Windows Scripting

• Active Directory Join (Windows)
• Adding A Printer for All Users (Windows)
• Create local admin accounts on Windows
• Deploy SSL Certificates (Windows)
• Installing Windows Fonts
• Local Group Policy Object Utility (Windows EXE)
• Rename Windows Hostname based FileWave Client Name
• Storing the BitLocker volume keys using a Custom Field
• Upgrade Windows 10 and 11
• Notify Users with a dialog (Windows)
• Windows Wallpaper via CSP Personalization

Active Directory Join (Windows)

Description

This Fileset is designed to bind Windows computers to a Directory structure. By associating this Fileset the binding process can be automated.

Ingredients

• Active Directory domain
• Windows 10 or 11 filewave client
• FileWave Admin

Directions

1. Download the Active Directory join fileset template: Active Directory Join.fileset.zip
2. Unzip and import the fileset into FileWave Admin.
3. Open the Fileset, highlight the join_ad.ps1 script and choose Get Info > Executable > Environment Variables.
4. Modify these variables to reflect the Active Directory environment:
   
   

   user
   password
   domain
   ou

THIS SCRIPT WILL FORCE THE MACHINE TO RESTART. IF THAT IS NOT THE BEHAVIOR THAT IS DESIRED REMOVE THIS LINE FROM THE JOINDOMAIN.PS1 FILE: 
Restart-Computer -Force

THIS SCRIPT WILL DELETE ITSELF ONCE IT HAS RUN ON THE CLIENT MACHINE LOCALLY.

Example:

For the user, please use full path like
e.g. "domain\username"

Save changes and associate the Fileset to either Windows 10 or 11 client machines!

Adding A Printer for All Users (Windows)

The task at hand seems simple enough...install a printer for a Windows user for a printer on a Print Server. In our example, I'll use a print share called BigDill on a print server named Arkone.

Easy, right?  A quick web search for "powershell add printer" takes me to the add-printer cmdlet, and it is pretty easy to use for a print server.  The command looks like this (don't use this example!):

import-module printmanagement
add-printer -ConnectionName \\arkone\BigDill

I tested it locally outside of FileWave in the PowerShell ISE and it worked fine.  I ran the command, and it added the printer for me.  So, I created a fileset for the exact same thing and tried it out.  The result: nothing whatsoever.  The script seemed to run fine, but the user logged in didn't see a new printer!

So, why did this happen?  For two important reasons:

1. The Add-Printer cmdlet is great, but it ONLY adds a printer for the current user
2. When FileWave runs a script, it is always run under the context of the System account

When I investigated further by opening a command prompt as system, I found that in fact my fileset had run fine, and added the printer, but only for the system account.  

Testing Scripts for Use in FileWave
Review our KB Script Best Practices which demonstrates the use of psexec to run scripts on Windows as if they were run through FileWave (as System User and 32bit).

So, a little more research was required, and PowerShell in this instance is not the answer.  Instead, we are going to use a command-line utility in a batch file called printui.exe.  PrintUI can be used in many ways: Microsoft PrintUI Documentation

We won't get into all of the options of this command here, but printui can add a printer globally for all users using the /ga command line option (/gd is a global delete if you happen to want to add a removal script as well).  So our new batch file (Activation Script) code looks like this:

@echo off
printui /ga /n\\arkone\BigDill
exit 0

And our results, in this case, were excellent...the printer is added for every user at their next login.  (Given this, you may want to make this a reboot fileset)

And, for completeness' sake, if we wanted to add a post-uninstallation script to "clean-up" if this fileset were removed, we could do:

@echo off
printui /gd /n\\arkone\BigDill
exit 0

Related Content

• Script Best Practices

Create local admin accounts on Windows

Description

Need to manage local admin accounts on your Windows devices? FileWave has you covered. Below is the recipe with Fileset to create your local admin account with username, password and full name. In addition, if needing to remove the local admin account, there is a removal script included.

Ingredients

• FW Admin

• Create Local Admin (Win).fileset.zip

Directions

1. Download and unzip the Fileset
   

2. Import into your server via FileWave Admin
   
3. Highlight the Fileset and select "Scripts" for this Fileset
   
4. Select the create_admin.ps1 to open the script properties
5. Enter in your local admin Username, Password and Full Name for the desired account
6. Repeat the process for the remove_admin.ps1 and enter in the desired Username to remove
   
   

   The remove_admin.ps1 script environment variable needs to match the Username found on the machine or in the create_admin.ps1. If it does not match it will not successfully remove the admin account.
   

