Step by Step Redirecting and Managing the modern Start Menu in Windows 2012(R2) RDS


I got several requests and questions about customizing and managing a redirected Start Menu when using a Full Desktop session collection. This post will cover the basics for doing that and is based on implementations we have done for real customers, on Windows Server 2012.
The methods I describe below are therefore meant for Windows Server 2012 RDS environment, but work on Windows 2012 R2 RDS as well.
I used the setup from the Step by Step Windows 2012 R2 Remote Desktop Services – Part 1 post as a base for this guide, so check that post for details on how to set that up in a lab.
I added the “Desktop Experience” feature to the ITWRDS01. This is not a requirement, but was part of another experiment. I realized I left it there when I was almost done with documenting this post.

First things first, let’s prepare this environment for Start Menu redirection.

 

Creating the Start Menu redirection location
To redirect the Start Menu we need a folder structure that is going to hold the redirected Start Menu. Since the setup I am using only has two servers, a Domain Controller and a Remote Desktop Services server, I will use the Domain Controller to hold this folder structure.
I created the following folder structure:
RDS Deployment - Redirected StartMenu 01
I shared the “Redirection” folder. No additional settings for this share have been changed here.
Next we’ll need to enable access-based enumeration on the shared folder. To do this open Server Manager on the Domain Controller.

Server Manager
RDS Deployment - Redirected StartMenu 09
Select File and Storage services, then click Shares.
Right-click the Redirection share and click Properties.

Redirection Properties
RDS Deployment - Redirected StartMenu 10
Check Enable access-based enumeration. Then click OK.


Creating the Start Menu redirection Group Policy Object

As creating the Domain and adding the RDS Server was not covered in the Step-by-step guide, make sure you create an Organizational Unit that holds the RDS Server object.
RDS Deployment - Redirected StartMenu 02
Now create a new Group Policy Object. For this guide I named it “RedirectedStartMenu”.
Configure three settings in this GPO:
Turn on Loopback processing. You can find this setting by navigating to Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> Configure user Group Policy loopback processing mode. I set it to “Replace” but it all depends on how you configured Group Policies in your domain.
RDS Deployment - Redirected StartMenu 03
Turn on Start Menu redirection. Navigate to User Configuration -> Policies -> Windows Settings -> Folder Redirection -> Start Menu.

On the Target tab:
RDS Deployment - Redirected StartMenu 04
Select the Basic setting, since we’re going to redirect for all users in this guide. In the Target folder location box select “Redirect to the following location” and point the Root Path to the share, but include the Start Menu folder in the folder structure.

On the Settings tab:
RDS Deployment - Redirected StartMenu 05
We don’t want users to have exclusive rights, so uncheck that.
The second option we’ll leave checked now, I’ll show you why a little later.

Remove common program groups. Navigate to User Configuration -> Policies -> Administrative Templates -> Start Menu and Taskbar -> Remove common program groups from Start Menu. Set this to “Enabled”.
RDS Deployment - Redirected StartMenu 25

Link the Group Policy Object to the Remote Desktop Services OU:
RDS Deployment - Redirected StartMenu 06
Exclude the Domain Administrators group from this policy (Deny Apply policy in the Delegation tab and then clicking Advanced).

 

Creating a temporary user to configure Start Menu redirection settings
The redirected folder structure needs to meet specific requirements. There are several options to configure these requirements. I find the easiest way is to create a temporary user and let this user’s Start Menu be redirected to the predefined folder structure once. That’s why I left “Move the contents of Start Menu to the new location” checked in the Settings tab for the redirection policy.
Create a temporary user and add this user to the Domain Admins group. This is probably too much, but since it’s a temporary user I don’t care about that. I created the user “redirection”.


Completing the Start Menu redirection pre-requisites

Log on to the Full Desktop using the temporary user to redirect the contents of the default Start Menu to the redirected Start Menu folder structure.

Check the redirected Start Menu folder structure:
RDS Deployment - Redirected StartMenu 07
When this structure is completed, log off the temporary user.

