Create a Start Menu for RDSH Users – Part 1

by Dennis Mohrmann, CTA

You all know the challenge on a RDSH Windows Server 2019 to turn the start menu into a suitable start menu for the users. Without making any changes, users get a start menu that is fine for administrators, but not for normal users. Unfortunately, Microsoft only offers a few options for making changes to the start menu with standard tools like group policies. In this post, I will show you how to create a start menu for your RDSH users. Part II deals with the admin start menu. So, let’s face the challenge!

Default Start Menu

This is what a normal start menu looks like after a user logs on to a Windows Server 2019!

And this is what the Win-X menu (right click on start) looks like:

There are a lot of items and links we like to hide from the user. Just think of PowerShell, Computer Management, Administrative Tools, Device Manager, Windows Security, etc.

Of course, you can (and should) restrict or block these apps, but why should a user see and access them at all?

Customized Start Menu

It doesn’t take much to create a user (and admin) friendly start menu. This one looks so much better, doesn’t it?

And this is a what a Win-X menu can look like!

The only tools we need to create a customized start menu are Citrix Workspace Environment Manager (WEM) and Microsoft FSLogix. So, no additional cost in most cases for third party software.

I always recommend installing the FSLogix apps these days. I have a script that takes care of some special settings and future updates. Even if you don’t use FSLogix profiles yet, you should at least use the great AppMasking feature. Same here for Citrix WEM, it’s included in your license (except standard edition), so give it a try, if you don’t already do so.

We need to install both, the WEM agent and FSLogix AppSuite on a Windows Server 2019, of course we also need a WEM Infrastructure server or the WEM cloud service. You’ll find lots of documentation about installing WEM and FSLogix, so I don’t want to go into detail here. The websites from CTPs Manuel Winkel, James Rankin and James Kindon are really great resources. Of course, there are many others, but I can’t list them all here…

OK, let’s start! There are five things we take care of:

1. Default start menu tiles
2. Common start menu folders and items like Administrative Tools, Windows System, etc.
3. “Windows security” app link
4. The folders and items on the left side
5. The Win-X menu

Let’s look at all of them one by one.

Start Menu Tiles

Normally, new user profiles get the layout from the file “C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml”

To adapt the layout, we need a LayoutModifications.xml file. I recommend removing all the tiles, so that the admin and (or) the user can create their own tiles.

To achieve this, we need a layout that we use as a template. Based on the blog post from my fellow CTA Kasper Johansen, we take a suitable layout.xml file. This template also cleans the task bar, which is perfect for our use case.

Here are the contents of the “LayoutModifications.xml” file:

<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1"> 
<LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" />
    </StartLayoutCollection>
  </DefaultLayoutOverride>
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
        <taskbar:TaskbarPinList>
</taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

To use this template, follow these steps:

1. Create a folder on your reference system or golden master in which you put the templates we need. We (meaning my team at S&L) use to name the folder C:\Program Files (x86)\SuL\Citrix Management Tools but you can name it whatever you want.
2. Create the subfolders Startmenu\Startmenu tiles
3. Place the layout file “LayoutModifications.xml” in the folder Startmenu tiles

Now we have a template, but how can we assign it to our users?

That’s the first job for FSLogix AppMasking. We need a rule to redirect the standard layout xml file to the custom xml file. The advantage is, that we do not change the original layout file, so that admins can use it.

This is how we create the AppMasking rule:

1. Start the FSLogix Rule Editor as admin
2. Click File> New and create a fxr file called “Startmenu-Layout-Users.fxr” or whatever you want in the folder “C:\Program Files\FSLogix\Apps\Rules”
3. Choose Blank rule set
4. Click on the “+” icon and create a Redirection rule

Source:

C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml
Destination:

C:\Program Files (x86)\SuL\Citrix Management Tools\Startmenu\Startmenu tiles\LayoutModification.xml (use your folder here!)

Object Type: File / Registry Value

Don’t select “Copy Object”!

