Solved

How to secure Start Menu in Windows 10 Anniversary (1607)

Posted on 2016-11-02
Last Modified: 2016-11-03
I have several kiosk PCs that we have secured using Microsoft Management Console, adding the Group Policy Object, editing it to point to a specific user, and then disabling and enabling what we choose. I am trying this on a Win10 Anniversary and I have been unable to secure the Start menu. Anybody know how to do this? On Win7 we would end up with an icon or two that we need to run, but I have not been able to shut down this menu.

Note: I tried to add Policy, GPO etc to topics but they weren't there
Question by:jbcbussoft
23 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 41871481
If you are running enterprise or education, you can do this via group policy in 1607 (but not older.)

https://technet.microsoft.com/en-us/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy

If you are running home or pro on your kiosk, there is no native built in way to lock it down. You'll need to hack it together with scripts (easily bypassed) or 3rd party tools.
0
 

Author Comment

by:jbcbussoft
ID: 41871489
I'm running Pro, so no straightforward way.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41871494
Correct
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871665
Not so fast. Though we cannot enforce a layout of the start menu (is that even what you asked for?) on the pro edition, we can of course unpin all apps scripted (see https://gallery.technet.microsoft.com/scriptcenter/Script-to-pin-items-to-51be533c ) but the one or two that are needed and then lock the start menu by setting certain GPOs (that work on pro as well) from user config - administrative templates - start menu and taskbar, namely
"Prevent users from customizing their Start Screen" which reads
"This policy setting allows you to prevent users from changing their Start screen layout. If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps."
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41871677
Only applies to enterprise as of 1607. Documented here:

https://technet.microsoft.com/en-us/itpro/windows/manage/windows-10-start-layout-options-and-policies

First paragraph clearly says enterprise/education. The policy you listed is included in that table. Yes, 1607 took away functionality from pro that worked in 1511. A lot of IT pros have slammed into this and forums have their complaints.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871682
Cliff, I know, but Microsoft wouldn't be Microsoft if they didn't make mistakes all the time. Try it on pro. Setting that policy does work, at least for my 1607 pro.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871684
Wait... LOL! Setting this policy partly only works on Win10 pro 1607... we cannot pin anything to start, but we can unpin.

Ok, the author needs to say if preventing from pinning is enough.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41871685
I *just* did. Enabled the setting. Did a gpupdate. And then rearranged and added a tile effortlessly. On my Surface Book, 1607, running pro (Surface Book doesn't come with home.)
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871686
Ah... it's the same for enterprise, by the way, unpinning works. All broken.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41871691
My enterprise VM (also running on my book) worked flawlessly. Could not pin, unpin, rearrange, or resize. You have another unrelated issue.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871692
Read your comment. I have no idea what is up with your machine, here, the pro ones act like the enterprise ones - setting the policy makes a difference, immediately. We cannot pin afterwards (but still unpin). 1607 pro, tried two machines by now.

Edit: maybe the big difference is that my machines (the enterprise and the pro ones) were all 1511 once and have been upgraded to 1607? Will try a clean 1607 pro now.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41871703
I got the book launch week (November of last year.) So it is indeed an upgraded OS. As is my VM (mostly because, at the moment, I am developing training material for MDT and covering windows 10 upgrade scenarios.)

I do not have a clean 1607 to test. But all works as expected here, so I don't see that as an issue. Maybe your 1511 image had an issue already, so it has carried forward. My machine is OEM, and my lab is stock VL media from production MDT shares.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871704
Ok, tested with a machine that was installed with 1607 pro (never been on any earlier build) and the policy works, after logoff/logon even unpinning is prevented. I have no idea, I only know that something is fishy, but don't blame it on me.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871729
Cliff, I just took 10 minutes to install another clean win10 1607 pro (clean unmodified ISO), no policies, no domain membership even and the policy works as expected: you cannot make any changes to the start menu. Tried to pin notepad - no context menu entry there to do it. Tried to unpin built-in apps like 3d builder: again, no context menu entry for it.
Go figure.

Next, I will retry if the other policy works, the one with the exported layout.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871735
Works as well. I can enforce a start menu layout on pro.
0
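Added example, not part of the original thread: because the comments above disagree on whether the two Start menu policies take effect on 1607 Pro, this check reports the edition and whether those policies have actually been delivered to the account running it. The registry value names (`NoChangeStartMenu`, `LockedStartLayout`, `StartLayoutFile`) are assumptions based on the usual policy mappings and do not appear in the thread.

```powershell
# Added example: report whether the Start menu policies discussed in this thread
# are set for the account running the script (run it in the kiosk user's session).
# Assumption: the value names below are the usual registry mappings of
# "Prevent users from customizing their Start Screen" and "Start Layout".
function Get-StartLockdownState {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $state = [ordered]@{
        Edition   = $cv.EditionID      # e.g. Professional, Enterprise, Education
        ReleaseId = $cv.ReleaseId      # e.g. 1607
    }

    # Collect the raw policy values from the per-user and per-machine policy keys.
    $names = 'NoChangeStartMenu', 'LockedStartLayout', 'StartLayoutFile'
    foreach ($hive in 'HKCU', 'HKLM') {
        $key   = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Explorer"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($n in $names) {
            $value = if ($props) { $props.$n } else { $null }
            $state["$hive.$n"] = if ($null -ne $value) { $value } else { '(not set)' }
        }
    }

    # A policy counts as delivered if either hive carries the enabling value.
    $noChange = @($state['HKCU.NoChangeStartMenu'], $state['HKLM.NoChangeStartMenu']) -contains 1
    $locked   = @($state['HKCU.LockedStartLayout'], $state['HKLM.LockedStartLayout']) -contains 1
    $layout   = @($state['HKCU.StartLayoutFile'], $state['HKLM.StartLayoutFile']) |
                Where-Object { $_ -ne '(not set)' } | Select-Object -First 1

    $state['CustomizationBlocked'] = $noChange
    # An enforced layout is only useful if the XML file it points at is reachable.
    $state['LayoutEnforced'] = [bool]($locked -and $layout -and (Test-Path -LiteralPath $layout))
    # Per the documentation linked in the thread, 1607 specifies these policies
    # for Enterprise and Education only.
    $state['DocumentedForEdition'] = $cv.EditionID -match '^(Enterprise|Education)'

    [pscustomobject]$state
}

Get-StartLockdownState | Format-List
```

A value being set only shows that the policy reached the machine; whether Start honors it still has to be confirmed by hand after a logoff/logon, as the testers in this thread did.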
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41871746
*shrug* my labs work as documented. At best, I would still never recommend the op do something that doesn't work as documented. Any bugs, changes, inaccurate behavior can get fixed by an update at any time, and thus time invested on an unauthorized solution is lost. Microsoft clearly has this feature set specified for enterprise only (link already provided above) and that'd be the only in-box solution I'd comfortably recommend. Anything else is an academic debate at best.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871866
I completely agree. Just recommended it since I knew it works on pro (and I forgot it shouldn't work).
0
 

Author Comment

by:jbcbussoft
ID: 41871890
So, I can use Windows as Microsoft intended or see if the changes will work as they shouldn't hoping a fix won't be implemented.

I must say the two of you were much more productive during the past few hours than I was. In my time zone I was catching zzz's
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41871893
Well, at least I am in a different time zone (MEZ) and have been awake for 6 hours or so :-)
0
 

Author Comment

by:jbcbussoft
ID: 41872123
Well is it possible to only allow the apps I choose? I wasn't looking for this but this would also solve the problem.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41872423
"Allowing apps" is either done using file system permissions or using application whitelisting. The latter is done through AppLocker (not part of the pro edition) or software restriction policies (part of pro).
Look into those - I could offer more help.
0
 

Author Comment

by:jbcbussoft
ID: 41873163
Thanks for the help
0
 

Author Closing Comment

by:jbcbussoft
ID: 41873165
I enjoyed the late night/early morning conversation
0
