How to remove the default Windows 10 taskbar items using Group Policy Powershell Scripting and Task Scheduler
How to remove pesky Windows 10 items from new user accounts in Group Policy in a Domain environment. (Can be adapted to a single PC)
You might have noticed that every time a new user logs into a Windows 10 PC they get the extra Microsoft Bloatware/cruft. Sure, you could make a single image that partially removes some of this stuff, but if you do not live in a Domain where all the PCs are the same then you might just want Group Policy to handle the automated removal of this stuff. Be prepared to be patient with the steps and the testing as there are a number of things which can change the way you will get this done.
For now and as a sort of introduction, we will be using a Powershell script that is run from the users scheduled tasks to run at user login to unpin the Microsoft Store and Microsoft Edge from the taskbar. Sounds simple right?
A lot of this is going to be involved with Certificates, security, and other Domain related items. You could implement this on a workgroup environment, but you would have to edit the process for your needs, and would require a bit more manual work, either by setting Powershell to run without being signed or manually copying code signing certificates which is outside of the scope of this guide.
You will require Domain Admin / Administrator rights on the PCs and Domain.
Build the Script
1. The first task is to get something that will automatically unpin Store and Edge, the one from this page should do the trick, with a little bit of modification.
$appnames = "^Microsoft
Edge$|^Microsoft Store$"
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items()
|
Where-Object{$_.Name -match $appnames}).Verbs()
|
Where-Object{$_.Name.replace('&','')
-match 'Unpin from taskbar'} |
ForEach-Object{$_.DoIt(); $exec = $true}
a. If your domain uses a different region than US English, you may need to modify the last match statement such as LotPings indicates in his post
b. Also, you may need to change the $appnames statement to match the exact name of the application, in my case I had to specify Microsoft along with Store in order for it to work.
2. Create a temporary normal user on your desired testing domain and obtain a test PC to carry out the testing.
3.
Create a text file
somewhere in the Domain you selected above paste in your script from above and
save the file on the desktop by choosing a name with a .ps1 extension, in our
example we will be calling it StoreEdgeScript.ps1
a. If you are unsure of the regionalization, just continue from this point with the testing and using the US English localization written script as it is above.
4. While Logged into the test PC as a new user, open the .ps1 file you created above with PowerShell ISE, and navigate to the directory where the .ps1 file is.
5. Run the script by entering the following after the prompt as shown below into the lower portion of the PowerShell ISE window
PS C:\USERS\TESTUSER\Desktop> .\StoreEdgeScript.ps1
a. If the Edge and Store icons do not disappear use ISE to edit the script and save before rerunning to troubleshoot why it does not work for your environment. If it works then continue to the next step.
b. Log the Test User off and log back into the testing PC with an Administrator and delete the testing Users Profile to reset the PC to a state where we can test execution under the intended situation. You may need to do this many times, if you need help on how to do this follow these steps here, make sure you are doing it while logged in as an administrator on that PC.
Script Execution Preparation
1. If you already know the execution policy (in GPO) of scripts in your domain and know how to handle PowerShell Script execution then you can skip this section.
2. Ideally you have restricted script execution to signed scripts in your domain to prevent the unsigned script attack vector, if you would like to do this you can see how here.
3. Now we will want to test how script execution occurs within our environment. We will first test in the Admin account and then in a regular user account.
a. On the test computer type [Windows Key] + [R] to get the run dialog
b. Type in taskschd.msc and hit OK, the Task Scheduler window will open
c. Right Click on Task Scheduler Library and select New Folder… with a relevant name (like MyTest)
d. Expand the Library and Select your new folder and right click it and select Create Task…
e. General Tab: Name the task something relevant like Test Login Script, tick the Run with highest privileges, and select Configure for: Windows® 7, Windows Server™ 2008 R2. We are going to test running the task as a normal user so do not change the security options to any other user other than yourself. Both of the tests will be done this way.
f. Triggers Tab: Click New…, select Begin the task: to At log on, and make sure that Enabled is clicked.
g. Conditions Tab: Untick any options here.