Delete the Maintenance, System Tools, Windows Accessories, and Windows Ease of Access folders, including all items they may contain.
RDS Deployment - Redirected StartMenu 11


Cleaning up before proceeding

Since the basic structure is now in place, let’s clean up a little bit before proceeding.
Remove the temporary user from the Domain Admins group. Do not delete the user, just remove it from the group.
Open the Start Menu redirection policy and remove the check we left in place when we created the policy:
RDS Deployment - Redirected StartMenu 08

Creating the custom Start Menu
Now let’s have a look what all these preparations have left us with. RDP to the server and log in with the temporary user.

Start Menu
RDS Deployment - Redirected StartMenu 12
All Programs
RDS Deployment - Redirected StartMenu 13
Looks a little bit empty. Let’s fix that.

Do not log off the RDS session just yet.

Log on to the RDS Server with an admin account and install a couple of utilities. For this setup I installed Notepad++ (http://download.tuxfamily.org/notepadplus/6.5.5/npp.6.5.5.Installer.exe), Foxit Reader (http://www.foxitsoftware.com/Secure_PDF_Reader) and WinMerge (http://winmerge.org/downloads).
You can log off the admin account from the RDS Server now.

A user’s Start Menu for a user that does not have a profile yet will be created from the All User’s Start Menu, which is located in “\\itwrds01\c$\ProgramData\Microsoft\Windows\Start Menu\Programs”, and from the Default User’s Start Menu, which is located in “\\itwrds01\c$\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs”.

Log on to the Domain Controller.

Create two folders:
\\itwdc01\redirection\startmenu\programs\Accesories
\\itwdc01\redirection\startmenu\programs\Extra

From the All User’s Start Menu path, copy the following items:
Desktop.lnk to \\itwdc01\redirection\startmenu\programs
Windows Accesories\Calculator.lnk to \\itwdc01\redirection\startmenu\programs\accesories
Windows Accesories\Calculator.lnk to \\itwdc01\redirection\startmenu\programs\accesories
Windows Accesories\Paint.lnk to \\itwdc01\redirection\startmenu\programs\accesories
Windows Accesories\Wordpad.lnk to \\itwdc01\redirection\startmenu\programs\accesories
Foxit Reader\Foxit Reader.lnk to \\itwdc01\redirection\startmenu\programs\extra
Notepad++\Notepad++.lnk to \\itwdc01\redirection\startmenu\programs\extra
WinMerge\WinMerge.lnk to \\itwdc01\redirection\startmenu\programs\extra

From the Default User’s Start Menu path, copy the following items:
Winodws System\Control Panel.lnk to \\itwdc01\redirection\startmenu\programs
Winodws System\File Explorer.lnk to \\itwdc01\redirection\startmenu\programs
Windows Accessories\Notepad.lnk to \\itwdc01\redirection\startmenu\programs\accesories

Now switch to the All Programs screen on the RDS Session for the temporary user again:
RDS Deployment - Redirected StartMenu 14
A few things have changed. You can see the application links we added to the Programs folder in the redirected Start Menu. Those are visible in the left most column, ungrouped. The folders we created however (Accessories and Extra) including the program links we copied there, are seen grouped by their folder name. How cool is that? The groups correspond to the folders in the redirected Start Menu folder structure. You can rename these on the fly and your changes will reflect in the user’s session immediately should the need arise. And it gets better..

Switch back to the Start Menu and add programs and groups to make it look like this:
RDS Deployment - Redirected StartMenu 15
How to add program links to the Start Menu like this or how to group them and name those groups is not part of this guide and should be common knowledge for IT pros ;)

Again, leave the temporary user logged on to the RDS Session.

The next step is based on Windows 2012 RDS but works on Windows 2012 R2 RDS as well. There’s a different method available that works on Windows 2012 R2 RDS only, but I’m not going into that right now.
The Start Menu layout and icons is kept in the user profile. To force this layout to all users, we simply copy this file to the Default User’s profile on every RD Session Host in the deployment. To distribute this file or updates to this file to users that already have a profile is beyond the scope of this post. This post is just a guide that shows a method to ensure all users that don’t have a profile yet will get the default Start Menu layout. So preferably deploy this method before allowing users access to your RDS farm.

