The Wallpaper Automation Script That Makes Assigned Access Work Smoothly

-

🚀 Secure Windows Kiosk Deployment with Assigned Access & Intune

This configuration demonstrates how to build a secure and controlled Windows kiosk environment using Assigned Access (Kiosk Mode) together with modern deployment tools like Windows Autopilot and Microsoft Intune.

📌 What This Script Does

Before applying the Assigned Access XML, you must run the following PowerShell script. The script is a fully local, Intune remediation‑optimized wallpaper and lockscreen manager. It guarantees that the kiosk device always uses the correct background and lockscreen images — stored locally on the system.

It is designed to work reliably even in offline, restricted, or library/public kiosk environments where cloud‑based personalization policies may fail.

🛡️ Key Capabilities (Summary)

  • Creates/maintains the folder C:\Kiosk
  • Uses two image files:
    • background.jpg → Desktop wallpaper
    • kiosk_lockscreen.jpg → Lock screen
  • Applies both images using HKLM PersonalizationCSP
  • Applies wallpaper for logged‑in kiosk users via HKCU
  • Creates an autorun script to ensure wallpaper loads on every new login
  • Creates a fallback lockscreen image in C:\Windows\Web\Screen
  • Fixes ACL permissions so any restricted kiosk user can read the image files
  • Runs as SYSTEM inside Intune Remediation (recommended)

🔄 Automatic Image Updates

If you replace the files in C:\Kiosk with new images:

  • The next Intune remediation cycle applies the new wallpaper/lockscreen
  • No restart required for lockscreen
  • Desktop wallpaper updates at next login (autorun script ensures this)

⚠️ Why This Script Is Required Before Assigned Access

Assigned Access can fail if images, paths or icons referenced in your XML do not exist yet. Running this script before applying the kiosk XML ensures that:

  • All required files exist and have correct access permissions
  • Wallpaper paths used by kiosk mode are already set
  • Regkeys such as PersonalizationCSP are present before lockdown
  • Your kiosk device boots into a fully configured visual environment

Below is the script exactly as used in the deployment.

PowerShell – Local Kiosk Wallpaper Manager 

# OnePRScript_LOCAL.ps1 – HELT LOKAL version (Device Script-optimerad)
# Sätter desktop- och låsskärmsbild från C:\IFObilder, låser via HKLM\PersonalizationCSP,
# fixar HKCU via autostartscript, skapar fallback i %SystemRoot%\Web\Screen.
# Körs som SYSTEM i Intune Device Script (Remediate-läge som standard).

[CmdletBinding()]
param(
    [string]$Action = 'Remediate',     # <-- VIKTIGT: Kör ALLTID Remediate
    [switch]$VerboseLogging
)

# ---- KONFIG (100% LOKAL) ----
$WorkingDir   = "C:\Kiosk"
$desktopFile  = "background.jpg"          
$lockFile     = "kiosk_lockscreen.jpg"    

$desktopPath  = Join-Path $WorkingDir $desktopFile
$lockPath     = Join-Path $WorkingDir $lockFile
$RegKey       = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"
$WebScreenOut = Join-Path $env:SystemRoot "Web\Screen\kiosk_lockscreen_LOCAL.jpg"
$LogFile      = Join-Path $WorkingDir "SetKioskWallpaper_LOCAL.log"

# ---- LOGG ----
function Write-Log {
    param([string]$Message, [string]$Level = "INFO")
    try {
        $logDir = Split-Path $LogFile -Parent
        if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
        $line = "{0} [{1}] {2}" -f (Get-Date).ToString('yyyy-MM-dd HH:mm:ss'), $Level, $Message
        $line | Out-File -FilePath $LogFile -Append -Encoding UTF8
        if ($VerboseLogging) { Write-Host $line }
    } catch { }
}

