Intune: Setting custom wallpaper and lockscreen on Windows 10 devices with PowerShell and Azure Storage Blobs

If you want to deploy a custom branded wallpaper and/or lockscreen for devices via Intune, this is natively supported if your devices are running Windows 10 Enterprise or Education, and is easily done via the GUI in Intune, as seen on the info dialog in configuration profiles:

Maskingenerert alternativ tekst:
A Personalization 
Desktop background picture URL (Desktop only) 
Set a desktop background image that users cannot change. Applicable on devices running Windows 10 Enterprise and Windows 10 Education. Image file type must be PNG, JPG, or JPEG. 
ttps://fabrikam.com/image.png

But what if you want to do this with Windows 10 Pro or similar?
Well, then you need to do it via PowerShell, to set som reg values, and get the image files over to the devices you are looking to customize.

Here I will show you how I am doing this with the combination of powershell, Azure storage blobs, and Intune.

Note: The Azure resources in this guide are only for illustration, and are created while writing this post, and deleted after.

To start, get your Azure storage account, containers and blobs ready.

Using Azure storage blob, you get a cheap way of making the image files available for fetching with powershell later.
When you put files up on the blob, you can get a unique URI for the wanted file, for use in the later script.
You can also control the availability of this URI for expiration etc.

Costwise, this is also cheap, so no worry there, and of course, you can use the blob later for other things as well, it is all up to your imagination.

Lets begin:

Head over to your Azure admin portal at https://portal.azure.com and log in with your admin credentials. After login, search for storage accounts in the search bar, and select storage accounts.
Once in the storage accounts view, click add, to create a new storage account, or use an exisiting one should you want to. The guide is based on creating a new one
Next, choose the subscription to bill the storage account to, and select the resource group for the storage account, Create a new resource group for this purpose – as I am doing below.
Set a name for your storage account – this must be unique across Azure.
Change your location to the one that best suits your purpose
The rest can be left as default.

Click review+create, and then Create on the next screen to complete.
(Should you want to apply tags etc – feel free to do so first)

If you worry about the costs for this storage – you can check this here :
https://azure.microsoft.com/en-us/pricing/details/storage/blobs/
And as you can se on that page – the cost will not be noticable for this, unless you have a crazy amount of usage for the deployment. Remember, we are doing this for some image files – not huge chunks of data.
Wait for the creation to complete – takes a short amount of time
When complete, click on the button “Go to resource” to continue
This will take you to the overview section of your new storage account, click on Containers to continue
Click + on the Container option, to create a new container, give it a name, and click create
After creation, it will show in the container section, clik on the container to continue
Once inside the container, click upload to upload your image file(s)
Repeat for wallpaper and lockscreen
Right click on the uploaded file,
Select “Generate SAS”
Set to read
HTTPS as protocol,
Change the start and expiry iinformation to your need
Click generate SAS token and URL.
Copy the URL given in the Blob SAS URL field – you need this for the script later.

Repeat for both files as needed.

PS: Take note of the Start an Expiry information for the URL, change it to something usable – default is just 24 hours, something that will not be ideal for this deployment for Intune.

After doing this, and having noted down the 2 URLs for the files, the next step is to get your script ready for Intune.

Getting your script in order

The powershell script I am using for this is located on my GitHub, and can be found here:
https://github.com/geirdybbugt/Archive-Dybbugt.no/blob/master/Win10/
Download the script and change the following, to get it adapted to your previously created URLs for the image files, also change the location for where the files are put on the endpoints if you want. 

You are now ready to deploy the script to your endpoints via Intune.

Deploy powershell script via Intune

Head over to the Microsoft Endpoint Manager admin center, here: https://devicemanagement.microsoft.com/
 
Click your way to Devices>Windows>PowerShell scripts
Click Add to add the script
Input a name and description for the script, click next
Click the browse button to upload your script, set it to run on 64 bit PowerShell host, click Next
Assign the script to the group you wish to deploy this to, click Review + save
Review your settings, click Add if everything looks ok

Your devices will now get this script shortly. The script will run on the device, download the images from your Azure Storage Blob, and set the needed values for wallpaper and lockscreen on your devices.

Thoughts?

As you can see, this is a rather easy way to get this done around your devices, and you may also get other ideas, on things you can do the same way by leveraging the same methodology for deployment with Azure storage.

There are many usecases you can leverage here if you put your mind to it.

Some of the things I am using this for myself, together with Autopilot, are:

  • Pushing my custom KeePass config file across my devices
  • Pushing Outlook signatures across devices
  • Setting wallpaper/lockscreen
  • Pulling, and deploying various Generic GPOs from Azure when deploying new setups
  • Fetching script packages from Azure to devices when doing various tasks – having one file, getting the rest from Azure on demand, with menus on what script to run etc – timesaving, and easy to maintain

Hope anyone finds this useful.

40 thoughts on “Intune: Setting custom wallpaper and lockscreen on Windows 10 devices with PowerShell and Azure Storage Blobs

  • Logo 468x120
  • Great script, its working pushed via intune. The only thing is that under Overview in Scripts it show only errors and no Succeeded messages. Do you have any solution for that ?

  • Hello Geir,
    I have corrected the script and thats working well when i run it my machine. But when i’m pushing from Intune/Endpoint manager it’s not applying.. Please suggest

  • Hello Geir,
    Thanks for your prompt support. Below error i got while i run the script in powersell ise.

    Start-BitsTransfer : HTTP status 403: The client does not have sufficient access rights to the requested server object.
    At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:24 char:1
    + Start-BitsTransfer -Source $WallpaperURL -Destination “$WallpaperDest …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Start-BitsTransfer], Exception
    + FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand

    Start-BitsTransfer : HTTP status 403: The client does not have sufficient access rights to the requested server object.
    At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:25 char:1
    + Start-BitsTransfer -Source $LockscreenUrl -Destination “$LockScreenDe …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Start-BitsTransfer], Exception
    + FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand

    New-ItemProperty : Requested registry access is not allowed.
    At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:57 char:1
    + New-ItemProperty -Path $RegKeyPath -Name $DesktopStatus -Value $Statu …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand

    New-ItemProperty : Requested registry access is not allowed.
    At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:58 char:1
    + New-ItemProperty -Path $RegKeyPath -Name $LockScreenStatus -Value $va …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand

    New-ItemProperty : Requested registry access is not allowed.
    At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:59 char:1
    + New-ItemProperty -Path $RegKeyPath -Name $DesktopPath -Value $Desktop …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand

    New-ItemProperty : Requested registry access is not allowed.
    At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:60 char:1
    + New-ItemProperty -Path $RegKeyPath -Name $DesktopUrl -Value $DesktopI …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand

    New-ItemProperty : Requested registry access is not allowed.
    At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:61 char:1
    + New-ItemProperty -Path $RegKeyPath -Name $LockScreenPath -Value $Lock …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand

    New-ItemProperty : Requested registry access is not allowed.
    At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:62 char:1
    + New-ItemProperty -Path $RegKeyPath -Name $LockScreenUrl -Value $LockS …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand

    stop-process : Cannot stop process “explorer (22848)” because of the following error: Access is denied
    At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:67 char:5
    + stop-process -name explorer -force
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (System.Diagnostics.Process (explorer):Process) [Stop-Process], ProcessCommandException
    + FullyQualifiedErrorId : CouldNotStopProcess,Microsoft.PowerShell.Commands.StopProcessCommand

      • Thanks for your suggestion. Below error i;m getting now.
        Start-BitsTransfer : HTTP status 403: The client does not have sufficient access rights to the requested server object.
        At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:24 char:1
        + Start-BitsTransfer -Source $WallpaperURL -Destination “$WallpaperDest …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : InvalidOperation: (:) [Start-BitsTransfer], Exception
        + FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand

        Start-BitsTransfer : HTTP status 403: The client does not have sufficient access rights to the requested server object.
        At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:25 char:1
        + Start-BitsTransfer -Source $LockscreenUrl -Destination “$LockScreenDe …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : InvalidOperation: (:) [Start-BitsTransfer], Exception
        + FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand

  • I have followed the same steps, but no wallpaper applied through Intune policy via script to end users devices.
    and when i checked the status it just shows failed.

      • This what i have just mention in the script.
        ####————————————————————————####
        #### Script to download and set the Lockscreen and Wallpaper for the user
        #### Can be deployed on Win10 Pro – also via Intune
        #### Based upon the script located here: https://abcdeployment.wordpress.com/2017/04/20/how-to-set-custom-backgrounds-for-desktop-and-lockscreen-in-windows-10-creators-update-v1703-with-powershell/
        ####
        #### Editor info: Geir Dybbugt – https://dybbugt.no
        ####————————————————————————####

        # Parameters for source and destination for the Image file
        # Current script is edited to put the same image on LockScreen and Wallpaper

        $WallpaperURL = “https://dwallpaper.blob.core.windows.net/desktopq/wallpaper.png?sp=r&st=2022-03-11T21:04:52Z&se=2022-03-12T05:04:52Z&spr=https&sv=2020-08-04&sr=b&sig=GXsPruBO7Wgfl3oR1hB9tBSvBvpLzWAAe0vTdw2v%2BEE%3D” # Change to your fitting
        $LockscreenUrl = “https://dwallpaper.blob.core.windows.net/desktopq/Lock%20Screen.png?sp=r&st=2022-03-11T21:02:21Z&se=2022-03-12T05:02:21Z&spr=https&sv=2020-08-04&sr=b&sig=GXlTDRjuP4OxeMfrxnHUQCNEgFha%2FdMxi7j0BjFFTck%3D
        ” # Change to your fitting

        $ImageDestinationFolder = “c:\temp” # Change to your fitting – this is the folder for the wallpaper image
        $WallpaperDestinationFile = “$ImageDestinationFolder\wallpaper.png” # Change to your fitting – this is the Wallpaper image
        $LockScreenDestinationFile = “$ImageDestinationFolder\LockScreen.png” # Change to your fitting – this is the Lockscreen image

        # Creates the destination folder on the target computer
        md $ImageDestinationFolder -erroraction silentlycontinue

        # Downloads the image file from the source location
        Start-BitsTransfer -Source $WallpaperURL -Destination “$WallpaperDestinationFile”
        Start-BitsTransfer -Source $LockscreenUrl -Destination “$LockScreenDestinationFile”

        # Assigns the wallpaper
        $RegKeyPath = ‘HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP’

        $DesktopPath = “DesktopImagePath”
        $DesktopStatus = “DesktopImageStatus”
        $DesktopUrl = “DesktopImageUrl”
        $LockScreenPath = “LockScreenImagePath”
        $LockScreenStatus = “LockScreenImageStatus”
        $LockScreenUrl = “LockScreenImageUrl”

        $StatusValue = “1”
        $DesktopImageValue = “$WallpaperDestinationFile”
        $LockScreenImageValue = “$LockScreenDestinationFile”

        IF(!(Test-Path $RegKeyPath))

        {

        New-Item -Path $RegKeyPath -Force | Out-Null

        New-ItemProperty -Path $RegKeyPath -Name $DesktopStatus -Value $StatusValue -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $LockScreenStatus -Value $StatusValue -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $DesktopPath -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $DesktopUrl -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $LockScreenPath -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $LockScreenUrl -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null

        }

        ELSE {

        New-ItemProperty -Path $RegKeyPath -Name $DesktopStatus -Value $Statusvalue -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $LockScreenStatus -Value $value -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $DesktopPath -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $DesktopUrl -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $LockScreenPath -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name $LockScreenUrl -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null
        }

        # Restart explorer.exe
        stop-process -name explorer –force

        # Clears the error log from powershell before exiting
        $error.clear()

        • There is a formating error from some copy pasting on the restart explorer part on the end of your script. Should be -force.

          The rest looks ok.

          1. Is your windows edition valid? (Pro/business/education/enterprise)

          2.Do the files get downloaded?

          3.Restart the explorer process manually

          4. Does the lockscreen come if you do a logout?

          • Could please share the exact script which needs to be applied on the Intune. I’m geting slightly confuse, like which porrtion i should pick from the script and make PS script.
            i would appreciate if you can share the right script where i can just mention azure blob image url.

            My Windows details:-
            Edition Windows 10 Pro
            Version 21H2
            Installed on ‎08/‎28/‎2020
            OS build 19044.1586
            Experience Windows Feature Experience Pack 120.2212.4170.0

          • I linked to the exact script in a previous comment. Youbare using the right one.

            Check for formatting errors, test it locally in powershell ise. You will see what is failing there.

