While many are of the opinion that organizations should not customize the start menu during Windows 10 deployments, it’s happening almost in every Windows 10 project anyway. There are several blog posts created by the community and documentation from Microsoft outlining the different methods how to accomplish a customized start menu and even task bar configuration during deployment of Windows 10.

Using the method to define a partially locked start menu is what I usually recommend my customers, but to keep it to a minimum where it mainly contains applications or tools that can be references by the help desk for easy access during a support case. A partially locked start menu basically means that certain defined part of the start layout area of the start menu is locked down and doesn’t the end user to unpin what’s defined by the administrator.

Read more about using a partially locked start menu from the documentation below:

https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout#configure-a-partial-start-layout

Something that may not be spoken about too often is the fact that when customizing Windows 10, an organization may want to make the start menu more visually appealing for the end user upon the first logon. A scenario here could be that an organization would want to leverage the partially locked section of the start layout, but provide a set of pinned items that the end user can decide themselves if they want to remove them or not.  This is however not possible today with the built-in functions and tools provided by Microsoft.

Let me try and explain what I’m talking about with an example.

We have an organization that are currently using group policies to configure a partially locked start menu. This section is controlled by the organization and the end user cannot modify what has been added here. The organization would also want the end user to have Outlook, Word and Excel pinned right below the locked section of the start menu, but the end user should be able to remove these pinned items.

So how can we accomplish this scenario – continue to read for a solution on how to configure a what I call a user-defined or dynamic start menu customization that can be deployed with ConfigMgr during operating system deployment of Windows 10.

Pinning applications in user context

The problem we have to overcome here is that the start menu is designed to be customized by the end user. A user pins tiles, re-arranges them and so on from time to time. We as administrators can make customizations that are either set in stone or partially locked. Moral of the story here is, in order to pin applications to the start menu for the user without using any of the built-in tools like a group policy, it has to be invoked in the context of the user.

While researching this, I stumbled upon a way to invoke the actual pin and unpin methods utilized when a user for instance right clicks on an application in the start menu list of applications. Below is a simplistic way to pin an application in the context of the user using PowerShell:

((New-Object -ComObject Shell.Application).NameSpace("shell:::{4234d49b-0245-4df3-b780-3893943456e1}").Items() | Where-Object { $_.Name -like "Command prompt" }).verbs() | Where-Object { $_.Name.replace('&', '') -match 'Pin to Start' } | ForEach-Object { $_.DoIt() }

What happens here when this is invoked in the context of a user currently logged on, is that the Command prompt is added to the start menu. With this information I put together a script that extends the functionality to check if the application is already pinned, or if it’s an approved application, meaning that the application is capable of being pinned.

So which applications can be pinned using this method? A good rule of thumb is anything you see in the start menu, and the name it has should be the one you use like with the example above where we used Command prompt.

This script can be found on our SCConfigMgr github repository here:

https://github.com/SCConfigMgr/Windows/blob/master/Start%20Menu/Add-StartMenuTile.ps1

Extending the solution to operating system deployment

Now comes the tricky part, how should we run a script to add a set of applications to the start menu of the user that logs on. What about multiple users logging on to the same device?

This is not a new problem frankly, and you have probably heard of the solution already, Active Setup. For this solution, we don’t want to use other methods such a user logon scripts. We want to ensure that our script to pin the desired applications to the start menu of the user is only executed once per user that logs on. For this requirement, Active Setup is the prime candidate.

What I’m sharing in this blog post is a single script that can be executed during operating system deployment using ConfigMgr. The script is designed to perform the following actions when executed during operating system deployment:

  • Stage itself into the C:\Windows folder
  • Prepare the required Active Setup registry keys

At this point the script all about done. The task sequence will continue and complete eventually. When the first user then successfully has entered the credentials and the user logon sequence begins, the script then invoked again by Active Setup and the following happens:

  • Create a new PowerShell process that invokes itself again, this time in another process that’s not causing Active Setup to wait until the initial process it launched has completed
  • Main logic for adding pinned applications, taken from the original script mentioned above, is executed and the applications are pinned for the user that is logging in

Let’s take a look at how this is configured in a task sequence in ConfigMgr.

Implement the solution in your task sequence

First you’ll need to download the script from the following location:

https://github.com/SCConfigMgr/ConfigMgr/blob/master/Operating%20System%20Deployment/Set-StartMenuUserTiles.ps1

  • Edit the Set-StartMenuUserTiles.ps1 and locate row 154-155.
  • Amend the $AppList string array with the application you would want the end user to have pinned.

  • Create a regular package without a program and distribute it to your distribution points.
  • Edit your task sequence and locate a suitable place after the Setup Windows and ConfigMgr step.
  • Add a new Run PowerShell Script step in this location.
  • Configure the step accordingly to the image below:

  • Apply the changes made to your task sequence.

