There are multiple user types that typically access your VDI environments: typical “Task Workers,” who require a highly predictable and static environment, “Knowledge Workers,” who require a bit more flexibility and control, and  administrators or ICT-based staff that rarely require any sort of control.

Custom start menu layouts in VDI environments can be a particularly useful way of presenting a controlled and manageable environment to your user base. Configured appropriately, they can be extremely powerful and flexible tools that can assist greatly in adapting the virtual desktop to your user types, providing both consistency and flexibility, as required.

This blog post will focus on 2 specific branches of Windows: Windows 10 Enterprise 1709 Current Branch and Windows 10 Enterprise LTSB 1607, and how you can manipulate these branches to successfully manage your start menus in a supported fashion.

LTSB is a great option for VDI deployments, as its Windows 10 core code without any of the UWC apps or consumer-based content (it is only available to Enterprise customers with an existing Enterprise agreement). Windows 10 1709, the current branch release (at time of writing), is recommended by Microsoft for all new deployments.

First off, let’s take a quick look at what the out-of-the-box default environments look like for Windows 10 Current Branch vs. Windows 10 LTSB and the reasons most people want to change things up.

Windows 10 Enterprise 1607 LTSB out-of-the-box
Windows 10 Enterprise 1709 out-of-the-box

To start, let’s delve into the 1709 environment shown above. The start menu above is made up of a few different components:

  1. UWC/Modern/Built-In Applications. These applications are available through the Windows Store and are provisioned to the user’s profile. They are what primarily make up the existing tiles on the right-hand side of the Windows 10 start menu.
  2. Consumer Experience Applications. Microsoft’s Windows 10 operating system ships not only with a selection of applications created by Microsoft, but also third-party apps or application links that are placed in the right-hand of the start menu.
  3. Traditional Applications. These are the apps you install yourself. They appear, primarily, in the traditional left-hand portion of the start menu until pinned. Examples of these are Microsoft Office Suite, Citrix Receiver, and so on.

The left-hand side is the traditional start menu, populated via a combination of:

  • Modern Applications and Consumer Experience-based Applications
  • The “all users” profile directory: %ProgramData%\Microsoft\Windows\Start Menu\Programs (also known as %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs)
  • The default users profile content, which is copied on creation of new profile: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
  • And of course, the user’s profile itself once created: %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs 

The right-hand side is the tile area, which is stored in a combination of file system and registry locations. The default configuration and layout of this start menu is pulled from the default user profile via the following location:

C:\users\default\appdata\local\microsoft\windows\shell\DefaultLayouts.xml

What we see, by default, in Windows 10 1709 is both modern apps and consumer experience apps deployed into the user’s profile. Typically, in a VDI environment, we do not want either of these things, however removing them is not as easy as it would seem and comes with some inherent risk. This is why the LTSB option available to customers with an EA agreement with Microsoft, is such a good model for VDI.

There is a full write-up from Microsoft on the architecture behind the XML design; however, it is far simpler to create a start menu as you like it, export it, and then deploy it.

Removal of Consumer Experience Apps

With Windows 10, Microsoft introduced an additional concept of third party, or “consumer experience” applications being presented into your Start Menu. These often look and feel like Microsoft modern apps, but they are third party products. Some examples of these are Photoshop Express, Flipboard, and the infamous Candy Crush Saga. These consumer experience apps aren’t all installed on your image, but they are presented as links to the Windows Store, encouraging you to download and use them. Removal of the consumer experience-based applications can be handled simply by Group Policy for Enterprise Windows 10. There is little to no reason that Enterprise organizations would ever want items like Candy Crush or Xbox Services on their VDI base. This policy is located here:

Computer Configuration > Administrative Templates > Windows Components > Cloud Content: Turn off Microsoft consumer experience

Once this policy has been enabled, new user profiles will look like the image below:

This is significantly better, but still not ideal.

