Jump to content
Welcome to our new Citrix community!
  • Create a Start Menu for RDSH Users – Part 1


    cugcblogs

    dennismohrmannrnd.png.03b9c7f91d18c8c7f2d317a110cc73ef.png by Dennis Mohrmann, CTA

    You all know the challenge on a RDSH Windows Server 2019 to turn the start menu into a suitable start menu for the users. Without making any changes, users get a start menu that is fine for administrators, but not for normal users. Unfortunately, Microsoft only offers a few options for making changes to the start menu with standard tools like group policies. In this post, I will show you how to create a start menu for your RDSH users. Part II deals with the admin start menu. So, let's face the challenge!

    Default Start Menu

    This is what a normal start menu looks like after a user logs on to a Windows Server 2019!

    image-36.png?w=736

    And this is what the Win-X menu (right click on start) looks like:

    image-37.png?w=378

    There are a lot of items and links we like to hide from the user. Just think of PowerShell, Computer Management, Administrative Tools, Device Manager, Windows Security, etc.

    Of course, you can (and should) restrict or block these apps, but why should a user see and access them at all?

    Customized Start Menu

    It doesn't take much to create a user (and admin) friendly start menu. This one looks so much better, doesn't it?

    image-38.png?w=738

    And this is a what a Win-X menu can look like!

    image-39.png?w=370

    The only tools we need to create a customized start menu are Citrix Workspace Environment Manager (WEM) and Microsoft FSLogix. So, no additional cost in most cases for third party software.

    I always recommend installing the FSLogix apps these days. I have a script that takes care of some special settings and future updates. Even if you don’t use FSLogix profiles yet, you should at least use the great AppMasking feature. Same here for Citrix WEM, it’s included in your license (except standard edition), so give it a try, if you don’t already do so.

    We need to install both, the WEM agent and FSLogix AppSuite on a Windows Server 2019, of course we also need a WEM Infrastructure server or the WEM cloud service. You'll find lots of documentation about installing WEM and FSLogix, so I don't want to go into detail here. The websites from CTPs Manuel Winkel, James Rankin and James Kindon are really great resources. Of course, there are many others, but I can’t list them all here…

    OK, let’s start! There are five things we take care of:

    1. Default start menu tiles
    2. Common start menu folders and items like Administrative Tools, Windows System, etc.
    3. “Windows security” app link
    4. The folders and items on the left side
    5. The Win-X menu
    image-40.png?w=758

    Let's look at all of them one by one.

    Start Menu Tiles

    Normally, new user profiles get the layout from the file "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml"

    To adapt the layout, we need a LayoutModifications.xml file. I recommend removing all the tiles, so that the admin and (or) the user can create their own tiles.

    To achieve this, we need a layout that we use as a template. Based on the blog post from my fellow CTA Kasper Johansen, we take a suitable layout.xml file. This template also cleans the task bar, which is perfect for our use case.

    Here are the contents of the “LayoutModifications.xml” file:

    <?xml version="1.0" encoding="utf-8"?>

    <LayoutModificationTemplate

    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"

    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"

    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"

    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"

    Version="1"> 

    <LayoutOptions StartTileGroupCellWidth="6" />

      <DefaultLayoutOverride>

        <StartLayoutCollection>

          <defaultlayout:StartLayout GroupCellWidth="6" />

        </StartLayoutCollection>

      </DefaultLayoutOverride>

    <CustomTaskbarLayoutCollection PinListPlacement="Replace">

        <defaultlayout:TaskbarLayout>

            <taskbar:TaskbarPinList>

    </taskbar:TaskbarPinList>

        </defaultlayout:TaskbarLayout>

    </CustomTaskbarLayoutCollection>

    </LayoutModificationTemplate>

    To use this template, follow these steps:

    1. Create a folder on your reference system or golden master in which you put the templates we need. We (meaning my team at S&L) use to name the folder C:\Program Files (x86)\SuL\Citrix Management Tools but you can name it whatever you want.
    2. Create the subfolders Startmenu\Startmenu tiles
    3. Place the layout file “LayoutModifications.xml” in the folder Startmenu tiles
    image-41.png?w=942

    Now we have a template, but how can we assign it to our users?

    That’s the first job for FSLogix AppMasking. We need a rule to redirect the standard layout xml file to the custom xml file. The advantage is, that we do not change the original layout file, so that admins can use it.

    This is how we create the AppMasking rule:

    1. Start the FSLogix Rule Editor as admin
    2. Click File> New and create a fxr file called “Startmenu-Layout-Users.fxr” or whatever you want in the folder “C:\Program Files\FSLogix\Apps\Rules”
    3. Choose Blank rule set
    4. Click on the “+” icon and create a Redirection rule

    Source:

    C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml

    Destination:

    C:\Program Files (x86)\SuL\Citrix Management Tools\Startmenu\Startmenu tiles\LayoutModification.xml (use your folder here!)

