Management of Start Menu and Tiles on Windows 10 and Server 2016, part #1

Another subject that needs a “final word”. What is the best way to manage “Start”?

I feel like I’ve written tons of articles and delivered loads of presentations around this particular subject. Microsoft’s decision to remove the Start Menu in Windows 8 and 8.1 and then replace it with a hybrid of Start Menu and Live Tiles in Windows 10/Server 2016 remains a contentious maneouvre in the UI space. We all loved Windows 7/2008 R2…

and then came the abomination that was Windows 8/2012…

….followed by the “halfway house” between old and new that we now have in Windows 10/Server 2016.

The management on Windows 7 was easy, because it was simply done with flat filesystem entries backed up by GPOs. Windows 8 introduced the “Start Screen”, which was handled by binary files called appsfolder.itemdata-ms*, which made things infinitely harder. And in true Windows 10 fashion, we now have a mish-mash of the two, a combination of filesystem entries and the mysteries that compose the “Start Tiles”.

Naturally, Microsoft have even evolved their approach to handling the Start Tiles area of the Start Menu further as Windows 10 feature updates have progressed. Originally, they utilized a database called vedatamodel.edb, but have now eschewed this in favour of a Registry and filesystem approach. Additionally, the methods for managing this have also evolved. So we are going to do a write-up based around the management of the Start Menu and Start Tiles based around the Windows 10 and Server 2016 versions, fully patched as of 03/08/2018.

We are going to address two fundamental issues that come up a lot when speaking to members of the EUC community:-

  • Providing customized default Start Menu/Tiles layouts to different groups of users, even those using the same devices
  • Saving and persisting the configuration of a user’s Start Menu and Tiles between sessions and devices

We will handle the first issue (customization of the default) in part #1, and the second issue (saving and persistence) in part #2.

Customized default layouts

So for this article, let’s address how we can provide a customized layout to a user when they log on to a machine or session for the first time.

Out of the box, a Windows 10 Start Menu would look like this on the Enterprise version:-

Aside from being garish, most of the stuff appearing there is neither use nor ornament to an enterprise user. What we would like to do is customize this so that when users log on for the first time, they get useful shortcuts and pinned tiles instead of all of this cruft.

  1. Apply a single default layout, and allow users to customize all of it

The layout of the Start Tiles (the region on the right, as opposed to the Start Menu on the left) is controlled (in vanilla Windows 10) by a file in c:\Users\Default\AppData\Local\Microsoft\Windows\Shell called DefaultLayouts.xml. This file can be updated by Microsoft, so that new users may get different things on their Start Tiles, dependent on who is paying Microsoft the most money at any particular period in time 🙂

If you wish to override the DefaultLayouts.xml settings, you simply create the Start Tiles the way you want them to look, and then create an XML file called LayoutModification.xml which sits in the same folder as the DefaultLayouts.xml file. You create the file by using the Export-StartLayout cmdlet from PowerShell, as shown in the example below:-

Export-StartLayout -Path \\Path\To\Your\File.xml

You can then put this file in the relevant folder within the default profile in your image, or even deploy it (and update it) onto machines via a Group Policy File Preference such as that shown here:-

Note that there is actually an Import-StartLayout cmdlet, but this doesn’t do what you’d expect. It actually imports the Start Layout XML into the default profile on the device, rather than the active user profile, which is why we aren’t using it here (it can also be used to import into a mounted WIM as well). Essentially we are doing the same thing, exporting into the default profile, but we only need to use the one line of code 🙂

So for very simple situations, where you just want to apply a specific Start Tiles layout to every user that logs on to the Windows 10 machine, this method works well. Once the initial layout is applied, the user is then free to change that as they wish. This method also works for Windows Server 2016 as well in exactly the same way.

However, what if you wanted to apply a Start Tiles layout that couldn’t be changed? Maybe for educational or kiosk areas?

2. Apply a default layout that users cannot change at all

This is achievable through Group Policy or, alternatively, InTune. The Group Policy setting sits here:-

User Config | Admin Templates | Start Menu and Taskbar | Start Screen Layout

and is simply a UNC or local path to the XML file you have generated using Export-StartLayout. As this is a user setting (from the 1607 version of Windows 10 onwards), you can use Security Filtering on the GPO to target specific Start Menu layouts to different groups of users.

Using InTune requires that your users and devices are enrolled into the InTune service, whether you are using this directly in Azure or via SCCM. For purposes of this demonstration we simply have them connected to the Azure service directly. You will need an XML file generated from Export-StartLayout to work with. Log onto Azure and choose Intune | Device Configuration | Create Profile and set Platform to Windows 10 and later and Profile Type to Device restrictions.

Next click on Settings which will open another section of the portal window. Scroll down until you find Start and click on it, which will open a further window. From here, browse to the XML file you have created with Export-StartLayout and it will be loaded for you

If you scroll down you will see many more Start-related items that can be configured, but we will simply leave it at this and click on OK twice, and then Create

The next step is to assign the Profile to one or more Groups. Next time you log in, you should get the Start Tiles layout you have configured in your InTune environment.

Note that the GPO method will work for Server 2016, but obviously Server 2016 instances cannot be managed through InTune.

So, what if you wanted to lock some of the Start Tiles so they couldn’t be changed, but not all of them?

3. Applying a partially-locked layout, allowing users to customize some Tiles but not all

This is achievable through similar methods as specified in [2], just with some modifications to the XML used. You simply modify the XML file you exported using Export-StartLayout and make a modification to the <DefaultLayoutOverride> section.