   
7. Close the Script window to Save
   
8. Assign to a test device
   
9. Perform a Model Update to deploy

Confirmation of local admin created, you may open the Windows Settings > Accounts > Other Users to view the newly created local admin account.

Notes

Both scripts will output their executed tasks for detailed logging. These logs may be found in:

C:\ProgramData\FileWave\Logs\

The create_admin script log will be labeled: CreateLocalUser_FromEnv.log

The remove_admin script log will be labeled: RemoveLocalUser_FullCleanup.log

The create admin script will skip if there is an username already exists.

Related Content

• How to Create Local User Accounts on macOS

Deploy SSL Certificates (Windows)

Deploy SSL certificates to Windows "Trusted Root Certification Authorities" certificate store for use in secure services such as web content filters.

Step-by-step guide

• Download, unzip, and import the following Fileset Template into FileWave Central - Windows - Install SSL Certificate.fileset.zip
• Import the desired SSL certificate into the Fileset's "\temp\ssl\" directory and delete "placeholder.pem".
• Select the "install_ssl.bat" file, click "Edit Text", and replace "placeholder.pem" with the full file name of the newly uploaded certificate.

This script will add the desired SSL certificate to the Windows "Trusted Root Certification Authorities" certificate store for both the Local Machine (-enterprise) and the Current User (-user).

• Associate and deploy the Fileset to a test machine and verify the installation on the Windows machine.
  • Open "certlm.msc" for the Local Machine (-enterprise) Certificate Store or "certmgr.msc" for the Current User (-user) Certificate Store via Windows Run dialog (Win + R) or Command Prompt.
  • Navigate to "Trusted Root Certification Authorities>Certificates" and verify the name of the newly added certificate.
    
    

Additional Information
More information and options for the "certutil" program can be found on Microsoft Docs.

Related articles

• APNs Certificate Creation & Renewal on Windows Computers

Installing Windows Fonts

Description

Windows font installation is not as simple as adding files to a folder.  As well as copying files, the registry requires editing.  The following Fileset will add Fonts to Windows systems.

TTF
The Fileset has been tested with TTF on Windows Pro 10, 1803 and 1903

Registry Editing

This Fileset edits the Windows registry. Follow instructions carefully to ensure only the required Font files exist in the suggested folder.

Information

Download and import the Fileset, then ensure to edit appropriately, as per the directions, for desired fonts

Windows Instal Fonts.fileset.zip

Description

The Fileset consists of:

• An Activation Script
• A folder to provide the fonts; with a placeholder file

Adding Fonts

• Select the Fonts in a macOS Finder or Windows Explorer Window
• Drag them into the Fileset folder Windows > Temp > Fonts
• Select the Fonts folder in the Fileset, choose Get Info > Verification and set Ignore At Verify; Apply to Enclosed
• Remove the 'placeholder.remove' file

Example, Monsterrat Font:

Deployment

On Association and Activation, the script will:

• Copy ALL files from C:\Windows\Temp\Fonts to C:\Windows\Fonts (if they do not already exist)
• For each file copied, a registry entry will be created (if one does not yet exist)
• Finally the script will remove each file from the temporary directory: C:\Windows\Temp\Fonts

Changing Temporary Folder

Should a different temporary folder be desirable:

• Drag the fonts to the desired location in the Fileset
• Change the Launch Argument to match: InstalFonts.ps1 > Get Info > Executable

As always, test on appropriate devices before deploying en masse.

Local Group Policy Object Utility (Windows EXE)

What

LGPO.exe is Microsoft’s Local Group Policy Object utility. It lets administrators import, export, and apply local Windows Group Policy settings from the command line. This can be useful when deploying security baselines or local policy settings to Windows devices that are not managed through Active Directory Group Policy.

When/Why

LGPO.exe can help apply required local policy settings to Windows devices so they meet your organization’s security and compliance requirements.

Features:

• Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files.
• Export local policy to a GPO backup.
• Parse a Registry Policy (registry.pol) file into readable “LGPO text.” The output can be redirected to a file, edited, and imported back into local policy.
• Build a new Registry Policy (registry.pol) file from "LGPO text".
• Enable group policy client-side extensions for local policy processing.

