Month: March 2019

How to rein the Start Menu in Windows Server 2016

How to rein the Start Menu in Windows Server 2016

In this article I am going to show how to control or rein the start menu in Windows Server 2016. There are a lot of articles describing how to handle the start menu in Windows 10, but very few about Windows Server 2016.

Even though the steps are almost identical in Windows Server 2016 compared to Windows 10, there are a few differences. For instance in Windows Server 2016, you don’t have to remove all the “crap” applications, like Candy Crush, trial editions of Office etc. as they are simply not included with this operating system, as it is an LTSC edition of Windows Server.

Some of the best articles out there are written by James Kindon and James Rankin, I have followed these guys for quite a while, and they know what they are doing. Some of their guides can be found here:

James Kindon:

James Rankin:

James Rankins article is great because it focuses on how to persist, or roam, the start menu, if you haven’t read it yet, it’s highly recommendable.

Both James Rankin and James Kindon adresses the Start menu Tiles, and historically these tiles have been the source of all kinds of issues since they were first introduces in Windows Server 2012/2012R2, but the start menu is not just tiles, it’s also part “old school” start menu, like the one we have in Windows 7 and this part of the start menu, can be handled in a few different ways.

In this article I’ll will cover 3 ways on how to handle the “old-school” part of the start menu. The “old school” part is the part in the red box below, also know as All Programs or Programs, in the green box we have start menu tiles.

I’ll will not be covering the different ways to handle the start menu tile configuration, as both James Kindon and James Rankin have provided excellent guides for that part.

The technologies used are Group Policy, Group Policy Preferences and Citrix Workspace Environment Management, so you will need to have some knowledge of these technologies and a basic understanding of how a Windows profiles works is also recommended.

I’ll be focusing on 3 different scenarios. Each scenario provide certain levels of usability, or lack thereof, in the start menu and start menu tiles sections

Here is a “before” screenshot of how the start menu looks at the first logon with my test account:

This is a pretty default start menu, one I have seen in many Session Host setups. As you can see I have a range of different applications available to me in the Programs area of the start menu, and of course the default pinned application tiles.

Scenario 1 – Total lockdown

This configuration, is by far the easiest one to configure and requires next to no work at all and it will provide a clean start menu with no visible applications, other than Settings and Search, or tiles.

Isn’t this the cleanest start menu you have ever seen?

This configuration can be achieved by configuring the “Remove common program group from Start Menu” which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

You will also need to delete four folders in the user’s profile:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility

In this case I have configured each folder to be deleted via Citrix Workspace Environment Management like this:

Note that Citrix Workspace Environment Management doesn’t usually take Windows variables, like %APPDATA%, so in this case I have used the so called dynamic token ##UserAppData## which is the equivalent to %APPDATA%.

You will of course have to configure the “Delete Files/Folders” action type.

Repeat this process for the remaining three folders and don’t forget to assign the actions

One major downside with this scenario is that you are not able to pin anything to the start menu, basically everything around pinning to start menu has been disabled. The reason for this is that Windows is using the Programs part of the Start Menu to provide the ability to pin applications to the start menu.

A possible use case for this scenario could be your users have gotten used to accessing everything via desktop shortcuts and don’t have the need or demand for using the start menu or start menu tiles.

Scenario 2 – Moderate Lockdown

This configuration requires a bit more work. We will have to use another group policy setting and again delete some files in the All Users profile and also the folders mentioned above in scenario 1.
This scenario relies entirely of pinned applications.

Here you’ll notice that the Programs area of the start menu has disappeared

That can be achieved via the group policy setting:
“Remove All programs list from the Start menu” which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

Remove and disable setting, does what it says, removes and disables the Programs area of the Start Menu.

If you do not have the Remove and Disable setting available, you may need to get the latest Windows 10 adminstrative templates.

We are not quite there yet, because we are still having 4 tiles in the start menu that we need to get rid of. To remove these tiles we will have to delete the shortcuts, or .lnk files, in the the All Users start menu folder, please keep in mind that this affects ALL users logging on to the Session Host server, including administrative users.

The paths to the .lnk files in question:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Server Manager.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Task Manager.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk

How you go about and delete these files is entirely up to you. You could delete them within your Golden Image, or you could delete them via Group Policy Preferences, or a script:

Be aware that this procedure may only work on NEW windows profiles, if this is implemented when a user’s profile has already been created, you will most likely see this:

The only way I have managed to get rid of these white boxes, is to either manually unpin the tiles manually, or reset the user’s profile.

New users logging on should now see this:

A nice clean start menu, where the tiles area is active and ready for some pinning.

With a little help from Citrix Workspace Environment Manager we can populate the start menu with some application shortcut tiles:

If the user manages to pin an application to the start menu, the configuration of your current profile management solution will decide whether this is roamed or not. The guide from James Rankin covers how to configure different profile management solutions to roam the start menu tiles. Also keep in mind that the reason the pinning of the applications work is that the All Users Programs is still available in the file system, it’s just hidden in the start menu. So if you want to pin other applications you need to create the application shortcuts on the All Users Programs and then use Citrix Workspace Environment Management to pin them.

Scenario 3 – Minimal Lockdown

This solution is in my opinion the most flexible solution as it enables us to have more or less full control with the start menu and its appearance . With this solution we’ll use Citrix Workspace Environment Management to build a start menu, and group the different applications shortcuts.

Here we have a start menu without the shortcuts from the All Programs or any tiles, both areas are nice and clean. The Search and Settings shortcuts are, in my opinion, harmless as Search only opens the search bar in the start menu, and settings can be locked down via Group Policy or registry, and is also available via the gears button.

To achieve this, we have to clear out everything in the All Users start menu folder, this can be done within the Golden Image or via Group Policy Preferences. Again keep in mind that this affects every user logging on to the Session Host, administrative users included.
The folders mentioned in scenario 1 will also have to be removed in this step, in order to remove all start menu tiles.

The path to the All Users start menu is:

C:\ProgramData\Microsoft\Windows\Start Menu

In here you will need to delete everything i the Programs folder, or delete the Program folder itself, just remember to create the Programs folder again and leave it empty.

I have created two Folders GPPs. The first one deletes everything within the Programs folder and the Programs folder itself, the configuration looks like this:

And to make sure that it only runs once, I have checked “Apply once and do not reapply”

The second one creates an empty Programs folder.

Now we bring in Citrix Workspace Environment Management to populate the start menu with application shortcuts.

Just look at this! Doesn’t it bring tears to your eyes?

Citrix Workspace Environment Management is great at populating the start menu, and provides range of different possibilities of grouping application shortcuts etc.

You can also use Citrix Workspace Environment Management to populate the start menu with application tiles, however this is where things become is bit sketchy. As mentioned you can only pin applications to the start menu when the application shortcut exist in the start menu. So when we use Citrix Workspace Environment Management to populate or build the start menu, the tiles will not show up until the next logon because the application shortcuts is also being created during the logon.
You can configure the “Enforce Applications Processing” in the Citrix Workspace Environment Management console:

With that enabled you will see both start menu applications and applications tiles, during the first logon, however you will probably notice that the tiles move around in the start menu tile area after each logon. The reason for this is that we now enforce the application shortcut creation with every logon, so depending on which application shortcut gets created first, this will also be the one to get pinned first.

This concludes the article. Reining the start menu in Windows Server 2016 can be a daunting task, but if you have Group Policy, Group Policy Preferences AND Citrix Workspace Environment Management in your arsenal of tools, you will now be able to combine these to provide a great start menu configuration for your environment.