So, you think you’re setting the lock screen, just to have OSD finish and be like “Why is the lock screen missing and showing a dark blueish color?” or “Argh, it’s the stinking Windows default lock screen, not the one I wanted”. Perhaps you have a lab, and don’t activate your PCs, so you get the rotating Bing picture of the day, which is actually pretty cool and all, unless you’re trying to test lock screens. Thanks to Doug (managedoug.com) for bringing this to my attention and having me dig into it a bit more.
I’ve got several steps to control this during OSD, which include copying files over the default lock screen images and setting registry keys. Which ones you need depends on exactly what outcome you’re looking for.
Scenario 1, you want to set the Lock Screen and NEVER allow the user to change it.
Scenario 2, you’re cool with the user changing it, but want to set it to your own custom default.
To accomplish both, there are several things in common you need to do, so I’ll start with the steps you need to do for either situation, then break apart the single additional step that enables scenario 1.
- Tweak – Replace Default LockScreen Step 1
cmd.exe /c takeown /f C:\Windows\Web\Screen\*.* & cmd.exe /c icacls C:\Windows\Web\Screen\*.* /Grant System:(F)
- Tweak – Replace Default LockScreen Step 2
cmd.exe /c copy WallPapersLockScreens\lego-img1.jpg C:\Windows\Web\Screen\img100.jpg /Y & cmd.exe /c copy WallPapersLockScreens\lego-img1.jpg C:\Windows\Web\Screen\img105.jpg /Y
- Tweak – Mount ntuser.dat as defuser
reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
- Tweak – LockScreen Tools TIps & Rotation Disable
cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /V RotatingLockScreenOverlayEnabled /T REG_DWORD /D 0 /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /T REG_DWORD /V RotatingLockScreenEnabled /D 0 /F
- Tweak – LockScreen BING Rotation Disable
cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V LockImageFlags /T REG_DWORD /D 00000000 /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V LockScreenOptions /T REG_DWORD /D 00000000 /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V CreativeId /T REG_SZ /D "" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V DescriptionText /T REG_SZ /D "" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V ActionText /T REG_SZ /D "" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V ActionUri /T REG_SZ /D "" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V PlacementId /T REG_SZ /D "" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V ClickthroughToken /T REG_SZ /D "" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V ImpressionToken /T REG_SZ /D "" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V CreativeJson /T REG_SZ /D "" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V PortraitAssetPath /T REG_SZ /D "C:\Windows\Web\Screen\img100.jpg" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V LandscapeAssetPath /T REG_SZ /D "C:\Windows\Web\Screen\img100.jpg" /F & cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative" /V HotspotImageFolderPath /T REG_SZ /D "C:\Windows\Web\Screen\img100.jpg" /F
- Tweak – LockScreen SpotLight Disable
REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /V DisableWindowsSpotlightFeatures /T REG_DWORD /D 00000001 /F
- Tweak – Unmount ntuser.dat as defuser
reg.exe unload HKEY_LOCAL_MACHINE\defuser
Lock Down Mode (Scenario 1)
- Tweak – Set Enforced Lock Screen Step 1 (Copy) – Same as the one used above, just different description
cmd.exe /c copy WallPapersLockScreens\lego-img1.jpg C:\Windows\Web\Screen\img100.jpg /Y & cmd.exe /c copy WallPapersLockScreens\lego-img1.jpg C:\Windows\Web\Screen\img105.jpg /Y
- Tweak – Set Enforced Lock Screen Step 2 (Registry)
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /V LockScreenImage /T REG_SZ /D C:\Windows\Web\Screen\img100.jpg /F
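To confirm the steps above actually landed after OSD, the following read-only audit checks the default user hive, the enforced policy value, and the replaced image files. It is an added example, not part of the original task sequence; the mount name defuser_audit and the parameter names are assumptions, and it checks a representative subset of the values set above.

```powershell
# Added example: read-only audit of the lock screen settings. Run elevated.
param(
    [string]$SourceImage = 'WallPapersLockScreens\lego-img1.jpg', # image name used on this page
    [switch]$Enforced                                             # also check Scenario 1 policy
)
$img   = 'C:\Windows\Web\Screen\img100.jpg'
$mount = 'HKLM\defuser_audit'                        # hypothetical mount name for the audit
$root  = 'Registry::HKEY_LOCAL_MACHINE\defuser_audit'
$cv    = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
# Values the task sequence steps write into the default user hive.
$expected = @(
    @{ Key = "$cv\ContentDeliveryManager"; Name = 'RotatingLockScreenOverlayEnabled'; Value = 0 }
    @{ Key = "$cv\ContentDeliveryManager"; Name = 'RotatingLockScreenEnabled'; Value = 0 }
    @{ Key = "$cv\Lock Screen\Creative"; Name = 'LockImageFlags'; Value = 0 }
    @{ Key = "$cv\Lock Screen\Creative"; Name = 'LandscapeAssetPath'; Value = $img }
    @{ Key = 'SOFTWARE\Policies\Microsoft\Windows\CloudContent'; Name = 'DisableWindowsSpotlightFeatures'; Value = 1 }
)
function Test-RegValue([string]$Path, [string]$Name, $Want) {
    # A missing key or value yields $null, which never equals the expected value.
    $got = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Check = "$Path\$Name"; Expected = $Want; Actual = $got; Pass = ($got -eq $Want) }
}
$results = @()
& reg.exe load $mount 'C:\Users\Default\ntuser.dat' | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Could not load the default user hive (run elevated).' }
try {
    foreach ($e in $expected) { $results += Test-RegValue "$root\$($e.Key)" $e.Name $e.Value }
} finally {
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()  # release provider handles before unload
    & reg.exe unload $mount | Out-Null
}
if ($Enforced) {
    $results += Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' 'LockScreenImage' $img
}
# The replaced default images should be byte-identical to the source image.
if (Test-Path $SourceImage) {
    $want = (Get-FileHash $SourceImage -Algorithm SHA256).Hash
    foreach ($f in 'img100.jpg', 'img105.jpg') {
        $p = Join-Path 'C:\Windows\Web\Screen' $f
        $got = if (Test-Path $p) { (Get-FileHash $p -Algorithm SHA256).Hash } else { $null }
        $results += [pscustomobject]@{ Check = $p; Expected = $want; Actual = $got; Pass = ($got -eq $want) }
    }
}
$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit marks the device non-compliant
```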
You can download this entire TS from my blog post about Windows 10 Customizations.
So, how does it look after OSD completes… pretty.
Posted originally at garytown.com – @gwblok
Do some of those disable lock screen annoyances/ads commands you have also work for win 10 pro or just enterprise?
How about setting a custom theme? I’ve got a theme I created with custom corporate wallpapers that rotate and exported it as a theme, I’d like to be able to apply that in OSD. I’d like to move away from copy profile entirely, which is how I currently keep a custom theme set as default for everyone.
I just ran my TS on Pro instead of Enterprise. The LockScreen tweaks appear to have worked. FYI, this is just one test, and I typically don’t test or run Pro. I’d recommend just give it a try on one machine, and let it run for awhile and see what happens. But my initial results look good.
From what I understand, if we deployed this from GPO it wouldn’t work on Windows 10 Pro, Microsoft disabled most of these policies after the anniversary update. But since we’re making so many local user registry and file modifications it appears to take effect. Make sure that when you do a feature update that these are reapplied to the device as some of the settings will not make it through.
Hi Gary,
Have you seen this thread: https://social.technet.microsoft.com/Forums/en-US/1664b0ab-f1d8-4e60-8337-13f079a33752/windows-10-1803-custom-loginlock-screen-image-is-not-applied-until-a-user-logs-in?forum=win10itprosetup
I have tried your solution, but it does not work during in-place upgrade.
I was able to replicate your problem. To fix it, I took the settings I was applying to the default user profile and applied them to the HKCU registry hive, which requires having the user logged on during the TS. I’d recommend just applying them via GPO. (I assume you have no plans to use SpotLight) – As always, please test this yourself.
From the blog post https://garytown.com/windows-10-lock-screen
there are 3 steps that I use to apply to default profile:
Tweak – LockScreen Tools TIps & Rotation Disable
Tweak – LockScreen BING Rotation Disable
Tweak – LockScreen SpotLight Disable
Those 3 steps work great for OSD when a user hasn’t logged on, but if you didn’t have them there beforehand, and those keys aren’t currently applied to the user’s profile, then the method in the blog wouldn’t work. In my test, I just took those 3 steps and modified them, and all was well.
I did a find / replace. HKEY_LOCAL_MACHINE\defuser -> HKEY_CURRENT_USER
Then placed those 3 steps in the upgrade TS. The LockScreen I wanted then applied after IPU instead of the blue screen, or windows default.
Since odds are good you’ll be doing the IPU when a user isn’t logged on, I’d recommend just doing it all via group policy.
We are deploying Windows 10 1803 with the cumulative update from August. We are applying a PowerShell script:
#LockScreen
takeown /f C:\Windows\Web\Screen\*.*
icacls C:\Windows\Web\Screen\*.* /Grant 'System:(F)'
Remove-Item C:\Windows\Web\Screen\*.*
Copy-Item $PSScriptRoot\CustomImages\LockScreen\*.* C:\Windows\Web\Screen
We have GPO which is forcing LockScreen to registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization and under lockScreen we are applying C:\Windows\Web\Screen\img101.jpg
Whenever I apply Windows updates from the Task Sequence or inject offline servicing updates, I end up with the lock screen missing and showing a dark blueish color. I do not know what I am missing. Please help.
Have you tested with 1809? If you use unpatched GA released 1803, it works fine? I’m guessing there is a bug in 1803. I haven’t done any testing with 1803, as we skipped 1803 release.
I have a few questions on this. First, I’m using Windows 10 Pro. I know I shouldn’t but we’re a non-profit and can’t afford enterprise/education at this time.
1. You take ownership of the windows\web\screen directory in the first step. You don’t put it back, that’s okay?
2. We’re copying the files to overwrite 100 and 105 but I don’t see a setting to change it from “spotlight” to “Picture” or does disabling spotlight automatically choose “picture”?
3. It is updating for a default user, but I was hoping to run this task sequence for people who are already setup and running. You mention in the comments changing to HKEY_CURRENT_USER but they have to be logged in for that to work.
You mentioned running it via GPO but I can’t run SCCM task sequences in GPO, right? so do I create a .BAT file instead and run that via GPO?
4. For windows 7 we run a simple file copy to copy the file to the system for the boot screen. Now that this TS takes ownership of the windows\web\screen directory can we do a simple file copy whenever we decide to change the logon/lock screen picture?
1) Yep, it’s not a problem, no need to restore original permissions.
2) Yes, if you disable spotlight, it should default to the picture.
3) You would not use a TS for this at all, it would all be done via Group Policy Preferences. You could create a batch file as well that ran under user context, just depends on what works best for your env.
4) Yes, that sounds correct.
Hi Gary,
I’m new to deploying Windows and have been playing around with Task Sequence. I came across this article and decided to give it a shot. Had a few questions. In what part of the Task Sequence should I place your tweaks? My default Task Sequence has 7 Folders. Initialization, Validation, State Capture, Preinstall, Install, Post Install, and State Restore. I placed them in the State Restore phase of the Task Sequence and it failed. Before I dig too deep into the issue I thought I’d ask. Thanks.
Are you using native MDT or CM with MDT? The steps would be located anytime after the OS is installed and the TS is running in Windows.
Thanks for the quick reply. I’m using Deployment Workbench… Not sure if that’s the same or not.