Windows 10, Windows 11

Bypass Windows Restrictions: Non-Enterprise Personalization with PowerShell + GPO Tips

🖥️ Why Branding Your Windows Endpoints Matters

The personalization and branding of the Windows endpoints in your organization is important. It looks more professional and should be consistent. In Windows we can manage all of this with Group Policy, that is, if your business didn’t buy Windows 10 Home or Pro licenses. Windows 10 makes customizing the look a bit complicated for Non-Enterprise SKUs. Here are the main GPOs:

⚙️ Group Policies for Personalization

Below are key GPO paths and their associated file locations for managing Windows visuals:

✨ Windows Spotlight

  • GPO Path: User Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off all Windows spotlight features
  • Asset Path: C:\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets

🔒 Lock Screen & Logon Image

  • GPO Path: Computer Configuration > Administrative Templates > Control Panel > Personalization > Force a specific default lock screen and logon image
  • Asset Path: C:\Windows\Web\Screen

🖼️ Desktop Wallpaper

  • GPO Path: User Configuration > Administrative Templates > Desktop > Desktop > Desktop Wallpaper
  • Asset Path: C:\Windows\Web\Wallpaper\Windows

🔐 Secure Sign-in Background

  • GPO Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon: Do not require CTRL+ALT+DEL

👤 User Account Pictures

  • GPO Path: Computer Configuration > Administrative Templates > User Accounts > Apply the default account picture to all users
  • Asset Path: C:\ProgramData\Microsoft\User Account Pictures

💡 Note: The “Force a specific default lock screen and logon image” policy is not supported on Home or Pro editions, limiting your branding options without a workaround.

🧪 What the PowerShell Script Does

After extensive testing and tweaks, I created a PowerShell script that bypasses these GPO limitations on Windows 10 Home and Pro. It’s not an official Microsoft solution but works reliably when deployed through an RMM tool.

📦 Ensure your image assets are in the script’s execution directory.

✅ This script will:

  • Enable secure sign-in (Ctrl + Alt + Del requirement)
  • Set custom lock screen and desktop wallpapers
  • Disable the default Windows sign-in background
  • Turn off Windows Spotlight for all users
  • Apply a default user account image
  • Replace default account pictures with your custom assets

🚀 Deploying Group Policies Without a Domain

For non-domain environments, you can still manage GPOs using LGPO (Local Group Policy Object Utility) and RMM deployment.

🛠️ Steps:

  1. Use gpedit.msc to configure settings on your source machine.
  2. Run gpupdate /force to confirm changes.
  3. Copy the following files to a USB or shared location (e.g., D:\GPOsExport):
    • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
    • C:\Windows\System32\GroupPolicy\User\Registry.pol
  4. Deploy to the target machine using:
BAT (Batchfile)
LGPO /m "D:\GPOsExport\GroupPolicy\Machine\Registry.pol"
LGPO /u "D:\GPOsExport\GroupPolicy\User\Registry.pol"

💬 These steps provide a strong foundation for scripting GPO deployment via PowerShell as well.

    💻 PowerShell Script: Apply Custom Branding

    Paste the following script into your RMM tool or PowerShell window to apply your branding:

    PowerShell
    $WindowsVersion = [System.Environment]::OSVersion.Version.Major
$ExecutingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
 
# Create Directory and Copy Wallpaper.
New-Item -Path "$env:SystemRoot\System32\oobe\info\backgrounds" -ItemType Directory -Force
Move-Item -Path "$ExecutingScriptDirectory\BackgroundDefault.jpg" -Destination 'C:\Windows\System32\oobe\info\backgrounds' -Force
 
