In Windows 10 1511, Microsoft added a great new feature that allows admins to lock down a section of the Start menu. The user can then configure a particular part of the Start menu.

Jörgen Nilsson

Jörgen is a principal consultant at Onevinn in Sweden. His work focuses on enterprise client management and system management. He is a Microsoft Certified Trainer and a Microsoft Most Valuable Professional (MVP) in Enterprise Mobility. He also speaks at events such as Microsoft TechDays, Microsoft Management Summits, and TechEd.

Michael wrote a great post about how to deploy a Start menu on Windows 10 machines. A downside of this method was that the Start menu was locked; that is, the user could not add or remove tiles. In Windows 10 1511, Microsoft has changed this. In my example, the "Corporate shortcuts" section is locked down (signified by the lock), and the user can modify the "My shortcuts" section.

Locked and user configurable Start menu

Locked and user configurable Start menu

To configure the Start menu, we used an exported XML file containing the Corporate shortcuts section, which we placed on a file share. We then deployed the XML file with the help of Group Policy to the Windows 10 clients. It is possible to deploy an XML file that contains more than one section that we want to lock down.

The user can then select an application under All apps, right-click it, and select "Pin to Start". Users can also create new groups and re-size or re-arrange them.

Users can pin shortcuts to the Start menu

Users can pin shortcuts to the Start menu

How to deploy the Start menu ^

The procedure below describes how to deploy the Start menu via Group Policy:

  1. Begin by creating a Start menu that you want to use for the Corporate shortcuts by arranging the tiles on a master computer.
  2. Then run the PowerShell command Export-StartLayout -Path C:\temp\startlayout.xml to create the XML file with the current Start menu layout.
  3. To use the new feature introduced in Windows 10 1511 that allows you to configure different sections in the Start menu, you have to edit the XML file. By default, the exported XML file contains the commands to totally lock the Start menu. The following line needs to be changed to modify the behavior:
    <DefaultLayourOverride>
    Replace this line with the following string:
    <DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
    The screenshot below show a sample XML file used to deploy a partially locked-down Start menu.

    Sample XML file

    Sample XML file

  4. Next, copy the XML file to a file share that the domain computers in your network can access.
  5. Now use the Group Policy setting Start Layout, which is located under Computer Configuration > Policies > Administrative Templates > Start Menu and Taskbar.
    The Start Layout Group Policy

    The Start Layout Group Policy

  6. Configure the Group Policy with the path to the XML file that you copied to the file share.
    Path to XML file in the Strat Layout Group Policy

    Path to XML file in the Strat Layout Group Policy

The Group Policy will be applied after the user logs in in the next time.

How to add a new icon to the Start menu ^

Whenever you want to add a new tile to the controlled part of the Start menu, you have to follow this procedure:

  1. Add a new tile to the Start menu (Calculator in the example).
  2. Open a PowerShell console and export the Start menu as a standard user (NOT on an elevated command prompt) with the same PowerShell command as described above.
    Exporting the Start menu with PowerShell

    Exporting the Start menu with PowerShell

  1. Open this new XML file and copy the newly added application to the XML file you used in the Group Policy. The line with the AppuserModeID contains all the required information.
    Exported Start menu with Calculator added

    Exported Start menu with Calculator added

Important notes ^

Before you deploy the Windows 10 Start menu, you have to consider a few things:

  • Only Windows 10 Enterprise supports the Start Layout Group Policy.
  • If you apply this Group Policy after the user has modified the Start menu, the Group Policy will remove this setting.
  • If the Group Policy doesn’t target the computer anymore, the locked part of the Start menu will be unlocked. As you can see in the screenshot below, the lock from the Corporate shortcuts section has been removed.
    The Start menu is unlocked when the Group Policy is no longer applied

    The Start menu is unlocked when the Group Policy is no longer applied

  • If an application has already been added to the user's Start menu and we add it to the Group Policy, the tile moves from the part controlled by the user to the part controlled by the policy.

Also read: Partially lock the Windows 10 Start menu layout with Group Policy

Are you an IT pro? Apply for membership!

1+
Share
21 Comments
  1. Padraig Rocks 3 years ago

    A pity that some of the corporate type group policies are not available in the Pro Windows versions - hard to understand why this should be so.

    1+

    • Author
      Jörgen Nilsson 3 years ago

      I assume it is to push more organisations to use Enterprise, so more and more features requires Enterprise like modifying the Start Menu, Block the Store App, Applocker and so on. It is a pitty though.

      /Jörgen

      1+

  2. Evan 3 years ago

    Is it possible to add mapped drives to the StartLayout? A lot of our users have a mapped "F:" drive that points to a network location unique to their user ID. It'd be great to have that in their Start Menu automatically. But, Windows seems to just ignore it even though I have it in the XML.

    The line looks like this:

    <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="F:\" />

    Seems like there should be a better way of going about it. In the actual Start Menu it just leaves a blank spot.