5. Click on Manage Assignments and add “Domain Users” (or an appropriate group) apply and “Domain Admins” does not apply

6. Save the rule

What happens if the rule applies to a domain user? The custom xml layout gets redirected, and the tiles are gone. The taskbar is also clean. Remember that this rule only applies to NEW user profiles, this is the moment the XML layout takes over. If you want to change the layout to existing users, you could change the source to something like C:\Users\*\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml

Common Start Menu Folders and Items

This one is quite easy, this time we need WEM to do it.

1. Open the WEM console and in your Configuration set go to

Policies and Profiles > Environmental Settings > Start Menu Tab and select

• Hide Common Programs
• Hide Administrative Tools

2. Navigate to

Advanced settings > Configuration > Cleanup Actions Tab and select

• Delete Start Menu Shortcuts

That’s it, common start menu folders and Administrative Tools are gone, but what about the cleanup action? The setting “Delete Start Menu Shortcuts” will delete everything from start menu including the folders Windows Accessories, Windows Powershell, Windows System and Windows Ease of Access.

Don’t worry, we get the folders back that are really needed.

Windows Security App

Users normally don’t need to access this app, Administrators often ask me how to get rid of the entry in the start menu. Again, FSLogix is our friend 😀.

We create another rule:

1. Start the FSLogix Rule Editor as admin
2. Click File > New and create a fxr file called “Windows Security-Startmenu.fxr” or whatever you want in the folder “C:\Program Files\FSLogix\Apps\Rules”
3. Choose Blank rule set
4. Click on the + icon and create a Hiding rule

Object Name:

C:\windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
Object Type: File / Registry Value

5. Confirm the warning message
6. Click on the + icon and create another Hiding rule

Object Name:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.17763.1_neutral__cw5n1h2txyewy
Object Type: Directory / Registry Key

7. Click on Manage Assignments and add “Domain Users” (or an appropriate group) apply and “Domain Admins” does not apply

Additionally, add NT AUTHORITY\SYSTEM, NETWORK, NETWORK SERVICE and LOCAL SERVICE and choose rule set does NOT apply. We need these accounts for system stability.

8. Save the rule

After the rule applies, the Windows Security app is not accessible anymore, it’s even gone!

Folders and Items on the Left

Usually, the links and items on the left are rarely used, unfortunately for many users it is inconvenient to simply log out of the server because the sign out button is difficult to find. The result is that many users disconnect from the session instead of logging out. We try to help the users and clean up the left half of the start menu.

To get rid of the entries you must create some registry keys and items. There is no group policy for this. The registry key we need is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start

Inside the key you must create the following items:

Name	Type	Data	Item
AllowPinnedFolderDocuments	REG_DWORD	0	Documents
AllowPinnedFolderDocuments_ ProviderSet	REG_DWORD	1	Documents
AllowPinnedFolderPictures	REG_DWORD	0	Pictures
AllowPinnedFolderPictures_ ProviderSet	REG_DWORD	1	Pictures
AllowPinnedFolderSettings	REG_DWORD	0	Settings
AllowPinnedFolderSettings_ ProviderSet	REG_DWORD	1	Settings
HidePowerButton	REG_DWORD	1	Power Button

If you set AllowedPinnedFolder to “0” the item is gone. To hide the power button set “HidePowerButton” to 1.

Use these Powershell commands to create the items:

New-Item -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device -Name Start -Force

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderDocuments -Value 0

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderDocuments_ProviderSet -Value 1

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderPictures -Value 0

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderPictures_ProviderSet -Value 1

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderSettings -Value 0

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderSettings_ProviderSet -Value 1

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name HidePowerButton -Value 1

Because we have to create the items in HKEY_LOCAL_MACHINE this affects all users, including the Administrators. You can verify this, if you log out and log on the machine or simply restart the explorer.exe process. But we don’t want to delete these items for the Administrators. Sounds like a job for FSLogix AppMasking.

So, we create our third rule to hide this key for the Administrators and only apply it to Domain Users.