From the Domain Controller copy the following file:
\\itwrds01\c$\users\redirection\appdata\local\microsoft\windows\appsFolder.itemdata-ms to \\itwrds01\c$\users\default\appdata\local\microsoft\windows
After the file is copied set it to read-only (the one in the Default User’s profile, not the original file!).
RDS Deployment - Redirected StartMenu 16
The reason we need to do this is that only read-only files will be copied from the Default User’s profile to a new user profile upon creation. This presents a new problem though. If this file in the new profile remains read-only, which it will if we don’t act on it, the user wouldn’t be able to change anything in the Start Menu.

So open the RedirectStartMenu Group Policy again.
Navigate to User Configuration -> Preferences -> Windows Settings -> Registry
Add a new Registry Item.
Key Path: Software\Microsoft\Windows\CurrentVersion\Run
Value name: Metro fix
Value type: REG_EXPAND_SZ
Value data: c:\windows\system32\attrib.exe %USERPROFILE%\appdata\local\microsoft\windows\appsfolder.itemdata-ms –R
The result looks like this:
RDS Deployment - Redirected StartMenu 17
I know this is a rather dirty fix, but it gets the job done.

I tested the whole thing by logging of the temporary user. Then I deleted the local profile (In the original setup I had no profile disks configured, so by default users get a local profile) and logged in again.
RDS Deployment - Redirected StartMenu 15
Yes, still looks good. Checking the read-only attribute on the appsFolder.itemdata-ms for the temporary user (in my case located in \\itwrds01\c$\users\redirection\appdata\local\microsoft\windows):
RDS Deployment - Redirected StartMenu 21
Looking good, so the policy to remove the read-only attribute works.

Remember that we enabled access-based enumeration on the share? Let’s put that in effect now.
Create a Global Security group in Active Directory called “RDS Extra Applications” or whatever you see fit to call it.
Don’t add any users yet.
Browse to \\itwdc01\redirection\startmenu\programs and open the security tab for the Extra folder.
RDS Deployment - Redirected StartMenu 18
Click Advanced.
RDS Deployment - Redirected StartMenu 19
Click Disable inheritance, and then select to Convert inherited permissions into explicit permissions on this object.
Then click OK.

Click Edit, and remove the Users group from the list.
Click Add, and add the Global Security group we created earlier.
Do not change the default rights for this group, effectively granting it Read access.
RDS Deployment - Redirected StartMenu 20

Log on to an RDS Session with a test user (Jan Klaassen in my setup).
RDS Deployment - Redirected StartMenu 22
And the group “Extra” is gone. So what happened here? We limited the Extra folder, and the applications in it, to the security group “RDS Extra Applications”. Since Jan is not a member of this group access-based enumeration refuses to show the contents when browsing the folder, and this works for the new Start Menu as well.

This Extra group is also not visible in the All Programs view, and searching for Notepad only shows the default Notepad program, and not the Notepad++ program, which is a program in the Extra group.
RDS Deployment - Redirected StartMenu 23
RDS Deployment - Redirected StartMenu 24

Now for the cool part of this. Log the test user out of the RDS Session, add the test user to the “RDS Extra Applications” security group.

Log back in to the RDS Session:
RDS Deployment - Redirected StartMenu 26
And there it is. The Extra group is back because Jan now has access to the folder. Thank you access-based enumeration!

So.
This post showed a way of managing a dynamic Start Menu and access to application links for the Start Menu and All Programs Section for Windows 2012 RDS.
Things to consider:
If the user has access to the drive where the applications are installed the user is still able to launch the application. Again, there are several options to prevent that, but locking down the rest of the RDS Session Host is not in the scope of this post.
If you add program folders to the redirected Start Menu they do get added to the All Programs section, but you need to redo the Start Menu layout bit to design a new Start Menu file. You then need to distribute it in some way to all the user who already have a profile, but it would override any customizations those users may have done themselves.

