Windows 8 Lock Screen Policy

February 20th, 2013 by Luke

In November 2012 Microsoft released an update for Windows 8 and Server 2012 (KB2770917) that added the ability to “Enable enterprise customers to customize the default lock screen.” This meant the addition of a Group Policy that enabled control of the Lock Screen.

Although specifically for enterprise customers, I was looking for a way to programmatically change the Lock Screen across all install types – so I began to investigate. Sure enough, after installing the update, the option to “Force a specific default lock screen image” appeared in Group Policy. Although I could set this policy, as highlighted below, it would only be applied on domain-joined or enterprise machines.

forcelogonscreen

I traced the checking of this policy back to Windows.UI.Immersive.dll in the %SYSTEMROOT%\System32 directory. As of the November update a function named LockScreenPathFromGroupPolicy() made an appearance in this DLL. Roughly translated the function looks like this:

lockscreencode

The EnterpriseCustomizationAllowed() function is also a new addition, with LockScreenPathFromGroupPolicy() currently being the only function that makes this check.

From here it was a matter of removing this check and letting the function follow on whether the user was in an enterprise setting or not. In assembly, the check looks like the following:

enterprisecheck

To remove the check, open Windows.UI.Immersive.dll in your favourite editor and NOP (0×90) 9 bytes at offset 0x4607A (x86) or 0x560A5 (x64).

I have found no reason why this policy is “enterprise only” and have experienced no side effects from performing the above mentioned patch, however, your mileage may vary.

  • Fleres4

    I am still at Windows 7, but i am glad there is people like you who share with the world this tweaks.

  • Ben Reaves

    Any idea as to whether this will work with Windows 8.1 Pro? By default, v8.1 doesn’t call this update, as it was released after KB2770917, and those features are baked in. This means that on a default/clean installation of Windows 8.1, completely updated, KB2770917 doesn’t exist and will need to be downloaded manually. The question is whether this patch can be done without checking KB2770917, or whether the update, when downloaded manually, is compatible with Windows 8.1.