     

    1+

    • Michael Pietroforte 3 years ago

      Evan, you are right, shortcuts to mapped drives are ignored. I just tried it myself. I didn't find a workaround right away. Please let us know, if you do.

      1+

      • Boris 3 years ago

        Hello Michael,

        Here is an idea:

        Windows probably needs shortcut to point to a "valid object" while it is deployed.

        The plan could be:

        Preparation:

        1) Create a "drive"

        subst X: "Some_Directory"

        2) Create and save a shortcut pointing to "X:"

        To deploy your shortcut:

        1) Create a "drive"

        subst X: "Some_Directory"

        2) While X: exists pin your shortcut;

        3) X: is no longer needed:

        subst X: /D

        4) Map the required shared directory with

        net use ........

        Best Regards,

        Boris

        1+

        • Michael Pietroforte 3 years ago

          And did your plan work? Did you try it?

          1+

          • Boris 3 years ago

            Hello Michael,

            Have not tried it as came across the problem yesterday reading this blog.

            I used a similar technic to deploy our application icons in on W7, W2008,W2012 (W10 is on the way) before the application been installed.

            Why icons before the application?

            - I am getting Customer's Servers and PC's in the boxes and have to prepare them for the application installation. There is a variety of settings like IIS and etc. that need to be done exactly the same way for each computer. So it is easier to do all preparation by running one script.

            Best Regards,

            Boris

             

            1+

  3. Evan 3 years ago

    I just wanted to update, I haven't been able to find a workaround for this.

    1+

  4. Author
    Jörgen Nilsson 3 years ago

    Thanks for the Update, I haven't either.

    /Jörgen

    1+

  5. Peter Cruijs 3 years ago

    Indeed too bad these policies won't work with Windows 10 Pro. Actually a shame. Again MS is (ab)using their market monopoly by harshly pushing SMB customers over to cloud solutions like InTune or Enterprise VL's which both lead to increased monthly costs and of course more profits for M$, because recurring every year. I'm not surprised anymore after they pulled out the SBS plug a few years ago. I personally think it's illegal practice as well as abuse of their dominant market position.

    The solution for drive mappings in the start menu is fairly simple. In order to be able to add a drive mappings to the start menu you will need to make shortcuts for them first. Same as the start layout policy done by using the Group Policy Editor and best together with the needed drive mappings policies (if you're not applying them through a GPO yet), because through GPO you can control the drive mapping names as well, which is also used as fast access name when pinning there. E.g. in order to make DesktopApplicationID="F:\" work you will need to create a shortcut with target set as F:\ below path %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs. Just test it out and of course apply the policies in the right order. For any other kind of shortcut, just pin it to the start menu by right clicking, then export the start menu layout and look up the pinned shortcut in the above location. To make this process more clear and easy you can always start with an empty one to gather the XML connected with shortcut piece in detail.

    FYI. You can of course pin any existing shortcut to the start menu, but very recently I discovered that some shortcuts just can't be pinned to the taskbar depending on the application. So pinning to taskbar can be disabled by design.

    And unless using a DFS solution, wouldn't %LOGONSERVER%\NETLOGON\ or %USERDNSDOMAIN%\NETLOGON\ be the perfect place to store those start menu layout templates?
    All domain authenticated users (and SYSTEM) can read there and the same layout(s) will replicate across all login domain controllers in the organization and so be available at all user login places/locations.

    2+

    • Michael Pietroforte 3 years ago

      It appears the Start layout feature sometimes also work on Window 10 Pro. I tried it on Windows 10 Pro 1511 and 1607 and it worked.

      1+

      • Peter Cruijs 3 years ago

        That's really strange. It either should work or not.

        Conform the policy description it can be applied to Windows 10 Server (2016), Windows 10. That description is very general and has a wide scope. They don't eplicitly state it's meant for Windows 10 Enterprise only. But some other policies do mention they only work with Windows 10 Enterprise/Education.

        A few days ago I tried to implement an empty layout at customers site through GPMC for a bunch of to Windows 10 Pro 1511 upgraded workstations, but except for locking up the startmenu the empty template itself wasn't applied to the workstations. All tiles were still there. Even after gpupdate, checking if the policy had been applied with GP result and rebooting several times to really make sure all I got was a locked start menu with all current items still residing inside.

        Could it be that the registry tweak method always works and using GPMC/GPO doesn't?

        I didn't have the time yet to check out the direct registry tweak method, but if the start menu layout really doesn't work through GPO on Windows 10 Pro that option looks very promising to me. Although indeed the (different) GPO filtering in Windows 10 Pro could block those kind of policies defined through GPO, the common DLL's of the Windows 10 system in general could still be able to pick up these manual registry changes. That actually would be a giant black hole in terms of system security (start menu hijacking with read only xml and some kind of nasty injector e.g.)!

        Now next time I will check the registry location to make sure if the Start Layout policy effectively had been applied to the system by GPO. That could clarify some things. And also check if the registry tweak can be applied on Windows 10 Home editions too.

