Personalization for Non-Enterprise SKUs
INTRO
The personalization and branding of the Windows endpoints in your organization is important. It looks more professional and should be consistent. In Windows we can manage all of this with Group Policy, that is, if your business didn’t buy Windows 10 Home or Pro licenses. Windows 10 makes customizing the look a bit complicated for Non-Enterprise SKUs. Here are the main GPOs:
PERSONALIZATION GROUP POLICIES
Windows Spotlight:
Group Policy: User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows spotlight features
File Location: C:\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets
Lock Screen:
Group Policy: Computer Configuration\Administrative Templates\Control Panel\Personalization\Force a specific default lock screen and logon image
File Location: C:\Windows\Web\Screen
Logon Image:
Group Policy: Computer Configuration\Administrative Templates\Control Panel\Personalization\Force a specific default lock screen and logon image
File Location: C:\Windows\Web\Screen
Desktop Wallpaper:
Group Policy: User Configuration\Administrative Templates\Desktop\Desktop\Desktop Wallpaper
File Location: C:\Windows\Web\Wallpaper\Windows
Secure Logon Background:
Group Policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon: Do not require CTRL+ALT+DEL
User Account Pictures:
Group Policy: Computer Configuration\Administrative Templates\User Accounts\Apply the default account picture to all users
File Location: C:\ProgramData\Microsoft\User Account Pictures
There are quite a few options to manage but Microsoft has made it so that Non-Enterprise SKUs can’t utilize the “Force a specific default lock screen and logon image” GPO. This affects other elements in Windows regarding the look.
WHAT THE POWERSHELL SCRIPT WILL DO
Through research I found a way to accomplish this, and added my own additions and edits. Although it is not an official solution by Microsoft, it worked perfectly for me when deployed through RMM as a PowerShell script. Make sure the image assets you want to use are in the executing script directory.
The script will:
– Enable secure sign-in (requires Ctrl+Alt+Del)
– Set secure sign-in wallpaper.
– Set desktop wallpaper.
– Disable the default Windows sign-in background (this is the picture that appears behind the user account when selecting which user account to login to).
– Disable Windows Spotlight (a feature that randomly changes the lock screen image for users, using cloud-delivered images selected by Microsoft).
– Set Windows to use the default user account picture.
– Replace the default account pictures with your custom image assets.
DEPLOYING GROUP POLICIES
Note: This job should only be run on Windows 10 Home devices but will also work for Pro. With Windows 10 Pro and Pro devices joined to the domain, we can use Group Policy to set several of these items, except for the lock screen and logon image which is only available to Enterprise, Education, and Server SKUs. This script will not edit Group Policy but make the changes directly to the registry.
To deploy Group Policies without a domain server, you can use LGPO and deploy with RMM.
- To deploy Group Policies, use gpedit.msc to set the policies you desire on your source endpoint.
- Then do a gpupdate /force to verify there are no conflicts.
- Then copy the following files to a location, for this example, we will use “D:\GPOsExport” where “D” is a USB drive:
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
C:\Windows\System32\GroupPolicy\User\Registry.pol
- The above files contain your GPO settings. Download LGPO and then go to its directory in Command Prompt.
- To deploy the GPOs to your destination machine, here is an example in Command Prompt:
LGPO /m "D:\GPOsExport\GroupPolicy\Machine\Registry.pol"
LGPO /u "D:\GPOsExport\GroupPolicy\User\Registry.pol"
- Once done, both Machine and User policies will be deployed. This gives you a start converting the command to PowerShell if you want to go that way as well.
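Registry.pol files carried on a USB drive are applied with no check that they are the files you exported, and the import overwrites whatever local policy the destination already had. The following added example (not part of the original post) wraps the LGPO steps above with a SHA-256 manifest check and an `LGPO /b` backup before import. It assumes LGPO.exe is in the current directory and returns a non-zero exit code on failure; the manifest, backup, and review file names are hypothetical.

```powershell
# Added example. Paths follow the LGPO commands above; file names marked
# "hypothetical" are illustrative and not from the original post.
$ExportRoot = 'D:\GPOsExport\GroupPolicy'
$Manifest   = Join-Path $ExportRoot 'Registry.pol.sha256.csv'   # hypothetical
$PolFiles   = [ordered]@{ m = 'Machine\Registry.pol'; u = 'User\Registry.pol' }

# Run on the SOURCE endpoint after copying the files to the drive.
function New-PolManifest {
    $PolFiles.GetEnumerator() | ForEach-Object {
        $Hash = (Get-FileHash -Path (Join-Path $ExportRoot $_.Value) -Algorithm SHA256).Hash
        [pscustomobject]@{ Scope = $_.Key; File = $_.Value; Sha256 = $Hash }
    } | Export-Csv -Path $Manifest -NoTypeInformation
}

# Run on the DESTINATION endpoint from an elevated prompt.
function Import-VerifiedPol {
    $Rows = Import-Csv -Path $Manifest
    # 1. Refuse to import anything if either file differs from the manifest.
    foreach ($Row in $Rows) {
        $Actual = (Get-FileHash -Path (Join-Path $ExportRoot $Row.File) -Algorithm SHA256).Hash
        if ($Actual -ne $Row.Sha256) { throw "Hash mismatch for $($Row.File); nothing was imported." }
    }
    # 2. Back up the current local policy so the import can be rolled back.
    $Backup = 'C:\GPOsBackup'                                    # hypothetical
    New-Item -Path $Backup -ItemType Directory -Force | Out-Null
    & .\LGPO.exe /b $Backup
    if ($LASTEXITCODE -ne 0) { throw 'LGPO backup failed; nothing was imported.' }
    # 3. Keep a readable dump of what is being applied, then import it.
    foreach ($Row in $Rows) {
        $Pol = Join-Path $ExportRoot $Row.File
        & .\LGPO.exe /parse "/$($Row.Scope)" $Pol |
            Out-File -FilePath (Join-Path $Backup "imported-$($Row.Scope).txt")
        & .\LGPO.exe "/$($Row.Scope)" $Pol
        if ($LASTEXITCODE -ne 0) { throw "LGPO import failed for $($Row.File)." }
    }
}
```

A manifest stored on the same drive only catches corruption or a wrong file; send it to the destination over a separate channel if you also want to catch tampering with the drive.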
POWERSHELL SCRIPT AND RMM
$WindowsVersion = [System.Environment]::OSVersion.Version.Major
$ExecutingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent

# Create Directory and Copy Wallpaper.
New-Item -Path "$env:SystemRoot\System32\oobe\info\backgrounds" -ItemType Directory -Force | Out-Null
Move-Item -Path "$ExecutingScriptDirectory\BackgroundDefault.jpg" -Destination 'C:\Windows\System32\oobe\info\backgrounds' -Force
$LockScreenImage = "C:\Windows\System32\oobe\info\backgrounds\BackgroundDefault.jpg"

if ($WindowsVersion -eq 6) {
    # Clear out any other images but keep the one just moved into place.
    # (A wildcard delete here would also remove BackgroundDefault.jpg.)
    Get-ChildItem -Path 'C:\Windows\System32\oobe\info\backgrounds' |
        Where-Object { $_.Name -ne 'BackgroundDefault.jpg' } |
        Remove-Item -Force
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" -Name "OEMBackground" -Value 1 -Force
} elseif ($WindowsVersion -eq 10) {
    # New-ItemProperty does not create missing keys, so create the key first.
    $SharedPCKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC"
    if (!(Test-Path $SharedPCKeyPath)) {
        New-Item -Path $SharedPCKeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $SharedPCKeyPath -Name "SetEduPolicies" -Value 1 -PropertyType DWORD -Force | Out-Null

    $RegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"
    if (!(Test-Path $RegKeyPath)) {
        New-Item -Path $RegKeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $RegKeyPath -Name "LockScreenImageStatus" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $RegKeyPath -Name "LockScreenImagePath" -Value $LockScreenImage -PropertyType STRING -Force | Out-Null
    New-ItemProperty -Path $RegKeyPath -Name "LockScreenImageUrl" -Value $LockScreenImage -PropertyType STRING -Force | Out-Null

    # In case you want to force a corporate desktop image
    $DesktopImageValue = "C:\Windows\System32\oobe\info\backgrounds\BackgroundDefault.jpg"
    New-ItemProperty -Path $RegKeyPath -Name "DesktopImageStatus" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $RegKeyPath -Name "DesktopImagePath" -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
    New-ItemProperty -Path $RegKeyPath -Name "DesktopImageUrl" -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null

    # Disable Windows 10 Spotlight for all users (every hive currently loaded under HKEY_USERS)
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    # -Directory is a FileSystem-only parameter; -Name returns the subkey names as strings.
    $RegArray = Get-ChildItem -Path "HKU:\" -Name
    foreach ($RegItem in $RegArray) {
        $RegPath = "HKU:\$RegItem\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
        Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenEnabled" -Value 0 -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenOverlayEnabled" -Value 0 -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $RegPath -Name "ContentDeliveryAllowed" -Value 0 -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338388Enabled" -Value 0 -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338389Enabled" -Value 0 -Force -ErrorAction SilentlyContinue
    }

    # Disable Windows 10 Sign-in Background (create the policy key if it does not exist yet)
    $SystemPolicyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
    if (!(Test-Path $SystemPolicyPath)) {
        New-Item -Path $SystemPolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $SystemPolicyPath -Name "DisableLogonBackgroundImage" -Value 1 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null

    # Enable Secure Sign-in: DisableCAD = 0 requires Ctrl+Alt+Del, and the other
    # DisableCAD values are removed so they cannot conflict with it.
    New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Value 0 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue

    # Backup Account Pictures
    New-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\default" -ItemType Directory -Force | Out-Null
    Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
    Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
    Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user-32.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
    Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user-40.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
    Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user-48.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
    Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user-192.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force

    # Copy Custom Account Pictures
    Move-Item -Path "$ExecutingScriptDirectory\user.bmp" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
    Move-Item -Path "$ExecutingScriptDirectory\user.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
    Move-Item -Path "$ExecutingScriptDirectory\user-32.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
    Move-Item -Path "$ExecutingScriptDirectory\user-40.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
    Move-Item -Path "$ExecutingScriptDirectory\user-48.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
    Move-Item -Path "$ExecutingScriptDirectory\user-192.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force

    # Apply Default User Picture For All Users in Windows 10
    New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "UseDefaultTile" -Value 1 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null

    # Disable Windows 10 Spotlight for current user (in case the 'all users' portion skipped the current user due to a permissions error)
    $RegPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
    Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenEnabled" -Value 0 -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenOverlayEnabled" -Value 0 -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $RegPath -Name "ContentDeliveryAllowed" -Value 0 -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338388Enabled" -Value 0 -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338389Enabled" -Value 0 -Force -ErrorAction SilentlyContinue
}
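Most of the registry writes in the script use -ErrorAction SilentlyContinue, so an RMM job can report success while secure sign-in or the lock screen policy was never applied. The following read-only audit is an added example (not part of the original script) that compares the machine-wide values the script targets with what is actually in the registry. The function name and the baseline table are hypothetical, and an Expected value of $null means the value must be absent.

```powershell
# Added example: read-only check of the HKLM values the deployment script sets.
# Function name and baseline layout are hypothetical, not from the original post.
$LockImage = 'C:\Windows\System32\oobe\info\backgrounds\BackgroundDefault.jpg'
$Csp       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP'

# Expected = $null means "this value must NOT exist" (the script removes it).
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';         Name = 'DisableCAD';                  Expected = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';     Name = 'DisableCAD';                  Expected = $null }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                    Name = 'DisableLogonBackgroundImage'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC';            Name = 'SetEduPolicies';              Expected = 1 }
    @{ Path = $Csp;                                                                  Name = 'LockScreenImageStatus';       Expected = 1 }
    @{ Path = $Csp;                                                                  Name = 'LockScreenImagePath';         Expected = $LockImage }
    @{ Path = $Csp;                                                                  Name = 'DesktopImagePath';            Expected = $LockImage }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Name = 'UseDefaultTile';              Expected = 1 }
)

function Test-PersonalizationBaseline {
    foreach ($Item in $Baseline) {
        # A missing key or missing value both come back as $null here.
        $Key    = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
        $Actual = if ($Key) { $Key.($Item.Name) } else { $null }
        [pscustomobject]@{
            Name      = $Item.Name
            Path      = $Item.Path
            Expected  = $Item.Expected
            Actual    = $Actual
            Compliant = ($Item.Expected -eq $Actual)
        }
    }
    # The registry can point at an image that was never copied; check the file too.
    $ImagePresent = Test-Path -Path $LockImage -PathType Leaf
    [pscustomobject]@{
        Name = 'BackgroundDefault.jpg'; Path = $LockImage
        Expected = $true; Actual = $ImagePresent; Compliant = $ImagePresent
    }
}

# Rows that failed; an empty result means every check passed.
Test-PersonalizationBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it from the same RMM context as the deployment script; the per-user Spotlight values under HKEY_USERS are not covered because they depend on which profiles were loaded at deployment time.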
REMOVAL SCRIPT
Of course, we should have a removal script in case we need to revert.
$WindowsVersion = [System.Environment]::OSVersion.Version.Major

if ($WindowsVersion -eq 6) {
    Remove-Item -Path 'C:\Windows\System32\oobe\info\backgrounds\*' -Force
    # 0 turns the OEM logon background off again (the deployment script set it to 1).
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" -Name "OEMBackground" -Value 0 -Force
} elseif ($WindowsVersion -eq 10) {
    # Remove the SetEduPolicies value that the deployment script created.
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC" -Name "SetEduPolicies" -Force -ErrorAction SilentlyContinue

    # Remove the lock screen and desktop image settings, if the key exists.
    $RegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"
    if (Test-Path $RegKeyPath) {
        Remove-ItemProperty -Path $RegKeyPath -Name "LockScreenImageStatus" -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $RegKeyPath -Name "LockScreenImagePath" -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $RegKeyPath -Name "LockScreenImageUrl" -Force -ErrorAction SilentlyContinue

        # In case you want to remove a corporate desktop image
        Remove-ItemProperty -Path $RegKeyPath -Name "DesktopImageStatus" -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $RegKeyPath -Name "DesktopImagePath" -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $RegKeyPath -Name "DesktopImageUrl" -Force -ErrorAction SilentlyContinue
    }

    # Enable Windows 10 Spotlight for all users (every hive currently loaded under HKEY_USERS)
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    # -Directory is a FileSystem-only parameter; -Name returns the subkey names as strings.
    $RegArray = Get-ChildItem -Path "HKU:\" -Name
    foreach ($RegItem in $RegArray) {
        $RegPath = "HKU:\$RegItem\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
        Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenEnabled" -Value 1 -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenOverlayEnabled" -Value 1 -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $RegPath -Name "ContentDeliveryAllowed" -Value 1 -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338388Enabled" -Value 1 -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338389Enabled" -Value 1 -Force -ErrorAction SilentlyContinue
    }

    # Enable Windows 10 Sign-in Background
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "DisableLogonBackgroundImage" -Force -ErrorAction SilentlyContinue

    # Disable Secure Sign-in
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue

    # Enable Windows 10 Spotlight for current user (in case the 'all users' portion skipped the current user due to a permissions error)
    $RegPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
    Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenEnabled" -Value 1 -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenOverlayEnabled" -Value 1 -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $RegPath -Name "ContentDeliveryAllowed" -Value 1 -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338388Enabled" -Value 1 -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338389Enabled" -Value 1 -Force -ErrorAction SilentlyContinue

    # Note: the account pictures backed up to "User Account Pictures\default" and the
    # UseDefaultTile value are not reverted by this script.
}
CONCLUSION
This was a life changing journey, since so many people buy Home and Pro devices, the perfectionist in me was not a happy camper. It was great to finally get a solution to this, and while Microsoft tried to prevent it, the people won this battle.
My name is Dex Sandel, author at WinReflection, a blog which aims to help others on various IT and Christian related subjects. DON’T TREAD ON ME! The best is yet to come, and nothing can stop what’s coming!
shiii! thank you so much for this excellent content!! it’s perfection – beautiful