 
$LockScreenImage = "C:\Windows\System32\oobe\info\backgrounds\BackgroundDefault.jpg"
    if ($WindowsVersion -eq 6) {
        Remove-Item -Path 'C:\Windows\System32\oobe\info\backgrounds\*' -Force
        $LockScreenDestination = 'C:\Windows\System32\oobe\info\backgrounds\BackgroundDefault.jpg'
        Copy-Item $LockScreenImage $LockScreenDestination -Force
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" -Name "OEMBackground" -Value 1 -Force
    } elseif ($WindowsVersion -eq 10) {
        New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC" -Name "SetEduPolicies" -Value 1 -PropertyType DWORD -Force | Out-Null
        $RegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"
        if (!(Test-Path $RegKeyPath)) {
            New-Item -Path $RegKeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $RegKeyPath -Name "LockScreenImageStatus" -Value 1 -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name "LockScreenImagePath" -Value $LockScreenImage -PropertyType STRING -Force | Out-Null
        New-ItemProperty -Path $RegKeyPath -Name "LockScreenImageUrl" -Value $LockScreenImage -PropertyType STRING -Force | Out-Null
            # In case you want to force a corporate desktop image
            $DesktopImageValue = "C:\Windows\System32\oobe\info\backgrounds\BackgroundDefault.jpg"
            New-ItemProperty -Path $RegKeyPath -Name "DesktopImageStatus" -Value 1 -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $RegKeyPath -Name "DesktopImagePath" -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
            New-ItemProperty -Path $RegKeyPath -Name "DesktopImageUrl" -Value $DesktopImageValue -PropertyType STRING -Force | Out-Null
        # Disable Windows 10 Spotlight for all users
        New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
        $RegArray = Get-ChildItem -Directory -Name "HKU:"
        foreach ($RegItem in $RegArray) {
            $RegPath = "HKU:\$RegItem\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
            Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenEnabled" -Value 0 -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenOverlayEnabled" -Value 0 -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $RegPath -Name "ContentDeliveryAllowed" -Value 0 -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338388Enabled" -Value 0 -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338389Enabled" -Value 0 -Force -ErrorAction SilentlyContinue
        }
               # Disable Windows 10 Sign-in Background
               Get-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" | New-ItemProperty -Name "DisableLogonBackgroundImage" -Value 1 -Force -ErrorAction SilentlyContinue
 
               # Enable Secure Sign-in
               Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | New-ItemProperty -Name "DisableCAD" -Value 0 -Force -ErrorAction SilentlyContinue
               Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
               Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
               Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
 
               # Backup Account Pictures 
               New-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\default" -ItemType Directory -Force
               Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
               Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
               Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user-32.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
               Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user-40.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
               Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user-48.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
               Move-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user-192.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures\default' -Force
 
               # Copy Custom Account Pictures
               Move-Item -Path "$ExecutingScriptDirectory\user.bmp" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
               Move-Item -Path "$ExecutingScriptDirectory\user.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
               Move-Item -Path "$ExecutingScriptDirectory\user-32.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
               Move-Item -Path "$ExecutingScriptDirectory\user-40.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
               Move-Item -Path "$ExecutingScriptDirectory\user-48.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
               Move-Item -Path "$ExecutingScriptDirectory\user-192.png" -Destination 'C:\ProgramData\Microsoft\User Account Pictures' -Force
                
               # Apply Default User Picture For All Users in Windows 10
               New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "UseDefaultTile" -Value 1 -Force -ErrorAction SilentlyContinue
 
           # Disable Windows 10 Spotlight for current user (in case the 'all users' portion skipped the current user due to a permissions error)
           $RegPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
           Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenEnabled" -Value 0 -Force -ErrorAction SilentlyContinue
           Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenOverlayEnabled" -Value 0 -Force -ErrorAction SilentlyContinue
           Set-ItemProperty -Path $RegPath -Name "ContentDeliveryAllowed" -Value 0 -Force -ErrorAction SilentlyContinue
           Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338388Enabled" -Value 0 -Force -ErrorAction SilentlyContinue
           Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338389Enabled" -Value 0 -Force -ErrorAction SilentlyContinue
    }

    🧹 Removal Script: Revert All Changes

    Always have a way to roll things back. This PowerShell script restores the default Windows settings, undoing all branding changes made by the primary script.

