I’ve deployed corporate desktops since Windows 95 and I can’t recall a single client that wanted us to build desktops with the default Microsoft-provided images. As Microsoft released new versions of Windows, they introduced new components that clients wanted customized as well: first the lock screen when the NT line rolled out, then the Help & Support page when 2000 became popular, and recently the Account Profile image Vista showcased when it made its brief appearance. With the exception of the Modern UI Start Screen, Windows 8 hasn’t visually built too much on the customizable areas that Windows 7 had, but there are some interesting under-the-hood changes that make reliance on the legacy methods difficult. In this article, I’ll cover all the areas of customization and the best practices for configuration.
One of the biggest changes administrators will notice is the level of lock-down on many of the system folders that contain branding components. This actually only happens after Windows 8 completes the setup process, and in combination with the dependence on the local administrator’s profile to create the default user’s profile, if your branding strategy has thus far been a layering effort after setup, your job gets a lot harder. For this reason, you’ll want to change most of your branding from post-Windows setup, to pre-Windows setup. Additionally, if you are currently branding everything all at once with a single process, you’ll want to consider breaking it up into different components.
There are a few assumptions this article makes. The first is that you are not deploying desktops “from the ground up”, i.e., you are not installing Windows 8 each time using the SETUP.EXE; rather, you adhere to best practices and have a “thin” or “hybrid” image which is periodically updated to roll in service packs and hotfixes and serves as the foundation for your builds. The second is that you are using a combination of Microsoft platforms to deploy and manage, namely SCCM 2012 SP1 or MDT 2012 Update 1 (“SCCM/MDT”) and Active Directory respectively. This is because the best time to implement your branding is after the WinPE portion of the deployment has completed configuring the Windows setup environment, but before the computer boots into the native OS for the mini-setup portion of the build; “off-line servicing” if you will. Taking that into consideration, all references in this article to locally placed files reference the native Windows installation. During the WinPE phase, you may need to discover what that drive letter is, and as such, replace the listed question mark (“?:\”) with the correct letter. Lastly, I make the assumption that your process is either Lite-Touch or Zero-Touch, as these scenarios offer you the ability to customize the information being branded to better match your target user. If your build environment differs from this, it isn’t a big deal as you can still incorporate the components in whatever form your environment requires.
Windows setup uses an answer file (“unattend.xml”) twice to automate installation: once during the initial SETUP.EXE phase, and once during the post-sysprep mini-setup phase. This is a critical component in complete branding as it includes native settings to handle much of the text-based configuration. It is also somewhat dynamic in that SCCM/MDT can update the unattend.xml during the build process with discovered information, thereby limiting the amount of additional scripting an administrator needs to do and resulting in branding more tailored for the intended recipient. If you are not completely familiar with the unattend.xml and how it works, make sure you download the Windows 8 ADK so you have access to the Windows System Image Manager (Windows SIM). Also ensure you are familiar with the different configuration passes Windows makes during setup so you can place information correctly. I’ll cover where you can use the unattend.xml within the following Areas of Branding, and when referencing the subcomponents therein, I’ll be using the placeholder “xxxxx” instead of the individual component’s “amd64”, “wow64” or “x86” descriptor; you will need to adjust to match your environment.
Group Policy also plays a role, a minor and optional role, but one all the same. You can use Group Policies to change your branding from “default but changeable” to “mandatory” for your desktops. I’ll cover where you can implement Group Policy options when applicable.
Lastly, good old scripting. This is the workhorse for your branding efforts, and serves as the backbone of most deployment mechanisms. For almost every single configuration area, you’ll find yourself scripting a delivery method.
The Default User’s Profile
I will talk more about this in the upcoming sections, but in addition to branding overall system areas, much of the branding happens within the user profile area. Because of this, it is important to understand what the “default user” (the non-existent user profile which forms the base for all future created user profiles) is. Different versions of Windows have had different methods of configuring this profile during a deployment scenario, but starting with Windows Vista, Microsoft focused on using the Local Administrator’s profile as the template. In a deployment, that profile is configured as desired prior to the mini-setup. It is not, however, the default behavior of Windows setup to use any template profile as the basis of future profiles. If you do not tell Windows specifically to do this, Windows will instead create a new generic profile based on settings found in a few different places. There is also only one way to tell Windows to use the local administrator’s profile as the default user template, and this is from the unattend.xml file.
Make sure this is set or you will have unexpected results with each new user.
The Native OS Registry
Many areas will require you to make changes to the native Windows registry, which isn’t immediately accessible when you are in WinPE. You can load these registry hives while in WinPE using the REG command. The two files you will need are:
- The native HKLM SOFTWARE hive:
- The default user HKU hive:
To differentiate these loaded hives from the native, I’ll reference them as HKLM\WIN8LM and HKLM\WIN8U respectively.
Be aware that some areas of customization are not available, or are not used even if configured, until Windows is activated. Those areas are noted in the following sections.
Areas Of Branding
There are five areas of branding available to you in Windows 8:
With little exception, any time you manually install Windows or any application, they ask you for the Owner and Company name. When configured for Windows, this information serves as the default information for not only future application installations, but any time a user or company name is required. There are two locations to set organization information, one being the general Windows configuration, and the second being the IE configuration. Even if you’re not using IE as your desktop’s primary browser, its full integration with the OS means that many built-in components and third party applications will pull information from the IE settings so it is best to include the information there. This area also includes a generic Home Page URL location. It is a bit of a throw-back to the old days of single-windowed browsing, and most multi-tabbed browsers allow you to set multiple home pages, but this can still serve as go-to information for some components and is a good place to put your corporate support URL.
Configuration via Unattend.xml
This is the preferred and cleanest method for setting the information, and for the general Windows owner and company information, it can be set within the Generalize, Specialize, and OobeSystem sections, as appropriate for when you are applying your unattend.xml.
Configuration via Direct Registry Edit
Depending on your desktop deployment build process, you may find it preferable to set this information via a direct registry edit.
• CompanyName (REG_SZ)
• Home_Page (REG_SZ)
• RegisteredOrganization (REG_SZ)
• RegisteredOwner (REG_SZ)
Although image branding (desktop / lock screen) is the most visible, OEM branding is much more integrated and gives companies the ability to customize the information displayed to the user when the Settings\Control Panel\System page (System page) is displayed. OEM Branding falls into two styles, which for this article I’ll reference as “Standard” and “Help Customized”. Figure: OEM Branding shows a typical “Standard” configuration. Under the “System” section, the user is presented with the corporate logo, as well as information for Manufacturer and Model. Below, in a section named after your Manufacturer information, are a Phone Number, Support Hours and the Website URL. “Help Customized” (no image shown) is a bit more complicated and outside the scope of this article, but summarized, it involves developing your own Help & Support file which integrates with Windows Help. When this approach is taken, the only thing the System page displays is your corporate logo with a Support Information link below it that, when clicked, opens the custom help file. You can find more information on developing custom Help & Support content on TechNet.
Configuration via Unattend.xml
This is the preferred and cleanest method for setting the information. There are a few items to note here. First, do not set HelpCustomized (or set it to False) or you will wind up with the “Help Customized” configuration as described above. Second, the Logo field needs a full path and file name to your corporate image (see “Required File System Changes” below). This can be either a hard-coded path (e.g., “C:\Windows\…“) or a variable-coded path (e.g., “%WinDir%\…“). The remaining fields are written without validation, so anything you add to the fields will be displayed as-is, with the exception of SupportURL which will become the link’s target.
Configuration via Direct Registry Edit
Depending on your desktop deployment build process, you may find it preferable to set this information via a direct registry edit. The same rules that govern the HelpCustomized and Logo entries within the unattend.xml apply to the direct registry placement.
• Logo (REG_EXPAND_SZ)
• Manufacturer (REG_SZ)
• Model (REG_SZ)
• SupportHours (REG_SZ)
• SupportURL (REG_SZ)
• HelpCustomized (REG_DWORD)
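The offline-hive procedure from “The Native OS Registry” applied to the OEM values listed above, as an added example that is not code from the original article. It assumes PowerShell is available in the WinPE image, uses the standard Windows location of the SOFTWARE hive and of the OEMInformation key, and every sample value (drive letter, company data, logo path) is constructed.

```powershell
# Added example (not from the original article): write OEM branding into the
# offline SOFTWARE hive from WinPE, always unloading the hive afterwards.

function Invoke-Reg {
    # Run reg.exe and stop on a non-zero exit code so a failed write is never silent.
    param([string[]]$Arguments)
    & reg.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

function Set-OfflineOemBranding {
    param(
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]:$')][string]$WindowsDrive,
        [Parameter(Mandatory = $true)][hashtable]$Branding
    )

    # Value names and types as listed in the article; anything else is rejected.
    $types = @{
        Logo = 'REG_EXPAND_SZ'; Manufacturer = 'REG_SZ'; Model = 'REG_SZ'
        SupportHours = 'REG_SZ'; SupportURL = 'REG_SZ'; HelpCustomized = 'REG_DWORD'
    }
    foreach ($name in $Branding.Keys) {
        if (-not $types.ContainsKey($name)) { throw "Unknown OEM value '$name'" }
    }

    # The article warns that a non-zero HelpCustomized switches the System page
    # to the "Help Customized" layout.
    if ([int]$Branding['HelpCustomized'] -ne 0) {
        Write-Warning 'HelpCustomized is set: only the logo and a support link will be shown.'
    }

    if ($Branding.ContainsKey('Logo')) {
        $logo = [string]$Branding['Logo']
        # 259-character limit on path plus file name, per the article.
        if ($logo.Length -gt 259) { throw "Logo path is $($logo.Length) characters (limit 259)" }
        # Map a %WinDir% path onto the offline volume to confirm the file was staged.
        $offline = $logo -ireplace '^%WinDir%', "$WindowsDrive\Windows"
        if ($offline -ne $logo -and -not (Test-Path -LiteralPath $offline)) {
            Write-Warning "Logo not found on the offline volume: $offline"
        }
    }

    # Assumption: standard location of the native SOFTWARE hive.
    $hive  = "$WindowsDrive\Windows\System32\config\SOFTWARE"
    $mount = 'HKLM\WIN8LM'   # mount name used throughout the article
    $key   = "$mount\Microsoft\Windows\CurrentVersion\OEMInformation"
    if (-not (Test-Path -LiteralPath $hive)) { throw "Hive not found: $hive" }

    Invoke-Reg @('load', $mount, $hive)
    try {
        foreach ($name in $Branding.Keys) {
            Invoke-Reg @('add', $key, '/v', $name, '/t', $types[$name],
                         '/d', [string]$Branding[$name], '/f')
        }
    }
    finally {
        # A hive left loaded keeps the file locked and loses the edits on reboot.
        Invoke-Reg @('unload', $mount)
    }
}

# Constructed sample values; D: stands in for the discovered "?:" drive.
Set-OfflineOemBranding -WindowsDrive 'D:' -Branding @{
    Manufacturer   = 'Contoso IT'
    Model          = 'Corporate Desktop'
    SupportHours   = 'Mon-Fri 08:00-18:00'
    SupportURL     = 'https://support.contoso.example'
    Logo           = '%WinDir%\Branding\logo.bmp'   # constructed sample path
    HelpCustomized = 0
}
```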
Required File System Changes
Regardless of how you set this information, you will need to include your corporate logo. This image is a 120×120 pixel 32-bit depth BMP file. Although the file can be named and placed anywhere on your local system, there is a 259 character limit to the path and name, so best practice has you storing it in the following location:
You can find more information on the OEMInformation configuration on TechNet.
The approach to the lock screen in Windows 7 was pretty straight forward, making use of the OEM configuration setting to place the image, then setting a value in the registry to ensure usage of the image. This approach still works, but there is also a new method of setting an image that is not tied to OEM configuration, but the default user profile instead. I will cover both methods; they do not conflict with each other so if you use both, you will not have any complications.
Regardless of approach, the images used are the same. Unless you have an extremely homogeneous environment, you will be deploying your desktop image to multiple hardware platforms, and each platform will have a different default resolution. You want your image to look correctly scaled on any resolution it is displayed on, and as such, you will need to create a separate image file for each resolution within your environment. I recommend you start with a “master” image, at a resolution of 1900×1200 pixels, and save this as a JPG file no larger than 256kb. Then for each target platform’s resolution, rework your master image to the new resolution and save it as a new file, again as a JPG and no larger than 256kb.
Of course discovering resolutions for all your models may be time consuming, and it will not take into consideration future resolutions, so you may find it easier to just create some common resolutions, like those listed in the call-out box, and leave it at that. Keep in mind that many users have rotating monitors, which means that your image may be displayed in portrait instead of landscape: 1024×768 is much different than 768×1024.
One final design consideration for the image is the overall background color. Windows uses a white text, so if your image has too light a background, it will be difficult to see the clock/date displayed when the unit is locked.
This approach involves taking all your scaled images and dropping them into a system folder. Windows will automatically pick the best resolution image as the display resolution changes, using a default image if a matching resolution image is not found.
With a copy of all your master images, rename each one to fit the pattern of backgroundWidthxHeight.jpg where Width and Height are replaced with the resolution dimensions (e.g., background1024x768.jpg). Pick one of the images (typically the largest resolution or the one that will scale best if you have not provided an exact match resolution image) and copy it to a new file named backgroundDefault.jpg. Copy all those files to the following location:
After this, you need to update the native registry to instruct Windows to use the OEMBackground:
• OEMBackground=1 (REG_DWORD)
You can lock this down by using Group Policy as well:
Computer Configuration\Administrative Templates\System\Logon
“Always use custom logon background”
Default User Approach
This approach involves taking all your scaled images and dropping them into a user-specific system folder. Windows will automatically search that folder for the file that matches the currently set resolution of the system. If it doesn’t find the file, a solid color is displayed instead.
With a copy of all your master images, rename each one to fit the pattern of LockScreen___Width_Height.jpg (three underscores after LockScreen) where Width and Height are replaced with the resolution dimensions of the image (e.g., LockScreen___1900x1200.jpg), but padded to be 4 digits long (i.e., if your image is 1024×768, the file name is LockScreen___1024x0768.jpg). Unlike the OEM methods, you do not need to create a default image. Create the folder structure listed below and copy all your files into it.
Two quick side notes. First, technically speaking, only one file, the one matching the current resolution, is needed within the LockScreen_Z folder. Windows isn’t enumerating all the files in the folder, only looking for a file named after the resolution currently active. But as these files are small, dumping all of them in does no harm and saves you discovery and automation work. Second, each time the display resolution changes, Windows creates a new folder under the …\ReadOnly subfolder patterned as LockScreen_? where the question mark is replaced by a single letter starting with Z and descending to A. If you have users that change resolution often, as is the case with a swivel monitor, you might consider pre-creating the LockScreen_Y folder as well and populating it with the correct resolution files.
Because “S-1-5-18” is the static SID for the Local Administrator’s account, this becomes a user-system folder and helps form the “default user profile”. No registry configurations are needed for this section.
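The two file-naming schemes described above (OEM and default user), staged from one set of masters, as an added example that is not code from the original article. It assumes the masters are named `<anything>_<Width>x<Height>.jpg` (a hypothetical convention), and the destination folders are parameters to be filled with the locations your deployment uses.

```powershell
# Added example (not from the original article): rename and stage lock-screen
# images for both approaches, enforcing the 256 KB limit the article gives.

function Get-LockScreenNames {
    # Derive both target file names from a master named ..._<Width>x<Height>.jpg.
    param([Parameter(Mandatory = $true)][string]$FileName)
    if ($FileName -match '_(\d{3,4})x(\d{3,4})\.jpg$') {
        $w = [int]$Matches[1]
        $h = [int]$Matches[2]
        return [pscustomobject]@{
            Width       = $w
            Height      = $h
            # OEM approach: backgroundWidthxHeight.jpg, no padding.
            Oem         = "background${w}x${h}.jpg"
            # Default user approach: three underscores, each dimension padded to 4 digits.
            DefaultUser = 'LockScreen___{0:D4}x{1:D4}.jpg' -f $w, $h
        }
    }
    throw "Cannot read a WidthxHeight resolution from '$FileName'"
}

function Copy-LockScreenImages {
    param(
        [Parameter(Mandatory = $true)][string]$MasterFolder,
        [Parameter(Mandatory = $true)][string]$OemFolder,          # OEM backgrounds folder
        [Parameter(Mandatory = $true)][string]$DefaultUserFolder,  # the LockScreen_Z folder
        [int]$MaxBytes = 256KB
    )

    $images = foreach ($file in Get-ChildItem -LiteralPath $MasterFolder -Filter '*.jpg') {
        if ($file.Length -gt $MaxBytes) {
            Write-Warning "$($file.Name) is $($file.Length) bytes, over the limit; skipped."
            continue
        }
        Get-LockScreenNames -FileName $file.Name |
            Add-Member -NotePropertyName Source -NotePropertyValue $file.FullName -PassThru
    }
    if (-not $images) { throw "No usable images found in $MasterFolder" }

    New-Item -ItemType Directory -Force -Path $OemFolder, $DefaultUserFolder | Out-Null
    foreach ($img in $images) {
        Copy-Item -LiteralPath $img.Source -Destination (Join-Path $OemFolder $img.Oem) -Force
        Copy-Item -LiteralPath $img.Source `
                  -Destination (Join-Path $DefaultUserFolder $img.DefaultUser) -Force
    }

    # OEM fallback: the largest image becomes backgroundDefault.jpg.
    $largest = $images | Sort-Object { $_.Width * $_.Height } -Descending |
               Select-Object -First 1
    Copy-Item -LiteralPath $largest.Source `
              -Destination (Join-Path $OemFolder 'backgroundDefault.jpg') -Force

    $images   # return the mapping so the build log records what was staged
}

# Usage (placeholders, substitute the folders for your target volume):
# Copy-LockScreenImages -MasterFolder '.\masters' `
#     -OemFolder '<OEM backgrounds folder>' -DefaultUserFolder '<LockScreen_Z folder>'
```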
Alternative User Images
Unless locked down by Group Policy, users can change their lock screen once Windows is activated. If they choose to do this, they are given a default selection of 5 images and allowed to upload their own. This also provides an additional area for corporate branding, providing alternative corporate images to the default one you have implemented.
This is the folder location that contains the images. These can be either JPG or PNG images, at a size which will scale down well (1900×1200), and at any file size (they do not adhere to the 256kb limit). These files have a specific naming convention, starting with “IMG”, followed by a number starting at 100, and ending with the correct file extension. Windows will start with IMG100 and ascend until all sequential images are displayed.
Using Group Policy to Disable Lock Screen Changes
If desired, you can restrict users from changing their background image via Group Policy. This setting has no configuration options other than Enabled or Disabled/Not Configured.
Computer Configuration\Administrative Templates\Control Panel\Personalization
“Prevent changing lock screen image”
Using Group Policy to Force a Specific Lock Screen Image
[Update: 12/20/12] The "Windows 8 and Windows Server 2012 cumulative update: November 2012", which is comprised of several patches and updates (KB 2770917) introduced the ability to force a specific image for the Lock Screen. This image can be a local or network share image. Microsoft recommends a Dfs share for a network image for redundancy, but this obviously limits you to a single image for all display resolutions. If you select a local file, although all units will point to the same local file, you can point to a common-named image that is specifically placed on the local computer that matches that unit's display resolution, exactly as you would do with the defaultBackground.jpg image in the OEM Approach (if you take that approach, you could specify that file within the Group Policy).
Computer Configuration\Administrative Templates\Control Panel\Personalization
"Force a specific default lock screen image"
The internet is filled with conversations over customizing the Start Screen. Most of the original conversation threads focused around hacks to change the color, then pick one of the included image patterns, and finally to using your own image. I’ll say up front that I only cover changing what Microsoft has made available for change, and as with all other sections, I do not include any 3rd party utilities or other file-hacking methods.
The Start Screen is simply a solid color with an “accent” pattern overlaying it; nothing more, there is no “image”. Software you see that promises to use a custom image is performing a trick by which it displays an image over the solid background but under the tiles; it is not actually there, it is only visible while the utility is running, and the utility must be run on each user logon. What you can change is the solid color and the accent image.
Microsoft provides 24 stock color schemes you can use. These correspond to the image bar below. Please note that regardless of which method you use to set this, you need to use the decimal value; the registry will have a default view of the HEX value.
The desired method of changing this is using the unattend.xml:
This can also be set via the registry. Note that this is set at a per-user level, so you are updating the default user profile.
• ColorSet_Version3 (REG_DWORD)
The Accent Overlay
Microsoft provides 19 overlays, and a “no overlay” option for just a solid color background. Changing the color scheme does not change the accent overlay colors. You cannot alter the overlays or add any of your own. At this time, the only method of changing the accent overlay is via the registry. Note that this is a per-user setting.
• AccentId_v8.00 (REG_DWORD)
The value will match the following values, shown in their decimal form.
Although you cannot seem to choose the default accent overlay except via the registry, you can disable the overlay via Group Policy:
Computer Configuration\Administrative Templates\Windows Components\Desktop Window Manager
“Use solid color for Start background”
One thing to note is that regardless of your direct registry selection, the accent overlay change will not take effect until Windows is activated.
Locking the Start Background
As noted above, you can set the color via unattend.xml or the registry, and the accent overlay only via the registry. But you can lock users from changing the color scheme and overlay via group policy:
Computer Configuration\Administrative Templates\Control Panel\Personalization
“Prevent changing start menu background”
Interestingly enough, this just removes the graphical ability; any user with registry access can change the value and subsequently the color and accent.
If you are familiar with the methods of setting this in Windows 7, you will recognize this in Windows 8 as nothing has changed. Review the Image Configuration information from the above Lock Screen section as you will follow the same development principles.
Unlike the Lock Screen where you used all the images, for the desktop you only use one. That image must match your target’s display resolution as Windows will not scale it, and it must match the file format and size as you are replacing system files.
Windows 8 uses a single default desktop background image for all profiles. That file is called img0.jpg and is in several places on your local computer. Because this is a system file, you must change it in not only the easy to find location, but any system file backup location. The system file backup location is in a subfolder under ?:\Windows\winsxs and is cryptically named to meet the Windows CPU platform, Windows component, and service pack version. This means that it can vary from computer to computer. An example of found locations would be as below, where the first path is the easy one, and the second is the system backup.
Because of this, it is best to not attempt a direct replacement, but rather query your local file system and update as found. A quick WMI query to return the locations is as follows:
SELECT Path FROM CIM_DataFile WHERE FileName="img0" AND Extension="jpg" AND Drive="?:"
The update process is as follows: Query your local system for each instance of img0.jpg. For each instance found, take your correctly sized image, rename it to img0.jpg, and replace the native file.
Locking the Desktop Wallpaper
You can lock users out of changing the desktop wallpaper via Group Policy:
User Configuration\Administrative Templates\Control Panel\Personalization
“Prevent changing desktop background”
The last area of branding is the Account Pictures. First introduced with Windows Vista, these have matured from the more simplistic smaller images to more dynamic profile objects that are used quite extensively within Windows.
The two figures to the right show two versions of the Account Picture. Figure: Profile Large shows the image as it appears on the lock screen, while Figure: Profile Small shows it as it appears on the Start Screen. Although a user is unable to change their account picture until Windows is activated, you can set the default images displayed ahead of time.
If you do use the GUI to change the account picture, Windows will create scaled images to match the display need. This can result in the single image looking incorrect at one of the scaled sizes. As you can see from the figures however, you are not actually bound to a single account picture.
Three images are used by Windows for the default Account Pictures. By default these images are all PNG files at a depth of 32-bit. Although not immediately clear when interacting with Windows, the three sizes are 448×448 pixels, 200×200 pixels, and 40×40 pixels. The image in Figure: Profile Large, although displayed at a 200×200 pixel size at logon and when you are personalizing the profile, is actually 448×448 pixels and subsequently scaled down. Figure: Profile Small is actually the 40×40 pixel image. Create your master images to match as follows:
|File Name||File Type||Dimensions||Bit Depth|
Very similar to the desktop’s img0.jpg described in the Desktop section, all of the PNG files are system files located in both an easy to find common folder, and a more difficult system backup folder:
?:\ProgramData\Microsoft\User Account Pictures
Therefore, as with the Desktop image, a query/replace approach is best:
SELECT Path FROM CIM_DataFile WHERE FileName="[filename]" AND Extension="png" AND Drive="?:"
Where [filename] is replaced with “USER”, “GUEST”, “USER-200” and “USER-40” in succession. This leaves you with the two BMP files, which you place into the ..\User Account Pictures directory, overwriting the images currently there.
Locking the Account Picture
As with other sections, you can use Group Policy to keep users from changing their account pictures.
User Configuration\Administrative Templates\Control Panel\User Accounts
“Apply the default account picture to all users”
There are quite a few tasks that must be done to fully brand your desktop with the corporate identity. The most daunting and time consuming is development of the lock screen and desktop backgrounds as scale-sensitive items such as logos, photos, and text can go from looking polished to looking amateur quickly. Back-filling an in-production or post-setup desktop build is extremely difficult, so a higher attention to configuration timing during deployment is needed. Scripting and automation are absolutely your best friends here, shrinking the time taken to incorporate all these components to seconds while giving your build the ability to dynamically change environmental settings as needed. Windows 8 may have introduced many challenges to administrators, but corporate branding doesn’t need to be one of them.