The Citrix Optimizer tool provides the ability to remove Microsoft modern apps from the default user profile, ensuring the all new user profiles do not provision these applications. However, it will not touch existing profiles, including the profile under which you are running the tool. If you need to remove the applications from that profile you, you have to do it manually.

Not all modern/built-in applications can be removed in Windows 10 1709 – some are inherently to the underlying operating system – however, these are not pinned to the start menu and remain fairly low profile. Some examples of these are the “connect” or “mixed reality” apps.

Start Menu Layout Customisation

In the detail below, the following configuration and settings are in place to make our demo environment what it is:

  1. The modern applications have been dealt with. They do not get deployed into user’s profiles (the exception to this is Microsoft Edge).
  2. Microsoft Edge is dealt with differently, and removed for each user
  3. The following Group Policy settings are configured with Loopback in Replace Mode
    1. Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Microsoft consumer experience (Enabled)
    2. Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Do not show Windows tips (Enabled)
    3. Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana (Disabled)

As such, with the above configured, the base start menu, for all users, looks as shown below. It’s important to note you don’t have to have your image configured this way; you will simply have the default start menu sitting underneath.

If you would like to see the process undertaken to gain this style of start menu, you can view my blog post here.

There are three scenarios available for custom layouts, each built off the Microsoft capability of deploying a full start layout or a partial start layout, per Microsoft definitions.

These scenarios can be summarised as follows:

  1. Mandatory Start Menu — A pre–defined, read-only layout that end users cannot change. This uses the full start layout implementation, in which users cannot pin, unpin, move or uninstall applications from the start menu. Users can still view and open all applications. This is most useful for task workers or environments with strictly defined applications and workflows.
  2. Partially Customizable Start Menu — A layout where certain groups of applications are mandatory, but users can still personalize their experience. This uses the partial start layout implementation, in which administrator can pre–configure and lock certain application groups. The content of these groups cannot be changed, but users can still move these groups, create, and customize their own groups. This is mostly useful if you want to provide a pre–configured set of applications for specific departments (e.g. apps that everyone in Marketing or HR uses).
  3. Default Start Menu — A layout that is pre–configured, but fully customizable by end users. This is usually recommended for power users, administrators, or environments where you want to provide users with the most personalized experience. Default user profile and start menu layout can be configured by “Import-StartLayout” cmdlet

Creating a Full (Mandatory) Start Layout

In the image below, we have logged on to the Windows 10 1709 Enterprise image with an account used to create a default layout that we want to apply to all others.

This user is not hampered by an existing start menu configuration policy; it is, happily, default everything. In the start menu, we have pinned a load of applications available on the base image and created some groupings:

From here, we use PowerShell to export the layout to an XML file. We store this XML file in a location that is accessible to all users on the network, as we will deploy it later.

Export-StartLayout -Path \\Server\Share\CustomStart.xml

If you were to open this XML file, you would see how the tile layout is structured and how it can be manipulated. A full technical specification of this XML file is provided by Microsoft.

There are two important items to note at this point:

  1. As it stands, the default export creates a full start layout. As we discussed above, this means that if this layout is applied, it cannot be altered by users once assigned.
  2. The pathing of what you have pinned here is something that needs to be well-thought out. Note that, by default, when you pin apps from the start menu, it will choose the %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs location of the .ink file. If you use something like WEM to configure your start menu and choose to hide the common programs folder via GPO, WEM, or any other means, then these locations will not be accessible to your users.

To deploy this new layout to users, create a new group policy object, apply it to the Windows 10 OU (ensure Loopback is enabled), and configure the following setting:

User Configuration > Administrative Templates > Start Menu and Taskbar > Start Layout: Enabled and specify the File Path

Choosing to use the user configuration rather than the computer configuration here allows flexibility to apply different layouts to different departments based on filtering of GPOs.