Before you begin

• Test LGPO changes on a non-production device first.
• Run LGPO.exe with administrator privileges.
• Back up the current local policy before applying new settings.
• Policy changes may affect security, login behavior, Windows Update behavior, browser settings, or other system behavior depending on the imported policy.
• Some changes may require gpupdate /force, a sign-out/sign-in, or a reboot.

Example: Deploy LGPO.exe with FileWave

1. Download LGPO.zip.
2. Add the required policy files to the same Fileset, such as:
   • registry.pol
   • GptTmpl.inf
   • Audit.csv
   • lgpo.txt
3. Create a Windows script in the Fileset.
4. Use the LGPO command that matches the policy file you are deploying, for example:

   LGPO.exe /m "%~dp0registry.pol" /v
   gpupdate /force

5. Associate the Fileset with a test device first.
6. After validation, deploy to the intended device group.

LGPO Policy Example Template

Example Template Fileset:

• Example LGPO Template.fileset.zip

Use the template variable examples below to apply or remove one Windows local policy value.

You only need to set a few environment variables:

• apply_policy.ps1 applies the policy.
• remove_policy.ps1 removes the policy value.

Example Fileset Contents

Example contents: LGPO.exe, apply_policy.ps1, and remove_policy.ps1. GeneratedPolicy.txt is created by the script at runtime.

Required Variables

FW_POLICY_TYPE and FW_POLICY_DATA are required when applying a policy. They are not required when removing a policy.

Optional Variables

For User policies, include LGPO.exe and use LGPO text import. Direct registry fallback is intended for Computer policies because FileWave often runs scripts as LocalSystem.

Example: Disable Windows Installer

$env:FW_POLICY_KEY = "Software\Policies\Microsoft\Windows\Installer"
$env:FW_POLICY_VALUE = "DisableMSI"
$env:FW_POLICY_TYPE = "DWORD"
$env:FW_POLICY_DATA = "2"

.\apply_policy.ps1

$env:FW_POLICY_KEY = "Software\Policies\Microsoft\Windows\Installer"
$env:FW_POLICY_VALUE = "DisableMSI"

.\remove_policy.ps1

The attached zip contains LGPO.exe, Microsoft’s Local Group Policy Object utility: LGPO.zip

Goal	Recommended Command
Apply LGPO text policy	LGPO.exe /t path\lgpo.txt
Apply a full GPO backup	LGPO.exe /g path
Apply machine policy settings	LGPO.exe /m path\registry.pol
Apply user policy settings	LGPO.exe /u path\registry.pol
Apply a security template	LGPO.exe /s path\GptTmpl.inf
Apply advanced audit settings	LGPO.exe /a path\Audit.csv
Export current local policy	LGPO.exe /b path [/n GPO-name]
Convert Registry.pol to readable text	LGPO.exe /parse /m path\registry.pol
Build Registry.pol from LGPO text	LGPO.exe /r path\lgpo.txt /w path\registry.pol

LGPO.exe has four modes:

1. Import and apply policy settings;
2. Export local policy to a GPO backup;
3. Parse a registry.pol file to "LGPO text" format;
4. Build a registry.pol file from "LGPO text".

To apply policy settings, use one or more of the following LGPO.exe options. Each option can be repeated as needed:

/g path                             import settings from one or more GPO backups under "path"
/m path\registry.pol     import settings from registry.pol into machine config
/u path\registry.pol      import settings from registry.pol into user config
/s path\GptTmpl.inf     apply security template
/a[c] path\Audit.csv     apply advanced auditing settings; /ac to clear policy first
/t path\lgpo.txt              apply registry commands from LGPO text

/e <name>|<guid>       enable GP extension for local policy processing; specify a GUID, or one of these names:
              **  "zone" for IE zone mapping extension
              **  "mitigation" for mitigation options, including font blocking
              **   "audit" for advanced audit policy configuration
              
/boot                                reboot after applying policies
/v                                       verbose output
/q                                       quiet output (no headers)

To create a GPO backup from local policy:

LGPO.exe /b path [/n GPO-name]

/b path                       Create GPO backup in "path"
/n GPO-name           Optional GPO display name (use quotes if it contains spaces)

To parse a Registry.pol file to LGPO text (stdout):

LGPO.exe /parse [/q] {/m|/u} path\registry.pol

/m path\registry.pol         parse registry.pol as machine config commands
/u path\registry.pol          parse registry.pol as user config commands
/q                                           quiet output (no headers)

To build a Registry.pol file from LGPO text:

LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]

/r path\lgpo.txt              Read input from LGPO text file
/w path\registry.pol     Write new registry.pol file

Validate the policy

After deployment, you can validate the result on the Windows device using one or more of the following:

gpupdate /force
gpresult /h C:\Temp\gpresult.html /f

You can also review the relevant local policy settings using the Local Group Policy Editor, where applicable.