h. Settings Tab: Only Allow task to be run on demand should be selected here.
i. We skipped the Action tab because we are going to first verify that what we want to do works. So open a PowerShell window and type in msg $Env:username Test Message. You should get a message that is brought to the front with your username and the date and time in the header with the message you typed. Click OK to clear the message.
j. Create a text file somewhere on the computer that all users have read privileges such as C:\Windows\Temp\. Call the file TestScript.ps1 and open it with your favorite text editor.
k. In this file paste the following text and save and close the file:
msg $Env:username Test Message Two
l. Go back to the task scheduler window.
m. Actions Tab:
i. Click New… and fill out ALL the fields below as follows:
1. Program/script: msg
2. Add arguments (optional): %username% Test Message One
3. Select OK to close the window
ii. Click New… again and fill out ALL of the fields below as follows:
1.
Program/script: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
2.
Add arguments (optional): -ExecutionPolicy
Bypass -command "& C:\Windows\Temp\TestScript.ps1”
3. Select OK to close the window
iii. Click New… again and fill out ALL of the fields below as follows:
1.
Program/script: msg
2. Add arguments (optional): %username% Test Message Three
3. Select OK to close the window
iv. Select OK to close the Create Task window and save it.
n. With the Windows Explorer window open to verify that your script is still there, right click the task you created in Task Scheduler and select Run. You should see some of the test messages that you had specified as well as possibly a Powershell window briefly open. You will have one of two outcomes:
i. Either you will see all three test messages, this will be because your domain allows unsigned scripts to execute, you should consider closing this loophole you can see how here as indicated before.
ii. If you only have two test messages to clear than congratulations you require signed scripts in your domain. We will continue in the next section on how to sign scripts. After each test run you want to make sure that the location where you saved your test script has not been cleared such as with using C:\Windows\Temp\
o. You can repeat the test by logging out and back in again with the administrator and also by creating the task within the test standard user. Most likely you will get all the same results.
p. When you are finished testing you can delete the test task and the test script.
Signing a Script
There are multiple ways to sign a script, however in this case we are going to assume that you have already installed Microsoft Certificate Services Server somewhere on your network. I have adapted this guide for our use. You may refer to the section ‘Signing Certificates via Active Directory Certificate Services’ if you want images. If you are unsure of what you are doing, you should first run these steps in your testing environment, otherwise you can run these steps on your desktop PC.
1. Open Server Manager from either your Certificate Server PC or from a Domained PC with RSAT installed and all your Servers added to the tool. You can also add RSAT to Windows 10 1809 or later through ‘features on demand’ by going to Settings > Apps and Features > Optional Features > Add a Feature then pick all the RSAT items in that list that you will need.
2. Click on the AD CS icon on the left pane, and right click your desired server and select Certificate Authority.
3. Expand your desired certificate server and right click Certificate Templates and select Manage.
4. Double click the Code Signing Template.
a. If you would like to change the default one year issuance of the certificate instead right click the Code Signing template and select Duplicate.
b. In the General tab select the desired Validity period and Renewal Period.
c. You can also select other options to customize your certificate here if you so desire. Make sure to research the options if you are unfamiliar as you can inadvertently open up an attack vector.
5. Select the Security Tab, and select or add the group that you want to be able to request signing certificates.
a. Allow Read and Enroll.
6. Close the Certificate Templates Console and go back to Certsrv
7. Right Click on the Certificate Templates and select NEW > Certificate Template to Issue.
8. Select the Code Signing template.
9. Click OK and close the Certificate Authority Console (certsrv).
10. On your machine Press the Windows Key + R and type mmc and OK.
11. Select File > Add/Remove Snap-in…
12. Select Certificates, click on Add and then OK.
13. Make sure My user account is selected and click Finish.
14. Expand Certificates, and right click on Personal > All Tasks > Request New Certificate.
15. Click Next > Active Directory Enrollment Policy > Next.
16. Select your Code Signing Certificate Template.
17. Expand Details and then click on Properties.
18. Go to the Private Key tab, Key Options, and select Make private key exportable then click OK.
19. Click Enroll, and then Finish.
20. You should see your certificate now in the Personal \ Certificates folder.
21. [Optional] You can skip to step 22 in order to start signing your scripts now, or you can continue to add the certificate to the Trusted Publishers for your domain adapted from this guide.
