- OpenVPN IPv6 and IPv4 configuration - Mon, Mar 1 2021
- 4sysops author and member competition 2020 - Fri, Jan 1 2021
- Assign an IPv6 address to an EC2 instance (dual stack) - Tue, Dec 15 2020
Considering that I’ve written three posts about the pinning of apps to the Taskbar, you might think everything has been said already. Well, almost. Let’s recap what we’ve learned so far. In my first post in this series, I described the official way of removing the Store app from the Taskbar, which essentially means that you have to disable the Windows Store app altogether. Then, I showed you how to pin and unpin apps on the Taskbar with a PowerShell script, and in another post I demonstrated how you can use this method in a logon script to unpin the Windows Store app.
These solutions all pertain to adding or removing a certain program to or from the Taskbar. However, the methods I discuss today allow you to configure the Taskbar with multiple pinned programs and ensure that users can’t change this setting. Such a configuration makes sense in an environment where all users log on with the same user name, such as on kiosk computers. Or perhaps some of your users work only with a few programs and you want to ensure that these apps are always pinned to the Taskbar without the possibility of users playing with these settings.
Of course, you can also deploy a particular Taskbar configuration with your OS image. But this is a different topic. Today, we just focus on how to change the Taskbar after you deploy Windows.
Taskbar Registry settings ^
The configuration of all pinned apps is stored in a Registry key: HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Explorer > Taskband.
Taskband - Registry settings of the pinned apps on the Taskbar
As you can see in the screenshot, the Registry entries are rather cryptic. Thus, you can’t just edit the Registry manually to configure the Taskbar. However, you can configure the Taskbar on a reference machine, export the Taskband Registry key, and then deploy the corresponding REG file.
Deploy with Group Policy Preferences ^
In a previous post, I explained how you can convert the REG file into an XML file and then import the Registry settings into Group Policy Preferences. This also works with the Taskband Registry key; however, your users will only get the new configuration after they log on the second time. The reason is that Group Policy Preferences deploys Registry settings after Windows Explorer is already loaded. If you restart File Explorer through the Task Manager after the first logon, the Taskbar will load the new settings right away.
Hence, one way to deploy your Taskbar configuration is to restart Explorer right after the user logs on with a logon script. You could do this with a little batch script:
taskkill /f /im explorer.exe start explorer.exe
You should use the Group Policy User Configuration > Policies > Administrative Templates > System > Logon for this purpose because the logon scripts in the Windows Settings Group Policy run too early in the logon process.
Run these programs at user logon
The procedure described so far only works with Modern apps. Windows handles shortcuts for desktop applications and Modern apps differently. Whenever you pin a desktop application to the Taskbar, Windows adds the corresponding shortcut to the folder %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\.
Thus, in addition to the Registry settings, you have copy the shortcut of the desktop application to this folder. If you don’t do this, users will see the application pinned to the Taskbar; however, when they click it, they will get the error message “Can’t open this item.” This problem doesn’t exist for Modern apps.
“Can’t open this item” message
You could copy the shortcut with Group Policy Preferences or in your logon script that restarts Explorer. The example below shows what your batch script might look like if you want to pin Notepad to the Taskbar:
xcopy /y "\\win2012r2\scripts\Notepad.lnk" "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\" taskkill /f /im explorer.exe start explorer.exe
In addition, you have to deploy Registry settings discussed above with Group Policy Preferences.
The solution has two downsides. One is that the user will see a command window pop up after logon. Perhaps even more problematic is restarting Explorer after the user logs on. If the user manages to start an application before your script runs, this can cause problems.
Deploy with a logon script only ^
A better solution is to work without Group Policy Preferences and to deploy the Registry settings in the logon script. In this case, you work with the logon script configuration under User Configuration > Windows Settings > Scripts (Logon/Logoff).
Windows Settings - Logon scripts
This is the corresponding sample batch script:
regedit.exe /s \\win2012r2\scripts\Taskband.reg xcopy /y "\\win2012r2\scripts\Notepad.lnk" "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\"
The first line deploys the Registry settings that contain the pinned apps of your Taskband configuration. The user won’t notice anything and will get the correct the Taskbar settings right after logon.
A problem with this method is that it only works if File Explorer is started after the Registry settings have been deployed. Hence, you should enable the Group Policy Run logon scripts synchronously, which you can find in User Configuration > Policies > Administrative Templates > System > Scripts. During my tests, the logon scripts always worked without this setting, but I wouldn’t count on it. A downside of this policy is that it can slow down the logon process.
Run logon scripts synchronously
I think this case demonstrates nicely that Group Policy Preferences can’t always replace logon scripts.
Freeze the Taskbar ^
Thus far, we only ensured that users will always get the same Taskbar configuration after they log on. They can still pin and unpin apps to the Taskbar during a session. In some environments, that might make sense. However, if you don’t want to frustrate your users because their Taskbar configuration always changes back to the original setting, you might want to prevent users from changing the pinned apps. This can be done with the Group Policy setting Do not allow pinning programs to the Taskbar, which you can find under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar.
Do not allow pinning programs to the Taskbar
Note that this policy doesn’t change the programs currently pinned to the Taskbar. It just removes Pin this program to the Taskbar and Unpin this program from the Taskbar from the context menu when you right-click a Taskbar icon. Also note that the policy doesn’t interfere with the deployment methods described above. Thus, you can still deploy a new REG file with your Taskbar settings without disabling this policy.
If running logon scripts synchronously doesn’t cause slow logons in your environment, I would go for the method without Group Policy Preferences. In any case, I recommend testing the deployment process in the lab until you are sure you understand what you are doing. Pinning and unpinning programs to the Taskbar programmatically is not supported by Microsoft and can be quite tricky.