ANAVEM
EnglishFrancais
ANAVEM
Reference
Languagefr
How to Customize Windows Login and Lock Screen Using Group Policy (GPO)

How to Customize Windows Login and Lock Screen Using Group Policy (GPO)

Learn to customize Windows login and lock screen backgrounds using Group Policy Objects in Active Directory environments. Configure corporate branding, legal notices, and prevent user modifications across Windows 11 Pro/Enterprise systems.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
March 17, 2026 15 min 7
mediumgroup-policy 8 steps 15 min

Why Customize Windows Login and Lock Screens with Group Policy?

Corporate branding and security compliance often require standardized login and lock screen experiences across enterprise Windows environments. Group Policy Objects (GPOs) provide centralized control over these visual elements while ensuring consistent security messaging and preventing unauthorized personalization changes.

As of 2026, Windows 11 24H2 and Windows Server 2025 maintain full support for login and lock screen customization through Active Directory Group Policy. This approach eliminates the need for manual configuration on individual machines and ensures compliance with corporate security policies.

What Are the Key Benefits of GPO-Based Screen Customization?

Implementing login and lock screen customization through Group Policy offers several advantages over manual configuration methods. You gain centralized management, automatic deployment to new domain-joined machines, and the ability to enforce legal notices required for compliance frameworks like SOX, HIPAA, or government security standards.

The GPO approach also provides granular control over user permissions, allowing you to prevent unauthorized changes to corporate branding while maintaining flexibility for specific user groups or departments that may require different configurations.

Related: KB890830 — Windows Malicious Software Removal Tool (MSRT)

Related: Set Up Windows LAPS with Microsoft Intune for Enhanced

Which Windows Editions Support GPO Login Customization?

This tutorial focuses on Windows 11 Pro, Enterprise, and Education editions, as well as Windows 10 Pro and Enterprise versions in Active Directory environments. Windows Home editions and LTSC (Long-Term Servicing Channel) versions have limited personalization capabilities and cannot implement these GPO-based customizations due to Microsoft's licensing restrictions.

Implementation Guide

Full Procedure

01

Install Group Policy Management Tools

First, ensure you have the Group Policy Management Console available on your domain controller or administrative workstation. On Windows Server 2022+, install RSAT tools if not already present.

Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

Alternatively, install via Server Manager by navigating to Add Roles and Features > Features > Remote Server Administration Tools > Role Administration Tools > Group Policy Management Tools.

Pro tip: You can also install GPMC on Windows 11 Pro/Enterprise workstations to manage GPOs remotely without logging into the domain controller.

Verification: Open Run dialog (Windows + R), type gpmc.msc, and press Enter. The Group Policy Management Console should open without errors.

02

Create and Configure the Custom Login Screen GPO

Create a new Group Policy Object specifically for login and lock screen customization. This keeps your customizations organized and easy to manage.

Open Group Policy Management Console and navigate to your target Organizational Unit. Right-click the OU and select Create a GPO in this domain, and Link it here...

Name the GPO something descriptive like "Corporate Login Lock Screen Policy" and click OK. Right-click the newly created GPO and select Edit.

Navigate to: Computer Configuration > Policies > Administrative Templates > System > Logon

Find and double-click Always use custom logon background. Set it to Enabled and click OK.

Warning: This policy only works on Windows 11/10 Pro, Enterprise, and Education editions. It will not function on Home or LTSC editions due to personalization restrictions.

Verification: The policy should show as "Enabled" in the Group Policy Editor. You can also run gpresult /h C:\temp\gpo-report.html on a target machine after applying the policy to verify it's being received.

03

Prepare and Deploy Custom Login Background Image

Create the required directory structure and deploy your custom login background image. The image must meet specific requirements for proper display.

On each target machine (or via GPO file deployment), create the following directory:

mkdir "C:\Windows\System32\oobe\info\backgrounds"

Copy your custom background image to this location and rename it to backgroundDefault.jpg. The image specifications are critical:

  • Format: JPG only
  • Resolution: 1920x1080 pixels
  • File size: Under 256KB
  • Aspect ratio: 16:9

You can automate this deployment using a startup script in your GPO. Navigate to Computer Configuration > Policies > Windows Settings > Scripts > Startup and add a batch script:

@echo off
if not exist "C:\Windows\System32\oobe\info\backgrounds" mkdir "C:\Windows\System32\oobe\info\backgrounds"
copy "\\domain.com\sysvol\domain.com\scripts\backgroundDefault.jpg" "C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg" /Y
Pro tip: Store your master image file in the SYSVOL share for centralized deployment. This ensures all domain computers receive the same image automatically.

Verification: Check that the file exists at C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg and verify the file size is under 256KB using dir command.

04

Configure Custom Lock Screen Image

Set up a custom lock screen image that will be enforced across all domain computers. This is separate from the login screen background.

In the Group Policy Editor, navigate to: Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization

Find and enable Force a specific default lock screen and logon image. In the options section, specify the path to your lock screen image:

C:\Windows\Web\Screen\corporate-lock.jpg

Create a startup script to deploy the lock screen image:

copy "\\domain.com\sysvol\domain.com\scripts\corporate-lock.jpg" "C:\Windows\Web\Screen\corporate-lock.jpg" /Y

The lock screen image should also follow the same specifications as the login background: JPG format, 1920x1080 resolution, under 256KB.

Verification: After applying the policy and rebooting, lock the workstation (Windows + L) to see if the custom lock screen appears. You can also check the registry value:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "LockScreenImage"
05

Add Legal Notice and Security Messages

Configure legal notices that appear before users can log in. This is crucial for corporate compliance and security policies.

