Documentation

Summary

In keeping with our commitment to simplicity, this guide offers clear and easy-to-follow instructions for installing and using the Windows Personalization Packager. The most effective way to familiarize yourself with the product is through hands-on experience. We invite you to try it out by clicking the button in the top right corner of your screen.

Did you know the WPSecure Personalization Packager only has 6 buttons? Create powerful deployment packages with ease. It's as simple as 1,2 and 3.

Terminology

This document uses the below terminology to explain the product features.

The Packager: Creates deployment packages that contain Desktop backgrounds, Outlook signatures, and Screensavers that can be easily deployed to on-premises and Cloud-connected Windows devices.
The Packages: These are created using the Packager and are then deployed using software deployment utilities such as SCCM, Intune, or similar tools.
The Campaign Manager: This tool generates the campaign file that dictates the start and end dates and the priority of packages. The Campaign files are deployed in a manner identical to the Personalization packages.

Prerequisites

The Personalization packages created by the Packager and the Packager have the following prerequisites:

WPSecure Windows Personalization packages are only certified for use with physical devices such as Desktops, Laptops, and Tablets, where users are not logged in concurrently (simultaneously).
The verification process for the subscription of the Packager necessitates a live internet connection that can directly and unrestrictedly access the Microsoft identity platform on the URLs wpsecure.onmicrosoft.com and wpsecure.b2clogin.com. However, this requirement does not apply to the Personalization packages.
Operating System: Windows 10 20H2 or later, or a Microsoft-supported version of Windows 11.
.NET Framework: Version 4.8 or later.
Processor: 1 gigahertz (GHz)  or  faster with 2 or more cores on a compatible 64-bit processor core (The packages work on x86 devices but are not supported).
Memory: 4 GB RAM or greater.
Storage: 64 GB or larger storage device.
Functional WMI and .NET Framework.
No local or global policies prevent changing desktop backgrounds, Outlook signatures, or screensavers in the user context.
All necessary exceptions for AppLocker and other security products that may impede the seamless operation of WPSecure must be properly configured.
The system must not have any faulty drivers.

Log location

The Personalization Packager records its progress, failures, and exceptions in the below log file.

				
					%temp%\wpsecure-packager.log

The Personalization package installer which runs as the SYSTEM user or as an elevated Administrator records its progress, failures, and exceptions in the below log file.

				
					%SystemDrive%\Windows\Temp\wpsecure-install.log

The Personalization package uninstaller which runs as the SYSTEM user or as an elevated Administrator records its progress, failures, and exceptions in the below log file.

				
					%SystemDrive%\Windows\Temp\wpsecure-uninstall.log

Following are the log files pertaining to loading, brokering, events, and selection of the Personalization packages.

				
					%temp%\wpsecure-xx.xx.xxxx.xxxx.log
%temp%\wpsecureloader.log
%temp%\wpsecurebr.log

Dealing with policy conflicts

Local and global policies that prevent end-users from changing desktop backgrounds and themes may conflict with the WPSecure desktop background processing engine. We recommend removing these policies and instead hiding the corresponding Windows Control Panel items.

Listed below are two of the conflicting policies that can prevent users from changing the desktop background (There might be more). These policies may conflict with the WPSecure desktop background processing engine, so it is recommended to either remove or not configure them.

Prevent Changing Desktop Background: This Group Policy can be found under User Configuration\Administrative Templates\Control Panel\Personalization. If this policy is enabled, it will prevent users from changing the desktop background.
Desktop Wallpaper: This Group Policy can be found under User Configuration\Administrative Templates\Desktop\Desktop. If this policy is enabled, it will specify the desktop wallpaper and prevent the proper functioning of WPSecure desktop background engine.
Prevent changing desktop background: This policy prevents users from adding, changing, or deleting the background design of the desktop. When enabled, the “Desktop Background” section in the Personalization window in the Control Panel is disabled. Users cannot change the desktop background by right-clicking an image and clicking Set as Desktop Background.
Active Desktop Wallpaper: This policy lets you specify the desktop background (“wallpaper”) used for all users. It also prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (.bmp) or JPEG (.jpg) file.
Enforce a default desktop background: Using the Local Group Policy to enforce a desktop background, prevents users from changing the image.

