W11 Customized Start Menu layout for pinned Apps

[garlin]

MS rolled out the ability to customize W11 Start Menu layouts, to their MDM clients. After reading a few articles, I figured how to do this without MDM or learning to write in JSON. With a custom layout, you can change the list and order of pinned Start Menu apps.

You need to install W11 first (and all your apps) since we need a list of package names.
Run the first script to export the current Start Menu layout.

Spoiler: Export_Layout.ps1

PS C:\Users\GARLIN\Downloads> .\Export_Layout.ps1
{"packagedAppId":"microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"}
{"packagedAppId":"microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar"}
{"packagedAppId":"Microsoft.WindowsStore_8wekyb3d8bbwe!App"}
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"}
{"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"}
{"packagedAppId":"Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe!Microsoft.MicrosoftOfficeHub"}
{"packagedAppId":"Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe!App"}
{"packagedAppId":"Clipchamp.Clipchamp_yxz26nhyzhsrt!App"}
{"desktopAppId":"MSEdge"}
{"packagedAppId":"2FE3CB00.PicsArt-PhotoStudio_crhqpqs3x1ygc!App"}
{"packagedAppId":"5319275A.WhatsAppDesktop_cv1g1gvanyjgm!WhatsAppDesktop"}
{"packagedAppId":"Microsoft.Todos_8wekyb3d8bbwe!App"}
{"packagedAppId":"CorelCorporation.PaintShopPro_wbjqpk9xt50t4!PSPPROUWP"}
{"packagedAppId":"Facebook.317180B0BB486_8xx8rvfyw5nnt!App"}
{"packagedAppId":"NAVER.LINEwin8_8ptj331gd3tyt!LINE"}
{"packagedAppId":"Microsoft.WindowsNotepad_8wekyb3d8bbwe!App"}
{"packagedAppId":"Microsoft.Paint_8wekyb3d8bbwe!App"}
{"desktopAppId":"Microsoft.Windows.Explorer"}

Copy this list to Notepad. Remove all the apps you don't want, and move the lines around so the list runs in left-to-right order (6 apps per row). Run the second script to convert this text file into a registry file.

Spoiler: Configure_StartPins.ps1

PS C:\Users\GARLIN\Downloads> .\Configure_StartPins.ps1 .\LIST.TXT
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start]
"ConfigureStartPins"="{\"pinnedList\":[{\"desktopAppId\":\"MSEdge\"},{\"desktopAppId\":\"Microsoft.Windows.Explorer\"},{\"packagedAppId\":\"Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe!Microsoft.MicrosoftOfficeHub\"},{\"packagedAppId\":\"microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail\"},{\"packagedAppId\":\"microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar\"},{\"packagedAppId\":\"Microsoft.WindowsStore_8wekyb3d8bbwe!
App\"},{\"packagedAppId\":\"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\"}]}"
"ConfigureStartPins_ProviderSet"=dword:00000000

Load this reg file into your image (Registry or Post-setup), it will apply to any user who hasn't logged on before.
ConfigureStartPins_ProviderSet manages if the user is allowed to change the layout or not. Win32 apps are supported as desktop LNKs (read the 2nd link below).




FAQs
What does this do? Create a custom layout, showing only the Pinned Apps you want.
Does this remove any apps? No, it only hides them from the pinned screen. Remove unwanted apps the normal way.
What about the All Apps listing? Sorry, MS doesn't support this.
What about Recommended Apps? Layouts don't touch Recommended Apps. Disable suggestions the normal way.
Manual customization is faster? Yes. But we can deploy this as a registry file for all users.
Why do I have to install W11? If you know the exact package names, you can run the 2nd script alone.

Thanks to:
https://docs.microsoft.com/en-us/windows/configuration/customize-start-menu-layout-windows-11
https://www.petervanderwoude.nl/post/customizing-the-start-menu-layout-on-windows-11-devices/
https://oofhours.com/2021/10/27/customize-the-windows-11-start-menu/

 

[garlin]

I've updated the script, because 22H2 doesn't allow desktopAppLink items. Now the script converts them to desktopAppID.
Don't ask why they changed it. /shrug

 

[simondalton]

Hi Garlin

This is not working for me







Also tried Write-Output '"ConfigureStartPins_ProviderSet"=dword:00000000' set to 1 (as per the articles that you linked). Same result

Any ideas?

Thanks

 

[garlin]

Can you attach a copy of your exported layout (from Export_Layout.ps1?)

 

[simondalton]

Thanks Garlin. See attached. We need to remove TikToc as per new government rules, but thought we would tidy it up while we are at it.

 

[garlin]

Export_Layout.ps1 is glitching with this incorrect output:

{"desktopAppId":"Microsoft.Office.WINWORD.EXE.15 {6D809377-6AF0-444B-8957-A3773F02200E}\Windows NT\Accessories\wordpad.exe"}
{"desktopAppId":"Microsoft.Office.EXCEL.EXE.15"}
{"desktopAppId":"Microsoft.Office.POWERPNT.EXE.15"}

After trimming the wordpad.exe "junk" from WINWORD.EXE.15's line, we can get a normal layout. I don't see WordPad pictured in your Start Menu, so that's very strange.