And till next time,

Arjan

20+ years experience in Microsoft powered environments. Enjoy automating stuff using scripts, powershell, and even batch files. In my free time (hah! as if there is any) I hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). When I'm not doing that I enjoy traveling or riding my Yamaha R1 on the edge ;)

Tagged with: , ,
Posted in Remote Desktop, Step-by-Step guide, Windows 2012, Windows 2012 R2
43 comments on “Step by Step Redirecting and Managing the modern Start Menu in Windows 2012(R2) RDS
  1. Eric says:

    Thnx for the guide but it is not the best way to customise the start menu, for server 2012 it is the only way but for R2 there is a export-startlayout. See the URL for the info.

    http://technet.microsoft.com/en-us/library/dn283401.aspx

  2. hello – What if you have several collctions ? – you only have one default profile

  3. Arjan Mensch says:

    Hi Nadia,
    If you have multiple desktop collections, each collection has its own servers assigned to it.
    Each collection has its own User Profile Disk location, and thus you have multiple default profiles. One for each collection to be exact.
    Say you have collection A with 10 servers and collection B with 10 servers.
    Perform the procedures as described in this post twice. Once for the servers in collection A and once for the servers in collection B. Since each collection has its own profile disk share (you can’t use a UPD in more than 1 collection) the same principles apply. You just have to do everything twice.
    If a user is in a security group which grant him or her access to an application that is only installed on the servers in collection A, the application icon will not show up on desktops from collection B.

    Cheers

  4. Dennis says:

    Hey there.

    If you create a temporary user and add it to the Domain Admins after setting the Deny policy to administrators. Wouldn’t that fizzle and Not create the Start Menu at the share location since the policy isn’t applied to administrators?

    //Dennis

    • Arjan Mensch says:

      Hi Dennis,
      Good catch. Set Deny for Domains Admins after creating the initial folder structure, or copy the folder structure from a profile that belongs to a user that has logged on before. Point is that the folder structure needs to comply to a standard which is accepted by Windows as a valid start menu folder structure.

      • Dennis says:

        Absolutely, I was following the guide and ran into some issues but it was due to me forgetting that creating a share through the advanced options sets Read only permissions to everyone on the share level as default. I have implemented it now and everything is working as planned. A really well made guide!

  5. Bert says:

    Thanks for your work.
    I went through the guide and i got an issue.
    I disabled the check “move contents of start menu to the new folder” but when users create new shortcuts to theire startmenu it is transfered to the redirected folder so all other users also get these new shortcuts.

    Hope you can help me out.

    • Arjan Mensch says:

      Hi Bert,
      Make sure Authenticated Users have Read access only on the redirected folder. The check you mentioned is not to prevent users from adding shortcuts to the redirected folder.

  6. Mike Farrar says:

    Great Article, however after having created the two folders “Accessories” and “Extra” you used in your example they do not show in the temporary users Apps view. I have tried several times and made sure that my sharepoint for the start menu redirection has full share and NTFS permissions, but I cannot seem to get past this point.

    I would really like to use this approach for my deployment, but I cant seem to get it working like you have demonstrated in your examples.

  7. Lele says:

    is their anyway to setup UPD apply to only some users and not all users?

    • Arjan Mensch says:

      Hi Lele,
      UPDs are associated with the Session Collection, so if you need a group of users to not use the UPDs, you need to create a Session Collection just for them. And since a RD Session Host can only belong to a single Session Collection, the simple answer to your question is No.

  8. dazzo says:

    I had to change your registry entry to be the below, moving the -R to after attrib
    Value data: c:\windows\system32\attrib.exe -R %USERPROFILE%\appdata\local\microsoft\windows\appsfolder.itemdata-ms

    • Arjan Mensch says:

      Hi dazzo,
      According to attrib.exe’s syntax, you’re absolutely right. If anyone has an issue with my syntax (I have not, strange enough), which would probably result in users not being able to modify their own start menu layout, check out dazzo’s comment for the fix.

  9. Justin says:

    Much appreciated! This put me on the right track for my deployment.

  10. Frank says:

    Hi

    We are thinking of offering our RDS solution to coworkers private PC’s.