When logging in to the image with a new user, note the new start menu layout below:

Note that in the layout currently applied, there is no ability to alter it. There is no ability to pin, unpin, move, or alter the start menu layout in any way. For those that don’t want users to be able to do anything (such as your task worker user base), then the job is done. For those that want some flexibility, read on.

Creating a Partial Start Menu Layout

As we mentioned above, a partial start layout allows some flexibility for the users to create their own groups and start menu items, whilst at the same time ensuring the default and required layouts are maintained to a certain level.

To change the existing deployed layout to a partial start layout, we need to alter the exported XML file and alter the following element:

From: <DefaultLayoutOverride>
To: <DefaultLayoutOverride LayoutCustomizationRestrictionType=”OnlySpecifiedGroups”>

There are some considerations to be aware of here in how a partial start menu is applied:

  • When a partial start layout is applied for the first time, the new groups are added to the users’ existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group.
  • When a partial start layout is applied to a device that already has a StartLayout.xml applied, groups that were added previously are removed and the groups in the new layout are added.
  • If the start layout is applied by group policy or MDM, and the policy is removed, the groups remain on the devices but become unlocked.

As you can see straight away, what we have by default before applying a partial start layout, directly impacts what the users will see. In the environment depicted below, this is fine as we have dealt with modern apps and edge, however if you have not done so, you will be directly impacted by the default start menu when using a partial start layout as shown below:

This is where the option of overwriting the default layout on the base image may become appealing for some, using the import-start layout commandlet.

The import-start layout commandlet allows a default layout as to your liking for all new users. Be aware that this will always be a default layout and is not governed as a “full” or “partial” start menu layout rule set.

You still need to follow the above process of defining and exporting a layout file, however this time you simply import the layout back into the system to create a new baseline.

Import-StartLayout -LayoutPath \\Server\Share\CustomStart.xml -MountPath c:\

This creates a new LayoutModification.xml file in the default user profile location outlined below: “C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml”

If you choose to use this approach, note that when updating the environment, you should remove the existing “C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml” file before importing a new one.

Once the xml file has been altered to allow for partial start layout, logging back on shows some noticeable changes as shown below:

Note that in the above image, our locked groups are defined by a lock icon now identifying that these are controlled groups that cannot be altered from a content perspective. The rest of the layout however is free-for-all, as shown below:

In the above image, our user has moved some of the locked application groups around, has created a new group called “My Own Group” and has pinned notepad and paint to this group, all of which are retained in the user’s profile (if configured to roam appropriately).

Creating a Default Start Menu Layout

As you have probably noticed by now, we have addressed two out of the three layout approaches discussed above.

We attacked the predefined mandatory start menu layout scenario by utilising a full start layout approach which allows not customisation. We attacked the predefined, partially customisable start menu layout by utilising a partial start layout and discussed how to address existing layout items and how they will affect a partial start layout.

Our last — and the simplest scenario to deal with — is a predefined, yet completely customisable layout. This is met by following the same process we used to prepare our existing layouts for a partial start layout approach, by utilising the import-startlayout commandlet, we just never move on to defining a managed layout via Group Policy.

Happy User. Happy Admin.

Conclusion

Whilst the days of managing simple start menus in simple ways are behind us, the general experience that end users have with Windows 10 far exceeds what we could ever have imagined back when redirecting Windows XP start menus to a common network share.

Microsoft have provided a set of tools that when understood and configured appropriately, allow us to deliver a great user experience to end users, whilst still retaining a level of control, and at the same time flexibility that IT may need.

In Part 2 of this series, we will address considerations and the process of updating these layouts when changes occur within your environment, and how to appropriately prepare and deploy updates to your user base.

Today’s post was written by James Kindon, a consultant focusing on Citrix and Microsoft based EUC technologies in Australia. Family man in awe of the community and those that contribute.

Follow James on Twitter and connect with him on LinkedIn.


Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more TechBytes and subscribe.

Want specific TechBytes? Let us know! tech-content-feedback@citrix.com