Registry Path	Value Name
`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop`	`NoChangingWallPaper`
`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System`	`Wallpaper`
`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System`	`WallpaperStyle`

To ensure that these policies do not conflict with the WPSecure desktop background processing engine, it is recommended to either remove or not configure them. This can be done by opening the Group Policy Editor and navigating to the appropriate policy location. From there, you can either set the policy to “Not Configured” to remove any conflicts.

After resolving all policy conflicts, including but not limited to those mentioned above, you may proceed to hide the Windows panels and menus associated with changing desktop backgrounds and themes. To clarify, the objective is to hide the controls for changing desktop backgrounds and themes, rather than limiting access to these features.

Note: The Personalization Packages are designed to operate within the user’s context, thereby safeguarding the entire SYSTEM from code-behind-image-based attacks. In the event that a code-savvy employee attempts to alter the Desktop background, the WPSecure engine will automatically restore it to its original state upon the next trigger.

Hide personalization items from control panel:

After removing polices that restrict users from changing the desktop background, you can hide these options from the Control Panel, using the Group Policy Editor. Here’s how:

Open the Group Policy Editor by pressing the Windows key + R, typing gpedit.msc, and pressing Enter.
In the left pane, navigate to User Configuration\Administrative Templates\Control Panel.
In the right pane, double-click on Hide specified Control Panel items.
Select Enabled and then click on the Show button next to List of disallowed Control Panel items.
In the Value column, type Microsoft.Personalization and click on OK.
Click on Apply and then on OK to save your changes.

Hide personalization items from desktop right-click context menus:

To hide these options from the right-click menus on the desktop, you can use the Registry Editor. Here’s how:

Open the Registry Editor by pressing the Windows key + R, typing regedit, and pressing Enter.
In the left pane, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Right-click on an empty space in the right pane and select New > DWORD (32-bit) Value.
Name the new value NoViewContextMenu and set its value to 1.
Close the Registry Editor.

Windows Personalization Packager installation

The Personalization Packager is available for download by clicking on the button located in the top right corner of this page. The download consists of a compressed ZIP file that contains a Microsoft Installer (MSI) file, accompanied by a Digital Signature issued by Sectigo, a reputable computer security service based in Roseland, New Jersey. To ensure the authenticity and safety of the installer, it is important to only download it from this website and not from any other source.

To install an MSI file on a Windows computer, you must first ensure that you are signed in as an administrator. Once you have located the MSI file, simply double-click it to run the installer and start the installation wizard. Follow the prompts to complete the installation process. Alternatively, you can use the Command Prompt or PowerShell to install an MSI file by using the command

				
					msiexec /i [location of MSI file]

For more detailed instructions, please refer to the official Microsoft documentation.

The MSI installs the following applications.

The Packager
The Campaign Manager.

Buy a subscription and register

Select the ‘Buy or Manage’ option from the top menu to acquire a subscription. Once your purchase is complete, navigate to the Personalization Packager. You’ll find a ‘sign up now’ link beneath the login screen. Click on this link to finalize your registration process.

Complete the registration process using the email address supplied during purchase.

The Personalization Packager

The Personalization Packager allows you to bundle your personalization elements, such as Desktop backgrounds, Outlook signatures, and screensavers, into a deployment package that can be easily deployed to locally networked and Cloud-connected devices.

The Personalization Packager creates self-contained personalization deployment packages that are deployed to Windows 10 and 11 devices.

Note: The Personalization deployment packages are x86-based assemblies that can run on both 64-bit and 32-bit (not supported) architectures. However, the Personalization Packager itself can only install and run on 64-bit machines.

The Personalization packager accepts 3 types of personalization items.

Desktop backgrounds.
Microsoft Outlook signatures.
A Windows screensaver.

Desktop backgrounds

This module assigns unique desktop background images to each screen, ensuring that the image’s structure and message are preserved. For instance, a landscape-oriented computer monitor will be assigned a landscape background image, while a portrait-oriented monitor will be assigned a portrait background image. This ensures that the message remains clear.

If an image with the exact width and height of the screen is available, it will be assigned to that screen. If not, the desktop background engine will select an image with the same aspect ratio from a list of available images. If no such image is available, the engine will choose an image with the same orientation. If no such image is available, the engine will select the closest fitting image to the dimensions of the screen.

