Windows 10

Personalization for Non-Enterprise SKUs




INTRO

Consistent personalization and branding of the Windows endpoints in your organization is important: it looks more professional. In Windows we can manage all of this with Group Policy, unless your business bought Windows 10 Home or Pro licenses. Windows 10 makes customizing the look a bit complicated for non-Enterprise SKUs. Here are the main GPOs:

PERSONALIZATION GROUP POLICIES

Windows Spotlight:
Group Policy: User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows spotlight features
File Location: C:\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets

Lock Screen:
Group Policy: Computer Configuration\Administrative Templates\Control Panel\Personalization\Force a specific default lock screen and logon image
File Location: C:\Windows\Web\Screen

Logon Image:
Group Policy: Computer Configuration\Administrative Templates\Control Panel\Personalization\Force a specific default lock screen and logon image
File Location: C:\Windows\Web\Screen

Desktop Wallpaper:
Group Policy: User Configuration\Administrative Templates\Desktop\Desktop\Desktop Wallpaper
File Location: C:\Windows\Web\Wallpaper\Windows

Secure Logon Background:
Group Policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL

User Account Pictures:
Group Policy: Computer Configuration\Administrative Templates\User Accounts\Apply the default account picture to all users
File Location: C:\ProgramData\Microsoft\User Account Pictures

There are quite a few options to manage, but Microsoft has made it so that non-Enterprise SKUs can’t use the “Force a specific default lock screen and logon image” GPO. This also affects other elements of the Windows look.

WHAT THE POWERSHELL SCRIPT WILL DO

Through research I found a way to accomplish this and added my own additions and edits. Although it is not an official solution from Microsoft, it worked perfectly for me when deployed through RMM as a PowerShell script. Make sure the image assets you want to use are in the executing script directory.

The script will:

– Enable secure sign-in (requires Ctrl+Alt+Del).
– Set the secure sign-in wallpaper.
– Set the desktop wallpaper.
– Disable the default Windows sign-in background (the picture that appears behind the user account when selecting which user account to log in to).
– Disable Windows Spotlight (a feature that changes the lock screen image for users at random, over the cloud, with images selected by Microsoft).
– Set Windows to use the default user account picture.
– Replace the default account pictures with your custom image assets.

DEPLOYING GROUP POLICIES

Note: This job should only be run on Windows 10 Home devices but will also work for Pro. With Windows 10 Pro, and Pro devices joined to the domain, we can use Group Policy to set several of these items, except for the lock screen and logon image, which is only available to Enterprise, Education, and Server SKUs. This script does not edit Group Policy; it makes the changes directly in the registry.

To deploy Group Policies without a domain server, you can use LGPO and deploy with RMM.

  • To deploy Group Policies, use gpedit.msc to set the policies you want on your source endpoint.
  • Then run gpupdate /force to verify there are no conflicts.
  • Then copy the following files to a location. For this example, we will use “D:\GPOsExport”, where “D” is a USB drive:
    • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
    • C:\Windows\System32\GroupPolicy\User\Registry.pol
  • The above files contain your GPO settings. Download LGPO and then go to its directory in Command Prompt.
  • To deploy the GPOs to your destination machine, here is an example in Command Prompt:
    • LGPO /m "D:\GPOsExport\GroupPolicy\Machine\Registry.pol"
    • LGPO /u "D:\GPOsExport\GroupPolicy\User\Registry.pol"
  • Once done, both Machine and User policies will be deployed. This gives you a starting point for converting the commands to PowerShell if you want to go that way as well.
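
One way to wrap the import steps above in PowerShell, written as an added example and not part of the original post: it backs up the destination machine's current local policy with LGPO's /b option and saves a readable dump of each Registry.pol with /parse before importing it, so the change can be reviewed and rolled back. The LGPO.exe location and the backup folder name are assumptions, as is LGPO returning a non-zero exit code on failure.

```powershell
# Added example: the two paths below are assumptions, adjust them to your environment.
$LgpoExe   = 'C:\Tools\LGPO\LGPO.exe'        # assumed location of the downloaded LGPO.exe
$ExportDir = 'D:\GPOsExport\GroupPolicy'      # export folder used in the steps above
$BackupDir = Join-Path $env:SystemDrive ("GPOBackup_{0:yyyyMMdd_HHmmss}" -f (Get-Date))

$PolFiles = @(
    @{ Switch = '/m'; Path = Join-Path $ExportDir 'Machine\Registry.pol' }
    @{ Switch = '/u'; Path = Join-Path $ExportDir 'User\Registry.pol' }
)

function Invoke-Lgpo {
    param([string[]]$Arguments)
    # Run LGPO.exe and stop on a non-zero exit code instead of continuing silently.
    $output = & $LgpoExe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "LGPO $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    $output
}

if (-not (Test-Path $LgpoExe)) { throw "LGPO.exe not found at $LgpoExe" }

# 1. Back up the current local policy of this machine so the import can be rolled back.
New-Item -Path $BackupDir -ItemType Directory -Force | Out-Null
Invoke-Lgpo -Arguments '/b', $BackupDir | Out-Null

foreach ($pol in $PolFiles) {
    if (-not (Test-Path $pol.Path)) {
        Write-Warning "Skipping missing file $($pol.Path)"
        continue
    }
    # 2. Save a readable dump of the settings next to the backup for review.
    $report = Join-Path $BackupDir ("Imported{0}.txt" -f $pol.Switch.Replace('/', '_'))
    Invoke-Lgpo -Arguments '/parse', $pol.Switch, $pol.Path | Set-Content -Path $report

    # 3. Import the policy file, as in the Command Prompt example.
    Invoke-Lgpo -Arguments $pol.Switch, $pol.Path | Out-Null
}

# 4. Refresh policy, as in the manual procedure.
gpupdate /force
```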

POWERSHELL SCRIPT AND RMM

PowerShell
$WindowsVersion = [System.Environment]::OSVersion.Version.Major
$ExecutingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent

# Create the backgrounds directory and move the wallpaper into it.
New-Item -Path "$env:SystemRoot\System32\oobe\info\backgrounds" -ItemType Directory -Force | Out-Null
Move-Item -Path "$ExecutingScriptDirectory\BackgroundDefault.jpg" -Destination 'C:\Windows\System32\oobe\info\backgrounds' -Force

$LockScreenImage = "C:\Windows\System32\oobe\info\backgrounds\BackgroundDefault.jpg"

# ContentDeliveryManager values that control Windows Spotlight.
$SpotlightValues = "RotatingLockScreenEnabled", "RotatingLockScreenOverlayEnabled", "ContentDeliveryAllowed", "SubscribedContent-338388Enabled", "SubscribedContent-338389Enabled"

if ($WindowsVersion -eq 6) {
    # Clear out any other background files, keeping the image that was just moved in.
    Remove-Item -Path 'C:\Windows\System32\oobe\info\backgrounds\*' -Exclude 'BackgroundDefault.jpg' -Force
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" -Name "OEMBackground" -Value 1 -Force
} elseif ($WindowsVersion -eq 10) {
    $SharedPcKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC"
    if (!(Test-Path $SharedPcKey)) {
        New-Item -Path $SharedPcKey -Force | Out-Null
    }
    New-ItemProperty -Path $SharedPcKey -Name "SetEduPolicies" -Value 1 -PropertyType DWORD -Force | Out-Null

    $RegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"
    if (!(Test-Path $RegKeyPath)) {
        New-Item -Path $RegKeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $RegKeyPath -Name "LockScreenImageStatus" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $RegKeyPath -Name "LockScreenImagePath" -Value $LockScreenImage -PropertyType STRING -Force | Out-Null
    New-ItemProperty -Path $RegKeyPath -Name "LockScreenImageUrl" -Value $LockScreenImage -PropertyType STRING -Force | Out-Null

    # In case you want to force a corporate desktop image
    $DesktopImageValue = "C:\Windows\System32\oobe\info\backgrounds\BackgroundDefault.jpg"
    New-ItemProperty -Path $RegKeyPath -Name "DesktopImageStatus" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $RegKeyPath -Name "DesktopImagePath" -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
    New-ItemProperty -Path $RegKeyPath -Name "DesktopImageUrl" -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null

    # Disable Windows 10 Spotlight for all users whose registry hive is currently loaded
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    $RegArray = Get-ChildItem -Path "HKU:" -Name
    foreach ($RegItem in $RegArray) {
        $RegPath = "HKU:\$RegItem\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
        foreach ($ValueName in $SpotlightValues) {
            Set-ItemProperty -Path $RegPath -Name $ValueName -Value 0 -Force -ErrorAction SilentlyContinue
        }
    }

    # Disable Windows 10 Sign-in Background (create the policy key first if it is missing)
    $SystemPolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
    if (!(Test-Path $SystemPolicyKey)) {
        New-Item -Path $SystemPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $SystemPolicyKey -Name "DisableLogonBackgroundImage" -Value 1 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null

    # Enable Secure Sign-in: DisableCAD = 0 requires Ctrl+Alt+Del; remove overrides stored elsewhere
    New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Value 0 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue

    $AccountPictureDirectory = "C:\ProgramData\Microsoft\User Account Pictures"
    $AccountPictures = "user.bmp", "user.png", "user-32.png", "user-40.png", "user-48.png", "user-192.png"

    # Backup Account Pictures (skip files already backed up so a re-run does not overwrite the originals)
    New-Item -Path "$AccountPictureDirectory\default" -ItemType Directory -Force | Out-Null
    foreach ($Picture in $AccountPictures) {
        if (!(Test-Path "$AccountPictureDirectory\default\$Picture")) {
            Move-Item -Path "$AccountPictureDirectory\$Picture" -Destination "$AccountPictureDirectory\default" -Force
        }
    }

    # Move Custom Account Pictures from the script directory into place
    foreach ($Picture in $AccountPictures) {
        Move-Item -Path "$ExecutingScriptDirectory\$Picture" -Destination $AccountPictureDirectory -Force
    }

    # Apply Default User Picture For All Users in Windows 10
    New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "UseDefaultTile" -Value 1 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null

    # Disable Windows 10 Spotlight for current user (in case the 'all users' portion skipped the current user due to a permissions error)
    $RegPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
    foreach ($ValueName in $SpotlightValues) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value 0 -Force -ErrorAction SilentlyContinue
    }
}
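
Most registry writes in the deployment script use -ErrorAction SilentlyContinue, so a write that fails (a missing key, insufficient rights under the RMM agent's account) leaves no trace. The following read-only check is an added example, not part of the original post: it reads back the values the script sets, including DisableCAD for secure sign-in, and exits non-zero when any differ. The function name Test-RegistryValue and the exit-code convention for the RMM are assumptions.

```powershell
# Added example (read-only): audit the registry values the deployment script writes.
$Csp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP'
$Cdm = 'Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
$Expected = @(
    @{ Path = $Csp; Name = 'LockScreenImageStatus'; Value = 1 }
    @{ Path = $Csp; Name = 'DesktopImageStatus'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC'; Name = 'SetEduPolicies'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'DisableLogonBackgroundImage'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'DisableCAD'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'UseDefaultTile'; Value = 1 }
)

# Spotlight is a per-user setting: add one check for every loaded user hive that has
# a ContentDeliveryManager key. Registry:: paths avoid the need for an HKU: drive.
$Hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -Name |
    Where-Object { Test-Path "Registry::HKEY_USERS\$_\$Cdm" }
foreach ($Hive in $Hives) {
    $Expected += @{ Path = "Registry::HKEY_USERS\$Hive\$Cdm"; Name = 'RotatingLockScreenEnabled'; Value = 0 }
}

function Test-RegistryValue {
    param($Path, $Name, $Value)
    # A missing key or value is reported as $null instead of raising an error.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Name      = $Name
        Expected  = $Value
        Actual    = $actual
        Compliant = ($null -ne $actual -and $actual -eq $Value)
        Path      = $Path
    }
}

$Results = foreach ($Check in $Expected) { Test-RegistryValue @Check }
$Results | Format-Table -AutoSize

# The image file that the lock screen and desktop values point to must exist.
$Image = (Get-ItemProperty -Path $Csp -Name LockScreenImagePath -ErrorAction SilentlyContinue).LockScreenImagePath
if (-not $Image -or -not (Test-Path $Image)) {
    Write-Warning "Lock screen image missing: $Image"
}

# A non-zero exit code lets the RMM flag the endpoint (assumed convention).
if ($Results.Compliant -contains $false) { exit 1 }
```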

REMOVAL SCRIPT

Of course, we should have a removal script in case we need to revert.

PowerShell
$WindowsVersion = [System.Environment]::OSVersion.Version.Major

# ContentDeliveryManager values that control Windows Spotlight.
$SpotlightValues = "RotatingLockScreenEnabled", "RotatingLockScreenOverlayEnabled", "ContentDeliveryAllowed", "SubscribedContent-338388Enabled", "SubscribedContent-338389Enabled"

if ($WindowsVersion -eq 6) {
    # Remove the custom background and switch the OEM background off again.
    Remove-Item -Path 'C:\Windows\System32\oobe\info\backgrounds\*' -Force
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" -Name "OEMBackground" -Value 0 -Force
} elseif ($WindowsVersion -eq 10) {
    # Remove the SetEduPolicies switch set by the deployment script
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC" -Name "SetEduPolicies" -Force -ErrorAction SilentlyContinue

    # Remove the forced lock screen image
    $RegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"
    Remove-ItemProperty -Path $RegKeyPath -Name "LockScreenImageStatus" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $RegKeyPath -Name "LockScreenImagePath" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $RegKeyPath -Name "LockScreenImageUrl" -Force -ErrorAction SilentlyContinue

    # In case you want to remove a corporate desktop image
    Remove-ItemProperty -Path $RegKeyPath -Name "DesktopImageStatus" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $RegKeyPath -Name "DesktopImagePath" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $RegKeyPath -Name "DesktopImageUrl" -Force -ErrorAction SilentlyContinue

    # Enable Windows 10 Spotlight for all users whose registry hive is currently loaded
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    $RegArray = Get-ChildItem -Path "HKU:" -Name
    foreach ($RegItem in $RegArray) {
        $RegPath = "HKU:\$RegItem\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
        foreach ($ValueName in $SpotlightValues) {
            Set-ItemProperty -Path $RegPath -Name $ValueName -Value 1 -Force -ErrorAction SilentlyContinue
        }
    }

    # Enable Windows 10 Sign-in Background
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "DisableLogonBackgroundImage" -Force -ErrorAction SilentlyContinue

    # Disable Secure Sign-in
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue

    # Enable Windows 10 Spotlight for current user (in case the 'all users' portion skipped the current user due to a permissions error)
    $RegPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
    foreach ($ValueName in $SpotlightValues) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value 1 -Force -ErrorAction SilentlyContinue
    }
}

CONCLUSION

This was a life-changing journey. Since so many people buy Home and Pro devices, the perfectionist in me was not a happy camper. It was great to finally get a solution to this, and while Microsoft tried to prevent it, the people won this battle.