    PowerShell
    $WindowsVersion = [System.Environment]::OSVersion.Version.Major
$ExecutingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
 
    if ($WindowsVersion -eq 6) {
        Remove-Item -Path 'C:\Windows\System32\oobe\info\backgrounds\*' -Force
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" -Name "OEMBackground" -Value 1 -Force
    } elseif ($WindowsVersion -eq 10) {
        New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC" -Name "SetEduPolicies" -Value 1 -PropertyType DWORD -Force | Out-Null
        $RegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"
        if (!(Test-Path $RegKeyPath)) {
            New-Item -Path $RegKeyPath -Force | Out-Null
        }
        Remove-ItemProperty -Path $RegKeyPath -Name "LockScreenImageStatus" -Force | Out-Null
        Remove-ItemProperty -Path $RegKeyPath -Name "LockScreenImagePath" -Force | Out-Null
        Remove-ItemProperty -Path $RegKeyPath -Name "LockScreenImageUrl" -Force | Out-Null
            # In case you want to remove a corporate desktop image
            $DesktopImageValue = "C:\Windows\System32\oobe\info\backgrounds\BackgroundDefault.jpg"
            Remove-ItemProperty -Path $RegKeyPath -Name "DesktopImageStatus" -Force | Out-Null
            Remove-ItemProperty -Path $RegKeyPath -Name "DesktopImagePath" -Force | Out-Null
            Remove-ItemProperty -Path $RegKeyPath -Name "DesktopImageUrl" -Force | Out-Null
        # Disable Windows 10 Spotlight for all users
        New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
        $RegArray = Get-ChildItem -Directory -Name "HKU:"
        foreach ($RegItem in $RegArray) {
            $RegPath = "HKU:\$RegItem\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
            Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenEnabled" -Value 1 -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenOverlayEnabled" -Value 1 -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $RegPath -Name "ContentDeliveryAllowed" -Value 1 -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338388Enabled" -Value 1 -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338389Enabled" -Value 1 -Force -ErrorAction SilentlyContinue
        }
               # Enable Windows 10 Sign-in Background
               Get-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" | Remove-ItemProperty -Name "DisableLogonBackgroundImage" -Force -ErrorAction SilentlyContinue
 
               # Disable Secure Sign-in
               Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | Remove-ItemProperty -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
               Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
               Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
               Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -Force -ErrorAction SilentlyContinue
 
               
           # Enable Windows 10 Spotlight for current user (in case the 'all users' portion skipped the current user due to a permissions error)
           $RegPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
           Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenEnabled" -Value 1 -Force -ErrorAction SilentlyContinue
           Set-ItemProperty -Path $RegPath -Name "RotatingLockScreenOverlayEnabled" -Value 1 -Force -ErrorAction SilentlyContinue
           Set-ItemProperty -Path $RegPath -Name "ContentDeliveryAllowed" -Value 1 -Force -ErrorAction SilentlyContinue
           Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338388Enabled" -Value 1 -Force -ErrorAction SilentlyContinue
           Set-ItemProperty -Path $RegPath -Name "SubscribedContent-338389Enabled" -Value 1 -Force -ErrorAction SilentlyContinue
    }

    ✅ Conclusion

    Customizing Windows branding on Home and Pro editions has long been restricted, but this workaround lets you enforce consistency without an Enterprise license. While Microsoft may have tried to limit this flexibility, the power of community-driven solutions proves once again that where there’s a will, there’s a way.

    💪 The battle for control over your endpoints’ appearance has been won — by you.

    🌿 Final Thoughts

    Customizing and branding Windows endpoints—especially on Home and Pro editions—can feel unnecessarily restrictive, but with a bit of persistence and PowerShell wizardry, it is possible to achieve professional results. While Microsoft limits certain features to Enterprise SKUs, this script-based approach provides a reliable workaround for consistent visual branding across your organization.

    Whether you’re supporting a small business, managing endpoints via RMM, or just tired of default lock screens, these methods offer control, clarity, and cohesion. As always, thoroughly test on a non-production device before large-scale deployment, and keep a rollback plan handy.

    In the end, it’s not just about aesthetics—it’s about providing a polished, secure, and user-friendly environment.

    /1 Comment/by
    1 reply

    Leave a Reply

    Want to join the discussion?
    Feel free to contribute!

    Leave a Reply

    Your email address will not be published. Required fields are marked *