The module is also capable of recalibrating and assigning appropriately sized images in response to changes in screen resolution, orientation, or the addition of another screen, thereby preventing distortion or cropping. This feature enables laptop users to seamlessly transition between desks without having to manually reset their wallpaper when connecting to different external monitors, thereby saving time and effort.

A personalization package must include at least one desktop background image in JPG format. The file size of each image must not exceed 10 MB, and we recommend keeping the total size of the personalization package under 500 MB.

Microsoft Outlook signatures

The Microsoft Outlook engine is an adjunct feature to the Desktop background feature (A personalization package must include at least one desktop background image in JPG format). There are two types of Microsoft Outlook signatures: a ‘New message’ signature and a ‘Reply message’ signature. The total file size of each Outlook signature and its assets cannot exceed 10 MB.

New message signature: A new message signature is used when composing a new Microsoft Outlook message. It should include a ‘wpsecure_new.htm’ HTML file and optionally include a ‘wpsecure_new.txt’ Text file and an optional ‘wpsecure_new_files’ directory that contains resource files like images, CSS, etc.

Reply message signature: A reply message signature is used when replying to an email message. It should include a ‘wpsecure_reply.htm’ HTML file and optionally include a ‘wpsecure_reply.txt’ Text file and an optional ‘wpsecure_reply_files’ directory that contains resource files like images, CSS, etc.

Use placeholders like {{last_name}}, {{email_address}}, or {{job_title}} in the ‘wpsecure_new.htm’, ‘wpsecure_new.txt’, ‘wpsecure_reply.txt’, and ‘wpsecure_reply.txt’ files to automatically load user-specific data at runtime. The WPSecure Outlook signature engine replaces the placeholders with the information in the registry corresponding to each placeholder. If the Key path does not exist create it. For example, the placeholder {{last_name}} will be replaced by the following registry entry.

Key path	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\wpsecure\signature
Name	last_name
Value	John Doe
Type	REG_SZ

Windows screensaver

The screensaver engine is an adjunct feature to the Desktop background feature (A personalization package must include at least one desktop background image in JPG format). The file size of the screensaver file must be at most 20 MB.

In terms of input quality for the screensaver, it’s important to ensure that the images or videos used are of high resolution and quality. This will help to create a visually appealing and professional-looking screensaver.

There are several tools available that can be used to create custom screensavers for Windows. One way to create a screensaver is to use the built-in tool in Windows 10. You can arrange your desired screensaver photos in a folder of your choice, then access the Personalize applet by right-clicking anywhere on the desktop. From there, you can select the Lock Screen tab and then go to Screen saver settings. In the window that opens, select Photos from the dropdown menu and configure the settings according to your preferences.

Another option is to use a third-party tool such as Canva or Adobe Spark. These tools offer a range of templates and design elements that can be used to create custom wallpapers and screensavers. With these tools, you can easily upload your own images or choose from a library of stock images to create a unique and personalized screensaver.

Windows Personalization packager actions

You can launch the Windows Personalization Packager from the start menu. Upon opening the application, you will be presented with the ‘Terms of Use and Service’ page. Please take a moment to review it. If you would like to try the Packager before purchasing a subscription, you can click on the ‘Click on this link to try the demo’ button located in the top right corner of the screen.

If you have already purchased a subscription, you can access the full version of the Personalization Packager by clicking on the ‘Click here to agree to the terms and start the application’ button.

You can log in using your subscription’s email address and password. If you do not know or remember your password, click the “Forgot your password” link. A password reset email will be sent to the email address if such a subscription exists. If you have logged in before and your access token has not expired, the authentication will happen silently and the authentication box will not appear.

A successful login process should land you on the following Screen. All the action concerning the Windows Personalization Packager happens on this Screen. The layout is simplistic, and the process is self-explaining.

Listed below are the actions triggered by each button on this page.

Import desktop background images from folder: This button enables you to import multiple images in JPG format from a selected folder. The packager only allows up to 90 desktop background images of varying dimensions and orientations. The size of each image cannot exceed 10 MB. Image Width and Height cannot be a decimal/fraction.

