Create a lock screen slideshow with more than one picture without GPO (because there’s none)

So I was tinkering with Windows 10 GPOs and had some free time to try and achieve some more than what the customer asked me to do. As we know there actually IS a policy that’s controlling the lock screen called “Force a specific default lock screen image” – you can find it in Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization. Sooo, wait. There’s no way to choose what mode I want my lock screen to be?

DISCLAIMER: This is provided as is! Microsoft will (most likely – I didn’t ask them) not support any of the procedures I’m about the explain. In fact I don’t recommend you using this in a productive environment ever

THIS INSTRUCTION IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS INSTRUCTION INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS INSTRUCTION. – You have been warned.

I mean, you have those great options like… um.. yeah right. Slideshow! Imagine showing off multiple pictures from your marketing department before your screen goes into sleep (because I know you have those settings as well). That’d make really good advertisement and gives off a nice vibe of corporate design and in some cases corporate identity as well. Unfortunately you have no option of selecting this easily via GPO, there isn’t one last time I checked.

So, what to do?

EDIT: Please backup your Registry before changing anything described in this post. Even after you’ve backed your Registry, please don’t try this on a productive environment

If you guessed: Digging into the Registry you’re… well right. Procmon, Windows 10 ver. 1607 and some experiments later I found the following keys that control the behaviour of this window:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\SlideshowEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\SlideshowDirectoryPath2 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\RotatingLockScreenOverlayEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\RotatingLockScreenEnabled

So what does each key do?

  • Lock Screen\SlideshowEnabled: Selects the “Slideshow” option from the screenshot (notice: It only selects this)
  • Lock Screen\SlideshowDirectoryPath2: Sets another path the look for pictures besides default “My Pictures” folder
  • ContentDeliveryManager\RotatingLockScreenOverlayEnabled: This one was tricky to find. It controls the “Get fun facts, tips, tricks, and more on your lock screen” option if you select Slideshow as option.
  • ContentDeliveryManager\RotatingLockScreenEnabled: So why do we need this? We could enable Slideshow and be done with it right? Well while that’s true it looks just stupid if a user ever finds his way into those options (see next screenshot).

So, we’re good right? Setting a few keys with a policy, copy the files over to the local machine (because you don’t want direct UNC paths for pictures like this trust me) define the folder in SlideshowDirectoryPath2 or SlideshowDirectoryPath1 and bam! Slideshows for everyone. WRONG!

 

Microsoft was really clever on this one. I think because a lot of registry entries actually get send to Microsoft with telemetry, diagnostics or error reporting (choose your poison) they actually wanted to protect the privacy of customers here. For our cause one of the registry keys is a little… well difficult to handle: SlideshowDirectoryPath is not only encrypted its also base64, well slightly at least. I found out after google-ing a little that the method used for the encryption – or obfuscation, not really sure – is called “PIDL” or “pointer to an item identifier list”. A key would look like this:

2AAFA8BVlgkHDQ5eD3UsxkuR0yUjVDCAAAgGA4+u+PCAAABAf6KkpuDoA6El8mpEXDVQEAAAAAA which should be “%USERPROFILE%\Pictures”

It was very easy to find a script to encode what I needed here – but I was just lazy t.b.h. So I kept looking and found this and “Henrique HZBR” is the winner here. I can just copy the key from a machine that is configured properly and copy that key if I tell the registry to use REG_EXPAND_SZ instead of REG_SZ.

As an example, this is what C:\temp looks like: QEAFA8BUg/E0gouOpBhoYjAArADMdmBAvMkOcBAAAAAAAAAAAAAAAAAAAAAAAAQ4AEDAAAAAAkYS6nKEAQXZtBHAAoDAJAABA8uvJmU+pmYS6nqLAAAA1zUAAAAAhAAAAAAAAAAAAAAAAAAAAkfQpDAdAUGAtBAcAAAAUAwkAAAAnAw7+WIAAAQMTB1U32pr/3IH/PUgMSIQ6M6ctkGAAAAZAAAAA8BAAAALAAAA3BQaA4GAkBwbAcHAzBgLAkGAtBQbAUGAyBwcAkGA2BQZAMGAvBgbAQHAyBwbAwGAwBQYA4GAlBAbA8FAjBwdAUDAuBQMAgGAyAAdAgHA5BQZAcHA5BAAAAAAAAAAAAAAUAAAAA

TL;DR: So what do I need to do in the end?

  • Copy the pictures with a GPO, SCCM Packet or whatever you have available to the machine into the directory you want to use later. I used C:\temp for testing
  • Set a Windows machine with the desired config (see also BONUS below)
  • Copy the registry values as you need them
  • Add them under User Configuration\Preferences\Registry – don’t forget to choose REG_EXPAND_SZ for the SlideshowDirectoryPath
  • Roll the policy out to your users
  • Profit

I hope you liked what I found and I keep praying to Microsoft that they make this available in the near future as an option I can configure. Not one that I need to hack around to get what I want.

EDIT2: For some reason the entries get shifted if the user adds more paths. So be careful if you have some kind of baseline checking the registry value. The latest entry will always be SlideshowDirectoryPath1. The entry before that will become SlideshowDirectoryPath2 and so on. You can still overwrite SlideshowDirectoryPath1, but that will overwrite the last entry that was added. Fun fact: You can have SlideshowDirectoryPath9 – two digit numbers are not allowed. So maybe use SlideshowDirectoryPath9 if you love your users and want to give them 8 potential folders to add! Fun fact 2: If a user deletes an entry the other entries will keep the number.

BONUS: The options under “advanced” are controlled as follows:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\SlideshowIncludeCameraRoll controls “Include Camera Roll folders from this PC and OneDrive”
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\SlideshowOptimizePhotoSelection “Only use pictures that fit my screen”
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\SlideshowAutoLock “When my PC is inactive, show lock screen instead of turning off”
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\SlideshowDuration “Turn off screen after slideshow has played for” (30 Minutes would be 1800000, but you can set 15 Minutes as well (even though it doesn’t show in the GUI)

BONUS 2: SCCM script to use while deploying (this is just the basic 4 settings without the “advanced” options)