• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 628
  • Last Modified:

Custom StartMenu (Windows 10 Enterprise), also disabling installation of apps (xBox, Paid Wifi and Mobile, Skype Preview) via GPO

Hi all - I hope you can help!

I've been battling with a couple of issues with GPO between Win Server 2012 r2 and Win 10 Enterprise all day and am now resulting to posting my questions online after not finding any useful information myself.

Any help you can give will be hugely appreciated.

Issue 1
Custom Start Menu Layout deployment.  This works, for about a minute, when creating a new user profile on the domain.  As soon as Win10Ent goes through the horrible process of installing it's bloatware (xBox etc) it overrides my custom start menu layout with three icons for Settings, Store and Microsoft Edge (which is awful and I've reverted to IE so is redundant).  No matter what I do with the GPO, or gpupdate utility I cannot get my custom menu back.
I'm completely outraged with this because all the information MS give says this should work without a problem.

For more information:  
1) The XML for the custom start menu is in a folder on each machine and "ownership" and "full control" is my security group that the user account is a member of.  
2) The links for the tiles in the XML are not related to any public folder and point directly to shortcuts in folders on the local machine.
3) The layout works perfectly for 30-45 seconds when initially creating the profile for a new user but then disappears.

Issue 2
This kind-of references the previous issue as it is about stopping Win10Ent from "installing" all the bloatware that gets created in the start menu on new-user profile creation.  There are three items that bother me most, but others are an issue too.
Important ones:  xBox, Paid Wifi and Mobile, Skype Preview.   Non-Essential but would be nice to stop:  Calendar, Contact Support, Mail, Microsoft Edge, People, Store.

I've already attempted to remove these using PowerShell commands (which only work on a per-user basis and get reinstalled every time I create a new user profile).  It's literally driving me nuts that I can't stop this on Win10 Enterprise (which costs a fortune just to stop the damn Candy Crush and Minecraft apps).

Please, help.
James De Silva
James De Silva
  • 2
  • 2
2 Solutions
Cliff GaliherCommented:
The XML gpo's *only* work with 1607. If you are deploying 1511 or RTM, they have no effect. Gpresult is also useful.

Removing apps. To prevent then from installing for new users, remove *provisioned* apps. That removes it from the image and is not per user.

Google/bing for a blog my Michael Niehaus. He managed MDT for years, is always putting out good deployment stuff (which your questions fall under) and is very active in the community. He also has sessions from ignite and in the Microsoft virtual academy on these subjects.

So relax. What you want to do is doable, is documented, is *tested and proven* in the real world already, and isn't that hard. Somehow you've just missed the right search terms or missed a step in what you've found.

As an aside, if you don't want "candy crush" et al, one other group policy worth considering, especially for corporate owned devices, is to turn off "consumer experiences" which prevents a bunch of default consumer-only behaviors...including store apps from auto-downloading.
James De SilvaAuthor Commented:
Hi Cliff,
Many thanks for your prompt response to my questions.
I will definitely look into Michael Niehaus' blog and see what information I can get there.

In response to your answers, however, I am running Windows 10 Enterprise 1607 and the xml works initially until the user profile setup is nearly complete.  Then it gets overridden by something in the user profile creation process, never to be seen again.  That's what's baffling me to be completely honest.

Can you perhaps elaborate a little on the *provisioned apps* that you mention.  Essentially, I'm not using any kind of deployment server or tool - rather just installing Enterprise manually on each laptop and adding it to the domain.  I was trying to rely entirely on the GPO to publish the required settings to the machines.  I assume by your response that I'm certainly going about it the right way - I just need a little guidance as to what you mean regarding *provisioned apps*.

I have already turned off "consumer experiences" - this is the thing that required me to upgrade the machines to Enterprise from Pro as this GPO/Registry setting only affects Enterprise or above and not Pro, since the update to 1607 in August.  Incredibly irritating but as we're a charity we get the licenses fairly cheap.  No worries regarding candy crush - it's gone and banished, never to be seen again.

Thanks again for your help so far.
Cliff GaliherCommented:
Removing provisioned apps is done via PowerShell. Again, Bing will turn up a tone with that search term. Which means you can do it when you install. As an admin later. Or via script run with group policy  the latter gets tricky though, as the apps may get changed by updates, and the script will then fail as it doesn't "see" the app. During deployment is best. I always recommend standardizing images whenever possible, and that is very very easy if you are licensed for enterprise. I, have non-peofits that use techsoup too, so I know what you mean. Learn MDT. Use MDT. Removing apps during deployment and kocking OEM images and bloat to the curb will make you much happier with windows 10 than you are now.

Regarding the start menu, the XML is re-applied by the client *every* logon. So the "it is getting replaced near the end of setup) doesn't really work. The fact is is disappearing means something (unique to your environment) is overriding. Either a higher precedent group policy or a script/scheduled task that is running *after* the client side engine processes the group policy you have set.

You'd be surprised how often I have found "unofficial" start menu customization scripts replacing .bin files, dating back to windoes 8, that an admin forgot about. Which, of course, will still happily undo their new settings. On every logon. This my suggestion to actually use gpresults. See what policies are applying. What settings are "winning." If loopback processing is in the mix. If bad WMI filters ate breaking things. If scripts are running. Can't assume anything.
Open gpedit.msc, navigate to "Computer Configuration/Administrative Templates/Windows Components/Cloud Content/", "Turn off M$ consumer experiences", and then select "Enabled".

This will prevent the m$ store crapps from getting downloaded and being reinstalled again and again and again, even after you uninstalled them.

As for the consistent settings for user accounts, here is what I'd try (I haven't tired it myself though). Setup an account the way you need it. Then delete the \User\Default account and copy the account you just created over to \User\Default. I think that should get you the menu settings and layouts you need when you create new users.
James De SilvaAuthor Commented:
Thanks to Cliff again for all his help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now