Group Policies

Managing Windows 10 Start Menu Layout and Taskbar Pin Apps With GPO

By April 1, 2020No Comments

In a Active Directory domain, you can centrally manage and customize Start Menu and Taskbar Layout on Windows 10 users’ computers using Group Policy. This allows you to assign the same settings for icons and pinned app shortcuts in the Start Menu and Taskbar pane for users of various departments. You can set the custom layout for different user groups and make sure that all workstations are configured in the same way.

How to Export and Import Start Menu Layout in Windows 10 With PowerShell?

The easiest way to get Start Menu Layout template on Windows 10 (Windows Server 2016) is to manually customize desktop appearance and elements on a reference user profile. Create shortcuts (tiles) for the necessary applications, pin and group them, delete unnecessary elements. Then you can export the current Start Menu layout to an XML file.

Windows 10 manage Start Layout via GPO

You can export the current Start Menu settings using PowerShell cmdlet Export-StartLayout:

Export-StartLayout –path c:\Temp\StartLayoutW10.xml

Later you can manually import this Start Menu layout on another Windows 10 computer using the Import-StartLayout cmdlet as follows:

Import-StartLayout –LayoutPath c:\Temp\StartLayoutW10.xml  –MountPath c:\
Note. MountPath specifies the path where .wim file of the system image is mounted.

The main drawback of the Import-StartLayout cmdlet is that it doesn’t import the Start layout to the current user profile, but to the default user profile (the file Layoutmodification.xml appears in C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\ directory). This XML Start Screen layout will only apply to the new user profiles when they log in for the first time.

Deploying Windows 10 Start Menu Layout using GPO

To deploy your Windows 10 Start Menu layout on domain computers using Group Policy (GPO), you need to copy your layout XML file to the NETLOGON directory on the domain controller. Then run Group Policy Management Console (GPMC.msc) and create a new policy or edit the existing one and link it to the users OU.

In the Group Policy Management Editor, find the policy with the name Start Layout in the section User Configuration -> Policies -> Administrative Templates -> Start Menu and Taskbar. You can also assign the Start Menu layout to the computer objects. In this case you need to configure the same policy in the Computer Configuration section.

Windows 10 Start Menu and Taskbar policy - Start Layout

Note. You can configure this policy from any computer if you have the following administrative template files: StartMenu.admx and StartMenu.adml (they already exist in Windows 10 / Windows Server 2016).

Open the policy, enable it and in Start Layout File field specify the UNC path to the XML file containing Windows 10 Start Menu layout settings (for example, \\contoso.com\netlogon\StartLayoutW10.xml).

If you want to apply the Start Layout policy only to specific user groups or computers, you can use Security Filtering or WMI GPO filters.
Important. By default, when configuring Start Menu and Taskbar settings for user computers using the Group Policy, users cannot change its elements (delete shortcuts, pin their own items). To allow the user to change the layout elements, use the Partial Lockdown feature described in the following section.

Using Partial Lockdown to Lock Certain Items in Start Menu

Partial Lockdown mode, that appeared in Windows 10 1511, allows you to specify groups of Start Menu tiles that users cannot change. Those you can allow the user to change any shortcuts, icons and tiles except for a certain group of corporate app shortcuts.

To set the locked Start Layout groups, you need to manually edit the XML layout file using any text editor (it is convenient to use Notepad ++ to edit the XML file).

LayoutCustomizationRestrictionType

Open your file StartLayoutW10.xml and find the following section in it: <DefaultLayoutOverride>. To lock the specific shortcut group, you need to change the attribute of this section to <DefaultLayoutOverride LayoutCustomizationRestrictionType=”OnlySpecifiedGroups”> 

Save the changes to the XML file and deploy it on users computers using GPO. Then only groups of tiles (shortcuts) specified in the XML file will be locked. All other groups, their contents, and element settings can be changed by users.

Partial Lockdown works both in Windows 10 Enterprise and Pro (starting from 1703 build).

Windows 10 has a small bug when the assigned Internet Explorer shortcut doesn’t appear after applying the XML layout file via GPO. To solve the problem, you need to edit the XML file and change the line for the IE shortcut as follows:

<start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk" />

And then through the GPO you need to copy the shortcut file “Internet Explorer.lnk” to the %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\.

How to Manage Pinned Taskbar Items Using GPO?

Starting from Windows 10 1607, you can manage pinned shortcuts in the taskbar via the same XML file with the Start Menu layout. To add your own pinned shortcuts to the XML layout, which is distributed through the GPO, edit the XML file. After the </DefaultLayoutOverride> tag, add the following code:

<CustomTaskbarLayoutCollection PinListPlacement="Replace"><defaultlayout:TaskbarLayout><taskbar:TaskbarPinList><taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" /><taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk" /></taskbar:TaskbarPinList></defaultlayout:TaskbarLayout></CustomTaskbarLayoutCollection>

CustomTaskbarLayoutCollection TaskbarPinList

In this example, we will add two pinned shortcuts to the taskbar: File Explorer and Internet Explorer. After applying the policy on the user’s computer, two pinned shortcuts will appear in the Windows 10 taskbar.

pinned apps taskbar win10 gpo

In older Windows builds (pre 1607), pinned app shortcuts in the taskbar are configured differently. Let’s try to figure out how.

The list of pinned taskbar shortcuts in Windows 10 is stored in the user profile folder %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar.

setting pinned taskbar apps using gpo

And the settings of the pinned apps are stored encoded in the following registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband.

To distribute these Taskbar settings to domain computers, you need to export the contents of this registry key on a reference computer to a REG file:

reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband C:\Temp\PinnedItem.reg

Copy this REG file and the directory containing icons (%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar) to a shared network folder (for example, you can use NETLOGON). In the Domain Group Policy Editor (User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) -> Logon), add a logon script (deploy_taskbar.bat) with the following code:

@echo off
set Logfile=%AppData%\pinned.log
if not exist "%Logfile% (
IF EXIST "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" GOTO NOTASKDIR
del "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*" /S /Q
:NOTASKDIR
xcopy /E /Y "\\contoso.com\netlogon\PinnedItem " "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned"
regedit.exe /s "\\contoso.com\netlogon\PinnedItem.reg "
echo PinnedItemImported on %date% at %time% >> %LogFile%
taskkill /IM explorer.exe /f
start explorer.exe
)

Note. The check if the file %AppData%\pinned.log exists is included in this script. If the file exists, this script has already been run on this computer and it doesn’t have to be reapplied so that a user could delete or add its own icons in the Taskbar.

gpo: logon script

You can deploy this Reg file to domain computers not through a batch file, but through a GPO.

A user at logon will see the corporate set of pinned app icons in the Windows 10 Taskbar.

Leave a Reply