Monday, November 26, 2012

Predefining and customizing the Modern UI Start Screen on RDS 2012

As you probably know Windows 8 does not have a classic Start Menu anymore. To replace that we now have the Modern UI Start Screen. For Windows Server 2012 this is no different. In fact, as soon as you enable the desktop experience feature on a Windows Server 2012 (RD Session Host) server the Modern UI Start Screen is launched upon logging on.

So when running Remote Desktop Services on Windows Server 2012, that raises the question: how can we control the Start Screen the way we would usually control the Start Menu up until Windows Server 2008 R2? With Windows Server 2008 R2, a commonly used method (although it has its cons) was redirecting the Start Menu to a central location. By using Access Based Enumeration on the share that hosted the Start Menu, end users would only see shortcuts they were authorized to see, based on group membership.

So, what happens if we stick to this solution and redirect the Start Menu using the following well-known GPO setting?

image

This is what a new user would see upon first logon:

image

That’s right, a completely empty Start Screen, whoops!
Why is that? This is because the Start Screen can simply not be redirected using folder redirection the way the Start Menu was redirected in Windows Server 2008 R2. Instead, what happens is the All Apps section of the Start Screen is redirected to the folder we specified in the folder redirection GPO.

As you might know you can access that by right clicking on the Start Screen (or by pressing CTRL-TAB).

image

Here the user is able to see shortcuts to the applications he’s authorized to.

image

From here, a user is able to pin the shortcuts he would like to see to his Start Screen.

image

Using this method the end user is able to build his personal Start Screen. The fact that a user is able to customize the Start Screen to meet his needs is great. However, many users will be completely lost upon first logon when they are presented with the completely empty Start Screen.

Let’s build a configuration so that the end-users receive a default pre-defined Start Screen as a starting point at first logon and allow them to customize that to their needs by adding or removing shortcuts and adding sections to group shortcuts together.

Step 1
Log on as a test user and create the Start Screen you’d like to become the default pre-defined Start Screen. Below is an example of what’s possible.

image

Step 2
The Start Screen is stored in a binary file called appsfolder.itemdata-ms, located in %USERPROFILE%\appdata\local\microsoft\windows\. After creating the Start Screen you want, copy this file to the following location on your RD Session Host server(s): C:\Users\Default\appdata\local\microsoft\windows\appsfolder.itemdata-ms. If you want to keep the current file, make sure you create a backup of the existing file first.

Step 3
Mark the file C:\Users\Default\appdata\local\microsoft\windows\appsfolder.itemdata-ms as Read-only.

image

This configuration sets the basics. If a new user now logs in, he’ll receive the Start Screen we’ve just created. Basically, he receives a copy of that file in his profile folder under: %USERPROFILE%\appdata\local\microsoft\windows

As you might have noticed, this folder is under the local section of the profile, meaning it would not roam. However, a copy of the file is created in %USERPROFILE%\ upon log off so that the file roams across different RD Session Host servers.

Also note that because we had to mark the appsfolder.itemdata-ms file in the default user's profile as read-only, the copy in the user profile is also marked read-only, meaning that changes a user makes to the Start Screen are not saved. To make those changes persist, continue with step 4.

Step 4
Create a new GPO setting on a GPO that is linked to the OU that hosts your RD Session Host servers, and create the following GPO Registry Preference.

image

Key Path: Software\Microsoft\Windows\CurrentVersion\Run
Value data: c:\windows\system32\attrib.exe %USERPROFILE%\appdata\local\microsoft\windows\appsfolder.itemdata-ms -R

This removes the read-only property of the appsfolder.itemdata-ms file inside the current user's profile.

This allows the end user to customize his Modern UI Start Screen based on a default Start Screen we pre-defined!
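
Steps 2 and 3 as an added PowerShell example (not code from the original post): it backs up the existing default layout, copies the captured one into C:\Users\Default, marks it read-only, and then lists any account other than SYSTEM or Administrators that holds write rights on the file, since that file seeds the Start Screen of every new profile. The account name startscreen-test is an assumption; step 4 is still delivered through the GPO preference.

```powershell
# Added example (not from the original post): deploy the captured Start Screen
# layout into the Default profile (steps 2 and 3) and audit who can change it.
# Run elevated on each RD Session Host.
param(
    [string]$SourceUser = 'startscreen-test'   # assumption: the test user from step 1
)
$ErrorActionPreference = 'Stop'

$relative = 'AppData\Local\Microsoft\Windows\appsfolder.itemdata-ms'
$source   = Join-Path "C:\Users\$SourceUser" $relative
$target   = Join-Path 'C:\Users\Default' $relative

function Get-Sha256([string]$Path) {
    # .NET hashing, because Get-FileHash is not available in PowerShell 3.0 (Server 2012)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) }
    finally { $stream.Dispose(); $sha.Dispose() }
}

if (-not (Test-Path -LiteralPath $source)) { throw "Layout file not found: $source" }

# Step 2: keep a timestamped backup of the existing default layout, then copy.
if (Test-Path -LiteralPath $target) {
    $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $target, (Get-Date)
    Copy-Item -LiteralPath $target -Destination $backup -Force
}
Copy-Item -LiteralPath $source -Destination $target -Force   # -Force overwrites a read-only target

if ((Get-Sha256 $source) -ne (Get-Sha256 $target)) { throw 'Copied layout does not match the source.' }

# Step 3: mark the default layout read-only so it is copied at first logon.
Set-ItemProperty -LiteralPath $target -Name IsReadOnly -Value $true

# Audit: this file seeds every new profile, so list any account other than
# SYSTEM (S-1-5-18) or Administrators (S-1-5-32-544) that is allowed to write to it.
$trusted = 'S-1-5-18', 'S-1-5-32-544'
$write   = [System.Security.AccessControl.FileSystemRights]::Write
$sidType = [System.Security.Principal.SecurityIdentifier]
$risky = (Get-Acl -LiteralPath $target).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $write) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }

if ($risky) {
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
    Write-Warning 'Non-administrative accounts can modify the default Start Screen layout.'
} else {
    Write-Output "Deployed $target (read-only); only SYSTEM and Administrators can write to it."
}
```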

44 comments:

  1. Great post. Been trying to figure this out for a few days. Without the read-only flag, the UI file will not propagate, amazing it's just that flag.

    Additionally, I've hidden the Admin Tools folder here C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools as after the user removes the read, when they logon again, all the admin icons will clutter up the Modern UI.

  2. Thanks for the feedback Nelis, glad you like the post, although I did not come across the admin tools issue you describe. Does that happen consequently? Did the user by any chance have admin privileges at the time?

  3. You have done the hard work!!! This looks like a great solution. Many thanks.

  4. Thanks for the feedback, appreciate it !

  5. Excellent work. Thanks for putting it out there.

  6. Just what I was looking for, many thanks!

    As much as I like Microsoft and think they get a hard time, it amazes me how difficult they make things for admins in a RDS environment, nothing is ever simple!

    Now need a simple guide for pinned desktop icons plz!

  7. appsfolder.itemdata-ms should have been a simple INI og XML text file to make this manageable, or even just registry settings. This is a big drawback to make this a binary blob file.

  8. why bother with making it read-only only to create a 4th step to undo it? Is that a precaution or will something automatically change/delete your customization otherwise?

  9. Duane,

    No, not out of precaution. The file inside the default profile only gets copied (during the first logon) when it's set to read only.

    Replies
    1. If we are using UDP (User disk profile), how do you modify the template image? When we use UDP, it created a default template, but I haven't found a way to customize it. Any ideas?

    2. This comment has been removed by the author.

    3. Same problem here, can't get this to work with User Profile Disks enabled.

    4. Just to clarify, if you do not set the Read Only Attribute in the Default folder, it will not copy into a new user? Can you copy that custom file into their profile path with another process?

  10. well that's a pain in the... Thanks for the tip (and the explanation)!

  11. Is anyone aware of a way to programmatically manipulate appsfolder.itemdata-ms to add/remove items without removing the shortcut and deleting it from "all apps"? Perhaps a .net method that can be called with PowerShell?

  12. Hi, great instructions :-) But I have some trouble with Intranet URLs, mapped drives and some apps from Control Panel. When I customize the Modern UI with an Intranet website, some mapped drives and the Display item from Control Panel, all users are not able to see them on the Modern UI. How can I fix it?

  13. Hi Jury,
    Not exactly sure what you mean here. Feel free to drop me an email, maybe I can help out.

  14. Update: See this blog post for what's new on this topic in Windows Server 2012 R2:

    http://microsoftplatform.blogspot.nl/2013/06/predefining-and-customizing-modern-ui.html

  15. Great article. We agree that it is only possible to deploy the initial start layout. If changes occur, then the users have to make the changes themselves.

  16. Hi Thomas,

    Thanks for the feedback!

  17. That was a real time saver - cheers!

  18. Great article, thanks for your help!

  19. As far as I can see there is also an option through the Group Policy Preferences options, there is an option to create shortcuts for a user in their start menu.

    The downside with this is that it only works for current users, with a new user the shortcuts only get applied to the all apps part and not to the start menu.

  20. Thank you for these instructions, they have helped me setup a default start screen for a RDS server. I have tried creating shortcuts for shutdown tasks like log off and lock screen, but those shortcuts seem to disappear when new users log in. All the other programs show up fine. Any suggestions?

  21. Thanks for this, I look forward to trying it. Based on a comment above, would you be able to clarify if this method is expected to work with session based remote desktop deployment using User Profile Disks?

  22. Hi,

    Yes, this method also works in combination with UPD. I've used that combination before. Just make sure you configure UPD so that the path where the binary file is stored is included.

  23. Hi Everyone,

    In regards to some of the questions about the combination of the above and User Profile Disks (UPD) also see:

    http://microsoftplatform.blogspot.nl/2013/09/using-user-profile-disks-upd-in.html

    Kind regards,
    Freek Berson

    Replies
    1. Hi Freek, I've followed your blog and can get a customized start screen for new users, but only if they log on locally to the console of the session hosts. I am trying to access the collection from the Collection icon in RDWEB ( client environment is XP, so I think this is my only option). When I do this, the test user does not get the preconfigured start menu. I'm using UPD's configured to store all data. examining the binary file in the users UPD, I can see that they are not getting the read only binary file stored in default profile. Is there something else i need to do to make this work when connection is initiated from RDWEB.

  24. Hi everyone,

    tried this method for deploying a default startscreen to normal desktops (8.1 Enterprise preview) without redirecting the desktop. It kinda works (-:

    However when the file is made R/W at first logon the apps are automatically installed and pinned to the startscreen )-:

    When I manually make the file R/W at the second logon all is well; no apps and the user can customize.

    The R/W can also be done much easier with an 'update' file preference with only the target configured (%homedrive%%homepath%\blablabla...) and the checkbox 'Read Only' cleared...

    Now I only have to get it to run at second logon / not at first logon (-:

  25. I seem to be having an issue with the Group Policy Registry Entry.
    If I assign the Group Policy to the Computer OU then it makes the correct entry in the HKEY Users\.Default\Software\Microsoft\Windows\CurrentVersion\Run however it doesn't seem to be removing the Read Only flag.

    Is the Default registry supposed to be copied over to the new user account?
    Shouldn't we be setting the Add Registry item at the Users OU level?

    I've just tried this on my setup and it definitely works when assigning the Group Policy to the OU of your Users and creating the Registry Policy under User Configuration/Preferences/Windows Settings/Registry

    Thanks for the great tips but I think it should be done at the user level not the computer level. Feel free to correct me if I'm wrong but this works for me.

  26. Hi Brett,

    Thanks for the input. In my case I have configured this in the GPO on the Computer level, because more User GPO settings were configured there. However, to apply User Settings to an OU containing computers you need to configure Loopback processing in the GPO. More info: http://technet.microsoft.com/nl-nl/library/cc757470(v=ws.10).aspx If you want to use the User OU, that's fine too of course, only note that that policy will apply when they logon to ANY computer. In my case it only applied when they log on to a RD Session Host.

    Replies
    1. Hi Freek,

      I'm running Windows Server 2012 R2 and it seems that it doesn't work.
      Also how did you create a GPO on a computer level?
      I would appreciate a step by step instructions.

  27. Hi Freek, when I follow your guide and redirect the start menu to a common location the users cannot see folders in the redirected start menu. They see only entries in the root of the start menu folder. If I, for example, create a folder in the common start menu location called "microsoft office" the users cannot see the folder and the items inside that. All permissions are ok, do you know where I can look to find the problem?

    Many thanks in advance.

  28. Hi Giuseppe,

    You will not see a folder structure in the All Apps section. Sub folders are shown as header text, like e.g. "Accessories" in the 4th screenshot of this blog post.

    Replies
    1. Yes, I know. The problem is the following:
      - I configure a folder redirection for the start menu.
      - In the redirected folder I create a folder named "Microsoft Office" and there I put shortcuts for Word and Excel.
      - If the user logs on, he cannot see the header "Microsoft Office" nor the shortcuts to word and excel. He can see nothing! If I place the shortcuts directly in the root folder of the redirected start menu, the user can see the shortcuts.

      If I disable the startmenu gpo "remove access to common programs" everything is ok, but I cannot understand why the redirected start menu behaves this way (on 2008 r2 it was different). That policy should be about the start menu of the "all users" folder......

  29. Thanks for this post! Helping me out a lot but placing the menu into the default folder is not working. My new users that are logging on are getting a different default menu from somewhere else.

    If I manually copy the file across to their locally created app data and then logoff/logon they receive the correct menu. Can't work out where the menu they receive on first logon is coming from?

  30. The new way to do it

    http://technet.microsoft.com/en-us/library/dn467928.aspx

  31. Good post, thank you. In the section with 'Here the user is able to see shortcuts to the applications he’s authorized to.' where you show the apps page, how do you set permissions for what users are authorized to and what they are not?

  32. Hi Klaus,

    Permissions are set using AD group membership, and because Access Based Enumeration is enabled on the share, users only "see" shortcuts they're authorized for. Obviously you still need solutions like e.g. AppLocker, to also make sure they cannot launch those applications using another method.

  33. Windows 2012R2 has a GPO key, but it's read-only (meaning the end user can't customize the Start menu or Taskbar if the setting is enabled). The GPO info above doesn't appear to work for R2, either. So... I ended up putting the c:\windows\system32\attrib.exe %USERPROFILE%\appdata\local\microsoft\windows\appsfolder.itemdata-ms -R command in a batch file w/ a shortcut on the default profile desktop (with the last line of the batch file deleting the shortcut).

    The user sees the batch file the first time they log in, they click it, the read-only attribute is removed & they can customize a pre-populated Start screen.

    Not as elegant as I'd like, but so far it's the only workaround I've been able to devise. Please let me know if you come up with anything better.

  34. Got most of it working but the following does not happen:
    ------------------------------------
    As you might have noticed, this folder is under the local section of the profile, meaning it would not roam. However, a copy of the file is created in %USERPROFILE%\ upon log off so that the file roams across different RD Session Host servers.
    ----------------------------------
    I can create a starting start menu, have it taken off read only, and users can make changes to the start menu, but as soon as they log out all the changes are gone.

    I do delete local copies of profiles as soon as they log out.

    am I missing anything?

    Replies
    1. I actually do see it in the root of the profile, but it doesn't actually load it when I login again.

    2. disregard, my last, it now works all of a sudden....

  35. Export Start Screen Layout into XML and then assign via local GPO didn't work for me. I can rely on this method.
    The best approach:
    1. Login with admin user, prepare your favorite Start Screen layout.
    2. Copy appsfolder.itemdata-ms into Default path to make it available for all users.
    3. Make it Read only
    4. Create a StartLayout.bat file
    @echo off
    timeout /t 60
    cd \Windows\System32
    attrib %USERPROFILE%\appdata\local\microsoft\windows\appsfolder.itemdata-ms -R
    Save batch file.
    5. Create a RuninStart.VBS file
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run chr(34) & "C:\Batch Files\StartLayout.bat" & Chr(34), 0
    Set WshShell = Nothing
    6. Create another batch file (RunInStart.bat)
    @echo off
    wscript "c:\Batch Files\RuninStart.VBS"
    Save it.
    7. Save RunInStart.bat file to Windows startup.

    What it does?
    a) New User will login and new start screen template will be assigned.
    b) after 60 seconds template read-only property will be removed so user can add app shortcut to start screen.
    c) this method will avoid icon cluttering during first time user login.
    Cheers...