  • The spotlight feature can be controlled only for windows 10 enterprise devices. The settings you mentioned wont work on windows 10 pro devices. Having a custom lock screen with windows spotlight enabled doesn’t make sense at least visually. Is there a workaround for the same.

    • So, definitly a limitation for pro. I’m guessing it the “fun facts” parts that causing you some headaches?
      Dosent look good out of the box for MS docs: https://docs.microsoft.com/en-us/windows/configuration/manage-tips-and-suggestions
      – Disabled by default on Pro Education editon, And both enterprise editon.
      – Disabled by default on EDU editions, cannot to enable for 3rd party info change.
      – Can disable MS app + 3 party info on Enterprise
      – Cannot disable on pure Pro, and by default show from 3rd party.

      But, I dont have access to Pro edition, could you check the following registry change, assuming you have admin access to registry for HKCU hive:
      – Navigate to “HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent” if the path dosent exist, create it.
      – Create a New > DWORD (32-bit) Value inside “CloudContent” key.
      – Name it “DisableWindowsSpotlightFeatures” give it a value of “1”
      – Restart explorer process, or restart computer and check for effect.

      If it works, try removing the key, and creating it in the same path, but in HKLM hive, restart, check for effect.
      This is just to verify if it can be set on machine level or need to be done on pr user level in regards to deployment on a wider scale etc.

      Let me know how it goes 🙂

  • This is great and works on fresh install of Win10 Pro. However, it doesnt disable spotlight. So when you lock the screen you get the spotlisht tips over the image. I can disable this by creating the HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent DIsableWIndowsSpotLightFeatures – however i can seem to set this using script since its a protected HKU key so running as user doesnt have permissions to set. Anyone solved this issue?

    • Hi, sorry for the late reply.
      The script will not disable spotlight, as that is an entirely different feature. Registry items in the HKCU\Software\policies\ area are policy controlled settings and are protected.
      There is no need to change the settings there via script or registry. Since you are already using Intune here, you can use the native intune policies to control this.
      For Spotlight this can be done by creating a a configuration profile, and assigning it to your devices.

      Configuration profiles:
      https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/configurationProfiles

      -Create a new profile
      -Platform:windows 10 and later
      -Profile type: Templates
      -Template name: Device restrictions
      -Give the profile a name
      -Scroll down to Windows Spotlight, sett your settings, click next
      -Assign to your group of devices or users, next
      -Next on applicability rules
      -Review setting, click creat if all is ok.

  • I have been having issues deploying this script as i keep getting status: Failed and i am not too sure why. I have followed the guide. Is this down to the fact we are running windows 10 pro?

    • Have you adapted the script according to your needs in regards to source for the image file, uri etc?
      Have you tried running the script on a device directly, to see if it is successfull?
      If error, what is the error message?
      Or is it the status in Intune that shows as failed?

      Script works with windows 10 pro. It’s a workaround to the intune policy for the same, that will require Enterprise/education editions.

  • This is working great, we want to also allow users to change the background and lockscreen image to what they want. Would that be simple as changing the $RegKeyPath to $RegKeyPath = ‘HKCU:\Control Panel\Desktop’ ?

  • Has anyone questioned Microsoft as to why they only limit the simple policy to Enterprise? Next time one of their feel good, high five, backslapping survey forms pop up, let them know what you think.

      • Guess I didn’t wait for the script to take effect now works on Business Edition but for Home Edition still not working. I’m gonna try other laptops with Pro edition. I’ll update you. Thanks!

  • I’d like to know what should i do if i want to upload more than 1 background
    $WallpaperURL = URL1
    $WallpaperURL = URL2

    ????

    • Just to have 2 files downloaded, or different image for differerent users/devices? Or different lockscreen vs wallpaper?

      In either way you just need to adjust the script to dowbload from 2 sources and adjust accordingly.

  • Geir, you genius 🙂 Thanks alot! Just used this in a large deployment and it worked perfectly for machines without Enterprise license.

  • Thank you Geir Dybbugt for the share,

    The script did not change my desktop background, but for the lock screen it works,

    What could be the issue please ?

  • Thx for the tutorial. The lockscreen works, the wallpaper unfortunately doesn’t, it is downloaded but not used. What could be the reason?

    • Signature files located in azure, powershell script that looks for the accountname in question in the registry, and downloads the files and sets the values in registry when found. By no means perfect?

  • Explore Yubico

Leave a Reply