How to Control Windows Start Menu Shortcuts Using Microsoft Intune

Before creating policies in Intune, you need to capture the desired Start menu layout from a test Windows 11 device. This generates the JSON configuration that Intune will deploy to your managed devices.

Set up your ideal Start menu on a test Windows 11 device by pinning and unpinning applications as needed. Once configured, open PowerShell as Administrator and run the export command:

Export-StartLayout -Path "C:\temp\StartLayout.json"

This command creates a JSON file containing your current Start menu configuration. The JSON format is required for Windows 11 devices, replacing the older XML format used in Windows 10.

Open the generated JSON file to review its contents:

Get-Content "C:\temp\StartLayout.json"

The file should contain a structure similar to this:

{
  "pinnedList": [
    {
      "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"
    },
    {
      "packagedAppId": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
    }
  ]
}

Navigate to the Microsoft Endpoint Manager admin center to create a custom configuration profile that will control Start menu layouts across your organization.

Sign in to https://endpoint.microsoft.com and navigate to Devices > Windows > Configuration profiles. Click Create profile and select:

• Platform: Windows 10 and later
• Profile type: Custom

Provide a descriptive name like "Corporate Start Menu Layout" and add a detailed description explaining the policy's purpose.

In the Configuration settings section, click Add to create your first OMA-URI setting:

Name: Configure Start Pins
Description: Sets custom pinned applications in Start menu
OMA-URI: ./Vendor/MSFT/Policy/Config/Start/ConfigureStartPins
Data type: String
Value: [Paste your complete JSON content from Step 1]

Add a second OMA-URI setting to hide the Recommended section:

Name: Hide Recommended Section
Description: Removes recommended apps from Start menu
OMA-URI: ./Vendor/MSFT/Policy/Config/Start/HideRecommendedSection
Data type: Integer
Value: 1

Add a third setting to prevent users from modifying the Start menu:

Name: Lock Start Menu
Description: Prevents user customization of Start menu
OMA-URI: ./Vendor/MSFT/Policy/Config/Start/LockStart
Data type: Integer
Value: 1

Configure the assignment settings to deploy your Start menu policy to specific device or user groups within your organization.

In the Assignments tab of your configuration profile, click Add group to select target groups. You can assign to:

• Device groups: Applies regardless of who logs in
• User groups: Follows users across devices
• All devices/users: Organization-wide deployment

Set the assignment type based on your requirements:

Assignment type: Required
Filter: None (or create custom filters)
Applicability rules: Not configured

Configure the policy scope settings:

• Required: Policy must be applied and cannot be removed by users
• Available: Users can choose to apply the policy
• Not configured: Policy is not enforced

Review the assignment summary and click Create to deploy the configuration profile.

Create and deploy PowerShell scripts through Intune to add custom shortcuts that may not be available through standard application pinning.

Create a PowerShell script to deploy custom shortcuts like the Music app. Save this script as Deploy-StartMenuShortcuts.ps1:

# Create Music shortcut
$WshShell = New-Object -ComObject WScript.Shell
$ShortcutPath = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Music.url"
$Shortcut = $WshShell.CreateShortcut($ShortcutPath)
$Shortcut.TargetPath = "ms-music:"
$Shortcut.IconLocation = "C:\Windows\System32\shell32.dll,13"
$Shortcut.Save()

# Create custom application shortcut
$AppShortcut = $WshShell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Company Portal.lnk")
$AppShortcut.TargetPath = "C:\Program Files\Microsoft\CompanyPortal\CompanyPortal.exe"
$AppShortcut.Save()

Write-Output "Start menu shortcuts deployed successfully"

In the Intune admin center, navigate to Devices > Scripts and click Add > Windows 10+. Upload your PowerShell script with these settings:

Name: Deploy Start Menu Shortcuts
Description: Adds custom shortcuts to Start menu
Script location: [Upload Deploy-StartMenuShortcuts.ps1]
Run this script using the logged on credentials: No
Enforce script signature check: No
Run script in 64 bit PowerShell Host: Yes

Assign the script to the same groups as your configuration profile to ensure consistent deployment.

Control whether users can modify their Start menu layout or if they must use the organization-defined configuration exclusively.