    Object Type: File / Registry Value

    Don’t select “Copy Object”!

    image-42.png?w=850
    1. Click on Manage Assignments and add “Domain Users” (or an appropriate group) apply and “Domain Admins” does not apply
    image-43.png?w=868
    1. Save the rule

    What happens if the rule applies to a domain user? The custom xml layout gets redirected, and the tiles are gone. The taskbar is also clean. Remember that this rule only applies to NEW user profiles, this is the moment the XML layout takes over. If you want to change the layout to existing users, you could change the source to something like C:\Users\*\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml

    Common Start Menu Folders and Items

    This one is quite easy, this time we need WEM to do it.

    1. Open the WEM console and in your Configuration set go to

    Policies and Profiles > Environmental Settings > Start Menu Tab and select

    • Hide Common Programs
    • Hide Administrative Tools
    image-44.png?w=988
    1. Navigate to

    Advanced settings > Configuration > Cleanup Actions Tab and select

    • Delete Start Menu Shortcuts
    image-45.png?w=982

    That’s it, common start menu folders and Administrative Tools are gone, but what about the cleanup action? The setting “Delete Start Menu Shortcuts” will delete everything from start menu including the folders Windows Accessories, Windows Powershell, Windows System and Windows Ease of Access.

    Don’t worry, we get the folders back that are really needed.

    image-46.png?w=418

    Windows Security App

    Users normally don’t need to access this app, Administrators often ask me how to get rid of the entry in the start menu. Again, FSLogix is our friend 😀.

    We create another rule:

    1. Start the FSLogix Rule Editor as admin
    2. Click File > New and create a fxr file called “Windows Security-Startmenu.fxr” or whatever you want in the folder “C:\Program Files\FSLogix\Apps\Rules”
    3. Choose Blank rule set
    4. Click on the + icon and create a Hiding rule

    Object Name:

    C:\windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe

    Object Type: File / Registry Value

    1. Confirm the warning message
    2. Click on the + icon and create another Hiding rule

    Object Name:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.17763.1_neutral__cw5n1h2txyewy

    Object Type: Directory / Registry Key

    image-47.png?w=976
    1. Click on Manage Assignments and add “Domain Users” (or an appropriate group) apply and “Domain Admins” does not apply

    Additionally, add NT AUTHORITY\SYSTEM, NETWORK, NETWORK SERVICE and LOCAL SERVICE and choose rule set does NOT apply. We need these accounts for system stability.

    image-48.png?w=868
    1. Save the rule

    After the rule applies, the Windows Security app is not accessible anymore, it’s even gone!

    Folders and Items on the Left

    Usually, the links and items on the left are rarely used, unfortunately for many users it is inconvenient to simply log out of the server because the sign out button is difficult to find. The result is that many users disconnect from the session instead of logging out. We try to help the users and clean up the left half of the start menu.

    image-49.png?w=84

    To get rid of the entries you must create some registry keys and items. There is no group policy for this. The registry key we need is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start

    Inside the key you must create the following items:

    NameTypeDataItem
    AllowPinnedFolderDocumentsREG_DWORD0Documents
    AllowPinnedFolderDocuments_ ProviderSetREG_DWORD1Documents
    AllowPinnedFolderPicturesREG_DWORD0Pictures
    AllowPinnedFolderPictures_ ProviderSetREG_DWORD1Pictures
    AllowPinnedFolderSettingsREG_DWORD0Settings
    AllowPinnedFolderSettings_ ProviderSetREG_DWORD1Settings
    HidePowerButtonREG_DWORD1Power Button

    If you set AllowedPinnedFolder to “0” the item is gone. To hide the power button set “HidePowerButton” to 1.

    Use these Powershell commands to create the items:

    New-Item -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device -Name Start -Force
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderDocuments -Value 0
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderDocuments_ProviderSet -Value 1
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderPictures -Value 0
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderPictures_ProviderSet -Value 1
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderSettings -Value 0
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name AllowPinnedFolderSettings_ProviderSet -Value 1
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start -Name HidePowerButton -Value 1

    Because we have to create the items in HKEY_LOCAL_MACHINE this affects all users, including the Administrators. You can verify this, if you log out and log on the machine or simply restart the explorer.exe process. But we don’t want to delete these items for the Administrators. Sounds like a job for FSLogix AppMasking.

    So, we create our third rule to hide this key for the Administrators and only apply it to Domain Users.

