Windows 1803 “Choose which folders appear on start” GPO

17 May

I have a setup with quite a few laptops on a separate locked-down domain. I recently rolled out Windows 1803 to these and noticed that the start menu now, by default, had additional links to documents and pictures. Whilst not the end of the world by a long way, I really wanted these machines to be clean, with all clutter removed.

I couldn’t find an easy way to change this via GPO. I don’t ever modify my vanilla image, but instead perform all post-image configuration using GPO.

After a bit of digging, I found the registry entry to control this was:

However, the random string after $de$ was different on each laptop, and I couldn't find another reference to this random string anywhere, almost like it was put in to stop automated modification of its contents. Looking at the 1709 build, it seems to be under:

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$$\Current

Which would have been far easier to reference and change.

Anyway, on the 1803 build, with all the items turned off, the REG_BINARY value became:


So, I ended up writing a PowerShell script to find the key I wanted and set the value so that all the icons were removed. It’s worth noting that you then need to log off and back on for this to take effect (or just kill explorer.exe, of course).

Oddly, I couldn’t get Set-ItemProperty to work, so I ended up removing the Data key and then creating it again with the value to clear all the icons.

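# Find every *.startglobalproperties key under the per-user CloudStore cache
Get-ChildItem "HKCU:\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\" -Recurse | Where-Object {$_.pspath -like "*.startglobalproperties"} | ForEach-Object {

    # REG_BINARY value captured with all the start menu folders turned off
    $NoIcons = "02,00,00,00,FB,F1,44,D5,EE,EC,D3,01,00,00,00,00,43,42,01,00,C2,3C,01,C2,46,01,C5,5A,01,00"
    $RegPath = $_.pspath + "\current"
    $AttrName = "Data"
    # Prefix each hex pair with 0x so the strings cast cleanly to bytes
    $hexified = $NoIcons.Split(',') | % { "0x$_" }

    # Remove the existing Data value, then recreate it with the new contents
    Get-Item -Path $RegPath | Remove-ItemProperty -Name $AttrName
    New-ItemProperty -Path $RegPath -Name $AttrName -PropertyType Binary -Value ([byte[]]$hexified)
}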

This is then deployed as a login script with the parameters “-executionpolicy Bypass”.
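
To confirm the login script actually took effect for a user, a read-only check can compare each Data value against the same blob. This is an added example, not part of the original script; the function names Test-StartFolderBlob and ConvertTo-ByteArray are hypothetical, and it assumes the same key layout and "no icons" value shown above.

```powershell
# Added example: read-only audit, writes nothing to the registry.
$Root    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount'
# "No icons" blob copied from the script above
$NoIcons = '02,00,00,00,FB,F1,44,D5,EE,EC,D3,01,00,00,00,00,43,42,01,00,C2,3C,01,C2,46,01,C5,5A,01,00'

function ConvertTo-ByteArray([string]$Csv) {
    # "02,00,FB" -> [byte[]](0x02, 0x00, 0xFB)
    [byte[]]($Csv.Split(',') | ForEach-Object { [Convert]::ToByte($_, 16) })
}

function Test-StartFolderBlob {
    param(
        [string]$Path     = $Root,
        [byte[]]$Expected = (ConvertTo-ByteArray $NoIcons)
    )

    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*.startglobalproperties' } |
        ForEach-Object {
            # -LiteralPath because the key name contains '$' and other odd characters
            $current = $_.PSPath + '\Current'
            $actual  = (Get-ItemProperty -LiteralPath $current -Name Data -ErrorAction SilentlyContinue).Data

            [pscustomobject]@{
                Key       = $_.PSChildName
                HasData   = $null -ne $actual
                # Byte-for-byte comparison via the hex string form of both arrays
                Compliant = ($null -ne $actual) -and
                            ([BitConverter]::ToString($actual) -eq [BitConverter]::ToString($Expected))
            }
        }
}

# One row per matching key; Compliant = False means the blob differs or is missing
Test-StartFolderBlob | Format-Table -AutoSize
```

No output at all means no *.startglobalproperties key was found for that user, which is worth logging separately from a non-compliant value.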