of the programs that are installed on the PC *after* it has been enrolled via InTune/Autopilot.
As an example, I want to create a locked start menu group that contains links to both Google products and MS Office. The Google products are pre-installed and are a part of the image itself. MS Office gets installed on the PC via InTune after the device is enrolled and a user has signed into it.
I’ve noticed this: if I create a start menu group with both Google and Office links and that group is *locked*, the links for Office will never appear. If I modify the xml to make this group *unlocked*, then the Office links show up correctly after the Office suite has been installed, but then the group is not locked and can be modified by a user.
If a group is configured as *locked* in the xml, is it unable to add links to programs that are included in the xml but are not already in the image? If that’s the case, is there any known workaround for this? Thanks!
Hi James,
I have tried implementing solution 3 and 1, so there is both a locked and customizable area.
The locked part works perfectly.
But as soon as I implement the customized layout with LayoutModification.xml in the folder c:\Users\Default\AppData\Local\Microsoft\Windows\Shell – then the users gets no layout.
Not even the locked layout.
I am testing on a Windows Server 2016 VDA.
Have you experienced this issue?
This would be for *new* users only, yes? Those without a profile pre-existing on the device or in a profile store?
I am migrating from w2k8r2 to windows 2016, using XenApp 7.15 and UPM. Most icons in our start menu are created by Citrix Receiver (to be dynamic – using the ‘prefer’ keyword), and it seems like the icons we add to our LayoutModification.xml cannot really be these types of icons. I assume this is because those icons don’t even exist until a few seconds pass after they logon. Amy I missing something here, or is this scenario just a dead end ? Thanks
I used this before (menu through GPO) in RDS 2012R2. Worked great.
Now I have a 2016 RDS farm and it’s not working. User gets no menu at all, it’s black. No errors.
testmenu:
–
–
–
–
–
–
–
–
Latest ADMX files?
Hello,
work Solution 1. Apply a single default layout, and allow users to customize all of it
for already existing Users too if i Paste the LayoutModification.xml in the UserProfile Path of each exisiting User and not in the default User Path?
I tried it with Windows 10 1809 Enterprise and nothing happend after i paste the XML in the right User Folder. Computer restart doesnt change anything too.
It only works on new users without a profile, which is why it needs to go in the Default area.
Very useful ! Thanks for sharing this, James.
I combined your article with the following from Microsoft , https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbarto build a customized Win 10 start menu + taskbar pinned list for a client recently
Nice article – thank you.
So how do we customise the start menu ‘after’ a user has logged on for the first time? Let’s say I want to add one more tile; I update the XML file, GPO copies it to clients succesfully, but the users don’t see it in their start menu’s.
Hi did you get a solution to this, I have the same issue, Thanks
Hi James, Here is another option that may be of interest to your visitors
If you would like to apply a default start menu to all users but also allow them edit it there is another method. It uses the same registry keys that are set when the GPO for “User – Policies – Administrative Templates – Start Menu and Taskbar” is set.
These keys are:
HKCU\Software\Policies\Microsoft\Windows\Explorer\LockedStartLayout DWORD 1
and
HKCU\Software\Policies\Microsoft\Windows\Explorer\StartLayoutFile String \\domain\some-share\startmenu.xml
The GPO “Start Menu and Taskbar” sets both these keys to apply custom start menu as read-only.
You would think setting LockedStartLayout to 0 would be the solution but if this value is not 1 then custom start menu will not apply at all. So the trick to make the start menu modifiable is to set both these keys once then set LockedStartLayout to 0.
To do this, use a GPO for registry setting “User Configuration > Preferences > Windows Settings > Registry” and create 3x registry entries with the following order
1. HKCU\Software\Policies\Microsoft\Windows\Explorer\StartLayoutFile with a string value pointing to a share with your start menu xml file
2. HKCU\Software\Policies\Microsoft\Windows\Explorer\LockedStartLayout 0
3. HKCU\Software\Policies\Microsoft\Windows\Explorer\LockedStartLayout 1 with the box “apply once and do not re-apply” checked
Now when the user logs in, the xml and LockedStartLayout=1 will apply the start menu in read-only mode but the next time they log in LockedStartLayout will be 0 and they can modify the start menu.
Nice article well done James !!!
Question though.
How do I completely remove the Task View and Search options from Task Bar on windows 2016?
Have you had a chance to post 2nd part of this article and how about sharing those customized .xml files?
Very nice article, but keep in mind that modifycation of HKCU\Software\Policies registry hive is permited only to Admins not user it self (check security permissions).
I don’t know why Microsoft tries to do things more and more complicated, like a Start Menu π
Looking for some help on how to manually modify the xml file to force tablet mode for all users. I need to push this out via Intune and the tablet mode setting didn’t carry over when I exported the xml from the device I was configuring. Thanks