Intune: Desktop & Start menu customizations

-

Ever since endpoint device management gravitated towards Intune (aka Microsoft Endpoint Management or MEM), the need for SOE management (Standard Operating Environment) for end user devices has become a prime requirement. A small but important part of this is implementing Windows 10 customizations to suit organizational needs. 

I recently had to implement the same for a customer so wanted to cover some unique & specific aspects through this blog.

Desktop Icons Customization

If you are anything like me who likes his desktop clean or have a similar SOE requirement in your organization then the following method may just help you.

A Powershell script can be used to clean the desktop for all the unwanted icons and place custom icons like ‘This PC’ shortcut. I did the same for devices that were getting provisioned using Autopilot. Please note that this will nuke all the icons for all user profiles so use it carefully.

Get-ChildItem $env:Public\Desktop\*.lnk | ForEach-Object {Remove-item $_ }

$WshShell = New-Object -ComObject WScript.Shell

$Shortcut = $WshShell.CreateShortcut("C:\users\public\Desktop\This PC.lnk")

$Shortcut.TargetPath = [environment]::getfolderpath("mycomputer")

$Shortcut.Save()

Start Menu URL shortcuts for Tiles

There are multiple ways of pinning URL tiles in the Start Menu. The easiest & most consistent method I have found is using a script to create the url based shortcuts on the fly for the purpose of using them in the start menu layout. This way one doesn’t have to worry about creating & then copying the files during a deployment. The script below will create 2 url shortcuts and place them under the “C:\ProgramData\Microsoft\Windows\Start Menu\Programs” path.

$WshShell = New-Object -ComObject WScript.Shell

$Shortcut1 = $WshShell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\xxxxxx Sharepoint.url")

$Shortcut2 = $WshShell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\xxxxxx Yammer.url")

$Shortcut1.TargetPath = "https://xxxxxx.sharepoint.com"

$Shortcut2.TargetPath = "https://www.yammer.com/xxxxxx.com"

$Shortcut1.Save()

$Shortcut2.Save()

At this point the work is only half done as we will need to export the Start menu layout xml and import it in Intune. Let us see how that is done.

Start Menu & Task Bar Customizations

Using a reference PC, create a Start menu layout of your choice and then run the following commands using logged in user credentials.

Export-StartLayout -UseDesktopApplicationID -Path StartLayoutMarketing.xml

-path is a required parameter that specifies the path and file name for the export file. You can specify a local path to which you have access like C:\Temp\StartLayoutMarketing.xml or a UNC path (for example, \\FileServer01\StartLayouts\StartLayoutMarketing.xml)

Once the xml is exported, add the Taskbar layout elements as shown below.

<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"

xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout">

  <LayoutOptions StartTileGroupCellWidth="6" />

  <DefaultLayoutOverride>

    <StartLayoutCollection>

      <defaultlayout:StartLayout GroupCellWidth="6">

        <start:Group Name="xxxxxx">

          <start:DesktopApplicationTile Size="2x2" Column="2" Row="6" DesktopApplicationID="https://www.yammer.com/xxxxxx.com" />

          <start:DesktopApplicationTile Size="2x2" Column="4" Row="4" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\SnippingTool.exe" />

          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="Microsoft.Office.EXCEL.EXE.15" />

          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Office.OUTLOOK.EXE.15" />

          <start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationID="Chrome" />

          <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationID="Microsoft.Office.WINWORD.EXE.15" />

          <start:DesktopApplicationTile Size="2x2" Column="2" Row="4" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" />

          <start:DesktopApplicationTile Size="2x2" Column="0" Row="6" DesktopApplicationID="https://xxxxxx.sharepoint.com/" />

          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationID="Microsoft.Office.POWERPNT.EXE.15" />

          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="Microsoft.Office.ONENOTE.EXE.15" />

          <start:DesktopApplicationTile Size="2x2" Column="0" Row="4" DesktopApplicationID="com.squirrel.Teams.Teams" />

        </start:Group>

      </defaultlayout:StartLayout>

    </StartLayoutCollection>

  </DefaultLayoutOverride>

      <CustomTaskbarLayoutCollection PinListPlacement="Replace">

      <defaultlayout:TaskbarLayout>

        <taskbar:TaskbarPinList>

          <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" />

                <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook.lnk" />

          </taskbar:TaskbarPinList>

      </defaultlayout:TaskbarLayout>

    </CustomTaskbarLayoutCollection>

</LayoutModificationTemplate>

Now we import the desktop cleanup, shortcut creation scripts and the start menu layout in Intune. To import the scripts, follow the process below.

  1. Sign-in to the https://endpoint.microsoft.com
  2. Browse to Devices – Windows – Powershell Scripts
  3. Click Add
  4. Provide a Name and hit next
  5. Under Script settings, select the desired script.
  6. Select No against Run this script using the logged on credentials option.
  7. Select No against Enforce script signature check option.
  8. Select Yes against Run script in 64 bit PowerShell Host option.
  9. Assign the script to a device-based group.

To configure the Startmenu layout policy, follow the process below.

  1. Sign-in to the https://endpoint.microsoft.com
  2. Browse to Devices – Windows – Configuration Profiles
  3. Click Create Profile
  4. Select Platform as Windows 10 and later
  5. Select Profile as Device Restriction
  6. Provide a Name and hit next.
  7. Under Configuration Settings-Start, import the StartLayoutMarketing.xml exported earlier. If the syntax of the xml is correct, then it will get added successfully.
  8. You can configure other settings as well, but for configuring Start menu layout, the setting stated above is enough.
  9. Commit the settings and assign to a device-based group.

End Result

All the icons are deleted and ‘This PC’ shortcut is placed on the desktop.

Start menu layout gets applied with the url shortcuts pinned. 

Url shortcuts are created in the “C:\ProgramData\Microsoft\Windows\Start Menu\Programs” path.




Until next time..

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting pr
Read more