Branding Components
Twice does Windows setup use an answer file to automate installation
(“unattend.xml”); once during the initial SETUP.EXE phase, and once
during the post-sysprep mini-setup phase. This is a critical component
in complete branding as it includes native settings to handle much of
the text-based configuration. It is also somewhat dynamic in that
SCCM/MDT can update the unattend.xml during the build process with
discovered information, thereby limiting the amount of additional
scripting an administrator needs to do and resulting in a branding more
tailored for the intended recipient. If you are not completely familiar
with the unattend.xml and how it works, make sure you download the
Windows 8 ADK so you have access to the
Windows System Image Manager (Windows SIM). Also ensure you are familiar with the different
configuration passes
Windows makes during setup so you can place information correctly.
I’ll cover where you can use the unattend.xml within the following
Areas of Branding,
and when referencing the subcomponents therein, I’ll be using the
placeholder “xxxxx” instead of the individual component’s “amd64″,
“wow64″ or “x86″ descriptor; you will need to adjust to match your
environment.
Group Policy also plays a role, a minor and optional role, but one
all the same. You can use Group Policies to change your branding from
“default but changeable” to “mandatory” for your desktops. I’ll cover
where you can implement Group Policy options when applicable.
Lastly, good old scripting. This is the workhorse for your branding
efforts, and serves as the backbone of most deployment mechanisms. For
almost every single configuration area, you’ll find yourself scripting a
delivery method.
The Default User’s Profile
I will talk more about this in the upcoming sections, but in addition
to branding over-all system areas, much of the branding happens within
the user profile area. Because of this, it is important to understand
what the “default user” (the non-existent user profile which forms the
base for all future created user profiles) is. Different versions of
Windows have had different methods of configuring this profile during a
deployment scenario, but starting with Windows Vista, Microsoft focused
on using the Local Administrator’s profile as the template. In a
deployment, that profile is configured as desired
prior to the
mini-setup. It is not, however, the default behavior of Windows setup
to use any template profile for the basis of future profiles. If you do
not tell Windows specifically to do this, Windows will instead create a
new generic profile based on settings found in a few different places.
There is also only one way to tell Windows to use the local
administrator’s profile as the default user template, and this is from
the unattend.xml file.
unattend.xml
Components
4 specialize
xxxxx_Microsoft-Windows-Shell-Setup_neutral
• CopyProfile
Make sure this is set or you will have unexpected results with each new user.
The Native OS Registry
Many areas will require you to make changes to the native Windows
registry, which isn’t immediately accessible when you are in WinPE. You
can load these registry hives while in WinPE using the
REG command. The two files you will need are:
- The native HKLM SOFTWARE hive:
?:\Windows\System32\Config\SOFTWARE
- The default user HKU hive:
?:\Users\Default\NTUSER.DAT
To differentiate these loaded hives from the native, I’ll reference them as
HKLM\WIN8LM and
HKLM\WIN8U respectively.
Activation
Be aware that there are areas of customization not available or used
if configured until Windows is activated. Those areas are noted in the
following sections.
Areas Of Branding
There are five areas of branding available to you in Windows 8:
Registered Organization
With little exception, any time you manually install Windows or any
application, they ask you for the Owner and Company name. When
configured for Windows, this information serves as the default
information for not only future application installations, but any time a
user or company name is required. There are two locations to set
organization information, one being the general Windows configuration,
and the second being the IE configuration. Even if you’re not using IE
as your desktop’s primary browser, its full integration with the OS
means that many built-in components and third party applications will
pull information from the IE settings so it is best to include the
information there. This area also includes a generic Home Page URL
location. It is a bit of a throw-back to the old days of
single-windowed browsing, and most multi-tabbed browsers allow you to
set multiple home pages, but this can still serve as go-to information
for some components and is a good place to put your corporate support
URL.
Configuration via Unattend.xml
This is the preferred and cleanest method for setting the
information, and for the general Windows owner and company information,
it can be set within the Generalize, Specialize, and OobeSystem
sections, as appropriate for when you are applying your unattend.xml.
unattend.xml
Components
4 specialize
xxxxx_Microsoft-Windows-IE-InternetExplorer_neutral
• CompanyName
• Home_Page
xxxxx_Microsoft-Windows-Shell-Setup_neutral
• RegisteredOrganization
• RegisteredOwner
Configuration via Direct Registry Edit
Depending on your desktop deployment build process, you may find it
preferable to set this information via a direct registry edit.