        Like some organisations use WPKG without any GPO's applied (BYOD). In general it's wiser to stay as much as possible out the GPO swamp anyway and use it very minimalistic.

        Maybe they realized that you really can't sell a product as Professional version that has less management options than the Education or Enterprise version. Or by changing their terms after the upgrade. M$ should not repeat their mistakes again like they made with GFWL (and more of their products) otherwise their precious Windows Store will end up the same.

        For companies they should make it as easy as possible to manage this part of Windows 10 for free and then possible release a Windows 10 Community Edition, which really only runs MS approved apps and Appx packages. Sooner or later they will have to anyway, because Linux is gaining into the market more and more.

        Yep they are in need of new management and visions, but got stuck with their heads into the cloud. 😉

        1+

        • Michael Pietroforte 3 years ago

          Group Policy does not nothing else than changing the Registry. Thus, if the feature works if you change the Registry, the corresponding GPO should work too. You could put a machine that runs the Enterprise edition in the same OU and see if it works there. Maybe you have a Group Policy problem that is unrelated to the Start layout feature.

          1+

  6. Peter Cruijs 3 years ago

    It could be a GP problem, but that was not the issue here as it was a fresh installation.

    Finally it turns out that you can't use an empty Start layout. There needs to be at least one tile defined and available in the Start layout file to have it applied. So there's no easy way yet to start with an empty Start layout by default.

    Also missing shortcut(s) or any not installed application(s) will automatically disable (not show) the corresponding tile(s), which could be of use actually when using locked down access permissions (Administrative Tools e.g.).

    Still I'm confused about if the policy only merges with the users already existing tiles when using the attribute LayoutCustomizationRestrictionType=”OnlySpecifiedGroups” and/or if it replaces the Start menu layout fully when not using that attribute and the Lock Down registry tweak's behavior on this all.

    So finally I can confirm too it does work, but much more detailed information and explanation is still needed on this matter. Just some trial and error testing now and gather the results.

    Thanks for your help and all the good articles posted here.

    1+

  7. Author
    Jörgen Nilsson 3 years ago

    Hi, if you apply the Start Menu to a user/machine where the use already have modified the Start Menu, it will replace all the users tiles even if you use LayoutCustomizationRestrictionType=”OnlySpecifiedGroups”

    that is a one time behaviour so after that you can modify it and it will only update the "corporate controlled" groups and not the groups that users have created.

    /Jörgen

    1+

  8. Carl Stephens 3 years ago

    Does this work in 1607  i can't seem to get it to work  do you have an actual document ?

    1+

  9. Author
    Jörgen Nilsson 3 years ago

    It works just fine in 1607, it will not work on Windows 10. Could it be that you have a syntax error in your .xml file? in that case it is ignored.

    Regards,

    Jörgen

    1+

  10. Jose 3 years ago

    Hi All,

    i'v had that working until I tried to replace an entry. this for new users work, but for some that already have a profile created sometimes works and sometimes I end up with a hole instead of the new link.

    All I did was replace the entry on the xml file for another shortcut. I'm pretty sure the shortcut exists because the same gpo is creating it. Tried to restart many times but it doesn't seem to work always.

    1+

  11. Jim Schezlick 3 years ago

    There is no "Policies" in the location:

    Computer Configuration > [Policies] > Administrative Templates > Start Menu and Taskbar

    1+

  12. gene 3 years ago

    Hi I been going through your resources here. Doing this with GPO in our small company.

    We are  windows 10 pro, 1511, 1607 and eventually all at 1703 for the layout of tiles and taskbar company wide.

    A number of our office suite apps show up fine; however, I have been trying to pin the 'windows media player' to the taskbar, Using the lnk in the allusersprofile startmenu, but it doesn't show up.

    it looks correct, I don't see any errors, using <taskbar:DesktopApp DesktopApplicationLinkPath=

    Is the location %appdata% or %alluserprofiles% at issue? What are the mechanics of using those locations as the source for the lnk files.

    i was reading your other entries and someone or you mentioned that some app links are not specifically "located' until after windows boots?

    one solution presented was to put a link in another location and point to that.

    or is there something about the media player that I am missing?

     

    1+

  13. LBX Computer Services 2 years ago

    We've allowed users to specify their own layout but now want to apply a partially locked layout via GPO. Users who have established profiles and pinned their own Word, Outlook, Excel icons etc now end up with two Word, Outlook, Excel icons pinned once the partial layout is applied.

    As Word/Outlook/Excel is in the partially locked sections of the layout, but their personally pinned icons are not, you can "unpin" their version but when you do so it actually unpins both thus breaking the partially locked section. We then thought, at least we can just update the timestamp of the XML file but doing this re-applies the partially locked portions and restores the previously unpinned Word/Outlook/Excel icons.

    What we ideally need is a way to apply a partially locked layout which clears any previously pinned icons.

    I've tried playing with the TileDataLayer folder in APPDATA Local to no avail.

    3+

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account