a. While still in the Personal \ Certificates folder, right click on the newly created certificate and select All Tasks > Export…
b. Click Next > Next
c. Select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)
i. If you are going to deploy this certificate for the script on another domain then you might want to select Include all certification path if possible, please find a guide on how this may work. Please note if the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store.
d. Click Next > Browse, choose a secure location to save the certificate (usually your computer’s desktop) and then choose a useful file name, and click Save.
e. Click Next > Finish after reviewing the Export Wizard Settings window. You will get a message indicating the export was successful, click OK.
f. Open Server Manager from your domained PC, go to Tools > Group Policy Management
g. You will now import the certificate you just exported into a new GPO. Either go to Group Policy Objects and find an existing GPO or create a new GPO by creating one by right clicking Group Policy Objects and selecting New and type in a name according to your organizations standard naming policy.
i. If the GPO is pre-existing ensure that it is associated with the domain, site, or organizational unit whose users you want affected by the policy.
h. Right click the GPO, and then select Edit…
i. In the left navigation pane, open Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers.
j. Right click in the right pane or click the Action menu, and then click Import…
k. Click Next > Browse. . . and change the file type option to PKCS #7 Certificates (*.spc;*.p7b)
l. Find your certificate and then select Open > Next.
m. Ensure that the Certificate Store that the certificate will be placed in is Trusted Publishers and then click Next.
n. Ensure that the Import Settings are correct and then click Finish.
o. You should now see the certificate in the Group Policy Management Editor window, close the window after you have verified that it is there. It should be listed with your name or the name that is used for your domain account.
p. Now back in your Group Policy Management window, right click the OUs, domains, or sites where the computers you want to run scripts and select Link an Existing GPO… and select the GPO that you just edited.
i. If you want to test on one PC then you could isolate that to a group within the domain to which the GPO exists.
q. Right click the linked GPO and enable it by selecting Enforced, a tick mark should appear next to it in the right clicked list along with a locked icon next to the linked GPO.
r. You can now restart or run gpupdate /force on the computers within the OUs that the policy is enabled to install the certificate.
s. Select the Certificate / MMC window which shows certificates on your computer (or a computer that you applied the GPO to).
t. Open the Trusted Publishers / Certificates folder and now find the Trusted Certificate located here.
22. Go to an Administrator Powershell window and type the following command:
dir Cert:\CurrentUser\My -CodeSigningCert
23. Locate the certificate that you created for Code Signing, it should be the one with the CN= your domain user full name (usually first middle last names).
24. Now we will assign a variable to this certificate so we can pass it along to the cmdlet to sign your script. In this example we will make the variable called cscert. Pay attention to where your certificate exists in the list shown below. If it is listed first then we will use [0] at the end of the command to specify it, [1] if it is second, [2] if it is third, etc. Type the full command in below to Powershell assuming that the certificate was first in the list.
$cscert =(dir Cert:\CurrentUser\My -CodeSigningCert)[0]
25. Type the following to verify that the correct certificate was selected:
$cscert
26. Now we will sign the script with Set-AuthenticodeSignature cmdlet.
a. Navigate to the directory that has your script created above so if it is on your Desktop you would type (replace yourusername with your user name):
cd C:\Users\yourusername\Desktop
b. Open your script in notepad and verify that it is correct, then close it
c. Run the following command to sign the script (change the script name if you are testing with other scripts):
Set-AuthenticodeSignature .\StoreEdgeScript.ps1 -Certificate $cscert
27. Now we will use the Get-AuthenticodeSignature cmdlet to verify that the correct certificate was applied. Type in the command below for your script:
Get-AuthenticodeSignature .\StoreEdgeScript.ps1 | ft -AutoSize
28. You should see something like this:
|
PS C:\Users\yourusername\Desktop> Get-AuthenticodeSignature .\StoreEdgeScript.ps1 | ft -AutoSize |
||
|
|
||
|
SignerCertificate |
Status |
Path |
|
----------------- |
------ |
---- |
|
SQ3KQ4SCI486R33MIUE9NHL1UAAUE4RH5ZIHBEYF |
Valid |
StoreEdgeScript.ps1 |
29. Open your script again with notepad you should now see the script directly below the last line of your script as in this example:
# SIG # Begin signature block
# Some long text of random characters….
# SIG # End signature block
30. Go back to your desktop and delete the exported certificate if you created it earlier in Step 21.
Testing the StoreEdgeScript.ps1
1. We will now make sure the script runs on a test environment. In order to do that you could create a testing user in your regular domain, but since all we want to know is that the script runs, we will first edit the script to enter a message item into it so that we get some sort of confirmation that something happens. Make sure that the script is run on a computer that has the certificate installed in the trusted publisher store e.g. a computer that is in an OU that the GPO was installed as shown above. To start log into the test PC.
2. Press WIN + R and type in mmc.
3. Select File > Add/Remove Snap-in…
4. Select Certificates > Add > My user account > Finish > OK
5. Expand Certificates - Current User > Trusted Publishers > Certificates
6. Make sure the Code Signing certificate with your Domain First Middle Last name is there.
a. If it is not there, open a Powershell or CMD window and type gpupdate /force and hit enter, it may ask you to logout.
b. Log back in redoing steps 2 to 5 and check again
c. If it is still not there you have to go back to the previous section and figure out which OU the computer is in and either redo step 21 p, or move to a PC that you know is in an OU that has the GPO that you previously linked on. You can get the computer name by typing hostname.
7. Copy your StoreEdgeScript.ps1 to the Desktop of the test PC.
8. Open the script with Notepad: WIN + R > notepad > File > Open.
Before the # SIG # Begin signature block type in the following to make a message appear after the script runs:
msg %username% Script has run
9. Save the script.
10. Open an Administrator CMD window; Click the Start Menu > type cmd > (right click) or select Run as administrator
a. We are running it in CMD window because that is the way that Task Scheduler runs the task.
11. Navigate to where you had saved the script by typing (modify the command for your use and replace yourusername with your username)
C:
Cd \Users\yourusername\Desktop
12. Run the script by typing the following into the command prompt
powershell -ExecutionPolicy Remote-Signed -command "& .\StoreEdgeScript.ps1"
13. You should get your message box, select OK. If you get the message box then the script ran correctly and should run correctly.
a. If you do not get the message box then there might be a problem with
i. The Certificate Signing Process
ii. The location that you are running the script from
iii. Some of the code that you put in the script
iv. The execution command
b. Troubleshoot by reviewing from step 1, and then by running the script in Powershell, and or the permissions that you have on that computer. There may be other factors that are affecting you. You could try a different command for testing.
14. Delete the test script on the test machine, and log off from that machine.
Implementing the Script in Group Policy
1. Open a Windows Explorer window on your domain PC and start an administrator CMD window:
a. Click the Start Menu > type cmd > (right click) or select Run as administrator
2. Type the following command into the window
systeminfo | findstr /B /C:"Domain"
3. You will now see the Domain name for your computer
4. Go back to the Windows Explorer
a. We will need some place to place the script where everyone will have read access to it, the best place would be the NETLOGON share
b. You can also choose another location, but it is very important that regular users only have read access and that it is not well known.
5. In the address bar where the current location in text is type in the following (replacing yourdomain.com with your domain obtained in step 2
\\yourdomain.com\NETLOGON\
6. Copy your signed StoreEdgeScript.ps1 here.
7. Open Server Manager PC, go to Tools > Group Policy Management
8. Create a new GPO by right clicking Group Policy Objects and selecting New and type in a name according to your organizations standard naming policy.
9. Right click the new GPO and select Edit…
10. Because we are implementing this on something that runs after the user has logged in we will be working within the User space. There are two sections in Group Policy Objects, one for the System space (runs system processes in the background), and one in the User space, it is important to pay attention to this when implementing items on Group Policy.