    If a private computer gets stolen, Is there any way that I can prevent that particular computer from attempting to login?

    Best Regards
    FC

  11. Glenn says:

    Anyone tested this for Windows 10? Im struggling to get start menu folder redirection working…

  12. Martin Berard says:

    Just a simple question, why do you leave the administrative tool (empty?) folder inside the start menu?

    • Arjan Mensch says:

      Hi Martin,
      I believe we had an issue with removing it once. Can’t remember for sure. If it works for you deleting it, delete it.
      I think it had something to do with that customer also wanting redirected startmenu for their named admin accounts.

  13. Slagerij says:

    Hi,
    I logged on as an ordinary user and successfully created a nice layout. I pinned the programs from: All Apps. After that, I grabbed the appsfolder.itemdata-ms, copied it to C:\Users\Default\AppData\Local\Microsoft\Windows and made the file Read-Only.

    Than I tossed away the test users profile disk and logged on. The Startmenu layout was as I hoped for and expected. The layout that I had prepared was in place. I logged out and on again and, the horror: The StartMenu was completely empty.

    I Looked in the Users profile: C:\Users\%Username%\Appadata\Local\Microsoft\Windows, and there is the appsfolder.itemdata-ms file I deployed. The Logged on user has Full Control permissions to it, but it looks like it’s not being “picked up” bij Windows or whatsoever.

    After some testing I decided to revert the Read-Only part and I made appsfolder.itemdata-ms write-able.
    When I came back to my Start menu, I was still blank. I tried to pin a program, that was previously pinned in my default lay-out, to Start-Menu, nothing happends. But then I tried to pin a program that was not part of my lay-out. Guess what ? All the tiles I included in my layout, including this “new” tile, all appeared.

    Another interesting thing: killing explorer (tskill explorer) brings back the Start Menu…

    • Arjan Mensch says:

      Hi Slagerij,
      The itemdata-ms file needs to be read-only in the default program, and needs to be read/write (attrib -R) in the user’s profile.
      If you omit the last step and simply rely on copying the default profile the file will remain readonly and you won’t be able to make changes.
      As to why the startmenu turned up empty for you, I have no idea. You could mount the user’s profile disk instead of tossing it to check if the file is there when the user logs off.

      • Slagerij says:

        Found the solution:

        https://thewolfblog.com/2014/02/24/user-profile-disks-for-rds-2012-2012-r2/

        Here the author writes about user profile disks:

        This option is great since it is focusing on the real important pieces of a user’s profile, however in some cases this can cause problems, especially if the users are connecting to a desktop with a customized Start Screen.

        They will lose their settings once they log off because these settings are held within a file called appsFolder.itemdata-ms located in the directory (AppData\Local\Microsoft\Windows). Since we have the user profile disks configured for the roaming data of a user’s profile only, we will need to include this folder to our user profile disks. To do so, click on the add button and add the directory (AppData\Local\Microsoft\Windows).

        Once completed, the directory (AppData\Local\Microsoft\Windows) will now be preserved in the user’s profile disk.

      • Arjan Mensch says:

        That explains a lot. I’m used to working the other way around: preserve everything in the profile by default and manage your applications properly to store data where you want it.
        Temp folders get emptied or deleted by setting appropriate options. “Roaming folders” such as documents, desktop, etc are redirected to the home folder or a different location using Group Policies.

  14. I have implemented this start menu management for our users on 2012 R2. I never got the export-startmenulayout to work. Some times the start menu appeared, some times it was empty.. I never figured it out. So the appsFolder.itemdata-ms was my best solution.. However. This seems only to work with new users. What if I want to add a shortcut and update existing users’ start menu? I can’t figure this out.

    Hopefully you are still reading this, @Arjan Mensch

    Thank you for a great article.

    • Arjan Mensch says:

      Hi Stolt,
      The Export-Startmenulayout might work for you, but you’d have to use GPO to apply it, and results in users not being able to change the startmenu layout, or pin apps to the taskbar.
      Unfortunately you cannot insert an app shortcut into the startmenu layout.
      Whenever I need to add a new app, I create a new folder in the redirected startmenu and add the shortcut there. Users see “New!” next to the app if the user views the all apps view in the startmenu and can then choose to add it to their startmenu.
      There’s no way to add it into your startmenu layout without overwriting all personalizations done by users.
      If that’s not a big deal I’d look into distributing the updated appsFolder.itemdata-ms using GPO or logon script or something like that.