If you get the same weird combination shown above, just edit it in Notepad and make WINWORD or EXCEL look like it's immediate neighbor.

You might want to block TikTok using a local AppLocker security policy, which can be exported to individual machines if you're not in a domain environment (using LGPO to export pre-made policy files).

 

[simondalton]

Downloaded the reg file and adjusted so it only had the applications that we wanted, ran it and rebooted the PC. No change - Pinned applications are still showing as above.

The Pinned applications list goes for two pages, which is why it doesn't show everything in the exported list.
We don't have inTune and are till using the 2012 Schema, so we can't use AppLocker. This is why we have had to go down this path... and it's killing me :-(

 

[garlin]

Layouts are only applied to NEW accounts. Unfortunately, this method does nothing for existing users. Create a new local user to confirm whether it works or not.

 

[simondalton]

Yeah - okay, so that works for a new user. Thanks.

Only problem is I can't really wipe 900+ users local profiles. Technically I can - just wouldn't want to be on the helpdesk, Monday morning! I'll keep hacking away at it and see if I can come up with something.

Really appreciate your help.

 

[garlin]

This might be an opportunity for management to consider the cost of moving to InTune or any AppLocker-compatible MDM, against the cost of non-compliance. No manager wants to spend the money, until the lawyers get involved. Simply hiding an app won't get a passing grade on the next security audit.

The other method is to push a fixed Start Menu layout XML via GPO or local policy, but then it's not customizable on a per-user basis. So that's just as bad as wiping out everyone's profile and starting over. If not, hope your network team can successfully block all of TikTok's CDN sites.

 

[SacDeLait]

Layouts are only applied to NEW accounts. Unfortunately, this method does nothing for existing users. Create a new local user to confirm whether it works or not.

Might be a dumb question but are we talking new accounts on the machine or new accounts on the domain?

 

[garlin]

If you're in a domain, a GPO which specifies the layout file can overwrite the current Start Menu settings, regardless of if they're old or new users. But you can edit the XML, to allow users some degree of customization. The XML defines whether your Start Menu gets reset on next logon, or personal updates are saved.

Prepare Windows 10 Start Menu for all computers in Active Directory

 

[SacDeLait]

If you're in a domain, a GPO which specifies the layout file can overwrite the current Start Menu settings, regardless of if they're old or new users. But you can edit the XML, to allow users some degree of customization. The XML defines whether your Start Menu gets reset on next logon, or personal updates are saved.

Prepare Windows 10 Start Menu for all computers in Active Directory

My current install is working as I would like it to (with no extra apps) (Spotify, Grammarly and such).
I have the content delivery component removed in the NTLite settings and everything I want to remove gone.

The problem I'm trying to solve: apps icons reappears after the latest updates.

If I understand correctly:
When they reappear, the apps are not installed but "shortcuts to install" icons.
Since my test machine is off domain, a GPO being set once they join the domain would solve the issue.

Is this correct?

 

[garlin]

Content Delivery Manager is being re-installed as part of the latest Monthly Updates.

You need to run a Remove Reinstalls on the live system to clean it up again. The alternative is if your Start Menu is fairly static, then export Start2.bin layout file and copy it back after updating Windows.

%LOCALAPPDATA%\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\Start2.bin

 

[SacDeLait]

Would it be possible to use the "remove reinstalls" and "disable content delivery" function on the update packages before uploading them to a local server and have the machines retrieve their updates from there?

Your suggested solutions are perfectly logic, the scenario I'm in is the main challenge here.

 

[garlin]

Unfortunately, the Component-Based Servicing model doesn't work that way.

When an image is DISM mounted for servicing, all the component folders and files are extracted to a mount folder. Updates are applied against the image, with replacement components placed side by side in the mount. The servicing stack then determines the WinSxS "winners" which will be active after installation/update. If the image is mounted, NTLite can pick and choose component removals.

Windows Update MSU's & CAB's can be extracted to a folder, but you can't pick and choose parts of them because they're protected by digital signatures and manifest hashes. The only option is to apply the Updates first, and then clean it up afterwards.

This leads to a repetitive cycle of Remove Reinstalls after every future Update, but it's because MS protects CU package integrity.

 

[SacDeLait]

Unfortunately, the Component-Based Servicing model doesn't work that way.

When an image is DISM mounted for servicing, all the component folders and files are extracted to a mount folder. Updates are applied against the image, with replacement components placed side by side in the mount. The servicing stack then determines the WinSxS "winners" which will be active after installation/update. If the image is mounted, NTLite can pick and choose component removals.

Windows Update MSU's & CAB's can be extracted to a folder, but you can't pick and choose parts of them because they're protected by digital signatures and manifest hashes. The only option is to apply the Updates first, and then clean it up afterwards.

This leads to a repetitive cycle of Remove Reinstalls after every future Update, but it's because MS protects CU package integrity.

Thanks for the detailed explanation, much appreciated