Windows - Enterprise Branding - Set Login Screen Background

What the Login Screen Background Configurator does

This Automox Worklet™ configures a custom background image for the Windows login screen (lock screen) on Windows 8.1 and later endpoints. The Worklet downloads an image from a specified URL, caches it locally, and configures the appropriate registry settings for both Windows Professional and Enterprise editions.

The Worklet stores the downloaded image in the Automox agent cache directory at C:\ProgramData\amagent\WorkletCache\Enterprise-Branding. It supports JPEG, PNG, BMP, GIF, and TIFF image formats, automatically detecting the format from the downloaded content.

Registry configuration differs between Windows editions. For Enterprise, the Worklet uses Software\Policies\Microsoft\Windows\Personalization with LockScreenImage and NoChangingLockScreen values. For Professional, it uses SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP with LockScreenImagePath.

Why configure login screen branding

Organizations struggle to display compliance notices and security warnings before users authenticate. The default Windows login screen provides no way to communicate acceptable use policies or emergency contact information to users who approach locked or logged-out endpoints.

Customizing the login screen solves this challenge by displaying critical information before authentication occurs. Unlike desktop wallpaper, login screen content appears to anyone who approaches the endpoint, making it ideal for legal notices, branding requirements, or security warnings that must be visible before access is granted.

The Worklet can optionally lock the login screen image to prevent users from changing it. This setting maintains consistent branding across the organization and preserves the visibility of any compliance or security messages displayed on the login screen.

How login screen configuration works

1. Evaluation phase: The Worklet verifies that the cache directory exists, checks for the presence of the cached image file (AX-LockScreen.*), and validates the registry configuration. It checks both Enterprise and Professional registry paths for the correct LockScreenImage/LockScreenImagePath values pointing to the cached image, and verifies the NoChangingLockScreen setting matches the desired configuration.

2. Remediation phase: The Worklet creates the cache directory if needed, validates DNS resolution and port connectivity to the image URL, downloads the image using System.Net.WebClient, detects the image format, and saves it to the cache. It then creates or updates the registry keys for both Enterprise and Professional editions, setting the LockScreenImage/LockScreenImagePath to the cached image path and configuring NoChangingLockScreen based on the AllowLockScreenImageChange parameter.

Login screen configuration requirements

• Windows 8.1 or later (Professional or Enterprise edition)

• Windows must be activated (Worklet will not function on unactivated systems)

• Network access to the image URL from the endpoint

• Image must be JPEG, PNG, BMP, GIF, or TIFF format

• Logout or reboot required for changes to take effect

Expected login screen appearance after remediation

After remediation and a user logout or system reboot, you can expect these specific outcomes:

• The custom image appears as the Windows login screen background

• The cached image exists at C:\ProgramData\amagent\WorkletCache\Enterprise-Branding\AX-LockScreen.*

• Registry values in HKLM\Software\Policies\Microsoft\Windows\Personalization (Enterprise) or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP (Professional) point to the cached image

• If NoChangingLockScreen is enabled, users cannot change the lock screen image through Windows Settings

To update the login screen image, modify the ImageURL parameter and run the Worklet again.

How to validate set login screen background changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for set login screen background.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Enterprise-Branding, Write-Verbose, AX-LockScreen.

4. Validate remediation effects from script operations such as Add-Type, Enterprise-Branding, Write-Verbose, then rerun evaluation for compliance.