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Configure these two policies:

1. Interactive logon: Message title for users attempting to log on

Set this to something like: AUTHORIZED ACCESS ONLY

2. Interactive logon: Message text for users attempting to log on

Set this to your legal notice, for example:

This system is for authorized users only. All activities are monitored and recorded. Unauthorized access is prohibited and may result in prosecution under applicable laws. By continuing, you acknowledge and consent to monitoring.
Warning: Legal notices can delay the login process. Keep messages concise but comprehensive. Users must click OK before they can proceed to enter credentials.

Verification: Restart a target machine and observe the legal notice dialog before the login screen appears. The message should display exactly as configured.

06

Prevent Users from Changing Login and Lock Screen Settings

Lock down personalization settings to prevent users from overriding your corporate branding and security configurations.

Configure these policies under Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization:

1. Enable Prevent changing lock screen and logon image

2. Enable Prevent changing desktop background

3. Navigate to User Configuration > Policies > Administrative Templates > System > User Profiles and enable Prevent changing lock screen camera and slide show

Additionally, you can hide the personalization settings entirely by enabling Prohibit access to Control Panel and PC settings under User Configuration, though this may be too restrictive for most environments.

Pro tip: Create a security group for executives or specific departments that need personalization access, then use GPO security filtering to exclude them from these restrictive policies.

Verification: Log in as a standard user and attempt to access Settings > Personalization. The lock screen and background options should be grayed out or hidden entirely.

07

Apply GPO and Force Policy Updates

Link your GPO to the appropriate Organizational Units and force immediate policy application across your domain.

In Group Policy Management Console, ensure your GPO is linked to the correct OUs containing your target computers. You can also link it at the domain level if you want it to apply to all computers.

To force immediate policy application on target machines, run these commands:

gpupdate /force
shutdown /r /t 0

For remote policy updates across multiple machines, use PowerShell:

Invoke-GPUpdate -Computer "Computer1","Computer2" -Force -RandomDelayInMinutes 0

You can also schedule the policy update for all computers in an OU:

Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=domain,DC=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }

Verification: Generate a Group Policy Results report to confirm all policies are applying correctly:

gpresult /h C:\temp\gpo-results.html

Open the HTML report and verify your custom login/lock screen policies appear under "Computer Configuration" with "Winning GPO" showing your policy name.

08

Test and Troubleshoot Common Issues

Verify your implementation works correctly and resolve common problems that may occur during deployment.

Test the complete login experience:

1. Restart a target machine completely

2. Verify the legal notice appears first

3. Confirm the custom login background displays

4. Log in and lock the screen (Windows + L) to test the lock screen image

Common troubleshooting steps:

If images don't appear, check these registry values:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "UseOEMBackground"
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "LockScreenImage"

Check Group Policy event logs for errors:

Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" | Where-Object {$_.LevelDisplayName -eq "Error"} | Select-Object -First 10

If policies aren't applying, verify the computer account has the correct permissions and the GPO is linked properly. Use gpresult /r for a quick overview of applied policies.

Warning: Image files that are too large (over 256KB) or in the wrong format will cause the custom backgrounds to fail silently. Always verify file specifications before deployment.

Verification: Document your testing results and create a rollback plan by noting the default Windows behavior before implementing these changes.

Frequently Asked Questions

Can I customize Windows 11 Home edition login screen with Group Policy?+
No, Windows 11 Home edition does not support Group Policy-based login screen customization. This feature requires Windows 11 Pro, Enterprise, or Education editions joined to an Active Directory domain. Home edition users must use registry modifications or third-party tools, which are not recommended for enterprise environments.
What image specifications are required for custom Windows login backgrounds?+
Custom login background images must be in JPG format with 1920x1080 resolution and file size under 256KB. The aspect ratio should be 16:9 for optimal display. Images exceeding these specifications will fail to display, and the system will revert to the default Windows background without error notifications.
How do I troubleshoot Group Policy login screen customization not working?+
First, verify the GPO is linked correctly and run 'gpupdate /force' followed by a reboot. Check that image files exist in the correct paths and meet size requirements. Use 'gpresult /h report.html' to confirm policy application and examine the Group Policy event logs for errors. Ensure target machines are Windows Pro/Enterprise editions.
Can users override corporate login screen settings on domain computers?+
Users cannot override login screen settings when properly configured through Group Policy. The 'Prevent changing lock screen and logon image' policy blocks access to personalization settings. However, local administrators might still modify registry settings, so consider implementing additional security measures like removing local admin rights for standard users.
Does Windows login screen customization work with Azure AD joined devices?+
Traditional Group Policy login screen customization requires on-premises Active Directory and does not work with Azure AD-only environments. For Azure AD joined devices, you must use Microsoft Intune device configuration profiles or Windows Autopilot to achieve similar customization results through modern device management policies.
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#group-policy#windows-security#active-directory

Further Intelligence

Deepen your knowledge with related resources

How to Install Office 365 Offline for Enterprise Deployment
tutorial
General

How to Install Office 365 Offline for Enterprise Deployment

Deep Dive
How to Bulk Import Active Directory Users from CSV Using PowerShell
tutorial
DevOps

How to Bulk Import Active Directory Users from CSV Using PowerShell

Deep Dive
How to Deploy and Configure Remote Desktop Services (RDS) on Windows Server
tutorial
Networking

How to Deploy and Configure Remote Desktop Services (RDS) on Windows Server

Deep Dive

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...