Troubleshooting

• Confirm the script is running as administrator or LocalSystem.
• Confirm paths are correct. When deploying through FileWave, use paths relative to the script location when possible.
• Use /v for verbose output during testing.
• Check whether the policy is machine-based or user-based before choosing /m or /u.
• Reboot the device if the policy requires it.
• Test rollback or backup procedures before broad deployment.

Related Content

• Microsoft Download Security Compliance Toolkit and Baselines

Digging Deeper

• Microsoft Security Compliance Toolkit Documentation

Rename Windows Hostname based FileWave Client Name

Description

This Fileset renames a Windows computer so its Windows hostname matches the FileWave Client Name shown in FileWave Admin.

With this Fileset associated, the FileWave Client Name becomes the source of truth. If the Windows hostname is changed directly in Windows, Active Directory, or another tool, the Fileset changes it back to the FileWave Client Name the next time the rename workflow runs.

Use a FileWave Client Name that follows the Windows computer naming conventions. Avoid spaces, underscores, apostrophes, and names longer than the NetBIOS limit. There is no name-checking logic in these scripts.

Good name examples:

• FILEWAVE-PC
• TCE-3453234
• PRINT-SRV

Bad name examples:

• Jerry's Desktop Computer
• GO_BEARS!
• THISNAMEISMUCHLONGERTHAN15CHARACTERS

Ingredients

• FileWave Client for Windows
• Windows - Rename Windows Hostname (No Domain) PowerShell.fileset.zip
• Windows - Rename Windows Hostname (Domain Joined) PowerShell.fileset.zip

Older batch-file versions are still attached for reference, but the PowerShell Filesets are the current examples to start from:

• Windows - Rename Windows Hostname (No Domain).fileset.zip
• Windows - Rename Windows Hostname (Domain Joined).fileset.zip

Machines not joined to Active Directory

1. Download, unzip, and import the Windows - Rename Windows Hostname (No Domain) PowerShell Fileset into FileWave Admin.
2. Associate the Fileset with the Windows devices that should follow their FileWave Client Name.
3. Rename the device in FileWave Admin.
4. Update Model.
5. Wait for the client to check in and run the Fileset. The included workflow is designed around the normal FileWave preflight/tickle timing.
6. The user receives a reboot prompt, and the device reboots after the configured timeout.
7. The Windows hostname is changed to the FileWave Client Name after reboot.
8. FileWave Client communication is not affected by the rename.

Machines joined to Active Directory

1. Download, unzip, and import the Windows - Rename Windows Hostname (Domain Joined) PowerShell Fileset into FileWave Admin.
2. Review the included scripts before deployment and update the domain account placeholders for your environment.
3. Test with a small group first. Domain-joined renames depend on Active Directory permissions, DNS/domain health, and the reboot completing successfully.
4. Associate the Fileset with the Windows devices that should follow their FileWave Client Name.
5. Rename the device in FileWave Admin.
6. Update Model.
7. Wait for the client to check in and run the Fileset.
8. The user receives a reboot prompt, and the device reboots after the configured timeout.
9. The Windows hostname is changed to the FileWave Client Name after reboot.
10. FileWave Client communication is not affected by the rename.

Customize the reboot prompt or timeout

The current PowerShell Filesets include the reboot prompt and timeout in the imported script. Review that line before broad deployment if you want a different delay or message.

For the older batch-file Filesets, the same behavior is controlled by this shutdown command:

%windir%\System32\shutdown.exe /r /t 60 /c "Computer renamed to %fwClientName%. Rebooting in 60 seconds." /f /d p:4:1

Change the /t 60 value for the timeout in seconds, and update the text after /c if you want the user prompt to say something different.

Sync Computer Name
When a client is manually renamed in FileWave Admin, FileWave disables Sync Computer Name for that client. That allows the Fileset to apply the FileWave Client Name to Windows instead of having Windows immediately sync its old computer name back into FileWave.