# ---- KONTROLLERA ATT BILDERNA FINNS ----
function Test-LocalImages {
    if (-not (Test-Path $desktopPath -PathType Leaf)) {
        Write-Log "SAKNAS: $desktopPath" "ERROR"
        return $false
    }
    if (-not (Test-Path $lockPath -PathType Leaf)) {
        Write-Log "SAKNAS: $lockPath" "ERROR"
        return $false
    }
    Write-Log "Båda lokala bilderna finns: $desktopPath | $lockPath"
    return $true
}

# ---- REMEDIATE ----
function Do-Remediate {

    # 1. Skapa mapp om den saknas
    if (-not (Test-Path $WorkingDir)) {
        New-Item -Path $WorkingDir -ItemType Directory -Force | Out-Null
        Write-Log "Skapade $WorkingDir"
    }

    # 2. Kontrollera att bilderna finns
    if (-not (Test-LocalImages)) {
        throw "En eller båda bilderna saknas i $WorkingDir"
    }

    # 3. Sätt ACL så alla kan läsa bilderna
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") 
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
        $prop    = [System.Security.AccessControl.PropagationFlags]::None
        foreach ($f in @($desktopPath, $lockPath)) {
            $acl = Get-Acl $f
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, "ReadAndExecute", $inherit, $prop, "Allow")
            $acl.SetAccessRule($rule)
            Set-Acl -Path $f -AclObject $acl
        }
        Write-Log "ACL uppdaterad på bilderna"
    } catch { Write-Log "ACL FEL: $($_.Exception.Message)" "WARN" }

    # 4. HKLM PersonalizationCSP
    try {
        if (-not (Test-Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }

        Set-ItemProperty -Path $RegKey -Name "DesktopImagePath"    -Value $desktopPath -Force
        Set-ItemProperty -Path $RegKey -Name "LockScreenImagePath" -Value $lockPath    -Force

        Set-ItemProperty -Path $RegKey -Name "DesktopImageStatus" -Value 1 -Force
        Set-ItemProperty -Path $RegKey -Name "LockScreenImageStatus" -Value 1 -Force

        Write-Log "PersonalizationCSP uppdaterad"
    } catch { Write-Log "CSP FEL: $($_.Exception.Message)" "WARN" }

    # 5. Fallback-bild
    try {
        Copy-Item -Path $lockPath -Destination $WebScreenOut -Force
        $acl  = Get-Acl $WebScreenOut
        $sid  = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid,"ReadAndExecute","None","None","Allow")
        $acl.SetAccessRule($rule)
        Set-Acl -Path $WebScreenOut -AclObject $acl
        Write-Log "Fallback kopierad"
    } catch { Write-Log "Fallback FEL: $($_.Exception.Message)" "WARN" }

    # 6. HKCU (om inte SYSTEM)
    try {
        if ($env:USERNAME -and $env:USERNAME -notin @('defaultuser100000','SYSTEM')) {
            Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "Wallpaper" -Value $desktopPath -Force
            Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "WallpaperStyle" -Value "2" -Force
            Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "TileWallpaper" -Value "0" -Force
            rundll32.exe user32.dll,UpdatePerUserSystemParameters 1, True, 20
            Write-Log "HKCU uppdaterad"
        }
    } catch { Write-Log "HKCU FEL: $($_.Exception.Message)" "WARN" }

    # 7. Autostart-script för framtida inloggningar
    try {
        $scriptPath = "C:\Users\Public\SetKioskWallpaper_LOCAL.ps1"
        $content = @"
Set-ItemProperty 'HKCU:\Control Panel\Desktop' -Name 'Wallpaper' -Value '$desktopPath'
Set-ItemProperty 'HKCU:\Control Panel\Desktop' -Name 'WallpaperStyle' -Value '2'
Set-ItemProperty 'HKCU:\Control Panel\Desktop' -Name 'TileWallpaper' -Value '0'
rundll32.exe user32.dll,UpdatePerUserSystemParameters 1, True, 20
"@
        $content | Out-File -FilePath $scriptPath -Encoding UTF8 -Force

        $startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
        if (-not (Test-Path $startup)) { New-Item -Path $startup -ItemType Directory -Force | Out-Null }

