The Windows Server 2019 Start Menu is playing nice

A couple of months ago I penned an article about how to rein in the start menu in Windows Server 2016, mostly because I couldn’t find much information on how to handle the start menu in Windows Server 2016.

I am always aiming to provide the best possible user experience in Session Host scenarios, and that, among other things, means cleaning up the start menu: from a user’s point of view it contains a lot of irrelevant tiles, folders and application shortcuts. That article describes 3 different scenarios, each achieving a certain level of “lockdown” or clean-up of the start menu.

Unlike Windows Server 2016, the start menu in Windows Server 2019 is no longer driven by a mini database. Microsoft has actually deprecated the Tile Data Layer (the mini database feature) but keeps it alive in Windows Server 2016, probably because it is an LTSC edition of Windows.

This means that with Windows Server 2019 it is now a whole lot easier to roam the start menu and customize the tile layout. However, considering that we are all switching to disk based profiles with FSLogix, roaming is a thing of the past.

In this article I’ll focus on how to clean up the start menu in Windows Server 2019, using scenario 3 as the baseline. The reason is that it provides the highest level of flexibility and customization of the start menu, as you will see further on in this article. Scenarios 1 and 2 are, however, also possible in Windows Server 2019.

Now, let’s get to it!

In scenario 3, I configure this group policy setting:

I also delete these 4 folders using Citrix Workspace Environment Management:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility
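If you do not have Citrix Workspace Environment Management, the same four folders can be removed with a logon script. The script below is an added example, not part of the original article or of WEM; it assumes it runs in the user’s own context and takes the folder names from the list above.

```powershell
# Added example (not from the original article): removes the same four folders
# from the user's Start Menu with a logon script instead of Citrix WEM.
# Assumption: runs in the user's context, so $env:APPDATA is the user's own profile.

$programs = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'

# Folder names as listed in the article.
$foldersToRemove = @(
    'Windows PowerShell',
    'System Tools',
    'Accessories',
    'Accessibility'
)

function Remove-StartMenuFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string[]]$Name
    )

    $rootFull = [System.IO.Path]::GetFullPath($Root)

    foreach ($folder in $Name) {
        $resolved = [System.IO.Path]::GetFullPath((Join-Path $Root $folder))

        # Guard: never delete anything outside the user's Programs folder,
        # even if a folder name in the list were ever to contain '..'.
        if (-not $resolved.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "Refusing to touch '$resolved' (outside '$rootFull')"
            continue
        }

        if (-not (Test-Path -LiteralPath $resolved -PathType Container)) {
            Write-Verbose "Not present, nothing to do: $resolved"
            continue
        }

        # -WhatIf / -Confirm are honoured here via SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($resolved, 'Remove Start Menu folder')) {
            Remove-Item -LiteralPath $resolved -Recurse -Force -ErrorAction Stop
            Write-Verbose "Removed: $resolved"
        }
    }
}

# Dry run first (-WhatIf only reports what would be removed), then the real run.
Remove-StartMenuFolder -Root $programs -Name $foldersToRemove -WhatIf
Remove-StartMenuFolder -Root $programs -Name $foldersToRemove -Verbose
```

Run it with -WhatIf once on a test account to confirm only the expected four paths are reported before adding it to a logon script.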

Using these steps, the start menu in Windows Server 2019 ends up looking like this:

So, apart from the Windows Security app, this is looking pretty good. At the moment I haven’t found any way to hide or remove the Windows Security app; it is an immersive app, also known as a Universal App, so there is no actual shortcut like the other apps and folders in the start menu.

/StartofUpdate
Update – 16-07-2019:
I was doing some additional testing and came across something that looks like a timing issue. During my testing I started seeing different variants of tiles not getting deleted/removed correctly. The folders where the tile shortcuts are located are deleted, but the tiles themselves are not.

These are some of the different variants of the start menu I have come across:

This is really strange. I tried configuring Group Policy Preferences to delete the folders in the user’s Programs folder, but that didn’t make any difference at all.
This forces me down a path I was really hoping to avoid, but at the moment I don’t see any alternative. A few years ago I looked into how to build a custom start layout using a so-called LayoutModification.xml file.

This XML file can be used to create a custom tile layout with the tiles you specify. I will not elaborate on how to do that here, as I will only use the XML file to clear out any tiles in the start menu and, while we’re at it, the taskbar as well.

Microsoft has a very extensive whitepaper on how to create the LayoutModification.xml file.

Here are the contents of my LayoutModification.xml file:

<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" />
    </StartLayoutCollection>
  </DefaultLayoutOverride>
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

This will clear out any tiles left in the start menu, and also clear out any tiles/pinned apps on the taskbar. If you don’t want to clear out the taskbar, remove lines 14 through 19 (the whole CustomTaskbarLayoutCollection element).

When you save the LayoutModification.xml file, make sure to save it with UTF-8 encoding, otherwise it might not work.

There are 2 ways of distributing this XML file: either via a GPO, or by copying it to the Default User folder. There are pros and cons to either method.

Deploying the XML file via a GPO

This can be done using the Start Layout policy which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

Enter the path to the LayoutModification.xml file.

Pros:
Easy to configure
Easy to manage

Cons:
Disables the ability to pin applications to the start menu
Citrix Workspace Environment Management is no longer able to pin applications either

Deploying the XML file via the Default User

This is done by copying the LayoutModification.xml to the Default User profile; the exact path is:
C:\Users\Default\AppData\Local\Microsoft\Windows\Shell

Copying the file can be done via Group Policy Preferences or a startup script. It can also be done during any automated deployment jobs you might have.
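A startup or deployment script for this is shown below. It is an added example, not the article’s own script: it checks that the XML is well-formed, carries the expected root element and is actually UTF-8 (the encoding requirement mentioned above), then copies it into the Default User path from the article and verifies the copy. The source path C:\Deploy\LayoutModification.xml is an assumed staging location.

```powershell
# Added example (not from the original article): validates LayoutModification.xml
# and installs it into the Default User profile so new profiles pick it up.
# Run elevated. $SourceXml is an assumed staging path; $Destination is the path from the article.

$SourceXml   = 'C:\Deploy\LayoutModification.xml'   # assumption: where the file was staged
$Destination = 'C:\Users\Default\AppData\Local\Microsoft\Windows\Shell'

function Test-LayoutModificationFile {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Must be well-formed XML with the LayoutModificationTemplate root and namespace.
    try {
        [xml]$doc = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    } catch {
        throw "Not well-formed XML: $Path ($($_.Exception.Message))"
    }
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'LayoutModificationTemplate' -or
        $root.NamespaceURI -ne 'http://schemas.microsoft.com/Start/2014/LayoutModification') {
        throw "Unexpected root element <$($root.LocalName)> / namespace '$($root.NamespaceURI)'"
    }

    # 2. The XML declaration should say utf-8, and the bytes must actually decode as UTF-8.
    if ($doc.FirstChild -is [System.Xml.XmlDeclaration] -and $doc.FirstChild.Encoding -ne 'utf-8') {
        throw "XML declaration says '$($doc.FirstChild.Encoding)', expected utf-8"
    }
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $strict = New-Object System.Text.UTF8Encoding($false, $true)   # throwOnInvalidBytes = $true
    try { [void]$strict.GetString($bytes) } catch { throw "File is not valid UTF-8: $Path" }

    return $true
}

function Install-DefaultUserStartLayout {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$DestinationFolder
    )

    Test-LayoutModificationFile -Path $Source | Out-Null

    if (-not (Test-Path -LiteralPath $DestinationFolder -PathType Container)) {
        New-Item -ItemType Directory -Path $DestinationFolder -Force | Out-Null
    }

    # The file name matters: Windows only looks for LayoutModification.xml in this folder.
    $target = Join-Path $DestinationFolder 'LayoutModification.xml'
    Copy-Item -LiteralPath $Source -Destination $target -Force

    # Verify the copy byte-for-byte before trusting it.
    $srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy verification failed for $target" }

    Write-Output "Installed $target (SHA256 $dstHash)"
}

Install-DefaultUserStartLayout -Source $SourceXml -DestinationFolder $Destination
```

Because the file is only read when a new profile is created, test the result by logging on with an account that has never logged on to the server before.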

Pros:
Does not disable the ability to pin applications to the start menu
Citrix Workspace Environment Management will be able to handle both application shortcuts and tiles in the start menu

Cons:
Only works for new users who do not yet have a profile
Existing users, with existing profiles, are not affected by the LayoutModification.xml file.

I prefer copying the LayoutModification.xml to the Default User profile, as this provides the best user experience and lets me use Citrix Workspace Environment Management to build and manage the start menu.

/EndofUpdate

Windows Security

If you, like me, are running Windows Defender on your servers, users will actually be able to go into the Windows Defender management console and poke around. They will obviously not be able to change anything, because they lack administrative privileges, but in my opinion they really shouldn’t be able to access this management console at all.

The only way, for now, to implement some kind of restriction that applies to non-admin users but not to administrative users is to use our good old friend AppLocker. One of my very first blog posts actually covered AppLocker breaking the start menu. Since then it has become a known fact that if we enable AppLocker, and you really should, then we have to enable the default Packaged app rule, otherwise the start menu in modern Windows versions breaks.

To prevent access to the Windows Security app, however, you have to take a different approach. You have to remove the default rule, which targets Everyone, and then create two new rules which are slightly more restricted.

How to create the AppLocker rule:

If you are not familiar with AppLocker, Microsoft has a basic guide here that shows how to enable AppLocker in Windows 10. It’s the same procedure on Windows Server 2019.

Start by removing the default rule. Then right-click Packaged app Rules and select Create New Rule.

Click Next
Click the Select button and specify the Domain Users group
Click the Select button and select a random app in the list, it doesn’t really matter which app
Select an app
Move the slider all the way up, so that there is a * in every box. This tells AppLocker to allow any signed packaged app to run.
Click Next
Give the rule a name
Make a similar rule, but target Administrators instead of Domain Users. Make sure to select BUILTIN\Administrators, otherwise you might block local administrative users.
Right-click the rule that targets Domain Users, select Properties and go to the Exceptions tab.
Click add and select Windows Security in the list
Note: This can only be done on a server running Windows Server 2019
Move the slider up a notch, so that there is a * in Package version. This makes sure the rule still works even if Microsoft changes the version of the app.
The exceptions box should now look like this.

Make sure that AppLocker is running and processing rules. Then either reboot your server or run gpupdate /target:computer /force, to make sure AppLocker picks up the new rules.
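Rather than waiting for a user to report the block, you can verify the result from an elevated PowerShell session. The script below is an added example, not from the article: it checks that the Application Identity service is running and that the Packaged app collection is in Enabled enforcement, lists each rule with its exceptions, and asks AppLocker what its decision would be for the Windows Security app as a given user. The package name Microsoft.Windows.SecHealthUI is the Windows Security app’s package identity and is not taken from the article; CONTOSO\someuser is a sample account.

```powershell
# Added example (not from the original article): verifies that the Packaged app
# rules described above are enforced and evaluates them for the Windows Security app.
# Assumptions: Windows Security = package Microsoft.Windows.SecHealthUI (not from the article);
# $TestUser is a sample Domain Users member who is not an administrator.

$TestUser    = 'CONTOSO\someuser'
$PackageName = 'Microsoft.Windows.SecHealthUI'

function Test-AppLockerEnforcement {
    # The Application Identity service must run for any AppLocker rule to be evaluated.
    $svc = Get-Service -Name AppIDSvc -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        Write-Warning "AppIDSvc is $($svc.Status); AppLocker rules are not being processed"
        return $false
    }

    # Effective policy = local policy merged with all applied GPOs. 'Appx' is the Packaged app collection.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $appx = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Appx'
    if (-not $appx -or $appx.EnforcementMode -ne 'Enabled') {
        Write-Warning "Packaged app rules are '$($appx.EnforcementMode)', not 'Enabled'"
        return $false
    }

    # Summarise each rule; the Domain Users rule should carry Windows Security as an exception.
    $summary = foreach ($rule in $appx.FilePublisherRule) {
        $exceptions = @($rule.Exceptions.FilePublisherCondition | ForEach-Object { $_.ProductName })
        [pscustomobject]@{
            Rule        = $rule.Name
            Action      = $rule.Action
            UserOrGroup = $rule.UserOrGroupSid
            Exceptions  = ($exceptions -join ', ')
        }
    }
    $summary | Format-Table -AutoSize | Out-String | Write-Host
    return $true
}

function Get-WindowsSecurityDecision {
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][string]$Package)

    $pkg = Get-AppxPackage -Name $Package -ErrorAction Stop
    $tmp = Join-Path $env:TEMP 'effective-applocker.xml'
    Get-AppLockerPolicy -Effective -Xml | Set-Content -LiteralPath $tmp -Encoding UTF8

    # Test-AppLockerPolicy evaluates the package against the saved policy for the given user.
    $result = Test-AppLockerPolicy -XmlPolicy $tmp -Packages $pkg -User $User
    Remove-Item -LiteralPath $tmp -Force
    return $result   # PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule names the rule
}

if (Test-AppLockerEnforcement) {
    Get-WindowsSecurityDecision -User $TestUser -Package $PackageName |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Actual blocks are logged here; blocked launches are Error-level events.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/Packaged app-Execution' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message
```

Run it once with a Domain Users account (expect Denied, matched by the Domain Users rule through its exception) and once with a member of BUILTIN\Administrators (expect Allowed) to confirm both rules behave as intended before the policy reaches production hosts.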

Once the new Packaged app Rules are processed and working, users will be met by this message:

The Windows Security app is now blocked by AppLocker

This is not the prettiest of solutions, but it gets the job done and prevents users from accessing the Windows Security management console. Hopefully Microsoft comes up with another solution that is a bit easier to configure; until then, this is the way to go.

This concludes the article. The start menu in Windows Server 2019 is a bit easier to handle than the start menu in Windows Server 2016, and if you are still holding on to any legacy profile handling technology, like Windows Roaming Profiles or Citrix Profile Management, you’ll find that roaming the start menu in Windows Server 2019 has also become a bit easier and more stable compared to Windows Server 2016.