Storing the BitLocker volume keys using a Custom Field

Use a FileWave Custom Field to store the volume keys for your BitLocker volumes. This can be helpful if you don't have another way to escrow the volume keys. The Custom Field outlined in this article will get the volume key for every volume so if there is an encrypted C: and D: you would see both reported by this field. 

Adding the Custom Field

1. Download the following Custom Field export: BitLocker Key Custom Field.customfields
2. Import the downloaded file into "FileWave Admin>Assistants>Custom Fields>Edit Custom Fields>Import".
3. Save changes within Custom Fields dialog.
4. Associate Custom Field with desired Windows devices via "right-click>Edit Custom Field(s) Associations".
   1. A Windows-based Smart Group is very helpful to quickly associate Custom Field
   2. Smart Group criteria: "Client OS Platform [equals] Windows"

Here is the script from the Custom Field:

# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
 
# $my_var = $Env:ENV_VAR_NAME
#
# Identify all the Bitlocker volumes.
$BitlockerVolumers = Get-BitLockerVolume
 
# For each volume, get the RecoveryPassowrd and display it.
$BitlockerVolumers |
    ForEach-Object {
        $MountPoint = $_.MountPoint
        $RecoveryKey = [string]($_.KeyProtector).RecoveryPassword      
        if ($RecoveryKey.Length -gt 5) {
            Write-Output ("$MountPoint,$RecoveryKey")
        }       
    }
 
exit 0

Assigning the Custom Field to devices

1. Save changes within Custom Fields dialog.
2. Associate Custom Field with desired Windows devices via "right-click>Edit Custom Field(s) Associations".
   • A Windows-based Smart Group is very helpful to quickly associate Custom Field
   • Smart Group criteria: "Client OS Platform [equals] Windows"
3. Alternatively you could assign the field to all devices since only Windows devices will run the script.

Results

Related articles

• Securing FileWave Server on the Internet for Remote Device Management

Upgrade Windows 10 and 11

Description

Although Software Updates are available as standard catalogue, Feature Updates are not.  The following method may be used to update Windows devices using Feature Updates, e.g. 1909, 21H1.  Last tested upgrading 20H2 to 21H1

Ingredients

• Latest Windows 10 ISO or Windows 11 ISO – If downloading from a Windows 10 device, please use the steps linked here to access the appropriate ISO download page.
• Following Fileset Recipe:

↓ Windows
Windows - Feature Upgrade.fileset.zip

Directions

Test manually launching the ISO on one or more typical example machines.  Not only will this provide an idea of how long the update may take, but the installer may highlight additional criteria required when pushing the Fileset.  Depending upon setup and desired options, differing arguments can be supplied to the Fileset to meet requirements.

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options

Microsoft may change these options with differing versions.  For example, there is a new argument /EULA which has been introduced for Windows 11, whilst the /DynamicUpdate argument has additional options available since Windows 10, 2004.

Examples could include Dynamic Updates or Compatibility (which have been included in the provided Fileset)

Dynamic Updates (DynamicUpdate):

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate

Compatibility (Compat):

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options#compat

Defining Dynamic Updates is optional (Microsoft default values will be applied if not supplied), but where warnings are received, if Compatibility is not defined, the Fileset will fail to instal the update.

1. Upload the provided Fileset using FileWave Admin
2. Upload the downloaded ISO into the same folder as the Placeholder within the Fileset; approximately 5GB in size.  (The .placeholder_windows_iso file may be removed).  Ensure the ISO has the same name as the below screenshot: 'Windows_Upgrade.iso"
   
3. Select "FeatureUpgrade.ps1" from the Fileset contents and click "Get Info" from the top menu bar.
   
4. Select the "Executable" tab within the "Get Info" window.
   
5. Modify the "Launch Arguments" as desired and click "Apply" to save changes.  Remove any unwanted or add any additional arguments from Microsoft's above KB.  Please consider the following:
   
   
   • Launch Arguments as a bare minimum:
     • /auto upgrade
     • /quiet
       
       
   • Launch Arguments for Windows 11:

     • /auto upgrade

     • /quiet
     • /noreboot
     • /eula accept
     • /dynamicupdate disable
     • /copylogs C:\Temp\win11upgradelogs
       
       
   • IMPORTANT NOTE: Compat mode will be required if warnings prevent the installer from completing.
     More details on Windows 11 Launch Arguments here: Windows 11 Setup Command Line Options
     
     
6. Associate Fileset to machines and wait patiently for the upgrade to complete.

Testing

When testing, consider disabling the Reboot option in the Fileset properties, such that the Windows interface is still available during the initial process of the upgrade.  Windows Task Manager will show "Modern Host Setup" process whilst upgrade is in progress.