        $lnk = Join-Path $startup "KioskWallpaper.lnk"
        $shell = New-Object -ComObject WScript.Shell
        $shortcut = $shell.CreateShortcut($lnk)
        $shortcut.TargetPath = "powershell.exe"
        $shortcut.Arguments = "-WindowStyle Hidden -ExecutionPolicy Bypass -File `"$scriptPath`""
        $shortcut.Save()

        Write-Log "Autostart-skript skapat"
    } catch { Write-Log "Autostart FEL: $($_.Exception.Message)" "WARN" }
}

# ---- HUVUD ----
Write-Log "START OnePRScript_LOCAL Action=$Action"

try {
    Do-Remediate
    Write-Log "Remediate: ALLT FIXAT"
    exit 0
} catch {
    Write-Output "FEL: $($_.Exception.Message)"
    Write-Log "KRITISKT FEL: $($_.Exception.Message)" "ERROR"
    exit 1
}

Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

🚀 Force Reinstallation of an Intune App

-
Bild
  – When Intune refuses to reinstall a program you’ve already removed Sometimes an application deployed through Microsoft Intune won’t reinstall even after you’ve manually uninstalled it. That’s because Intune tracks installation status using both registry entries and detection rules to decide whether an app is already present. Here’s how to fully reset that state and force a reinstallation — step by step. 💡 Why Intune won’t reinstall the app When a Win32 app is deployed via Intune, the Intune Management Extension stores app metadata in the Windows registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps This registry data tells Intune which apps are installed, when, and by which user. On every policy sync, Intune checks the detection rule defined for the app. If the detection rule still reports the app as “installed” — even though you removed it — Intune will skip reinstallation . 🔧 Step-by-Step Guide 1️⃣ Uninstall the App F...
Read more »

🔵Troubleshooting Intune Device Enrollments: Understanding GUIDs, Registry Paths, and EnterpriseMgmt Tasks

-
Bild
This guide explains how to diagnose Intune MDM issues on a Windows device by using two key locations: Task Scheduler → EnterpriseMgmt Registry → HKLM\SOFTWARE\Microsoft\Enrollments These two locations always contain matching GUID folders , and together they show the full state of the device’s MDM enrollment. 📌 Introduction: Why do these GUID folders exist? When a Windows device enrolls into Intune (MDM) , Windows generates a unique GUID folder for that enrollment. That GUID is used in two places: 🔹 1. Task Scheduler Task Scheduler → Microsoft → Windows → EnterpriseMgmt → {GUID} This folder contains scheduled jobs that handle: MDM sync certificate renewal policy retrieval push notification handling 🔹 2. Registry HKLM\SOFTWARE\Microsoft\Enrollments\{GUID} This folder contains detailed information: tenant ID enrollment type certificate thumbprints renewal status MDM server URLs device identity 👉 Both folders describe the same en...
Read more »

🚀 Windows Autopilot Self-Deploying Mode — Zero-Touch Setup That Feels Like Magic

-
Bild
Just imagine this: You unwrap a brand-new PC or reinstall Windows 11 from scratch… and before you even touch the keyboard, the device automatically: ✅ Joins Microsoft Entra ID (Azure AD) ✅ Syncs all Intune apps, settings, and policies ✅ Lands straight on the sign-in screen — ready for the user No technician. No clicks. No wasted time. That’s Windows Autopilot Self-Deploying Mode — effortless, hands-free provisioning that just works. The only prerequisite? Register the device’s Hardware Hash (HWID) in Intune first. Here’s the cleanest 10-minute setup guide to make it happen — perfect for brand-new or freshly reinstalled devices. ⚡ Step-by-Step: Configure Windows Autopilot Self-Deploying Mode in Under 10 Minutes 1️⃣ Start Fresh Use a new PC or perform a clean Windows 11 installation (OOBE stage). 2️⃣ Insert a USB Drive 3️⃣ Identify the Drive Letter Press Shift + F10 , open PowerShell, and run: Get-Volume Find your USB drive letter (e.g., E:). 4️⃣ Run the Script Execute: .\auto...
Read more »