More than I would like, I encounter programs that write shortcuts to the public and/or user desktop. This applies to installations as well as (partly) updates. To remove unwanted desktop shortcuts as soon as they appear, I used a Proactive Remediation feature in Endpoint Manager. This allows me to proactively remove desktop shortcuts.

Table of Contents

Proactive Remediation Package at GitHub

Download @GitHub

Requirements - Licenses

  • Enterprise: Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Academic: Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows 10/11 Virtual Desktop Access (VDA) per user

More information in the Microsoft Docs: Proactive remediations - Microsoft Endpoint Manager

Detection

The detection script is relatively simple. The first line lists the shortcuts to monitor/remove. These in turn are then searched for on the public desktop or on all desktops. If a link is detected, the script ends with the exit code "1". This tells the endpoint manager to run the remediation script and delete the shortcuts.

$Shortcuts2Remove = "Google Chrome.lnk", "VLC media player.lnk"
$DesktopPath = "C:\Users\Public\Desktop" # Public and User Desktop: "C:\Users\*\Desktop\*", for Public Desktop shortcuts only: "C:\Users\Public\Desktop" 
$ShortcutsOnClient = Get-ChildItem $DesktopPath
$ShortcutsUnwanted = $ShortcutsOnClient | Where-Object -FilterScript {$_.Name -in $Shortcuts2Remove }

if (!$ShortcutsUnwanted) {
	Write-Host "All good, no shortcuts found. "
	exit 0
}else{
	Write-Host "Unwanted shortcut detected."
	Exit 1
}
Code language: PowerShell (powershell)

Remediation

In the remediation script, I use the same logic for detection. The unwanted desktop shortcuts on the public or all desktops are also read out, then all files that were recognized on the local desktop and are in the "Shortcuts2Remove" array are deleted.

$Shortcuts2Remove = "Google Chrome.lnk", "VLC media player.lnk"
$DesktopPath = "C:\Users\Public\Desktop" # Public and User Desktop: "C:\Users\*\Desktop\*", for Public Desktop shortcuts only: "C:\Users\Public\Desktop" 
$ShortcutsOnClient = Get-ChildItem $DesktopPath

try{
    $($ShortcutsOnClient | Where-Object -FilterScript {$_.Name -in $Shortcuts2Remove }) | Remove-Item -Force
    Write-Host "Unwanted shortcut(s) removed."
}catch{
    Write-Error "Error removing shortcut(s)"
}
Code language: PowerShell (powershell)

With the detection shown above, we remove unwanted desktop shortcuts proactively and easily.

Setup

If your tenant meets the license requirements, you can go to "Reports > Endpoint analytics > Proactive remediations" create a script package:

create Proactive remediations

You give this a meaningful name and optionally a description.

Proactive remediations Name and description

In the settings you upload the detection.ps1 on the one hand and the remediation.ps1 on the other. Both files can and should be adjusted as needed.

Proactive remediations Settings

You only have to set the scope tag if this feature is actively used in your environment.
Otherwise you can continue with the assignment and also define in it how often the detection should be made. I chose hourly here to intercept changes as quickly as possible.

Proactive remediations Schedule

Apart from the unwanted shortcuts, do you want to distribute some? Then I have an article for you here: Manage desktop shortcut(s) / icon with Intune

4 Responses

  1. Alireza Nahangi says:
    23. August 2023 at 3:08

    Hi Florian,
    i have followed the all the steps unfortunately doesn't work any advice base on below information

    im trying to remove two RDP shortcut from users' desktops

    "Azure RDS NonProd.rdp", "AZUR RDS.rdp"

    note: one thing is different for us is our desktop users syncing with their one drive to backup everything there so the location for our user might be different

    C:\Users\usernamexxx\OneDrive - companyname\Desktop

    Detection-----------------------------

    $Shortcuts2Remove = "Azure RDS NonProd.lnk", "AZUR RDS.lnk"
    $DesktopPath = "C:\Users\Public\Desktop" # Public and User Desktop: "C:\Users\*\Desktop\*", for Public Desktop shortcuts only: "C:\Users\Public\Desktop"
    $ShortcutsOnClient = Get-ChildItem $DesktopPath
    $ShortcutsUnwanted = $ShortcutsOnClient | Where-Object -FilterScript {$_.Name -in $Shortcuts2Remove }

    if (!$ShortcutsUnwanted) {
    Write-Host "All good, no shortcuts found. "
    exit 0
    }else{
    Write-Host "Unwanted shortcut detected."
    Exit 1
    }

    Remediation---------------------------

    $Shortcuts2Remove = "Azure RDS NonProd.lnk", "AZUR RDS.lnk.lnk"
    $DesktopPath = "C:\Users\Public\Desktop" # Public and User Desktop: "C:\Users\*\Desktop\*", for Public Desktop shortcuts only: "C:\Users\Public\Desktop"
    $ShortcutsOnClient = Get-ChildItem $DesktopPath

    try{
    $($ShortcutsOnClient | Where-Object -FilterScript {$_.Name -in $Shortcuts2Remove }) | Remove-Item -Force
    Write-Host "Unwanted shortcut(s) removed."
    }catch{
    Write-Error "Error removing shortcut(s)"
    }

    Reply
    • Florian says:
      23. August 2023 at 13:18

      Hi Alireza,
      You have to use the following in booth the detection and remediation:
      $DesktopPath = "C:\Users\*\*\Desktop\*"
      With the twi wildchrds, you incluede the OneDrive location. as an alternativ you could also use:
      $DesktopPath = "C:\Users\*\OneDrive - YourComapnyName\Desktop\*"

      Reply
  2. Dave says:
    23. October 2023 at 17:16

    I'm impressed, nearly anytime I have an idea what I could do in Intune, then Google it, I find an Article of you!

    Thank you for your work, I appreciate it! Even I have to rework most of your Scripts for my use case, it's still a great inspiration!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Florian Salzmann
Senior Workplace Consultant @UMB AG

Stay in the Loop with My Monthly Newsletter!