Timings will vary depending upon chosen options, device usage and network bandwidth.  It could take 30-40 minutes or more before the device shows the Windows Update blue screen; as the update prepares the device and other possible updates.  It should also be expected that the device may reboot multiple times.

It could also be possible to have the ISO available via a network mount and adapt the script to mount the shared ISO rather than pushing the ISO via FileWave.

User Experience

Due to the nature of how Microsoft Feature Updates work, there can be a substantial amount of time between the launch of the update and the device continuing to the Blue Updates Screen.  Where the Reboot option is selected for the Fileset, this wait will not commence util the user accepts the update.  As such the FileWave user prompt may be on the screen for a lengthy period of time.  If the reboot option is not selected, although the user will not be impacted by this preliminary stage of the Feature Upgrade, once completed, the user will suddenly be dropped out of their user session, without warning, for the installation and reboots to take place.

Notify Users with a dialog (Windows)

Description

The provided Fileset is an example of notifying users, in particular here, a message regarding Fileset status when downloading and installing new Filesets.

 The Fileset is designed to:

• Create a continual running service that monitors Fileset changes
• Where Fileset changes occur, begin monitoring the FileWave Client log file
• If a number of preset text strings are found in the log file, send this to the Notification Centre
• Lastly, where another preset text is found, stop monitoring the log file

The service has been built to be actioned automatically by the user logging in.  Where Filesets are disassociated, each has a pre-uninstallation script to ensure the services should also be removed.

Ingredients

• Provided Fileset:

↓ Windows

Directions

For the example provided:

• Download the necessary provided Fileset
• Upload using FileWave Admin
• Associate to the appropriate devices
• 'Update Model'.

Fileset scripts may be modified for personal preference.  In each Fileset there is a script that is actioned by the local computer service.  The scripts are using a pattern match.  The pattern matching may be edited as required, removing or adding appropriately.

Windows

Locate the "BallonTipSwitchWatcher.ps1" file within the Fileset and choose to edit.  In the following code block snippet from this script, the switch statement is pattern matching text.  In the provided example the script is looking for lines that contain any one of the following:

• Model version
• Downloading Fileset
• Done activating
• Activate all

Where found, the 'ShowBalloonTipInfo' function is being used to prompt the user:

BallonTipSwitchWatcher.ps1

$changeAction = Get-Content C:\ProgramData\FileWave\FWClient\fwcld.log -tail 1 -wait | ForEach-Object {
switch($_) {
{ $_ -match "Model version" -or $_ -match "Downloading Fileset" -or $_ -match "Done activating" -or $_ -match "Activate all" } { ShowBalloonTipInfo ("FileWave: ",$_.split("|")[4]) }

The second part of the switch statement is causing the script to exit.  The pattern match this time, is any line that contains:

• Installation

BallonTipSwitchWatcher.ps1

{ $_ -match "Installation" } { break }

Notes

The above provides an example of notifying users, using a service.  However, with some adaptation messages could be sent in other ways at alternate times to users.

Related Content

• Notify Users with a dialog (macOS)

Windows Wallpaper via CSP Personalization

Description

This article explains how to enforce and remove a desktop and/or lock screen wallpaper on Windows 10 and Windows 11 devices using the MDM Personalization CSP through PowerShell. These scripts leverage the WMI Bridge Provider, allowing configuration at the device level via FileWave without requiring Active Directory Group Policy.

Two PowerShell scripts are provided:

• Wallpaper Deployment Script: Applies a desktop and/or lock screen image.

• Wallpaper Removal Script: Removes the applied configuration, returning wallpaper control to the end user.

These scripts are designed for deployment through FileWave as a Custom Fileset and run under the SYSTEM account to ensure MDM Bridge access. This is provided for those who don't use Windows MDM but want to still push a CSP. 

Ingredients

• FileWave Central
  

• Windows 10/11 Enterprise or Education (Pro supported only if SharedPC Edu Policies are applied)

• SYSTEM-level PowerShell execution (default for FileWave scripts but important for testing outside of FileWave)

• Custom wallpaper image(s) deployed via FileWave
  

Example Wallpaper Fileset

Windows Wallpaper.fileset.zip

Directions

Configure the Wallpaper Deployment script

1. 1. In FileWave Central, import the attached Fileset, and we will use it for this example.

