Custom StartMenu (Windows 10 Enterprise), also disabling installation of apps (xBox, Paid Wifi and Mobile, Skype Preview) via GPO

Posted on 2016-11-04
Medium Priority
Last Modified: 2016-11-08
Hi all - I hope you can help!

I've been battling with a couple of issues with GPO between Win Server 2012 r2 and Win 10 Enterprise all day and am now resulting to posting my questions online after not finding any useful information myself.

Any help you can give will be hugely appreciated.

Issue 1
Custom Start Menu Layout deployment.  This works, for about a minute, when creating a new user profile on the domain.  As soon as Win10Ent goes through the horrible process of installing it's bloatware (xBox etc) it overrides my custom start menu layout with three icons for Settings, Store and Microsoft Edge (which is awful and I've reverted to IE so is redundant).  No matter what I do with the GPO, or gpupdate utility I cannot get my custom menu back.
I'm completely outraged with this because all the information MS give says this should work without a problem.

For more information:  
1) The XML for the custom start menu is in a folder on each machine and "ownership" and "full control" is my security group that the user account is a member of.  
2) The links for the tiles in the XML are not related to any public folder and point directly to shortcuts in folders on the local machine.
3) The layout works perfectly for 30-45 seconds when initially creating the profile for a new user but then disappears.

Issue 2
This kind-of references the previous issue as it is about stopping Win10Ent from "installing" all the bloatware that gets created in the start menu on new-user profile creation.  There are three items that bother me most, but others are an issue too.
Important ones:  xBox, Paid Wifi and Mobile, Skype Preview.   Non-Essential but would be nice to stop:  Calendar, Contact Support, Mail, Microsoft Edge, People, Store.

I've already attempted to remove these using PowerShell commands (which only work on a per-user basis and get reinstalled every time I create a new user profile).  It's literally driving me nuts that I can't stop this on Win10 Enterprise (which costs a fortune just to stop the damn Candy Crush and Minecraft apps).

Please, help.
Question by:James De Silva
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 2000 total points
ID: 41875051
The XML gpo's *only* work with 1607. If you are deploying 1511 or RTM, they have no effect. Gpresult is also useful.

Removing apps. To prevent then from installing for new users, remove *provisioned* apps. That removes it from the image and is not per user.

Google/bing for a blog my Michael Niehaus. He managed MDT for years, is always putting out good deployment stuff (which your questions fall under) and is very active in the community. He also has sessions from ignite and in the Microsoft virtual academy on these subjects.

So relax. What you want to do is doable, is documented, is *tested and proven* in the real world already, and isn't that hard. Somehow you've just missed the right search terms or missed a step in what you've found.

As an aside, if you don't want "candy crush" et al, one other group policy worth considering, especially for corporate owned devices, is to turn off "consumer experiences" which prevents a bunch of default consumer-only behaviors...including store apps from auto-downloading.

Author Comment

by:James De Silva
ID: 41875056
Hi Cliff,
Many thanks for your prompt response to my questions.
I will definitely look into Michael Niehaus' blog and see what information I can get there.

In response to your answers, however, I am running Windows 10 Enterprise 1607 and the xml works initially until the user profile setup is nearly complete.  Then it gets overridden by something in the user profile creation process, never to be seen again.  That's what's baffling me to be completely honest.

Can you perhaps elaborate a little on the *provisioned apps* that you mention.  Essentially, I'm not using any kind of deployment server or tool - rather just installing Enterprise manually on each laptop and adding it to the domain.  I was trying to rely entirely on the GPO to publish the required settings to the machines.  I assume by your response that I'm certainly going about it the right way - I just need a little guidance as to what you mean regarding *provisioned apps*.

I have already turned off "consumer experiences" - this is the thing that required me to upgrade the machines to Enterprise from Pro as this GPO/Registry setting only affects Enterprise or above and not Pro, since the update to 1607 in August.  Incredibly irritating but as we're a charity we get the licenses fairly cheap.  No worries regarding candy crush - it's gone and banished, never to be seen again.

Thanks again for your help so far.
LVL 59

Accepted Solution

Cliff Galiher earned 2000 total points
ID: 41875062
Removing provisioned apps is done via PowerShell. Again, Bing will turn up a tone with that search term. Which means you can do it when you install. As an admin later. Or via script run with group policy  the latter gets tricky though, as the apps may get changed by updates, and the script will then fail as it doesn't "see" the app. During deployment is best. I always recommend standardizing images whenever possible, and that is very very easy if you are licensed for enterprise. I, have non-peofits that use techsoup too, so I know what you mean. Learn MDT. Use MDT. Removing apps during deployment and kocking OEM images and bloat to the curb will make you much happier with windows 10 than you are now.

Regarding the start menu, the XML is re-applied by the client *every* logon. So the "it is getting replaced near the end of setup) doesn't really work. The fact is is disappearing means something (unique to your environment) is overriding. Either a higher precedent group policy or a script/scheduled task that is running *after* the client side engine processes the group policy you have set.

You'd be surprised how often I have found "unofficial" start menu customization scripts replacing .bin files, dating back to windoes 8, that an admin forgot about. Which, of course, will still happily undo their new settings. On every logon. This my suggestion to actually use gpresults. See what policies are applying. What settings are "winning." If loopback processing is in the mix. If bad WMI filters ate breaking things. If scripts are running. Can't assume anything.
LVL 88

Expert Comment

ID: 41875300
Open gpedit.msc, navigate to "Computer Configuration/Administrative Templates/Windows Components/Cloud Content/", "Turn off M$ consumer experiences", and then select "Enabled".

This will prevent the m$ store crapps from getting downloaded and being reinstalled again and again and again, even after you uninstalled them.

As for the consistent settings for user accounts, here is what I'd try (I haven't tired it myself though). Setup an account the way you need it. Then delete the \User\Default account and copy the account you just created over to \User\Default. I think that should get you the menu settings and layouts you need when you create new users.

Author Closing Comment

by:James De Silva
ID: 41879639
Thanks to Cliff again for all his help.

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimized for private cloud infrastructures and datacenters, Nano Server is minimalistic, yet super-efficient, OS for services such as Hyper-V and Hyper-V cluster. Learn how you can easily deploy Nano Server and unlock its power!
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question