Windows 10 and Server 2016 Start Menu broken after domain join

The built-in AppLocker policy turns on automatically after domain join and blocks GUI functionality.


One of the most interesting and annoying things I've found in Windows 10 and Server 2016 is that they include a set of default AppLocker policies that disable functionality native to Windows itself and actually prevent you from using search or the Start menu. Normally this won't affect you at all on non-domain-joined devices, but if no policy is applied when you domain join, AppLocker turns on automatically. This was quite fun to figure out originally, but now there are plenty of articles out there about it. Still, most don't give simple instructions on how to fix the issue.

If you don't know what AppLocker is, you can read more about it here:

AppLocker is turned on by default on any domain-joined computer running 10/2016 if no policy is set that disables its functionality. Basically, what caused our issue is that AppLocker blocks Cortana, the Store, the search index, and parts of the tiles functionality. Effectively this breaks most of the GUI, since most of those are integrated throughout the Start menu.

1. Wipe out the AppLocker policies in Group Policy or explicitly define only the ones you want. Here is a nice article that explains modifying them; I don't feel like reinventing the wheel: .

2. Set AppLocker to audit only if possible. If you're not currently using AppLocker, it is an amazing feature and you should investigate it. But if you have no plans to properly implement it at this time, it's better to just set it to audit only. This may generate a tiny bit of audit log noise, but nothing compared to normal audit log noise in a large domain.

3. Additionally, don’t set it to disabled unless you also clean out the rules by setting them in Group Policy. Here are more articles about this issue. At least now there is information about it; it was a fun one to troubleshoot originally.
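To check which rule collections are actually enforcing before changing anything, and to build the audit-only policy from step 2, here is an added PowerShell example (not from the original post). The function names and the sample policy XML are constructed for illustration; the check relies on the documented AppLocker behaviour that a collection containing rules is enforced unless its mode is `AuditOnly`, even when the mode is `NotConfigured`.

```powershell
# Constructed sample policy. On a real host, read the effective policy instead:
#   [xml]$policy = Get-AppLockerPolicy -Effective -Xml
[xml]$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Constructed sample rule"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Example Publisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
</AppLockerPolicy>
'@

# Hypothetical helper: one row per rule collection with its mode and rule count.
function Get-AppLockerCollectionSummary {
    param([Parameter(Mandatory)][xml]$Policy)
    foreach ($rc in $Policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $ruleCount = $rc.SelectNodes('*').Count
        $mode      = $rc.GetAttribute('EnforcementMode')
        [pscustomobject]@{
            Collection = $rc.GetAttribute('Type')
            Mode       = $mode
            RuleCount  = $ruleCount
            # Rules present and not AuditOnly: anything the rules do not allow is blocked.
            Blocking   = ($ruleCount -gt 0 -and $mode -ne 'AuditOnly')
        }
    }
}

# Hypothetical helper: return a copy of the policy with every collection set to AuditOnly.
function ConvertTo-AuditOnlyPolicy {
    param([Parameter(Mandatory)][xml]$Policy)
    $copy = $Policy.Clone()
    foreach ($rc in $copy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $copy.OuterXml
}

Get-AppLockerCollectionSummary -Policy $samplePolicy | Format-Table -AutoSize
$auditXml = ConvertTo-AuditOnlyPolicy -Policy $samplePolicy
Get-AppLockerCollectionSummary -Policy ([xml]$auditXml) | Format-Table -AutoSize
```

Save `$auditXml` to a file and import it into the GPO's AppLocker node, or apply it locally with `Set-AppLockerPolicy -XmlPolicy <file>`; with audit-only in place, packaged-app decisions show up in the `Microsoft-Windows-AppLocker/Packaged app-Execution` event log instead of blocking the Start menu.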

Hopefully this prevents some people from having the same issues as we did originally. Or maybe it will get someone to convince Microsoft to fix the underlying issue.