    1. Start the FSLogix Rule Editor as admin
    2. Click File > New and create a fxr file called “Startmenu-Items.fxr” or whatever you want in the folder “C:\Program Files\FSLogix\Apps\Rules”
    3. Choose Blank rule set
    4. Click on the + icon and create Hiding rule

      Object Name:

    HKLM\SOFTWARE\Microsoft\PolicyManager\current

    Object Type: Directory / Registry Key

    image-50.png?w=946

    Click on Manage Assignments and add “Domain Users” (or an appropriate group) does NOT apply and “Domain Admins” does apply. If you wonder why “Domain Users” come first, this is because the Administrators are also part of this group. We need to take care of that and put the “Domain Admins” on second place.

    image-51.png?w=868
    1. Save the rule

    Mission accomplished! Now it’s easier for the users to the Sign out.

    image-52.png?w=414

    Win-X Menu

    The last thing to edit is the Win-X menu, this is quite easy too. The location of the Win-X items is the following folder:

    C:\Users\<username>\AppData\Local\Microsoft\Windows\WinX.

    Inside this folder you find three subfolders, the content determines the items you see.

    image-53.png?w=412

    To modify the items, we use the same method we used to change the layout

    1. Create a folder on your reference system or golden master in which you put the templates we need. We (meaning my team at S&L) use to name the folder C:\Program Files (x86)\SuL\Citrix Management Tools but you can name it whatever you want
    2. Create the subfolders Startmenu\User\WinX
    3. Inside these folders we need three subfolders called
    • Group1
    • Group2
    • Group3
    1. Place the links you need in the subfolders. If you want to rename the items, just open the properties and place a text in the “Comment” field.
    image-54.png?w=942

    Now, we create another FSLogix rule.

    1. Start the FSLogix Rule Editor as an Admin
    2. Click File > New and create a fxr file called “Startmenu-WinX-Users.fxr” or whatever you want in the folder “C:\Program Files\FSLogix\Apps\Rules”
    3. Choose Blank rule set
    4. Click on the “+” icon and create a Redirection rule

    Source:

    C:\Users\*\AppData\Local\Microsoft\Windows\WinX

    Destination:

    C:\Program Files (x86)\SuL\Citrix Management Tools\Startmenu\User\WinX (use your folder here!)

    Object Type: Directory / Registry Key

    Don’t select “Copy Object”!

    image-55.png?w=944

    Click on Manage Assignments and add “Domain Users” (or an appropriate group) apply and “Domain Admins” does NOT apply.

    image-56.png?w=868
    1. Save the rule

    After the rule applies, the Win-X menu appears like you defined it!

    One more hint for the items in the Win-X menu. It doesn’t really matter how you name them; the number defines the order:

    image-57.png?w=414image-58.png?w=334

    The name of the item is given in the comment field of the shortcut. Consider creating different shortcuts that match the user language. You can place them in different subfolders and use AppMasking for differs AD groups.

    image-59.png?w=816

    Shortcuts

    If everything went well, the start menu should look like this:

    image-60.png?w=372

    The final step is to create the shortcuts the user needs. We use WEM for this task. I don’t want to go to much in detail here, because this is very easy to accomplish.

    Let me show you one example.

    1. Start the WEM console
    2. Navigate to Actions > Applications > Start Menu View Tab
    3. To get the start menu folders “Windows Accessories” and “Windows Ease of Access” back, right click Programs and select Add Folder
    image-61.png?w=406
    1. Create both folders
    2. Go the Application List Tab and add an application
    3. We use the Magnifier in this example, change start menu integration to the folder Windows Ease of Access
    image-62.png?w=646

    Assign the application to the user or group and select at least Create Start Menu

    image-63.png?w=446

    Assign all you other applications with WEM. If you make use of the feature “Use Cache to Accelerate Action Processing” (Advanced Settings > Configuration > Agent Options Tab) remember to refresh the agent cache and wait a minute before you log on with us user.

    image-64.png?w=702

    Let me show you how the FIRST logon with a fresh profile looks like. I also pinned some applications to the start menu. The result looks pretty good, don’t you think?

    So, that’s it! I hope this blog is useful for you! You can find the FSLogix rules in my GitHub repository, feel free to use them as a template. I also created a PowerShell script to assign the Domain Users, Admins and the System accounts, according to your environment. There are no users assigned inside the template rules! Of course, you should check the assignments and adapt them to your needs.

    If you have any questions, contact me via Twitter @mohrpheus78 🙂

    Regards,

    Dennis Mohrmann | Citrix CTA

    logon.gif.b33fb12cd9c59822c458db11f0392138.gif


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...