MadPC

Windows server 2008 - Windows 10 help needed
We have a basic Windows server 2008 DC/AD environment with a few Windows 10 devices/laptops recently added to the network. Many users use roaming profiles, some are static.

I'm looking for a solution to get rid of Windows 10 default apps when users login, such as XBOX/Candy Crush/Twitter/Bloatware/etc - This is for a School network and is inappropriate having these apps available.

I can remove the apps for individual logins using CCleaner or Powershell to uninstall them, however, if another user comes along and logs on to the network the apps return to the PC for newly logged in profile.

I'm hoping someone can give me some guidance to use a group policy of sorts so that this can be taken care of at the point of login. If this can't be done via a group policy, is there a way to get the apps removed per device for all users?

I'm also having a bit of difficulty customizing the start menus as the current Group policy for standard users seems to be disallowing any kind of customization. This can be carried out by admin logins so there somehow must be a policy getting through to these win10 devices even though I have definitely not created one.

Help appreciated.

McKnife 🇩🇪

Take the powershell commands into your logonscript and/or startup script. I could give you those tomorrow, we do this.

MadPC

ASKER

That would be very much appreciated!

This can be done by using GPO...

Take one machine, unpin/uninstall tiles as you want... create a startup screen which you want to see on all the machines.

Then run the following command in PowerShell:
export-startlayout –path c:\startmenu\start.xml –for startmenu

And copy the XML file that you created to your file server, so it can be accessible from the network. Then you can simply enable the Start Menu Layout setting in Group Policy:

In the Group Policy Object, expand User Configuration - Administrative Templates - and click Start Menu and Taskbar.
Double-click Start Menu Layout.
In the Start Screen Layout dialog box, click Enabled.
In the Start Layout File box, type the path to the *.xml configuration file you previously created using export-startlayout. The file should be located in a shared folder on your company file server.

Then click OK.

All the best

McKnife 🇩🇪

That would however enforce this layout - people would not be able to change it. That is not what most people are looking for.

ASKER CERTIFIED SOLUTION
McKnife 🇩🇪

Log in or create a free account to see answer.

MadPC

ASKER

McKnife - Just to check that this script won't affect any other OS logins?

I'm away now for a few days but hope to get this in place by next Tuesday, I'll come back to you then :)

McKnife 🇩🇪

No, it doesn't interfere.

MadPC

ASKER

Sorry for the delay guys...

@Shaik M. Sajid - I considered your method but I get the following error within Powershell:

Export-StartLayout : A parameter cannot be found that matches parameter name 'for'.
At line:1 char:49
+ export-startlayout –path c:\startmenu\start.xml –for startmenu
+                                                 ~~~~
    + CategoryInfo          : InvalidArgument: (:) [Export-StartLayout], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Windows.StartLayout.Commands.ExportStartLayoutCommand

@McKnife - Do I need to set three different login scripts or can they all be on the same script? Also where do I put the last PS script you mentioned, does this also go within the logon scripts?

thanks

McKnife 🇩🇪

1 and 2 are no logon scripts, but startup scripts. Only 3 is a logon script.
Save code block 1 as remove_ads.bat
Save block 2 as RemoveAppx.ps1
and block 3 as cleanstart.ps1

2 and 3 can be combined into one, yes.

To configure startup scripts, open a GPO, go to computer configuration - policies - windows settings - scripts - startup. There will be a tab for scripts (.bat for example) and another tab for powershell scripts (.ps1 files) where you can add those code blocks you saved before.

MadPC

ASKER

OK, all done and added 1&2 to the 'Staff' GPO startup script and 3 added as a logon script -

When logging in as a 'Staff' user nothing has changed, the apps are all still there - Am I missing something?

Do I need to put anything in the 'script parameters field' - I had left this blank as I browsed for the relevant scripts when installing, should I be pasting the code straight in to that field?

McKnife 🇩🇪

You might be missing that startup scripts run at startup, not at logon. And logon scripts are delayed by 5 minutes, google logon script delay to tune that.
Also make sure that the powershell execution policy allows scripts to run, set it to remote signed. Lastly, check if you downloaded the helper components I linked and made them accessible on the share names in the script.

You might also do tests before deployment by running the scripts from an elevated command prompt / elevated powershell prompt, so you see errors, just in case.

No script parameters needed.

MadPC

ASKER

This is not working for me, I cannot get this to happen using scripts/GPO. the only thing I'm not 100% sure what you mean is...

check if you downloaded the helper components I linked and made them accessible on the share names in the script.

Please can you elaborate and I'll give this a go too.

Incidentally, I've also tried removing some apps using (e.g)...

get-appxpackage -allusers *xboxapp* | remove-appxpackage

This hasn't worked either!

McKnife 🇩🇪

I will publish an article with a step by step this week. Depending on how fast experts exchange article review is, it will be published within a few days. I'll link it here.

MadPC

ASKER

That would be very welcome, thanks for your help so far :)

McKnife 🇩🇪

You know what? You'll be my first reader. Then you can try it and I get feedback. Win-win :-)
You need a share \\server\share with read access for the group "authenticated users". There, you place the following files:
1 get-shortcut.ps1 which holds the following code:
Param(
	[Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True, Position=0)][ValidateNotNull()]
	[string[]]$Path
)
Begin {
	$Shell = New-Object -ComObject WScript.Shell
	$Installer = New-Object -ComObject WindowsInstaller.Installer
}
Process {
	$Path | ForEach-Object {
		If (Test-Path -Path $_ -PathType Leaf) {
			$Shortcut = $Shell.CreateShortcut($_) | Select-Object -Property `
				Name,
				*,
				@{Name="IsAdvertised"; Expression={$False}},
				AdvertisedTargetPath,
				@{Name="TargetExists"; Expression={$False}},
				Error
			$Shortcut.Name = [IO.Path]::GetFileName($_)
			If ([string]::IsNullOrEmpty($Shortcut.TargetPath)) {
				$Shortcut.Error = "Not a valid shortcut."
			} ElseIf ($Shortcut.TargetPath.ToUpper().StartsWith("${ENV:Systemroot}\Installer\".ToUpper())) {
				$Shortcut.IsAdvertised = $True
				Try {
					$ShortcutTarget = $Installer.GetType().InvokeMember("ShortcutTarget", "GetProperty", $Null, $Installer, $_)
					$StringData = 1, 3 | % {$ShortcutTarget.GetType().InvokeMember("StringData", "GetProperty", $Null, $ShortcutTarget, $_)}
					$Shortcut.AdvertisedTargetPath = $Installer.GetType().InvokeMember("ComponentPath", "GetProperty", $Null, $Installer, $StringData)
				} Catch {
					$Shortcut.Error = "Advertised product not installed."
				}
			}
			$Shortcut.TargetExists = ![string]::IsNullOrEmpty($Shortcut.TargetPath) -And ((Get-Item -Path $Shortcut.TargetPath -ErrorAction SilentlyContinue) -ne $Null)
			$Shortcut | Write-Output
		} Else {
			"Shortcut '$_' not found!" | Write-Error
		}
	}
}
End {
}

2 pin2start.psm1 which holds
#--------------------------------------------------------------------------------- 
#The sample scripts are not supported under any Microsoft standard support 
#program or service. The sample scripts are provided AS IS without warranty  
#of any kind. Microsoft further disclaims all implied warranties including,  
#without limitation, any implied warranties of merchantability or of fitness for 
#a particular purpose. The entire risk arising out of the use or performance of  
#the sample scripts and documentation remains with you. In no event shall 
#Microsoft, its authors, or anyone else involved in the creation, production, or 
#delivery of the scripts be liable for any damages whatsoever (including, 
#without limitation, damages for loss of business profits, business interruption, 
#loss of business information, or other pecuniary loss) arising out of the use 
#of or inability to use the sample scripts or documentation, even if Microsoft 
#has been advised of the possibility of such damages 
#--------------------------------------------------------------------------------- 

#requires -Version 3.0

Function Set-OSCPin
{
<#
 	.SYNOPSIS
        Set-OSCPin is an advanced function which can be used to pin a item or more items to the Start menu.
    .DESCRIPTION
        Set-OSCPin is an advanced function which can be used to pin a item or more items to the Start menu.
    .PARAMETER  <Path>
		Specifies a path to one or more locations.
    .EXAMPLE
        C:\PS> Set-OSCPin -Path "C:\Windows"
		
        Pin "Windows" to the Start menu sucessfully.
        
		This command shows how to pin the "shutdown.exe" file to the Start menu.
    .EXAMPLE
        C:\PS> Set-OSCPin -Path "C:\Windows","C:\Windows\System32\shutdown.exe"
		
        Pin "Windows" to the Start menu sucessfully.
        Pin "shutdown.exe" to the Start menu sucessfully.

		This command shows how to pin the "Windows" folder and "shutdown.exe" file to the Start menu.
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory,Position=0)]
        [Alias('p')]
        [String[]]$Path
    )

    $Shell = New-Object -ComObject Shell.Application
	$Desktop = $Shell.NameSpace(0X0)
    $WshShell = New-Object -comObject WScript.Shell
    Foreach($itemPath in $Path)
    {
        #reset the result flag for every item so one success does not mask a later failure
        $Flag=0
        $itemName = Split-Path -Path $itemPath -Leaf
        #pin application to windows Start menu
        $ItemLnk = $Desktop.ParseName($itemPath)
        $ItemVerbs = $ItemLnk.Verbs()
        Foreach($ItemVerb in $ItemVerbs)
        {
            If($ItemVerb.Name.Replace('&','') -match 'Pin to Start|An "Start" anheften')
            {
                $ItemVerb.DoIt()
                $Flag=1
            }
        }
        
        #compare with -eq; "$Flag=1" is an assignment and would always be true
        If($Flag -eq 1)
        {
            Write-Host "Pin ""$ItemName"" to the Start menu sucessfully." -ForegroundColor Green
        }
        Else
        {
            Write-Host "The ""$ItemName"" cannot pin to the Start menu." -ForegroundColor Red
        }
    }
}

(source: https://gallery.technet.microsoft.com/scriptcenter/Script-to-pin-items-to-51be533c - attention: I renamed it)
3 removeappx.ps1
timeout 15
md c:\starthasstarted
Get-appxprovisionedpackage -online | where-object {$_.packagename -notlike "*microsoft.messaging*"} | Remove-AppxProvisionedPackage -online
reg load "HKLM\temp_default_profile" "C:\Users\Default\ntuser.dat"
reg add "HKLM\temp_default_profile\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreinstalledAppsEnabled /d 0 /t "REG_DWORD" /f
reg unload "HKLM\temp_default_profile"
md c:\starthasrun

4 userpart.ps1
del "$env:appdata\Microsoft\Windows\Start Menu\programs\onedrive.lnk"
copy \\server\share\Notepad.lnk "$env:APPDATA\Microsoft\Windows\Start Menu\programs" -Force
Import-Module "\\server\share\pin2start.psm1"
timeout 5
Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Start Menu\programs" -Filter *.lnk | % {\\server\share\Get-Shortcut.ps1 -Path $_.FullName} |  % {Set-OSCPin -Path $_.TargetPath}
function Pin-App {
    param(
        [string]$appname,
        [switch]$unpin
    )
    try{
        if ($unpin.IsPresent){
            ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Von "Start" lösen|Unpin from Start'} | %{$_.DoIt()}
            return "App '$appname' unpinned from Start"
        }else{
            ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'An "Start" anheften|Pin to Start'} | %{$_.DoIt()}
            return "App '$appname' pinned to Start"
        }
    }catch{
        Write-Error "Error Pinning/Unpinning App! (App-Name correct?)"
    }
}
pin-app "Microsoft Edge" -unpin
pin-app "Skype video" -unpin
pin-app "Search" -unpin

5 and finally a shortcut to %windir%\system32\notepad.exe called notepad (create it manually).
Ready? Then the last step is to create a test GPO with the following settings
--
Computer Configuration - Policies - Administrative Templates - System - Group Policy
Configure Logon Script Delay ->set to zero
--
Computer config - Windows Components/Windows PowerShell
Turn on Script Execution Enabled  
Execution Policy: Allow local scripts and remote signed scripts
--
Computer config - Preferences
Control Panel Settings - Scheduled Tasks
Scheduled Task (At least Windows 7)
Taskname: Win10_Cleanstart
Executioner: system
Trigger: on startup
Action1: powershell, parameter: \\server\share\removeappx.ps1
Action2: cmd parameter: /c schtasks /delete /tn win10_cleanstart /f
(please note: Action2 is used to delete the task itself after execution)
--
And finally one script: User Configuration - Policies - Windows Settings - Scripts - Logon
Name: userclean.bat (create it right inside the GPO) which contains:
if exist %appdata%\admin\userclean goto end
md %appdata%\admin\userclean
powershell \\server\share\userpart.ps1
:end

--
Link that GPO to both your test computer and test user's OU. Let it roll.
Before: all the crappy shortcuts, after: just one shortcut: notepad (I use notepad as a demonstration).

I am awaiting your feedback. Please note that I tested this on win 10 x64 v1511 enterprise several times and it works flawlessly.

PS: in file 3, I included 2 lines md c:\starthasstarted and md c:\starthasrun for diagnostic reasons so that you can see when the task has run and is finished. Those 2 lines should be deleted after testing.
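
Added example, not part of the thread or of McKnife's scripts: removeappx.ps1 is run as SYSTEM from the share and the other files are loaded at every user logon, so nobody but administrators should be able to change them. This PowerShell check lists write-capable NTFS permissions held by other principals; `\\server\share` and the file names are the placeholders from the post above, and the list of trusted SIDs is an assumption to adapt.

```powershell
# Added example (not from the thread). Run from a domain-joined machine that can
# read the share. It inspects NTFS ACLs only; share-level permissions have to be
# reviewed on the file server itself.
param(
    [string]$Share = '\\server\share',          # placeholder path from the post
    [string[]]$Files = @('get-shortcut.ps1', 'pin2start.psm1', 'removeappx.ps1',
                         'userpart.ps1', 'Notepad.lnk')
)

# Rights that allow changing a file's content, replacing it, or rewriting its ACL.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                   $R::TakeOwnership) -bor 0x40000000 -bor 0x10000000  # + GENERIC_WRITE, GENERIC_ALL

# SIDs allowed to hold write access (assumption: adapt to your delegation model).
$trusted = @(
    '^S-1-5-18$'             # LOCAL SYSTEM
    '^S-1-5-32-544$'         # BUILTIN\Administrators
    '^S-1-5-21-[\d-]+-512$'  # Domain Admins
    '^S-1-5-21-[\d-]+-519$'  # Enterprise Admins
    '^S-1-3-0$'              # CREATOR OWNER (inherit-only placeholder on folders)
)

function Get-UntrustedWriteAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # Compare by SID so the check does not depend on localized group names.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable account: report as-is
        if (-not ($trusted | Where-Object { $sid -match $_ })) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Sid      = $sid
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# The folder itself is included: write access there allows replacing a script.
$targets  = @($Share) + @($Files | ForEach-Object { Join-Path $Share $_ })
$findings = foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) { Get-UntrustedWriteAce -Path $t }
    else { Write-Warning "Not found: $t" }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Non-admin principals can modify files that run as SYSTEM or at every logon.'
} else {
    'Only trusted principals hold write access.'
}
```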

MadPC

ASKER

Great, thank you!

A couple of things which don't stack up though...

Computer Configuration - Policies - Administrative Templates - System - Group Policy
Configure Logon Script Delay ->set to zero

The above doesn't appear on Server 2008 R2 - Although I did do this yesterday using RSAT tools on a Win 10 client, I'm unsure if we can test this is successful at this stage.

Computer config - Preferences
Control Panel Settings - Scheduled Tasks
Scheduled Task (At least Windows 7)
Taskname: Win10_Cleanstart
Executioner: system
Trigger: on startup
Action1: powershell, parameter: \\server\share\removeappx.ps1
Action2: cmd parameter: /c schtasks /delete /tn win10_cleanstart /f
(please note: Action2 is used to delete the task itself after execution)

I can't see 'preferences' anywhere so I'm kind of stuck at this part (I could be in the wrong area) - I can create a new policy within GPO (GPMe) then edit to create the task but my version doesn't seem to allow multiple actions, there's also no executioner field (see attachment)?

I've stopped at this point, the remainder looks straightforward :)
server.jpg

McKnife 🇩🇪

Use RSAT on win10, so start the GPMC on win10. It will solve both.

MadPC

ASKER

Login delay script, sorted

Computer config - Preferences Control Panel Settings - Scheduled Tasks >>> I can not find this in GPM on either server 2008 or via win10 RSAT?

McKnife 🇩🇪

You see the preferences section? If not, make a screenshot.

McKnife 🇩🇪

MadPC, feedback needed.

MadPC

ASKER

Hi McKnife,

Sorry for the delay in coming back to you, it seems every time I try to change something on this server I find another can of worms to fix before we can go any further.

Anyway, I'm just about sorted, the only issue I have now is with creating the scheduled task using RSAT - The \\server is not showing up when I try to browse for the script, unfortunately this cannot be typed in manually and has to be selected from within the task schedule creation. I can see other computers on the network, just not the server, however if I go-in via explorer (\\server) I can browse it fine - frustrating to say the least.

I've done a bit of digging and it seems that the 'computer browser' service needs to be started (done) and also netbios/Wins needs to be enabled (done that too) - Firewalls all disabled so now it should just be a case of waiting a little while for the server to show up in explorer - sheesh! I'm back onsite later today, fingers crossed we'll have this nailed!

McKnife 🇩🇪

You don't need to browse. Simply enter the path.

MadPC

ASKER

Oh dear, sorry, I saw the browse button and never gave it a thought to type the path.

I've applied all to an existing GPO and just tested a login, the start menu hasn't changed.

Just looking at userpart script, this bit..

pin-app "Microsoft Edge" -unpin
pin-app "Skype video" -unpin
pin-app "Search" -unpin


Do I need to add all apps in similar format that I don't want?

e.g pin-app "Xboxapp" -unpin

Is there a way we can see any logs to find out why the scripts aren't deploying properly?

McKnife 🇩🇪

"Is there a way we can see any logs to find out why the scripts aren't deploying properly?" - Look closely at what I wrote before: there is a line within the startupscript:
md c:\starthasstarted

that will create that c:\starthasstarted directory just for diagnostics. So look for that directory and for c:\starthasrun which will get created after the startup script has finished - it takes quite long, could be one or 2 minutes. Afterwards, logon with a new user and you'll see the start menu is emptied. No need for further unpinning.

MadPC

ASKER

The folder is not there :(

McKnife 🇩🇪

Ok, let me ask you: how do you restart your PC? :-) No, seriously, do you turn it off and on again or do you select "restart", because that makes a huge difference. When you do a real restart selecting "restart", startup scripts do run, if you turn it off and on again AND your OS is win8.x or win10, then startup scripts do NOT run by default thanks to microsoft's performance optimizations.

MadPC

ASKER

I've tried both methods today, also tried logging on some different win10 laptops and using varying user accounts, still no joy unfortunately.

User accounts confirmed as being linked to our GPO too and I've double checked the process again today to make sure I didn't miss anything, we could be fighting a lost cause :(

AND your OS is win8.x or win10, then startup scripts do NOT run by default thanks to microsoft's performance optimizations.

and here lies another potential problem with the scripts - Quite often the laptops in particular are left stored but powered on, they eventually deplete the battery so will go through the full boot process once power is restored, does this mean that if this happens then the scripts won't run?

I'm more than happy for these apps to be deleted permanently if there is a way? They will never be used.

McKnife 🇩🇪

The startup-triggered task (not the startup script - there is no startup script configured, I confused that myself) needs to run only once. So let's diagnose why it does not run. Please check whether there is a scheduled task configured at the target system. If not, check whether the policy that deployed the task has applied using
gpresult /h %temp%\result.html /f & %temp%\result.html

right at the client on an elevated command prompt.

"Quite often the laptops in particular are left stored but powered on, they eventually deplete the battery so will go through the full boot process once power is restored, does this mean that if this happens then the scripts won't run?" - no, that is no problem. The "full boot" is good. The "fast startup" is the problem, not the full boot.
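
The checks McKnife walks through above, collected into one script as an added example (not code from the thread). The task name, marker directories and share path are the ones used in the thread; the script only reads state and must be run from an elevated PowerShell prompt on the Windows 10 client.

```powershell
# Added example (not from the thread). Read-only diagnostics for the deployment
# described above. Run elevated on the Windows 10 client.
$taskName = 'Win10_Cleanstart'               # task name from the GPO preference
$script   = '\\server\share\removeappx.ps1'  # placeholder share path from the thread
$report   = [ordered]@{}

# 1. Did the GPO preference create the task? Its second action deletes the task
#    after a run, so "absent" means either "never applied" or "already ran".
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
$report['Scheduled task present'] = [bool]$task
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    $report['Task last run']    = $info.LastRunTime
    $report['Task last result'] = '0x{0:X}' -f $info.LastTaskResult
}

# 2. Marker directories written by removeappx.ps1 at its start and end.
$report['C:\starthasstarted exists'] = Test-Path -LiteralPath 'C:\starthasstarted'
$report['C:\starthasrun exists']     = Test-Path -LiteralPath 'C:\starthasrun'

# 3. Fast startup. With value 1, shutdown followed by power-on is not a full
#    boot, which is the case the thread warns about; "Restart" always is.
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' -ErrorAction SilentlyContinue
$report['Fast startup (HiberbootEnabled)'] = $power.HiberbootEnabled
$report['Last boot (LastBootUpTime)']      = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

# 4. Execution policy delivered by Group Policy, and the effective one.
$report['Execution policy (MachinePolicy)'] = Get-ExecutionPolicy -Scope MachinePolicy
$report['Execution policy (effective)']     = Get-ExecutionPolicy

# 5. Is the script reachable? This tests the current user; the task runs as
#    SYSTEM, which reaches the share as the computer account (a member of
#    "authenticated users").
$report['Script reachable (current user)'] = Test-Path -LiteralPath $script

# 6. Provisioned packages still staged for new profiles.
$report['Provisioned appx packages left'] = @(Get-AppxProvisionedPackage -Online).Count

# 7. Search the computer-side RSoP data as XML instead of the collapsed HTML report.
$xml = Join-Path $env:TEMP 'gpresult_computer.xml'
gpresult /scope computer /x $xml /f | Out-Null
if (Test-Path -LiteralPath $xml) {
    $raw = Get-Content -LiteralPath $xml -Raw
    $report['Task name found in RSoP data'] = $raw -match [regex]::Escape($taskName)
} else {
    $report['Task name found in RSoP data'] = 'gpresult produced no report (not elevated?)'
}

[pscustomobject]$report | Format-List
```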

MadPC

ASKER

Signing in as a user I get the attached error when trying to run the CMD (as administrator) - I can't access CP when logged in as user to check scheduled tasks as this is restricted by policy.

Signing in as administrator I get a user policy with 'no errors detected' but I cannot see the scheduled task within the client (and the start menu still contains bloatware)
rpc.jpg

McKnife 🇩🇪

Open that html file manually.

McKnife 🇩🇪

Progress?

MadPC

ASKER

Hi McKnife, really sorry for the delay here, I've been away but I'm back now.

OK, It was a bit fiddly but I managed to export the HTML file, I can't see anything which mentions the scheduled task config (F3> search for 'scheduled' - Nothing returned)

McKnife 🇩🇪

You cannot search for "scheduled" when nothing is expanded. The scheduled task section is right where you set it in the policy, there you'll need to look:
Computer config - Preferences - Control Panel Settings - Scheduled Tasks

MadPC

ASKER

I opened the file in Dreamweaver and searched through the code too, there's no 'Computer Config', 'Control Panel', 'Preferences' or 'Scheduled' in the file?

McKnife 🇩🇪

Open it in internet explorer.

MadPC

ASKER

Did that already, nothing there :(

McKnife 🇩🇪

Ok, that is expected behavior in case the policy wasn't applied. Was it applied? The same html file will name the applied policies.

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Not enough information to confirm an answer.

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

angelIII
Experts-Exchange Cleanup Volunteer

McKnife 🇩🇪

MadPC, you won't abandon this question after all this, I guess?

SOLUTION
MadPC

ASKER

Log in or create a free account to see answer.

McKnife 🇩🇪

Alright, next time ;-)