   2. Use the example Windows Fileset to edit the PowerShell Activation Script. (Filesets -> Select Fileset -> Scripts -> Select the script -> Right Click -> Properties)
      

      

      
      
      

   3. Configure Environment Variables on the Executable tab of properties for the script:

      • DESKTOP_IMAGE_URL = file:///C:/ProgramData/FileWave/wallpaper/FileWaveDark.jpg

      • (Optional) LOCKSCREEN_IMAGE_URL = same or alternate image URI
        
        NOTE: The files should either already exist, or you should include them in the Fileset
        

   4. Associate the Fileset.

   5. Deploy the wallpaper; verify in logs, example output:

[2025-10-30T16:20:32] [INFO] Normalized DesktopImageUrl -> file:///C:/ProgramData/FileWave/wallpaper/FileWaveDark.jpg
[2025-10-30T16:20:33] [INFO] Setting DesktopImageUrl: file:///C:/ProgramData/FileWave/wallpaper/FileWaveDark.jpg
[2025-10-30T16:20:33] [INFO] CSP values committed via WMI Bridge.
[2025-10-30T16:20:43] [INFO] DesktopImageStatus=1 (Success)
[2025-10-30T16:20:43] [INFO] Wallpaper configuration completed.

Configure the Wallpaper Removal script

1. Configure the Windows Wallpaper Fileset.

2. If you look at the example Windows Fileset in the scripts dialog, you will see the Post-Uninstallation script. Keep in mind that by default, with the example Fileset, it will uninstall the wallpaper if you remove the Deployment/Association, so you may want to review these steps to make sure it is how you want. You could also take this script and make it an Activation Script in its own Fileset that you could deploy when you want to clear the managed wallpaper. 
   

   

3. Configure optional Environment Variables:

   • CLEAR_DESKTOP = true|false

   • CLEAR_LOCKSCREEN = true|false

   • REG_CLEANUP = true (recommended)

   • RESTART_EXPLORER = true (optional, for immediate effect)
     

4. Associate this Fileset with a device to set the Wallpaper and/or Lock Screen. Remove the Association/Deployment and see it removed when the removal script runs.
   

Expected log output:

[2025-10-30T16:09:26] [INFO] Wallpaper removal script initiated.
[2025-10-30T16:09:26] [INFO] Options: CLEAR_DESKTOP=True, CLEAR_LOCKSCREEN=True, REG_CLEANUP=True, RESTART_EXPLORER=True
[2025-10-30T16:09:27] [INFO] Connected to MDM Bridge Provider successfully.
[2025-10-30T16:09:27] [INFO] Cleared DesktopImageUrl via null assignment (CSP Delete).
[2025-10-30T16:09:27] [WARN] Null clear failed for LockScreenImageUrl. Trying empty string...
[2025-10-30T16:09:27] [ERROR] Failed to clear LockScreenImageUrl. The requested operation is not supported.
[2025-10-30T16:09:27] [INFO] DesktopImageUrl now='' (Status= Unknown)
[2025-10-30T16:09:27] [INFO] LockScreenImageUrl now='' (Status= Unknown)
[2025-10-30T16:09:27] [INFO] Restarting Explorer shell...
[2025-10-30T16:09:27] [INFO] Explorer restarted.
[2025-10-30T16:09:27] [INFO] Wallpaper policy removal completed successfully.

Notes

• Both scripts must execute as SYSTEM to access the MDM Bridge Provider.

• If the wallpaper has not yet been applied, a device restart should trigger the deployment. To enforce this, enable the Force Reboot option on the Fileset.

• Enterprise/Education SKUs support these CSPs natively; Pro requires SharedPC Edu Policies.

• Image URIs must be valid:

  • For local paths → file:///C:/path/to/image.jpg

  • For network/HTTP → https://domain.com/wallpaper.jpg

• Using file:/// path improves reliability because it doesn’t rely on external network access, and if you use https:// you should only use a URL that is on a server you control because otherwise that image could go away or could change at any time..

• When enforced via CSP, the wallpaper is locked, and users cannot change it until the CSP node is cleared.

• Registry mirror cleanup ensures Settings no longer display stale wallpaper values.
  

Related Content

• Microsoft: Personalization CSP Documentation