HKEY_LOCAL_MACHINE\WIN8LM\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\CompanyName
• CompanyName (REG_SZ)
HKEY_LOCAL_MACHINE\WIN8LM\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\Home_Page
• Home_Page (REG_SZ)
HKEY_LOCAL_MACHINE\WIN8LM\Microsoft\Windows NT\CurrentVersion
• RegisteredOrganization (REG_SZ)
• RegisteredOwner (REG_SZ)
OEM Information
Although
image branding (desktop / lock screen) is the most visible, OEM
branding is much more integrated and gives companies the ability to
customize the information displayed to the user when the
Settings\Control Panel\System page (System page) is displayed. OEM
Branding falls into two styles, which for this article I’ll reference as
“Standard” and “Help Customized”.
Figure: OEM Branding shows a
typical “Standard” configuration. Under the “System” section, user is
presented with the corporate logo, as well as information for
Manufacturer and Model. Below, in a section named after your
Manufacturer information is a Phone Number, Support Hours and the
Website URL. “Help Customized” (no image shown) is a bit more
complicated and outside the scope of this article, but summarized, it
involves developing your own Help & Support file which integrates
with Windows Help. When this approach is taken, the only thing the
System page displays is your corporate logo with a Support Information
link below it that when clicked opens the custom help file. You can
find more information on developing custom
Help & Support content on TechNet.
Configuration via Unattend.xml
This is the preferred and cleanest method for setting the information. There are a few items to note here. First, do not set
HelpCustomized (or set it to False) or you will wind up with the “Help Customized” configuration as described above. Second, the
Logo field
needs a full path and file name to your corporate image (see “Required
File System Changes” below). This can be either a hard coded path
(e.g., “
C:\Windows\…“) or an variable coded path (e.g., “
%WinDir%\…“).
The remaining fields are written without validation, so anything you
add to the fields will be displayed as-is, with the exception of
SupportURL which will become the link’s target.
unattend.xml
Components
4 specialize
xxxxx_Microsoft-Windows-Shell-Setup_neutral
OEMInformation
• HelpCustomized
• Logo
• Manufacturer
• Model
• SupportHours
• SupportPhone
• SupportURL
Configuration via Direct Registry Edit
Depending on your desktop deployment build process, you may find it
preferable to set this information via a direct registry edit. The same
rules that govern the
HelpCustomized and
Logo entries within the unattend.xml apply to the direct registry placement.
HKEY_LOCAL_MACHINE\WIN8LM\Microsoft\Windows NT\CurrentVersion
• Logo (REG_EXPAND_SZ)
• Manufacturer (REG_SZ)
• Model (REG_SZ)
• SupportHours (REG_SZ)
• SupportURL (REG_SZ)
• HelpCustomized (REG_DWORD)
Required File System Changes
Regardless of how you set this information, you will need to include
your corporate logo. This image is a 120×120 pixel 32-bit depth BMP
file. Although the file can be named and placed anywhere on your local
system, there is a 259 character limit to the path and name, so best
practices has you storing it in the following location:
?:\Windows\System32\oobe\info\info.bmp
You can find more information on the
OEMInformation configuration on TechNet.
Lock Screen
The
approach to the lock screen in Windows 7 was pretty straight forward,
making use of the OEM configuration setting to place the image, then
setting a value in the registry to ensure usage of the image. This
approach still works, but there is also a new method of setting an image
that is not tied to OEM configuration, but the default user profile
instead. I will cover both methods; they do not conflict with each
other so if you use both, you will not have any complications.
Image Configuration
Regardless of approach, the images used are the same. Unless you
have an extremely homogeneous environment, you will be deploying your
desktop image to multiple hardware platforms, and each platform will
have different default resolution. You want your image to look
correctly scaled on any resolution it is displayed on, and as such, you
will need to create an separate image file for each resolution within
your environment. I recommend you start with a “master” image, at a
resolution of 1900×1200 pixels, and save this as a JPG file no larger
than 256kb. Then for each target platform’s resolution, rework your
master image to the new resolution and save it as a new file, again as a
JPG and no larger than 256kb.