End user experience

Once the deployment of a new machine has completed and the user has logged on for the first time, the applications defined in the Set-StartMenuUserTiles.ps1 script will be pinned to the start menu for that user like shown in the picture below.

Additionally, we can see that the end user can manage these pinned applications, but not the ones added in the locked down section of the start menu.

Summary

Using this solution we can now control exactly what’s pinned to the start menu for the end user after operating system deployment and we’re not bound to a set of rules that comes with the different methods currently available. You could practically extend this solution to dynamically pin any set of available applications on the machine, depending various variables or group memberships and so on, the choice is yours.

(4608)

Nickolaj Andersen

Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.

comments
  • Ram
    Posted at 16:30 September 25, 2018
    Ram
    Reply
    Author

    Hi – The script at GitHub – is it a complete script? When I open the script it has 97 lines in total. On the contrary you say to edit the script from line 154-155. Maybe I am missing something or the script at GitHub is incomplete. Appreciate your response.

    I would like to test the script during this weekend on Win 10 TS.

    Thanks for sharing the script.

    RL

  • Janek
    Posted at 16:53 September 25, 2018
    Janek
    Reply
    Author

    Hey Nickolaj,

    this is a nice solution. i will try it in my next windows 10 migration project in october.
    Do you know if this als can be adapted to the task bar?
    if you configure the task bar during the os deployment with the default way the user is also unable to unpin the predefined items.

    Regards,
    Janek

    • Nickolaj Andersen
      Posted at 02:57 December 5, 2018
      Nickolaj Andersen
      Reply
      Author

      Hi Janek,

      It probably could, but I’ve not tested it. Obviously you’d need to modify the script to find a way of adding the tiles to the taskbar instead.

      Regards,
      Nickolaj

  • Thomas Ehler
    Posted at 08:54 September 26, 2018
    Thomas Ehler
    Reply
    Author

    Hi Nickolaj

    In my humble opinion that is “like passing over the stream to get water” (danish saying) 🙂

    Can you elaborate in what way the above is easier or more functional than just:
    powershell -executionpolicy bypass Import-StartLayout -LayoutPath ‘.\StartmenuLayout\LayoutModification.xml’ -MountPath c:\ -verbose

    With kind regards
    Thomas

    • Nickolaj Andersen
      Posted at 02:55 December 5, 2018
      Nickolaj Andersen
      Reply
      Author

      Hi Thomas,

      I tend not to agree with you here. Have a read at the post again, because I get the feeling that you’re not understanding the scenario. But let me try to explain:

      Imagine a scenario where you already have a GPO for instance in place that’s already applying a start layout exported from a reference machine. With this, depending on how it’s configured, you might have a partially locked down start layout being applied through GPO (at least that’s what I’d recommend you to have). Let’s say that you want to add additionally tiles to the start menu for users that login to a new machine for the first time, or perhaps an existing machine but it’s still the first time they login to that machine. This doesn’t work with any currently implementation today, being GPO or doing it through PowerShell during OSD for instance. With the method mentioned in this post, it now works.

      Makes sense?

      Regards,
      Nickolaj

  • Trond
    Posted at 17:31 October 10, 2018
    Trond
    Reply
    Author

    Hi Nikolaj.

    Thanks for posting the script.

    I tested the script but seems like nothing happens when I log on (-RunMode Stage – W10 Task Sequence). The script is copied to C:\Windows and the Active Setup registry settings are created. Is Active Setup or the script logging somewhere ?

    When you add the applications to the $AppList do you add them in English or local W10 language

    Regards
    Trond

    • Nickolaj Andersen
      Posted at 02:48 December 5, 2018
      Nickolaj Andersen
      Reply
      Author

      Hi Trond,

      No logging as of now. It’d have to be with what’s visible in the start menu for the localization of the device. I’ve only tested this with an English US version of Windows 10 so far.

      Regards,
      Nickolaj

      • Trond
        Posted at 10:02 December 5, 2018
        Trond
        Reply
        Author

        The issue was related to the windows Language, so we had to re-Write the script to support the Norwegian Language. Now it’s working for us 🙂

        Wishlist for next version :
        – Possibility to add TileGroup names
        – Possibility to configure the tile size

        Thanks

        Trond

  • Murat
    Posted at 15:33 November 7, 2018
    Murat
    Reply
    Author

    Hi Nicolaj

    I use partial lock .xml via gpo, can I still use your script?

    I have tried to setup your script, but no icons are showing, only my partial locked icon are showing.

    • Nickolaj Andersen
      Posted at 00:22 December 8, 2018
      Nickolaj Andersen
      Reply
      Author

      Hi Murat,

      Yes, that’s the whole point. I’d try to add some logging to the script to see where it’s failing. This version doesn’t include any logging by default, so you’d have to add it yourself.

      Regards,
      Nickolaj

  • Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.