1. Start the FSLogix Rule Editor as admin
2. Click File > New and create a fxr file called “Startmenu-Items.fxr” or whatever you want in the folder “C:\Program Files\FSLogix\Apps\Rules”
3. Choose Blank rule set
4. Click on the + icon and create Hiding rule
   Object Name:

HKLM\SOFTWARE\Microsoft\PolicyManager\current

Object Type: Directory / Registry Key

Click on Manage Assignments and add “Domain Users” (or an appropriate group) does NOT apply and “Domain Admins” does apply. If you wonder why “Domain Users” come first, this is because the Administrators are also part of this group. We need to take care of that and put the “Domain Admins” on second place.

6. Save the rule

Mission accomplished! Now it’s easier for the users to the Sign out.

Win-X Menu

The last thing to edit is the Win-X menu, this is quite easy too. The location of the Win-X items is the following folder:

C:\Users\<username>\AppData\Local\Microsoft\Windows\WinX.

Inside this folder you find three subfolders, the content determines the items you see.

To modify the items, we use the same method we used to change the layout

1. Create a folder on your reference system or golden master in which you put the templates we need. We (meaning my team at S&L) use to name the folder C:\Program Files (x86)\SuL\Citrix Management Tools but you can name it whatever you want
2. Create the subfolders Startmenu\User\WinX
3. Inside these folders we need three subfolders called

• Group1
• Group2
• Group3

4. Place the links you need in the subfolders. If you want to rename the items, just open the properties and place a text in the “Comment” field.

Now, we create another FSLogix rule.

1. Start the FSLogix Rule Editor as an Admin
2. Click File > New and create a fxr file called “Startmenu-WinX-Users.fxr” or whatever you want in the folder “C:\Program Files\FSLogix\Apps\Rules”
3. Choose Blank rule set
4. Click on the “+” icon and create a Redirection rule

Source:

C:\Users\*\AppData\Local\Microsoft\Windows\WinX

Destination:

C:\Program Files (x86)\SuL\Citrix Management Tools\Startmenu\User\WinX (use your folder here!)

Object Type: Directory / Registry Key

Don’t select “Copy Object”!

Click on Manage Assignments and add “Domain Users” (or an appropriate group) apply and “Domain Admins” does NOT apply.

6. Save the rule

After the rule applies, the Win-X menu appears like you defined it!

One more hint for the items in the Win-X menu. It doesn’t really matter how you name them; the number defines the order:

The name of the item is given in the comment field of the shortcut. Consider creating different shortcuts that match the user language. You can place them in different subfolders and use AppMasking for differs AD groups.

Shortcuts

If everything went well, the start menu should look like this:

The final step is to create the shortcuts the user needs. We use WEM for this task. I don’t want to go to much in detail here, because this is very easy to accomplish.

Let me show you one example.

1. Start the WEM console
2. Navigate to Actions > Applications > Start Menu View Tab
3. To get the start menu folders “Windows Accessories” and “Windows Ease of Access” back, right click Programs and select Add Folder

4. Create both folders
5. Go the Application List Tab and add an application
6. We use the Magnifier in this example, change start menu integration to the folder Windows Ease of Access

Assign the application to the user or group and select at least Create Start Menu

Assign all you other applications with WEM. If you make use of the feature “Use Cache to Accelerate Action Processing” (Advanced Settings > Configuration > Agent Options Tab) remember to refresh the agent cache and wait a minute before you log on with us user.

Let me show you how the FIRST logon with a fresh profile looks like. I also pinned some applications to the start menu. The result looks pretty good, don’t you think?

So, that’s it! I hope this blog is useful for you! You can find the FSLogix rules in my GitHub repository, feel free to use them as a template. I also created a PowerShell script to assign the Domain Users, Admins and the System accounts, according to your environment. There are no users assigned inside the template rules! Of course, you should check the assignments and adapt them to your needs.

If you have any questions, contact me via Twitter @mohrpheus78 🙂

Regards,

Dennis Mohrmann | Citrix CTA