Windows
View all Worklets
WindowsWindows

Windows - Enterprise Branding - Set Desktop Background for All Users

Enforce a designated desktop wallpaper for every user profile on Windows endpoints from a remote image URL

Worklet Details

What the Windows wallpaper enforcer does

This Automox Worklet™ enforces a single desktop wallpaper across every user profile on a Windows endpoint. The Worklet downloads an image from the URL you configure, caches it under %SYSTEMROOT%\Web\Wallpaper\AXBackground, and writes the Wallpaper and WallpaperStyle values into every user SID hive under HKEY_USERS that is currently loaded. The result is a consistent corporate background that persists across logoffs and policy redeploys; endpoints with previously unloaded user hives are covered on the next policy run after those users log in.

The Worklet reads two parameters from the policy: ImageURL and WallpaperStyle. ImageURL must resolve to a BMP, GIF, JPEG, PNG, or TIFF asset; the remediation script detects the format from the byte stream via System.Drawing.Imaging.ImageFormat and saves the file with the correct extension. WallpaperStyle is an integer matching the standard Windows positioning options: 0 Center, 1 Tile, 2 Stretch, 3 Fit, 4 Fill, 5 Span. Stretch (2) is the default and matches the group policy reference at admx.help.

Enumeration is hive-aware. The script opens HKEY_USERS via Microsoft.Win32.RegistryKey::OpenBaseKey with the correct 32-bit or 64-bit registry view, then filters out the well-known service accounts S-1-5-18, S-1-5-19, S-1-5-20, the .DEFAULT key, and any _Classes subhives. Only real interactive user SIDs receive the policy. Every remediation run downloads the image fresh and writes all registry values; the evaluation phase determines whether remediation is needed at all.

Why enforce a wallpaper baseline at fleet scale

A wallpaper looks cosmetic until you treat it as a passive communication channel. Help desk phone numbers, ticket portal URLs, classification banners, and security awareness reminders displayed on every desktop reach end users who never read email and never browse the intranet. Shared workstations, kiosks, and lab endpoints also need a visible signal that the endpoint is corporate-managed; without it, users cannot tell organization endpoints from personal ones, which weakens acceptable use enforcement. Default Windows builds and reimages routinely revert to the Microsoft stock background, so the baseline drifts the moment a tech rebuilds an endpoint.

Wallpaper drift on Windows is easy to miss. A user can override the wallpaper through Personalization settings, or a feature update can reset the Control Panel\Desktop values without warning. Scheduling this Worklet against the Windows estate enforces the wallpaper baseline on every evaluation, so a reverted desktop is caught and re-applied on the next policy run. Each run targets every loaded HKEY_USERS hive across every endpoint in scope.

How Windows wallpaper enforcement works

  1. Evaluation phase: The Worklet checks for the cached image at %SYSTEMROOT%\Web\Wallpaper\AXBackground.* with Test-Path and exits 2 (FILE_NOT_FOUND) if the file is missing. It then opens HKEY_USERS through Microsoft.Win32.RegistryKey::OpenBaseKey on the correct registry view (Registry64 on 64-bit systems, Registry32 otherwise), filters out service SIDs and _Classes hives, and inspects SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System under each remaining user SID. A missing registry key exits 3 (PATH_NOT_FOUND). A Wallpaper value that does not match the cached path, or a WallpaperStyle value that does not match the configured integer, exits 13 (INVALID_DATA). Either non-zero exit code flags the endpoint for remediation.

  2. Remediation phase: The script creates %SYSTEMROOT%\Web\Wallpaper if it does not already exist, then uses System.Net.WebClient.DownloadData to fetch the image bytes from ImageURL. It loads the bytes through System.IO.MemoryStream into System.Drawing.Image, reads RawFormat to pick the correct file extension (bmp, gif, jpeg, png, tiff), and writes the file to AXBackground.<ext>. An invalid format exits 87 (INVALID_PARAMETER). The script then reopens HKEY_USERS with write access, creates the Policies\System subkey for any SID where it is missing, and writes the Wallpaper (full image path) and WallpaperStyle (integer 0–5) string values into every qualifying user hive before exiting 0.

Windows wallpaper enforcement requirements

  • Windows 8.1, Windows 10, Windows 11, or Windows Server 2012 R2 and later

  • PowerShell 5.1 or later with .NET access to System.Drawing and System.Net.WebClient (default on supported Windows builds)

  • Administrative privileges for the Automox agent so it can write to HKEY_USERS and %SYSTEMROOT%\Web\Wallpaper (the default agent context meets this)

  • Network reachability from every targeted endpoint to the ImageURL host; internal mirrors are recommended over public CDNs for compliance traceability

  • Image asset in BMP, GIF, JPEG, PNG, or TIFF format; other formats exit with code 87 (INVALID_PARAMETER)

  • Set ImageURL and WallpaperStyle in the policy. ImageURL is a fully qualified https URL; WallpaperStyle is an integer 0–5 corresponding to Center, Tile, Stretch, Fit, Fill, Span

  • Existing GPO or Intune wallpaper policy must be removed or set to Not Configured; conflicting policy will overwrite the registry values the Worklet writes

Expected state after Windows wallpaper enforcement

After remediation, %SYSTEMROOT%\Web\Wallpaper\AXBackground.<ext> contains the downloaded image, and every interactive user SID under HKEY_USERS has Wallpaper set to that full path and WallpaperStyle set to the configured value under SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The wallpaper is visible on the next user logon or after the affected user runs RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters from an active session. Subsequent Automox policy runs report the endpoint as compliant without re-downloading the image, because the evaluation phase finds the cached file and the registry values intact.

Validate by spot-checking a sample SID with reg query "HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper and confirming the path matches AXBackground.<ext>. Confirm Automox activity logs show exit code 0 with the message Wallpaper configuration complete, exiting. To update the corporate image fleet-wide, delete the cached AXBackground file from each endpoint (or change the filename scheme) and rerun: the evaluation phase will detect the missing cached file and trigger a fresh download everywhere. To unwind the enforcement, remove the policy and clear the two registry values; the cached image file at AXBackground.<ext> can be deleted safely once no user SID still references it.

View in app
evalutation image
remediation image

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.

do more with worklets