Common Monitor Resolutions
• 900×1440
• 960×1280
• 1024×768
• 1024×1280
• 1280×768
• 1280×800
• 1280×1024
• 1360×768
• 1366×768
• 1440×900
• 1600×1200
• 1920×1080
• 1920×1200
Of course discovering resolutions for all your models may be time
consuming, and it will not take into consideration future resolutions,
so you may find it easier to just create some common resolutions, like
those listed in the call-out box, and leave it at that. Keep in mind
that many users have rotating monitors, which means that your image may
be displayed in portrait instead of landscape: 1024×768 is much
different than 768×1024.
One final design consideration for the image is the overall
background color. Windows uses a white text, so if your image has too
light a background, it will be difficult to see the clock/date displayed
when the unit is locked.
OEM Approach
This approach involves talking all your scaled images and dropping
them into a system folder. Windows will automatically pick the best
resolution image as the display resolution changes, using a default
image if a matching resolution image is not found.
With a copy of all your master images, rename each one to fit the pattern of
backgroundWidthxHeight.jpg where
Width and
Height are replaced with the resolution dimensions (e.g.,
background1024x768.jpg).
Pick one of the images (typically the largest resolution or the one
that will scale best if you have not provided an exact match resolution
image) and copy it to a new file named
backgroundDefault.jpg. Copy all those files to the following location:
?:\Windows\System32\oobe\info\backgrounds
After this, you need to update the native registry to instruct Windows to use the OEMBackground:
HKEY_LOCAL_MACHINE\WIN8LM\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
• OEMBackground=1 (REG_DWORD)
You can lock this down by using Group Policy as well:
Computer Configuration\Administrative Templates\System\Logon
“Always use custom logon background”
Default User Approach
This approach involves taking all your scaled images and dropping
them into a user-specific system folder. Windows will automatically
search that folder for the file that matches the currently set
resolution of the system. If it doesn’t find the file, a solid color is
displayed instead.
With a copy of all your master images, rename each one to fit the pattern of
LockScreen___Width_Height.jpg (three underscores after
LockScreen) where
Width and
Height are replaced with the resolution dimensions of the image (e.g.,
LockScreen___1900x1200.jpg), but padded to be 4 digits long (i.e., if your image is 1024×768, the file name is
LockScreen___1024x0768.jpg).
Unlike the OEM methods, you do not need to create a default image.
Create the folder structure listed below and copy all your files into
it.
?:\ProgramData\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z
Quick side note. Technically speaking, only one file, the one
matching the current resolution, is needed within the LockScreen_Z
folder. Windows isn’t enumerating all the files in the folder, only
looking for a file named after the resolution currently active. But as
these files are small, dumping all of them in does no harm and save you
discovery and automation work. Second, each time the display resolution
changes, Windows creates a new folder under the
…\ReadOnly subfolder patterned as
LockScreen_?
where the question mark is replace by a single letter starting with Z
and descending to A. If you have users that change resolution often,
such as the case with a swivel monitor, you might consider pre-creating
the
LockScreen_Y as well and populating it with the correct resolution files.
Because “
S-1-5-18”
is the static SID for the Local Administrator’s account, this becomes a
user-system folder and helps form the “default user profile”. No
registry configurations are needed for this section.
Alternative User Images
Unless locked down by Group Policy, users can change their lock
screen once Windows is activated. If they choose to do this, they are
given a default selection of 5 images and allowed to upload their own.
This also provides an additional area for corporate branding, providing
alternative corporate images to the default one you have implemented.
?:\Windows\Web\Screen
This is the folder location that contains the images. These can be
either JPG or PNG images, at a size which will scale down well
(1900×1200), and at any file size (they do not adhere to the 256kb
limit). These files have a specific naming convention, starting with
“IMG”, followed by a number starting at 100, and ending with the correct
file extension. Windows will start with
IMG100 and ascend until all sequential images are displayed.