As an example, here’s an XML file which has been exported but not modified, so if this is applied by GPO it will be enforced and not be changeable by the user:-

Now here’s the same XML file with the modification made (highlighted)

So if you link the XML file to the Start Screen Layout GPO (for Win10 and Server 2016) or to the InTune configuration (for Win10 only) it will behave differently dependent on how you have configured the DefaultLayoutOverride section. If it is done with the “partial” lock enabled, it will look like this with the “locked” section at the top

Note that the locked layout has been merged with the default layout which the user can customize. If you wanted to merge it with a customized layout, you could also use the LayoutModification.xml file in the default user profile as described in section [1]

4. Applying a custom default layout for different user groups on the same device, and allowing users to customize all of it

Now this is extending a little beyond what we can do with Microsoft tools. As you read in section [1], the LayoutModification.xml file can be used to override the default garish layout when a new user logs in. However, this is specifically per-device, as it is one single file we are using to override the layout for all users. What if you had an environment – probably XenApp/XenDesktop/RDSH/VDI – where you wanted to apply different default layouts on a user-by-user or group-by-group basis? For instance, Finance users get Finance apps as the default, IT users get IT apps. You could do this by using the methods in [2] or [3], because these are per-user GPOs (although because they’re Security Filters you can only filter by user or group, nothing more granular). But obviously, these per-user GPOs or InTune only allow you to either do fully-locked or partially-locked Start Layouts. What if you wanted to do customized default layouts for different groups of users on the same device or image, without any locking at all?

You might be thinking the obvious way to do this would be to overwrite the LayoutModification.xml in the default user profile at logon of a particular user, using a Group Policy Preference File Action with Item-Level Targeting, which then overwrites the XML with a different file dependent on the user. However, this method is inconsistent, because the File Action must apply before the user profile is loaded otherwise it will fail. Also, to have the permissions to write to the default user profile, it needs to be a Computer Config Action, and in this area users and groups are not available as ILT. Additionally, this won’t work on Server 2016 because you could have multiple users logging in simultaneously. So using GPP to manage this, or even a WMI filter, is not going to work well, or indeed possibly at all.

There is a way to do it cleanly, which involves using a feature of FSLogix Apps called Redirection. The feature can redirect anything in the filesystem or Registry, so it can be really useful for lots of different problems. Essentially, we redirect the LayoutModification.xml file to a different file dependent on the group memberships of the user logging in

Firstly, you need to install the FSLogix Apps feature on your target devices, obviously, and then install the console somewhere so you can create some Redirection rules.

After this, we need to set the Start Tiles as you want them, and then create as many sets of XML files as you need using the Export-StartLayout PowerShell cmdlet, and save them in an appropriate location. Make sure each one is called LayoutModification.xml. Run the following script for each custom layout you want to create, obviously changing the path as appropriate!

Export-StartLayout -Path c:\StartLayouts\Set1\LayoutModification.xml

Once I’ve done this, I modify the Start Tiles again for my next group of users, and then export to a different location

Export-StartLayout -Path c:\StartLayouts\Set2\LayoutModification.xml

Then it’s just a case of setting up a couple of FSLogix Redirection rules to direct the file c:\users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml to the custom file we have created, and setting a rule so that the redirection is processed differently for different users or AD groups.

Note that we have selected “File/Registry Value” in the console and unticked the “Copy object” option for this.

Then we just need to assign each rule to a user (or an AD group) as below

The final step is to copy the rule files down to the endpoint. This is done simply by placing the rules files (.fxa and .fxr) into the C:\Program Files\FSLogix\Apps\Rules folder on the device. I normally do this using Group Policy Preferences or a script.  Once in there the FSLogix driver picks them up and processes them.

Once these rules are assigned to specific users or groups and then copied to the endpoint, we can now have a default Start Tiles layout applied on a per-user or per-group basis from the same base image. The two different layouts I applied are shown below

Obviously you can store the redirected LayoutModification.xml files locally to the image or on the network, however having them local provides redundancy in case the network share is unavailable.

Summary

So there we have it – those are the four ways you can deal with the default layout of the Start Tiles in Windows 10 1803 and Server 2016.

  • You can provide a single default layout specific to all users on the device, that they can customize as much as they want
  • You can provide multiple “locked-down” layouts to different groups of users, that can’t be customized at all
  • You can provide a default (OOBE) or customized default layout to different groups of users, in which specific sets of items are locked non-customizable and the reset are able to be customized
  • You can use FSLogix to provide multiple layouts to different groups of users on the same device or image, and that can be customized as much as the user wants

All the methods specified here work equally well on Windows 10 1803 and Server 2016, except for the InTune management which is for Windows 10 only.

Naturally, though, all of this lovely customization is for naught if we can’t save and persist these settings, so that’s what part #2 of this article will be discussing in the very near future.

5,048 total views, 2 views today

6 comments

  1. Great guide!
    What if, after say 6 months, you need to add more tiles to each user, in addition to what they already have customizes themselves. How can you do this without overwriting their existing customized tiles? Would you need to replace the entire xml and overwrite existing tiles?

    1. I think in that situation you would have to use the “partial Start Layout” GPO, which should merge with what they already have configured and/or saved. However if you just wanted to “add” some that they could then remove if they wanted to, that is a bit trickier. I guess you would have to enforce the “partial Start Layout” GPO to get them in, and then remove the user from the GPO scope afterwards, if that makes sense?

      1. Yeah.. I was afraid of this, that the startmenu was still hard to customize and not very flexible. I had hoped MS would make a better way to work with this. GPOs are legacy, less and less customers will use it on these intune days.

        We will have to stick with building tiles with this 3rd party tool untill MS comes up with something better.
        http://www.technosys.net/products/utils/pintotaskbar

Leave a Reply

Your email address will not be published. Required fields are marked *