Create an additional configuration profile specifically for user permissions. Navigate to Devices > Configuration profiles > Create profile with these settings:

• Platform: Windows 10 and later
• Profile type: Custom
• Name: "Start Menu User Permissions"

Add OMA-URI settings to control user customization capabilities:

Name: Allow Pinned Folder Items
OMA-URI: ./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderItems
Data type: Integer
Value: 0 (disable) or 1 (enable)

Name: Disable Context Menus
OMA-URI: ./Vendor/MSFT/Policy/Config/Start/DisableContextMenus
Data type: Integer
Value: 1 (disable right-click menus)

For organizations requiring flexibility, create different permission profiles:

Implement monitoring and troubleshooting procedures to ensure your Start menu policies deploy successfully across all target devices.

Monitor policy deployment status through the Intune admin center. Navigate to Devices > Monitor > Device configuration to view deployment statistics:

• Succeeded: Policy applied successfully
• Error: Policy failed to apply
• Conflict: Multiple conflicting policies
• Not applicable: Device doesn't meet requirements

For detailed troubleshooting, access individual device reports by clicking on a specific device in Devices > All devices, then reviewing the Device configuration section.

Common troubleshooting commands for end devices:

# Force policy sync on target device
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

# Check policy application status
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start" -Name ConfigureStartPins

# View Start menu policy logs
Get-WinEvent -LogName "Microsoft-Windows-Shell-Core/Operational" | Where-Object {$_.Message -like "*Start*"}

Create a troubleshooting PowerShell script for help desk teams:

# Start Menu Policy Troubleshooting Script
$PolicyPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start"
$ConfigValue = Get-ItemProperty -Path $PolicyPath -Name "ConfigureStartPins" -ErrorAction SilentlyContinue

if ($ConfigValue) {
    Write-Output "Start menu policy is applied"
    Write-Output "Policy value: $($ConfigValue.ConfigureStartPins)"
} else {
    Write-Output "Start menu policy not found - check Intune deployment"
}

# Check for conflicting policies
$ConflictingPolicies = Get-ChildItem -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" -ErrorAction SilentlyContinue
if ($ConflictingPolicies) {
    Write-Output "Warning: Conflicting Group Policy settings detected"
}

Perform comprehensive testing to ensure your Start menu configuration works correctly across different user scenarios and device types.

Create a systematic testing checklist for validation:

1. Fresh device enrollment: Test on newly enrolled devices
2. Existing device updates: Verify policy applies to previously configured devices
3. User profile scenarios: Test with new and existing user profiles
4. Different Windows versions: Validate on Windows 10 and Windows 11

Use this PowerShell script to validate Start menu configuration on test devices:

# Start Menu Validation Script
$StartLayoutPath = "$env:LOCALAPPDATA\Microsoft\Windows\Shell\LayoutModification.xml"
$PolicyApplied = Test-Path $StartLayoutPath

Write-Output "Start Menu Validation Results:"
Write-Output "================================"
Write-Output "Layout file exists: $PolicyApplied"

if ($PolicyApplied) {
    $LayoutContent = Get-Content $StartLayoutPath
    Write-Output "Layout file size: $((Get-Item $StartLayoutPath).Length) bytes"
    
    # Check for specific pinned applications
    $PinnedApps = $LayoutContent | Select-String "desktopAppLink|packagedAppId"
    Write-Output "Pinned applications found: $($PinnedApps.Count)"
    
    foreach ($App in $PinnedApps) {
        Write-Output "  - $($App.Line.Trim())"
    }
}

# Test user customization restrictions
$RegistryPath = "HKCU:\Software\Policies\Microsoft\Windows\Explorer"
$StartPinned = Get-ItemProperty -Path $RegistryPath -Name "LockedStartLayout" -ErrorAction SilentlyContinue

if ($StartPinned) {
    Write-Output "Start menu is locked: $($StartPinned.LockedStartLayout -eq 1)"
} else {
    Write-Output "Start menu lock status: Not configured"
}

Document test results and create a rollback plan:

# Emergency rollback script
# Remove Start menu policy application
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start" -Name "ConfigureStartPins" -Force -ErrorAction SilentlyContinue

# Clear user-specific layout modifications
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\Shell\LayoutModification.xml" -Force -ErrorAction SilentlyContinue

# Restart Explorer to apply changes
Stop-Process -Name "explorer" -Force
Start-Process "explorer.exe"