      • Thank you very much for a quick reply.

        I did already try the export-startmenulayout and GPO by following this article: http://xenappblog.com/2013/customize-windows-2012-start-screen-using-group-policy/ and although it seems to work one time, another time when the user is logging in, the start menu is just empty. The user can log off and log in again, and the start menu will be populated with shortcuts, or not.. so it is not exactly reliable.

        I guess this is it for now. I should continue working with the appsFolder.itemdata-ms folder. Hopefully there will be a simpler solution for updating the start menu in the future.

  15. Ramon says:

    Hi there!
    Thank you for the great guide at first. Was looking for that quite a long time.
    Though I still have one last problem: The registry fix does to work with me. The read-only is always active. When I manually execute the attrib.exe copied from the registry string read-only attribute gets removed. Any ideas?
    Best regards
    Ramon

    • Ramon says:

      Sorry just noticed something: The read-only attribute gets removed as it should – just takes some time to apply after login.

      But the problem persists: The whole metro is just empty after the second login. Is there some way to fix this?

      • Arjan Mensch says:

        Hi Ramon,
        If you make sure the local profiles do not get deleted, for instance, using UPD or (please no!) roaming profiles, the start menu layout should be roamed or retained between sessions.

  16. James Everingham says:

    I’ve been using this setup for redirecting the start menu for all of our RDS users for some time now and been really happy with the results. I need to update the original layout to accommodate a couple of new applications we have installed. Has anyone managed to do this ?

    Any help would be appreciated, I’m pulling my hair out !!

    • Arjan Mensch says:

      Hi James,
      If you do this (logon script using powershell to overwrite the original layout file when a user logs on) you will lose all customization a user might have done to the layout.
      If possible just add the new shortcuts to the redirected start menu and have the users add them to the layout themselves?

  17. Julian says:

    Great article! At first I was wondering about the method you shared the redirection directory? Did you simply “share” it or did you an advanced share? My problem was that due to the inheritance on C: the Domain-Admin group wasn’t able to create folders / files?
    Another point is that (if I click on a link in the start menu) the security warning comes to front, I have to choose open the file or cancel. Did you manage this via GPO and added the domain name of the DC to trusted zone?

    • Arjan Mensch says:

      Hi Julian,
      I always share advanced to have more control. I have not touched any GPOs in these guides, but I can imagine environments where it is necessary to add netwaork locations and such to the local intranet zone.

      • Julian says:

        Wow Arjan, that answer came quite fast! Thank you. What’d you recommend to avoid the security dialog to come up, annoying the user and requires the additional “open” click? How did you do that?

  18. Saaj says:

    Thanks for this great article, I have used this as a baseline and got everything working as I wanted. The only problem is that IE and File Explorer no longer show up in the taskbar. This usually shows up as default so either “remove common programs” GPO or the redirection has removed these. Is there a way to pin these back to taskbar without affecting the redirection? I do not want to give users ability to pin anything to taskbar and have got this locked down via GPO but I would like to make IE and File Explorer available in taskbar as default for everyone.

    Thanks.

    • Arjan Mensch says:

      Hi Saaj,
      I have not yet found a method to effectively pin programs to the all users’ taskbar, sorry.

      • Saaj says:

        Thanks Arjan for getting back to me. Is that a known issue with desktop redirection that it unpins items from the taskbar?

      • Arjan Mensch says:

        Hi Saaj,
        No it is not and I suspect there might be an issue with the appsFolder.itemdata-ms file, but I’m not sure if that holds the taskbar pinned items as well.
        I have had an issue once where users were unable to pin to the taskbar and that was related to the appsFolder.itemdata-ms file.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog Authors
Donate Button

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 322 other followers

Blog Stats
  • 1,913,769 hits
%d bloggers like this: