This is something I have just done myself, in our own environment, and while it’s neither super technical nor advanced, I figured it deserved some attention regardless.
I assume most hybrid (co-managed) environments still look towards Group Policy when doing this, because it’s easy and what we’ve always been doing. I’m regularly asked to change our desktop wallpaper and lock screen images, and when things need to be done in a hurry, you usually stick to the easy solution.
This time though, I was stubborn and insisted on moving away from Group Policy and doing it with Intune. The process turned into this short blog post. 🙂
When coming from Group Policy, the lock screen image and desktop wallpaper are configured for the computer (computer configuration) and the user (user configuration) respectively, which would typically require 2 Group Policy objects (unless mixing user and computer configurations, but that’d be a mess in my opinion).
Lock screen image
Below is an illustration taken directly from my production environment. While I’m still configuring something with Group Policy in this area (yikes), the lock screen policy is no longer configured. Notice that this is a computer configuration:
Below is an illustration, also taken directly from my production environment, where the desktop wallpaper policy is no longer configured. Also notice this is a user configuration:
Microsoft Endpoint Manager Intune
Now, transitioning the lock screen and desktop wallpaper policy to Microsoft Endpoint Manager is easy, and obviously takes place in the Microsoft Endpoint Manager admin center: https://endpoint.microsoft.com/
Create a new device configuration profile (Device restrictions) for Windows 10:
Browse to the Locked Screen Experience options.
Notice how the tooltip suggests that this should be an HTTPS source. This is not entirely necessary or required, and can be a local source too if configured like so: file:///C:/Windows/lockscreen.png
Browse to the Personalization options.
Notice how the tooltip suggests that this should be an HTTPS source. This is not entirely necessary or required, and can be a local source too if configured like so: file:///C:/Windows/wallpaper.png
When done configuring the above, you have a device configuration profile similar to the illustration below, which can be assigned to your devices:
What’s happening on the device?
Once the policy has applied to your device, you will see the configuration made above create entries in the following location in the registry:
The DesktopImageStatus and LockScreenImageStatus values are defined as follows (so this will be a place to look, if something is not working as expected):
- 1 – Successfully downloaded or copied.
- 2 – Download or copy in progress.
- 3 – Download or copy failed.
- 4 – Unknown file type.
- 5 – Unsupported URL scheme.
- 6 – Max retry failed.
- 7 – Blocked, SKU not allowed
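The status check described above, as an added PowerShell example that is not part of the original post: it reads the two status values, translates them using the list above, and for file:/// sources confirms the image is actually present on disk. The function name and the -KeyPath parameter are assumptions; the registry location the post refers to is not reproduced in the text, so it is passed in rather than hard-coded.

```powershell
# Added example (not from the original post). Reads DesktopImageStatus and
# LockScreenImageStatus from the key the policy writes to and explains them.
# $KeyPath is an assumption supplied by the caller; it is not hard-coded because
# the registry location is not reproduced in the post's text.
function Get-PersonalizationImageStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        # Sources as configured in the Intune profile (defaults are the post's examples)
        [string]$LockScreenUrl = 'file:///C:/Windows/lockscreen.png',
        [string]$DesktopUrl    = 'file:///C:/Windows/wallpaper.png'
    )
    # Status codes exactly as listed in the post
    $meaning = @{
        1 = 'Successfully downloaded or copied'
        2 = 'Download or copy in progress'
        3 = 'Download or copy failed'
        4 = 'Unknown file type'
        5 = 'Unsupported URL scheme'
        6 = 'Max retry failed'
        7 = 'Blocked, SKU not allowed'
    }
    $props  = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction Stop
    $checks = [ordered]@{
        LockScreenImageStatus = $LockScreenUrl
        DesktopImageStatus    = $DesktopUrl
    }
    foreach ($name in $checks.Keys) {
        $raw = $props.$name          # $null when the value has not been written
        $uri = [uri]$checks[$name]
        # A file:/// source only works if the image was deployed to the device first
        $present = if ($uri.IsFile) { Test-Path -LiteralPath $uri.LocalPath -PathType Leaf } else { $null }
        [pscustomobject]@{
            Value            = $name
            Status           = $raw
            Meaning          = if ($null -eq $raw) { 'Value not present (policy not applied yet?)' }
                               elseif ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] }
                               else { 'Status not in the documented list' }
            Source           = $uri.AbsoluteUri
            LocalFilePresent = $present   # $null for non-file sources
            Healthy          = ($raw -eq 1) -and ($present -ne $false)
        }
    }
}

# Usage (replace the placeholder with the registry location from the post):
# Get-PersonalizationImageStatus -KeyPath 'HKLM:\<registry-key-from-the-post>' | Format-Table -AutoSize
```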
I deploy the source files via Configuration Manager, packaged as an .MSI. This can obviously be done with Intune as well. Notice I do something similar for our screensaver (that might turn into another blog post).
Don’t mind me obfuscating some business applications. As usual, this is taken directly from my own production device.
I build the MSI using Advanced Installer, and the configuration needed here is super straightforward:
- If management asks me how many devices have gotten the new wallpaper / lock screen images installed, I can give them exact numbers coming from reporting in ConfigMgr
- Versioning when using an .msi makes it really easy to know exactly which files are installed, and automatically cleans up old files which are no longer a part of the .msi, and thus no longer in use.