Import Outlook signature: Allows you to import a Microsoft Outlook signature HTM file.

Import screensaver: Import a screensaver file with a .scr file extension.

Remove selected items: Select an item from the list to remove it.

Remove all items: Click this button to remove all items in the list. Helps with clearing out items before uploading new items.

Create personalization package: Use this button to export the personalization package to a folder. The selected destination folder has to be empty. The personalization package creation process creates two folders: general_install and intune_install.

The general_install folder contains installation files for deployment via enterprise software management tools like Microsoft Endpoint Configuration Manager (SCCM). Run the ‘wpsecure-install.exe’ to install the personalization package. More details regarding the enterprise installation and uninstallation process are in the ‘documentation.html’ file.

The intune_install folder contains the ‘wpsecure-install.intunewin’ file that can be uploaded to the Microsoft Endpoint Device Management portal (Intune). The command-line for this is identical to the general install.

The process also creates a ‘documentation.html’ file that provides all the information required to deploy the personalization package, like package version, install command line, uninstall command line, and detection methods.

The image below displays the Packager interface when one or more personalization items have been loaded. To preview the content, click on each item.

Note: Please refrain from altering the items while in preview mode. Doing so will result in a fatal error and cause the process to fail.

If one or more items should fail import, the following screen will report the failed item. You can understand the problem better by looking at the log file in the following location.

				
					%temp%\wpsecure-packager.log

The Campaign Manager

This tool creates a campaign file. The campaign file gets mass deployed to devices. The file name of the campaign file is ‘wpsecure.campaigns’. The file contains information regarding each personalization package’s start date, end date, and priority. Click the add new campaign button below to add a new campaign and the remove selected items button to remove one or more campaigns. You can open the Campaign Manager from the Windows start menu. A successful sign-in will land you on the following Screen.

Click on the add new campaign button to create a new campaign. Alternatively, click on Import an existing campaign file to open campaigns saved into a previously saved campaigns file.

The campaign number is the unique identifier of the campaign. The package version serves as a unique identifier for the locally installed personalization package. This information can be found within the ‘documentation.html’ file located in the personalization package. The start date specifies when a particular personalization package will begin running on the device, while the end date indicates when it will cease to operate. The priority setting assists the WPsecure engine in resolving conflicts that may arise during overlapping campaigns. Additionally, the group number is an integer value representing a collection of users. If the value of this field matches that of the following registry key, the campaign takes precedence. A value of ‘0’ indicates that the campaign targets all groups. Use external scripts to set the registry value.

Key path	HKEY_CURRENT_USER\Control Panel\Desktop
Name	wpsecurecampaigngroupid
Value	2334
Type	REG_SZ

Click the buttons below to either import an existing campaign file or generate a new campaign file. The file name of the campaign file is ‘wpsecure.campaigns’.

The window after adding a campaign or importing an existing campaign file will look similar to the below window.

The campaign generation process creates two folders: general_install and intune_install. The general_install folder contains installation files for deployment via enterprise software management tools like Microsoft Endpoint Configuration Manager (SCCM). Run the ‘wpsecurecc.exe’ file to copy the campaign file to the correct location.

The intune_install folder contains the ‘wpsecurecc.intunewin’ file that can be uploaded to the Microsoft Endpoint Device Management portal (Intune). The command line for this is identical to the general install.

The process also creates a ‘documentation.html’ file that provides all the information required to deploy the campaign file, like install command line, uninstall command line, and detection methods. Save this file for future reference regarding the personalization Package versions, start dates, end dates, and priority.

Once the campaign file has been deployed to Windows 10 and 11 devices, the Personalization Packages corresponding to the best-fitting campaign listed in the campaign file will be triggered.

Disable WPSecure

There may be instances where it is desirable to disable WPSecure without uninstalling the WPSecure Windows Personalization Packages. Similarly, there may be scenarios where it is necessary to install WPSecure packages but postpone their activation until a later date. In such cases, the WPSecure loader can be disabled by modifying the following registry key.

Key path	HKEY_LOCAL_MACHINE\SOFTWARE\wpsecure
Name	wpsecuredisabled
Value	1
Type	REG_SZ

Useful links

Deploy Windows Personalization packages using Microsoft Intune – Click here.

Table of Contents