Using Group Policy to Disable Lock Screen Changes
If desired, you can restrict users from changing their background
image via Group Policy. This setting has no configuration options other
than Enabled or Disabled/Not Configured.
Computer Configuration\Administrative Templates\Control Panel\Personalization
“Prevent changing lock screen image”
Using Group Policy to Force a Specific Lock Screen Image
[Update: 12/20/12] The "
Windows 8 and Windows Server 2012 cumulative update: November 2012", which is comprised of several patches and updates (
KB 2770917)
introduced the ability to force a specific image for the Lock Screen.
This image can be a local or network share image. Microsoft recommends a
Dfs share for a network image for redundancy, but this obviously limits
you to a single image for all display resolutions. If you select a
local file, although all units will point to the same local file, you
can point to a common-named image that is specifically placed on the
local computer that matches that unit's display resolution, exactly as
you would do with the
defaultBackground.jpg image in the OEM Approach (if you take that approach, you could specify that file within the Group Policy).
Computer Configuration\Administrative Templates\Control Panel\Personalization
"Force a specific default lock screen image"
Start Screen
The
internet is filled with conversations over customizing the Start
Screen. Most of the original conversation threads focused around hacks
to change the color, then pick one of the included image patterns, and
finally to using your own image. I’ll say up front that I only cover
changing what Microsoft has made available for change, and as with all
other sections, I do not include any 3rd party utilities or other
file-hacking methods.
The Start Screen is simply a solid color with an “accent” patterned
overlaying it; nothing more, there is no “image”. Software you see that
promises to use a custom image are performing a trick by which they are
displaying an image over the solid background but under the tiles; it
is not actually there, it only is visible while the utility is running,
and the utility must be run on each user logon. What you can change is
the solid color and the accent image.
Color
Microsoft provides 24 stock color schemes you can use. These
corresponds to the image bar below. Please not that regardless of which
method you use to set this, you need to use the decimal value; the
registry will have a default view of the HEX value.
The desired method of changing this is using the unattend.xml:
unattend.xml
Components
7 oobeSystem
xxxxx_Microsoft-Windows-Shell-Setup_neutral
VisualEffects
• SystemDefaultBackgroundColor
This can also be set via the registry. Note that this is set at a per-user level, so you are updating the default user profile.
HKEY_LOCAL_MACHINE\WIN8U\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
• ColorSet_Version3 (REG_DWORD)
The Accent Overlay
Microsoft provides 19 overlays, and a “no overlay” option for just a
solid color background. Changing the color scheme does not change the
accent overlay colors. You cannot alter the overlays or add any of your
own. At this time, the only method of changing the accent overlay is
via the registry. Note that this is a per-user setting.
HKEY_LOCAL_MACHINE\WIN8U\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
• AccentId_v8.00 (REG_DWORD)
The value will match the following values, shown in their decimal form.
Although you cannot seem to choose the default accent overlay except
via the registry, you can disable the overlay via Group Policy:
Computer Configuration\Administrative Templates\Windows Components\Desktop Window Manager
“Use solid color for Start background”
One thing to note is that regardless of your direct registry
selection, the accent overlay change will not take affect until Windows
is activated.
Locking the Start Background
As noted above, you can set the color via unattend.xml or the
registry, and the accent overlay only via the registry. But you can
lock users from changing the color scheme and overlay via group policy:
Computer Configuration\Administrative Templates\Control Panel\Personalization
“Prevent changing start menu background”
Interestingly enough, this just removes the graphical ability; any
user with registry access can change the value and subsequently the
color and accent.
Desktop
If
you are familiar with the methods of setting this in Windows 7, you
will recognize this in Windows 8 as nothing has changed. Review the
Image Configuration information from the above
Lock Screen section as you will follow the same development principals.
Unlike the Lock Screen where you used all the images, for the desktop
you only use one. That image must match your target’s display
resolution as Windows will not scale it, and it must match the file
format and size as you are replacing system files.
Windows 8 uses a single default desktop background image for all profiles. That file is called
img0.jpg
and is in several places on your local computer. Because this is a
system file, you must change it in not only the easy to find location,
but any system file backup location. The system file backup location is
in a subfolder under
?:\Windows\winsxs
and is cryptically named to meet the Windows CPU platform, Windows
component, and service pack version. This means that it can vary from
computer to computer. An example of found locations would be as below,
where the first path is the easy one, and the second is the system
backup.
