If you want to deploy a custom branded wallpaper and/or lockscreen for devices via Intune, this is natively supported if your devices are running Windows 10 Enterprise or Education, and is easily done via the GUI in Intune, as seen on the info dialog in configuration profiles:
But what if you want to do this with Windows 10 Pro or similar?
Well, then you need to do it via PowerShell, to set som reg values, and get the image files over to the devices you are looking to customize.
Here I will show you how I am doing this with the combination of powershell, Azure storage blobs, and Intune.
Note: The Azure resources in this guide are only for illustration, and are created while writing this post, and deleted after.
To start, get your Azure storage account, containers and blobs ready.
Using Azure storage blob, you get a cheap way of making the image files available for fetching with powershell later.
When you put files up on the blob, you can get a unique URI for the wanted file, for use in the later script.
You can also control the availability of this URI for expiration etc.
Costwise, this is also cheap, so no worry there, and of course, you can use the blob later for other things as well, it is all up to your imagination.
Lets begin:
Set a name for your storage account – this must be unique across Azure.
Change your location to the one that best suits your purpose
The rest can be left as default.
Click review+create, and then Create on the next screen to complete.
(Should you want to apply tags etc – feel free to do so first)
If you worry about the costs for this storage – you can check this here :
https://azure.microsoft.com/en-us/pricing/details/storage/blobs/
And as you can se on that page – the cost will not be noticable for this, unless you have a crazy amount of usage for the deployment. Remember, we are doing this for some image files – not huge chunks of data.
Repeat for wallpaper and lockscreen
Select “Generate SAS”
HTTPS as protocol,
Change the start and expiry iinformation to your need
Click generate SAS token and URL.
Copy the URL given in the Blob SAS URL field – you need this for the script later.
Repeat for both files as needed.
PS: Take note of the Start an Expiry information for the URL, change it to something usable – default is just 24 hours, something that will not be ideal for this deployment for Intune.
After doing this, and having noted down the 2 URLs for the files, the next step is to get your script ready for Intune.
Getting your script in order
https://github.com/geirdybbugt/Archive-Dybbugt.no/blob/master/Win10/
You are now ready to deploy the script to your endpoints via Intune.
Deploy powershell script via Intune
Click your way to Devices>Windows>PowerShell scripts
Your devices will now get this script shortly. The script will run on the device, download the images from your Azure Storage Blob, and set the needed values for wallpaper and lockscreen on your devices.
Thoughts?
As you can see, this is a rather easy way to get this done around your devices, and you may also get other ideas, on things you can do the same way by leveraging the same methodology for deployment with Azure storage.
There are many usecases you can leverage here if you put your mind to it.
Some of the things I am using this for myself, together with Autopilot, are:
- Pushing my custom KeePass config file across my devices
- Pushing Outlook signatures across devices
- Setting wallpaper/lockscreen
- Pulling, and deploying various Generic GPOs from Azure when deploying new setups
- Fetching script packages from Azure to devices when doing various tasks – having one file, getting the rest from Azure on demand, with menus on what script to run etc – timesaving, and easy to maintain
Hope anyone finds this useful.
Consultant manager & SME @ iteam, localized in Kristiansund, Norway.
Focused on EUC, security, mobility, virtualization, management and a modern workplace.
Highly specialized around RDS/Citrix/EUC/Mobility.
Great script, its working pushed via intune. The only thing is that under Overview in Scripts it show only errors and no Succeeded messages. Do you have any solution for that ?
Hello Geir,
I have corrected the script and thats working well when i run it my machine. But when i’m pushing from Intune/Endpoint manager it’s not applying.. Please suggest
Hello Geir,
Thanks for your prompt support. Below error i got while i run the script in powersell ise.
Start-BitsTransfer : HTTP status 403: The client does not have sufficient access rights to the requested server object.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:24 char:1
+ Start-BitsTransfer -Source $WallpaperURL -Destination “$WallpaperDest …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-BitsTransfer], Exception
+ FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand
Start-BitsTransfer : HTTP status 403: The client does not have sufficient access rights to the requested server object.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:25 char:1
+ Start-BitsTransfer -Source $LockscreenUrl -Destination “$LockScreenDe …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-BitsTransfer], Exception
+ FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand
New-ItemProperty : Requested registry access is not allowed.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:57 char:1
+ New-ItemProperty -Path $RegKeyPath -Name $DesktopStatus -Value $Statu …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
New-ItemProperty : Requested registry access is not allowed.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:58 char:1
+ New-ItemProperty -Path $RegKeyPath -Name $LockScreenStatus -Value $va …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
New-ItemProperty : Requested registry access is not allowed.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:59 char:1
+ New-ItemProperty -Path $RegKeyPath -Name $DesktopPath -Value $Desktop …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
New-ItemProperty : Requested registry access is not allowed.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:60 char:1
+ New-ItemProperty -Path $RegKeyPath -Name $DesktopUrl -Value $DesktopI …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
New-ItemProperty : Requested registry access is not allowed.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:61 char:1
+ New-ItemProperty -Path $RegKeyPath -Name $LockScreenPath -Value $Lock …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
New-ItemProperty : Requested registry access is not allowed.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:62 char:1
+ New-ItemProperty -Path $RegKeyPath -Name $LockScreenUrl -Value $LockS …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…sonalizationCSP:String) [New-ItemProperty], SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
stop-process : Cannot stop process “explorer (22848)” because of the following error: Access is denied
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:67 char:5
+ stop-process -name explorer -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (System.Diagnostics.Process (explorer):Process) [Stop-Process], ProcessCommandException
+ FullyQualifiedErrorId : CouldNotStopProcess,Microsoft.PowerShell.Commands.StopProcessCommand
No problem. Looks like you are not running as admin for the test. Run powershell ise as admin and try again🙂
Thanks for your suggestion. Below error i;m getting now.
Start-BitsTransfer : HTTP status 403: The client does not have sufficient access rights to the requested server object.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:24 char:1
+ Start-BitsTransfer -Source $WallpaperURL -Destination “$WallpaperDest …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-BitsTransfer], Exception
+ FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand
Start-BitsTransfer : HTTP status 403: The client does not have sufficient access rights to the requested server object.
At C:\Users\Rashid K – The Lead\Pictures\Wallpaper updated.ps1:25 char:1
+ Start-BitsTransfer -Source $LockscreenUrl -Destination “$LockScreenDe …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-BitsTransfer], Exception
+ FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand
I have followed the same steps, but no wallpaper applied through Intune policy via script to end users devices.
and when i checked the status it just shows failed.
Make sure you used the right script from github, not the one named custom. This is the correct one.:
https://github.com/geirdybbugt/Archive-Dybbugt.no/blob/master/Win10/Win10-SetWallpaperAndLockscreenFromUri.ps1
Also, make sure to input your uri and path for files etc.
Windows home edition is also not supported.
This what i have just mention in the script.
####————————————————————————####
#### Script to download and set the Lockscreen and Wallpaper for the user
#### Can be deployed on Win10 Pro – also via Intune
#### Based upon the script located here: https://abcdeployment.wordpress.com/2017/04/20/how-to-set-custom-backgrounds-for-desktop-and-lockscreen-in-windows-10-creators-update-v1703-with-powershell/
####
#### Editor info: Geir Dybbugt – https://dybbugt.no
####————————————————————————####
# Parameters for source and destination for the Image file
# Current script is edited to put the same image on LockScreen and Wallpaper
$WallpaperURL = “https://dwallpaper.blob.core.windows.net/desktopq/wallpaper.png?sp=r&st=2022-03-11T21:04:52Z&se=2022-03-12T05:04:52Z&spr=https&sv=2020-08-04&sr=b&sig=GXsPruBO7Wgfl3oR1hB9tBSvBvpLzWAAe0vTdw2v%2BEE%3D” # Change to your fitting
$LockscreenUrl = “https://dwallpaper.blob.core.windows.net/desktopq/Lock%20Screen.png?sp=r&st=2022-03-11T21:02:21Z&se=2022-03-12T05:02:21Z&spr=https&sv=2020-08-04&sr=b&sig=GXlTDRjuP4OxeMfrxnHUQCNEgFha%2FdMxi7j0BjFFTck%3D
” # Change to your fitting
$ImageDestinationFolder = “c:\temp” # Change to your fitting – this is the folder for the wallpaper image
$WallpaperDestinationFile = “$ImageDestinationFolder\wallpaper.png” # Change to your fitting – this is the Wallpaper image
$LockScreenDestinationFile = “$ImageDestinationFolder\LockScreen.png” # Change to your fitting – this is the Lockscreen image
# Creates the destination folder on the target computer
md $ImageDestinationFolder -erroraction silentlycontinue
# Downloads the image file from the source location
Start-BitsTransfer -Source $WallpaperURL -Destination “$WallpaperDestinationFile”
Start-BitsTransfer -Source $LockscreenUrl -Destination “$LockScreenDestinationFile”
# Assigns the wallpaper
$RegKeyPath = ‘HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP’
$DesktopPath = “DesktopImagePath”
$DesktopStatus = “DesktopImageStatus”
$DesktopUrl = “DesktopImageUrl”
$LockScreenPath = “LockScreenImagePath”
$LockScreenStatus = “LockScreenImageStatus”
$LockScreenUrl = “LockScreenImageUrl”
$StatusValue = “1”
$DesktopImageValue = “$WallpaperDestinationFile”
$LockScreenImageValue = “$LockScreenDestinationFile”
IF(!(Test-Path $RegKeyPath))
{
New-Item -Path $RegKeyPath -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $DesktopStatus -Value $StatusValue -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $LockScreenStatus -Value $StatusValue -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $DesktopPath -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $DesktopUrl -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $LockScreenPath -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $LockScreenUrl -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null
}
ELSE {
New-ItemProperty -Path $RegKeyPath -Name $DesktopStatus -Value $Statusvalue -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $LockScreenStatus -Value $value -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $DesktopPath -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $DesktopUrl -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $LockScreenPath -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $LockScreenUrl -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null
}
# Restart explorer.exe
stop-process -name explorer –force
# Clears the error log from powershell before exiting
$error.clear()
There is a formating error from some copy pasting on the restart explorer part on the end of your script. Should be -force.
The rest looks ok.
1. Is your windows edition valid? (Pro/business/education/enterprise)
2.Do the files get downloaded?
3.Restart the explorer process manually
4. Does the lockscreen come if you do a logout?
Could please share the exact script which needs to be applied on the Intune. I’m geting slightly confuse, like which porrtion i should pick from the script and make PS script.
i would appreciate if you can share the right script where i can just mention azure blob image url.
My Windows details:-
Edition Windows 10 Pro
Version 21H2
Installed on 08/28/2020
OS build 19044.1586
Experience Windows Feature Experience Pack 120.2212.4170.0
I linked to the exact script in a previous comment. Youbare using the right one.
Check for formatting errors, test it locally in powershell ise. You will see what is failing there.
The spotlight feature can be controlled only for windows 10 enterprise devices. The settings you mentioned wont work on windows 10 pro devices. Having a custom lock screen with windows spotlight enabled doesn’t make sense at least visually. Is there a workaround for the same.
Another enerprise/education limitation then i guess. I will check it out and update you. Probably an easy workaround to that one as well🙂
So, definitly a limitation for pro. I’m guessing it the “fun facts” parts that causing you some headaches?
Dosent look good out of the box for MS docs: https://docs.microsoft.com/en-us/windows/configuration/manage-tips-and-suggestions
– Disabled by default on Pro Education editon, And both enterprise editon.
– Disabled by default on EDU editions, cannot to enable for 3rd party info change.
– Can disable MS app + 3 party info on Enterprise
– Cannot disable on pure Pro, and by default show from 3rd party.
But, I dont have access to Pro edition, could you check the following registry change, assuming you have admin access to registry for HKCU hive:
– Navigate to “HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent” if the path dosent exist, create it.
– Create a New > DWORD (32-bit) Value inside “CloudContent” key.
– Name it “DisableWindowsSpotlightFeatures” give it a value of “1”
– Restart explorer process, or restart computer and check for effect.
If it works, try removing the key, and creating it in the same path, but in HKLM hive, restart, check for effect.
This is just to verify if it can be set on machine level or need to be done on pr user level in regards to deployment on a wider scale etc.
Let me know how it goes 🙂
This is great and works on fresh install of Win10 Pro. However, it doesnt disable spotlight. So when you lock the screen you get the spotlisht tips over the image. I can disable this by creating the HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent DIsableWIndowsSpotLightFeatures – however i can seem to set this using script since its a protected HKU key so running as user doesnt have permissions to set. Anyone solved this issue?
Hi, sorry for the late reply.
The script will not disable spotlight, as that is an entirely different feature. Registry items in the HKCU\Software\policies\ area are policy controlled settings and are protected.
There is no need to change the settings there via script or registry. Since you are already using Intune here, you can use the native intune policies to control this.
For Spotlight this can be done by creating a a configuration profile, and assigning it to your devices.
Configuration profiles:
https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/configurationProfiles
-Create a new profile
-Platform:windows 10 and later
-Profile type: Templates
-Template name: Device restrictions
-Give the profile a name
-Scroll down to Windows Spotlight, sett your settings, click next
-Assign to your group of devices or users, next
-Next on applicability rules
-Review setting, click creat if all is ok.
I have been having issues deploying this script as i keep getting status: Failed and i am not too sure why. I have followed the guide. Is this down to the fact we are running windows 10 pro?
Have you adapted the script according to your needs in regards to source for the image file, uri etc?
Have you tried running the script on a device directly, to see if it is successfull?
If error, what is the error message?
Or is it the status in Intune that shows as failed?
Script works with windows 10 pro. It’s a workaround to the intune policy for the same, that will require Enterprise/education editions.
This is working great, we want to also allow users to change the background and lockscreen image to what they want. Would that be simple as changing the $RegKeyPath to $RegKeyPath = ‘HKCU:\Control Panel\Desktop’ ?
Has anyone questioned Microsoft as to why they only limit the simple policy to Enterprise? Next time one of their feel good, high five, backslapping survey forms pop up, let them know what you think.
Thanks for sharing. Not working in Win 10 Home Single Language and Business Edition.
Running on win 10 business myself, no issues. Not tested with home. Have you adapted the script correctly?
Guess I didn’t wait for the script to take effect now works on Business Edition but for Home Edition still not working. I’m gonna try other laptops with Pro edition. I’ll update you. Thanks!
I’d like to know what should i do if i want to upload more than 1 background
$WallpaperURL = URL1
$WallpaperURL = URL2
????
Just to have 2 files downloaded, or different image for differerent users/devices? Or different lockscreen vs wallpaper?
In either way you just need to adjust the script to dowbload from 2 sources and adjust accordingly.
Geir, you genius 🙂 Thanks alot! Just used this in a large deployment and it worked perfectly for machines without Enterprise license.
Glad you found it useful?
Thank you Geir Dybbugt for the share,
The script did not change my desktop background, but for the lock screen it works,
What could be the issue please ?
Try restarting the explorer process. Sometimes needed the first time
Thx for the tutorial. The lockscreen works, the wallpaper unfortunately doesn’t, it is downloaded but not used. What could be the reason?
Found the solution. Script needs to run with logged on credentials.
This was a godsend for my users that don’t use E3 licensing! Thanks for the detailed info!!!
Glad you found it helpful?
How are you Pushing Outlook signatures across devices with intune
Signature files located in azure, powershell script that looks for the accountname in question in the registry, and downloads the files and sets the values in registry when found. By no means perfect?
Do you HAVE to use the storage blob in order to push backgrounds?
No, you can use other sources if you want. As long as it is available to fetch from the client side.
Great use of technology Geir! Thanks for sharing!
This is great does it allow the user to change the wallpaper?
The option will be grayed out. So only option to bypass is for the user to replace the files with something else if they have access.