11. Navigate to User Configuration > Preferences > Control Panel Settings > Scheduled Tasks
12. In the Scheduled Tasks pane right click and select New > Scheduled Task (At least Windows 7)
a. The options for new have two operating system choices (one you will never want), and two types of Scheduled Task execution types.
i. The first two Scheduled Task, and Immediate Task (Windows XP) are both for obsolete versions of Windows and thus should never be used and won’t work. You always want the choices that say (At least Windows 7), as this will work for everything newer than Windows 7, including Windows 10.
ii. The first type of task is a regular Scheduled Task like what you would create if you opened Scheduled Tasks normally.
iii. The Immediate Task is something that runs as soon as Group Policy updates on a client machine and runs only once (if set correctly).
13. In the General Tab (1st tab) set the following:
a. Name: Give a useful name
b. When running the task use the following user account: %LogonDomain%\%LogonUser%
c. Run only when user is logged on: selected
d. Run with highest privileges: ticked
e. Configure for: Windows® 7, Windows Server™ 2008R2
14. Triggers Tab:
a. Click New…, select Begin the task to At log on.
b. Make sure Any user is selected in the Settings Section
c. In the Advanced Settings section set:
i. Tick Delay task for: 1 minute, this is to make sure the login process has time to occur, you can increase this time on slower PCs (if they take longer to login)
ii. And ensure Enabled is selected.
15. Conditions Tab:
a. Make sure nothing is ticked here
16. Settings Tab:
a. Make sure nothing is ticked here
b. If the task is already running, then the following rule applies: Do not start a new instance
17. Common Tab:
a. Make sure nothing is ticked here
18. Actions Tab:
a. Click New…, select Action to Start a program
b. In Program/script:
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
c. In Add arguments(optional):
-ExecutionPolicy Remote-Signed -windowstyle hidden -command "& \\YourDomain.com\NETLOGON\StoreEdgeScript.ps1"
d. Click OK
19. Click on OK to close the Scheduled task
20. Close the Group Policy Management Editor window.
21. Now back in your Group Policy Management window, right click the OUs, domains, or sites where the computers you want to run scripts and select Link an Existing GPO… and select the GPO that you just edited.
a. If you want to test on one PC then you could isolate that to a group within the domain to which the GPO exists.
22. Right click the linked GPO and enable it by selecting Enforced, a tick mark should appear next to it in the right clicked list along with a locked icon next to the linked GPO.
23. You can now restart or run gpupdate /force on the computers within the OUs that the policy is enabled to set the scheduled task.
24. Log into one of the computers and click WIN + R and type taskschd.msc
25. You should now see the Scheduled task in the Task Schedule Library. If now you may have
a. Set the GPO in the wrong OU
b. DIdn’t run gpupdate /force on the computer
26. Make a backup of the StoreEdgeScript.ps1 somewhere secure.
Final Testing
1. Log into a computer that you know that has the Scheduled task enabled and installed
2. Click Start > type Edge > right click Edge > and select Pin to Taskbar
3. Click Start > type Store > right click Microsoft Store > and select Pin to Taskbar
4. Restart the PC
5. Login to the PC as normal
6. Wait for about a minute or two, Edge and Store should disappear from the taskbar immediately.
As I wrote this script and procedure for a specific task, you can reuse the steps to put in whatever login, or one time thing you want removed, installed, or otherwise set.
Some ideas:
- Set a script to run in an immediate (apply once) Task to remove all the default Windows Store Apps
- Set a script to uninstall OneDrive
- Set a script to run in an immediate (apply once) remove Windows tracker services/tasks
The following links were used to develop this guide:
https://community.spiceworks.com/how_to/158771-how-to-delete-user-profile-in-windows-10
https://4sysops.com/archives/set-powershell-execution-policy-with-group-policy/
https://4sysops.com/archives/run-powershell-scripts-as-immediate-scheduled-tasks-with-group-policy/
https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html
Comments
Post a Comment