I received a request from a client to deploy their organization’s wallpaper and lock screen image across all domain-joined workstations, including laptops that connect via VPN.
I have created a GPO that covers both scenarios. It’s a tested policy that is working effectively on the target systems/users. Let me share the policy details, which can save you some time if you receive a similar request.
For domain-joined PCs that are not in the office and connect occasionally via VPN, I have used a wallpaper.bat file, which is copied to the user’s desktop. I have also set a RUN registry key that will execute this file every time the PC restarts. I will guide you on how to set this up with screenshots, but first, let’s create a bat file named wallpaper.bat and save it in the sysvol folder.
Table of Contents
1. Prepare Wallpaper.bat file
The first step is to prepare the wallpaper.bat file. Copy the code below and paste it into a file named wallpaper.bat. Make the necessary changes in the file.
- copyfrom = Update this variable to point it to a location where your Wallpaper file is stored. It’s convenient to store a wallpaper in the NETLOGON folder which is generally accessible from all Active directory domain-joined PCs.
- Update the Name of the wallpaper file wherever necessary in this bat file.
@ECHO OFF set wallpaper=C:\wallpaper set copyfrom=\\<domainname>\NETLOGON\PAMDesktop.jpg IF EXIST "%wallpaper%\PAMDesktop.jpg" ( EXIT ) ELSE ( MKDIR %wallpaper% xcopy "%copyfrom%" "%wallpaper%" /k/y )
2. Create a Group Policy Object (GPO)
The next step is to create a Group Policy Object in Active Directory using the following steps:
- Login on a Domain Controller and Open Group Policy Management Console
- Navigate to the Group Policy Objects folder and right-click on it, Select New.
- Provide a Name. For Example DesktopWall and ScreenLock and click on OK.
- Once the GPO is created, Right-click on it and select Edit.
3. Copy the Wallpaper on User’s Devices
To copy our wallpaper to each PC at C:\wallpaper location, we will use the wallpaper.bat file created earlier and deploy it using this GPO by configuring a Startup script. Follow the steps below to add a Startup script.
- Go to Computer Configuration -> Policies -> Windows Settings -> Scripts
- Double-click on Startup and then Click on the Add button.
- Browse to Wallpaper.bat file.
4. Configure Desktop and Lock Screen Wallpaper in GPO
In this step, we will configure Desktop and Lock screen wallpaper in the same GPO we created before: DesktopWall and ScreenLock.
Configure Lock Screen Wallpaper
We can target the lock screen to C:\wallpaper\PAMdesktop.jpg, as the startup script is going to copy the wallpaper from the source location to this folder.
The local path is preferable as it has no dependency on the server and will work even if there is no connection to the server, benefiting the PCs that are domain-joined and connect via VPN.
To configure Lock Screen Wallpaper, follow below steps:
- Go to Computer Configuration > Administrative Templates > Control Panel > Personalization
- On the right-hand side, Find “Force a specific default lock screen image” setting and set it to Enabled.
- In the Path to the lock screen image, Provide C:\wallpaper\PAMDesktop.jpg path.
Configure Desktop Wallpaper
We will target the desktop wallpaper to the same location as the lock screen image, as we want to keep both the same. If you want to have a different desktop wallpaper than the lock screen, you can modify the bat file to copy the desktop wallpaper to the C:\wallpaper location and provide the path and name of that wallpaper in the below policy setting.
To configure Desktop Wallpaper, follow the below steps:
- Go to User Configuration > Policies > Desktop > Desktop
- On the right-hand side, Find the “Desktop Wallpaper” setting and set it to Enabled.
- Wallpaper Name: C:\wallpaper\PAMDesktop.jpg path.
- Wallpaper Style: Fill
That’s it, Our Desktop and Lock Screen wallpaper is configured in the GPO. Now, let’s link the GPO to an OU so that it can be deployed on devices.
5. Group Policy Scope and Linking
- Security Filtering: Add Authenticated Users and Domain Computers under Security Filtering of this GPO.
- Link this GPO to an OU container’s Users and Computers.
That’s it! Desktop and Lock screen wallpaper have been configured for users. There is no further action required. However, if you have a remote user scenario and you want to ensure that those users also get a new Desktop and Lock screen as per the deployment, you can follow the guidance in the next steps:
Deploy Desktop and Lock Screen Wallpaper (In a VPN Scenario)
Copy the wallpaper.bat file on Uses Devices
The following steps are necessary to ensure that remote users who are not connected to the office network most of the time also get the new Desktop and Lock screen wallpaper.
This includes users working from domain-joined Windows 10/11 PCs at home. The startup script might not work for offline clients; therefore, this step will copy the wallpaper.bat file to users desktops.
We used the wallpaper.bat file as a startup script to copy necessary wallpaper files to users devices. However, when users do not often connect to the office network or face network issues, the startup script may not execute.
Either you can provide Wallpaper.bat file to the user so that they can double-click on it and manually Execute it to fetch the wallpapers or you can also create a GPO that will copy Wallpaper. bat file from a shared location accessible from the device.
Manually invoking the wallpaper.bat file will create a folder called “wallpaper” in their C:\ drive and copy the wallpaper from copyfrom location configured in the script.
Let’s check the steps to Copy Wallpaper.bat file using a GPO.
Go to User configuration -> Preferences -> Windows Settings -> Files
Source file: Provide the UNC path where the wallpaper.bat file is located. Please ensure that all users have full permissions on this folder. I suggest creating a shared folder on a server, granting everyone full control (both share permission and NTFS permission), and copying the wallpaper.bat file to this location. Provide the UNC path in the source file(s) textbox.
Destination file: Provide a destination path to download the script file from the Source location.
Now comes the execution part where you can instruct the users to execute the wallpaper.bat file manually. However, to avoid this step, you can create a RUN registry entry and provide the path to this batch file. On every reboot, Windows will execute the wallpaper.bat file from the location provided in the Run registry key.
Configure Execution of Wallpaper.bat file
Create an Entry in the RUN reg key to run the bat file automatically:
The Run registry key location is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Let’s configure it via a GPO.
- Go to Computer Configuration -> Preferences -> Registry -> Create a registry Item
- Action: Update
- Hive: HKEY_LOCAL_MACHINE
- Key Path: /SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value Name: Wallpaper
- Value type: REG_SZ
- Value data: C:\users\%username%\desktop\wallpaper.bat
Loopback Processing Mode:
Make sure Loopback processing mode is set to Merge in the same policy:
- Go to Computer Configuration -> Administrative Templates -> System -> Group Policy
- Configure user Group Policy loopback processing mode -> Enabled and set it to Merge.
Group Policy Troubleshooting
If there are any issues with the GPO, you can follow the steps below to troubleshoot.
- Make sure the Domain Controllers are replicated after creating the group policy or after making any changes in the group policy. To force Active Directory replication, open the command prompt as an administrator and run
repadmin /syncall /APed.
gupdate /forcecommand on the workstation to force Sync any policy changes.
- Run the command
gpresult /r /v | moreto find out if the policy DesktopWall and ScreenLock have been applied on the workstation. This will only show user configuration policy settings.
- To check the computer configuration policy, open the command prompt as an administrator and run the command
gpresult /r /v /scope computer | more.
Gpresult User Configuration Policy
Gpresult Computer Configuration Policy