What follows is applicable only to Windows 7 / Server 2008R2. Certain updates to Windows (even to those versions) may have invalidated this advice, but I am leaving this article here in case it still works for some.
Beyond this, there is a more reliable option that you can read about here. I am confident this newer strategy will work on all versions of Windows.
Every time a new user logs into Windows, Explorer (explorer.exe), Internet Explorer (iexplore.exe) and Windows Media Player (wmplayer.exe) are automatically pinning to the taskbar. You disabled ActiveSetup. You exported/imported registry keys and made your .lnks, and still they were pinned. Not even a copying a profile with the desired setup (and using it as your mandatory one) stopped it.
You may have tried the “Remove pinned programs from the taskbar” GPO only to realize it prevented the pinning of anything at all. Maybe you even found a .vbs script that worked, but which took forever to achieve your goal.
So, how do we prevent these guys from pinning themselves, and how do we do it cleanly?
I will address customized taskbar items later in this post (and don’t worry, you won’t need a sysprep with an unattend.xml file and TaskbarLinks). But for now, let’s start with the fix for the auto-pinning.
I have to start by crediting the AppSense Bigot (as I often do on this blog) because he actually (technically) found the solution. He was, however, on a totally different train of thought, so your Google Fu might not have led his way for the answer.
In his post, he speaks to an attempt to pin a specific file to the taskbar (with a .chm extension). He created a shortcut to the file (more specifically, to the hh.exe program which handles .chm files) but found that Windows wouldn’t let him right-click and pin the item to the taskbar. Eventually, he found the following registry value:
This string consists of a semicolon-separated list of .exes. And sure enough, there was hh.exe right there in the middle. It turns out that this value is here to prevent certain programs from being ever being pinned to the taskbar. If you’re wondering what happens when you add iexplore.exe and wmplayer.exe to this REG_SZ value, you’re ahead of me. It turns out, it stops Windows from pinning them automatically. You can also add explorer.exe in the same way, for the record, I am just personally not sure why you would. Everybody likes that one pinned, right?
Admittedly, this will prevent users from manually pinning them later, but since you are going to enforce your own custom set, that shouldn’t be too much of a concern. If it is a concern, then sorry, this post isn’t the one you’re after.
Pinning Custom Items to the Taskbar
I expect that most people will have figured this part out before consulting Google about the above fix. This question is actually addressed all over the internet, and especially well by the infamous Brink. However, for the sake of convenience, and in case you haven’t got your custom pins sorted by this point, here’s how:
Taskbar pins are handled by a combination of a registry key and a set of .lnk files in a particular folder. You really do need both of these — it won’t work if you try to manage one without the other.
Set up a taskbar exactly as you want your users to see it. That is, unpin anything you don’t want there, and pin the things you do. Now, the shortcuts you pinned exist as .lnk files at the following hidden path:
%appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
You will need to create these files exactly as they appear in that folder for each new user. You can toss them into the default/mandatory user profile at that %appdata% location, or you can import them into AppSense for creation at login. You could even write a login script if you like making things hard on yourself for some reason, but in any case, you’re not quite done yet.
Once you’ve got these icons sorted, you will need to export the following registry key:
It will be filled with some binary values and DWORDs that will likely make no sense to you. Don’t worry: they don’t make sense to anybody else either. The point is that you need to export this key as-is, and subsequently import it for new profiles (again through a customized default/mandatory profile, AppSense, login script, etc.).
This process does not require you to kill and restart Explorer. If you are finding that to be the case, you need to apply the changes sooner. Even via AppSense login actions, I was able to spin up a new desktop with pins configured exactly as desired, and with no delay.
Hopefully this clears up the whole process. Let me know if any of this was confusing (or if it wasn’t!).