?:\Windows\web\wallpaper\windows
?:\Windows\winsxs\xxxxx_microsoft-windows-s..l-wallpaper-windows_[Ver]
Because of this, it is best to not attempt a direct replacement, but
rather query your local file system and update as found. A quick WMI
query to return the locations is as follows:
SELECT Path FROM CIM_DataFile WHERE FileName=”img0” AND Extension=”jpg” and Drive=”?:”
The update process is as follows: Query your local system for each instance of
img0.jpg. For each instance found, take your correctly sized image, rename it to
img0.jpg, and replace the native file.
Locking the Desktop Wallpaper
You can lock users out of changing the desktop wallpaper via Group Policy:
User Configuration\Administrative Templates\Control Panel\Personalization
“Prevent changing desktop background”
Account Profile
The last area of branding are the Account Pictures. First introduced
with Windows Vista, these have matured from the more simplistic smaller
images to more dynamic profile objects that are used quite extensively
within Windows.
The two figures to the right show two versions of the Account Picture.
Figure: Profile Large shows the image as it appears on the lock screen, while
Figure: Profile Small
shows it as it appears on the Start Screen. Although a user is unable
to change their account picture until Windows is activated, you can set
the default images displayed ahead of time.
If you do use the GUI to change the account picture, Windows will
create scaled images to match the display need. This can result in the
single image looking incorrect at one of the scaled sized. As you can
see from the figures however, you are not actually bound to a single
account picture.
Three images are used by Windows for the default Account Pictures.
These image default as all PNG files at a depth of 32-bit. Although not
immediately clear when interacting with Windows, the three sizes are
448×448 pixels, 200×200 pixels, and 40×40 pixels.
Figure: Profile Large,
although displayed at logon and when you are personalizing the profile
is at a 200×200 pixel size, it is actually 448×448 pixels and
subsequently scaled down.
Figure: Profile Small is actually the 40×40 pixels image. Create your master images to match as follows:
| File Name |
File Type |
Diminsions |
Bit Depth |
| GUEST.BMP |
Bitmap |
488×488 |
32-bit |
| GUEST.PNG |
PNG |
488×488 |
32-bit |
| USER.BMP |
Bitmap |
488×488 |
32-bit |
| USER.PNG |
PNG |
488×488 |
32-bit |
| USER-200.PNG |
PNG |
200×200 |
32-bit |
| USER-40.PNG |
PNG |
40×40 |
32-bit |
Very similar to the desktop’s
img0.jpg
described in the Desktop section, all of the PNG files are system files
located in both an easy to find common folder, and a more difficult
system backup folder:
?:\ProgramData\Microsoft\User Account Pictures
?:\Windows\winsxs\xxxxx_microsoft-windows-usertiles-client_[Ver]
Therefore, as with the Desktop image, a query/replace approach is best:
SELECT Path FROM CIM_DataFile WHERE FileName=”[filename]” AND Extension=”png” and Drive=”?:”
Where
[filename] is
replaced with “USER”, “GUEST”, “USER-200″ and “USER-40″ in
succession. This leaves you with the two BMP files, which you place
into the
..\User Account Pictures directory, overwriting the images currently there.
Locking the Account Picture
As with other sections, you can user Group Policy to keep users from changing their account pictures.
User Configuration\Administrative Templates\Control Panel\User Accounts
“Apply the default account picture to all users”
Conclusion
There are quite a few tasks that must be done to fully brand your
desktop with the corporate identity. The most daunting and time
consuming is development of the lock screen and desktop backgrounds as
scale-sensitive items such as logos, photos, and text can go from
looking polished to looking amateur quickly. Back-filling an
in-production or post-setup desktop build is extremely difficult, so a
higher attention to configuration timing during deployment is needed.
Scripting and automation are absolutely your best friends here,
shrinking the time taken to incorporate all these components to seconds
while giving your build the ability to dynamically change environmental
settings as needed. Windows 8 may have introduced many challenges to
administrators, but corporate branding doesn’t need to be one of them.
