While many are of the opinion that organizations should not customize the start menu during Windows 10 deployments, it’s happening almost in every Windows 10 project anyway. There are several blog posts created by the community and documentation from Microsoft outlining the different methods how to accomplish a customized start menu and even task bar configuration during deployment of Windows 10.

Using the method to define a partially locked start menu is what I usually recommend my customers, but to keep it to a minimum where it mainly contains applications or tools that can be references by the help desk for easy access during a support case. A partially locked start menu basically means that certain defined part of the start layout area of the start menu is locked down and doesn’t the end user to unpin what’s defined by the administrator.

Read more about using a partially locked start menu from the documentation below:


Something that may not be spoken about too often is the fact that when customizing Windows 10, an organization may want to make the start menu more visually appealing for the end user upon the first logon. A scenario here could be that an organization would want to leverage the partially locked section of the start layout, but provide a set of pinned items that the end user can decide themselves if they want to remove them or not.  This is however not possible today with the built-in functions and tools provided by Microsoft.

Let me try and explain what I’m talking about with an example.

We have an organization that are currently using group policies to configure a partially locked start menu. This section is controlled by the organization and the end user cannot modify what has been added here. The organization would also want the end user to have Outlook, Word and Excel pinned right below the locked section of the start menu, but the end user should be able to remove these pinned items.

So how can we accomplish this scenario – continue to read for a solution on how to configure a what I call a user-defined or dynamic start menu customization that can be deployed with ConfigMgr during operating system deployment of Windows 10.

Pinning applications in user context

The problem we have to overcome here is that the start menu is designed to be customized by the end user. A user pins tiles, re-arranges them and so on from time to time. We as administrators can make customizations that are either set in stone or partially locked. Moral of the story here is, in order to pin applications to the start menu for the user without using any of the built-in tools like a group policy, it has to be invoked in the context of the user.

While researching this, I stumbled upon a way to invoke the actual pin and unpin methods utilized when a user for instance right clicks on an application in the start menu list of applications. Below is a simplistic way to pin an application in the context of the user using PowerShell:

((New-Object -ComObject Shell.Application).NameSpace("shell:::{4234d49b-0245-4df3-b780-3893943456e1}").Items() | Where-Object { $_.Name -like "Command prompt" }).verbs() | Where-Object { $_.Name.replace('&', '') -match 'Pin to Start' } | ForEach-Object { $_.DoIt() }

What happens here when this is invoked in the context of a user currently logged on, is that the Command prompt is added to the start menu. With this information I put together a script that extends the functionality to check if the application is already pinned, or if it’s an approved application, meaning that the application is capable of being pinned.

So which applications can be pinned using this method? A good rule of thumb is anything you see in the start menu, and the name it has should be the one you use like with the example above where we used Command prompt.

This script can be found on our SCConfigMgr github repository here:


Extending the solution to operating system deployment

Now comes the tricky part, how should we run a script to add a set of applications to the start menu of the user that logs on. What about multiple users logging on to the same device?

This is not a new problem frankly, and you have probably heard of the solution already, Active Setup. For this solution, we don’t want to use other methods such a user logon scripts. We want to ensure that our script to pin the desired applications to the start menu of the user is only executed once per user that logs on. For this requirement, Active Setup is the prime candidate.

What I’m sharing in this blog post is a single script that can be executed during operating system deployment using ConfigMgr. The script is designed to perform the following actions when executed during operating system deployment:

  • Stage itself into the C:\Windows folder
  • Prepare the required Active Setup registry keys

At this point the script all about done. The task sequence will continue and complete eventually. When the first user then successfully has entered the credentials and the user logon sequence begins, the script then invoked again by Active Setup and the following happens:

  • Create a new PowerShell process that invokes itself again, this time in another process that’s not causing Active Setup to wait until the initial process it launched has completed
  • Main logic for adding pinned applications, taken from the original script mentioned above, is executed and the applications are pinned for the user that is logging in

Let’s take a look at how this is configured in a task sequence in ConfigMgr.

Implement the solution in your task sequence

First you’ll need to download the script from the following location:


  • Edit the Set-StartMenuUserTiles.ps1 and locate row 154-155.
  • Amend the $AppList string array with the application you would want the end user to have pinned.

  • Create a regular package without a program and distribute it to your distribution points.
  • Edit your task sequence and locate a suitable place after the Setup Windows and ConfigMgr step.
  • Add a new Run PowerShell Script step in this location.
  • Configure the step accordingly to the image below:

  • Apply the changes made to your task sequence.

End user experience

Once the deployment of a new machine has completed and the user has logged on for the first time, the applications defined in the Set-StartMenuUserTiles.ps1 script will be pinned to the start menu for that user like shown in the picture below.

Additionally, we can see that the end user can manage these pinned applications, but not the ones added in the locked down section of the start menu.


Using this solution we can now control exactly what’s pinned to the start menu for the end user after operating system deployment and we’re not bound to a set of rules that comes with the different methods currently available. You could practically extend this solution to dynamically pin any set of available applications on the machine, depending various variables or group memberships and so on, the choice is yours.


Nickolaj Andersen

Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.

There are no comments.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.