I got a question week about setting lock screen picture not working when the picture is in OneDrive. Personal I never use OneDrive or any other service that requires a login token when deploying pictures or other settings down to a windows 10 client with Intune. The reason for this is, if for some reason the device is not able to authenticate then my setting will not apply, I love to use Azure file storage for this one – do to that is it both secure and we can embed the authentication token in the link that we deploy to the end user device. But if you don’t have a Azure subscription then just use the free Azure service with 5GB of Azure Blob Storage – just be sure that you are in control of the service, not like OneDrive where a SharePoint administrator or a security administrator can change the security settings on OneDrive that may effect your policy.
Note : Supported in Windows 10 Enterprise and Education SKUs
How to upload the picture to Azure Blob Storage:
First of all if you already have a Azure Storage account you can skip this section if not then start the Azure portal search for free service find the Azure Blob Storage and click create
Click start free
Click Start free – and follow the guide to sign up
Once you are finish search for storage account and click add
- Create a resource group if you not have any or just use a existent one
- Enter you Storage account name : osdintune
- Click Review+ create
- Click create if all the information is correct
- Click Open in Explorer – you need the Azure Storage Explorer installed
- Create a folder
- Upload your picture
- Click Change Access Tier
- Change when the access token expiry – remember when it expires your end users will not have access to the picture any more and the Intune policy will have no effect.
- Copy the URL with the access token embedded
- Click Close
Now you are ready to create your Intune profile:
Start the Microsoft 365 Device Management portal
- Click Device configuration
- Click Profiles
- Click Create profile
Then there is the two setting – one for Lockscreen picture and one for desktop bagground picture – you can easy create both setting in the same profile – in this example I have done it.
- Name : Windows 10 – Personalization
- Platform : Windows 10 and later
- Profile type : Device restrictions
- Click : Settings
- Click : Locked Screen Experience
- Enter the URL in “Locked screen picture URL”
- Name : Windows 10 – Personalization
- Platform : Windows 10 and later
- Profile type : Device restrictions
- Click : Settings
- Click : Personalization
- Enter the URL in “Desktop background picture URL”
Last for the End user experience:
Remember like for any other policy or device restriction the end user cannot change the behavior that the IT admin has setup on the end user device – but for some companies it is very important to have the company branding on every thing including desktop background and lock screen.
End user experience for background picture.
In Intune there is not a easy way of setting background picture for different screen resolutions, this one will also choose a fit.
End user experience for lock screen picture.
Read more:
Cloud First 
Great idea, we utilize this but im stunned it requires Enterprise and it does not work on Pro. Please fix this for Pro also!
This only works on enterprise edition. Please update your article and point this out.
@Rkast, you can use bginfo to deploy desktop backgrounds but takes a bit to set up.
It is pointed out in the note on the blogpost and have been since I wrote it
Hello Per,
Thanks for this great article.
We have a customer who requires the lockscreen images to be displayed as slideshow. They use GPO in the local premise to achieve this. However, they are now moving completely on cloud and would want have to have the same functionality.
Any ideas on how to achieve this would be greatly appreciated.
Thanks a lot,
Ashika
to apply on Windows 10 Pro, use the mode below
You will need to create 3 different Profiles
1. One will be for set a Desktop wallpaper
2. The second one will be for Lock Screen Image
3. And the third one will be for the Education Policy since you are using Win 10 PRO
Using a separate profile for each one, so on that they can deploy without errors.
You are going to use this configuration for each OMA-URI
• OMA-URI – Desktop image: ./Vendor/MSFT/Personalization/DesktopImageUrl
• OMA-URI – Lock screen image: ./Vendor/MSFT/Personalization/LockScreenImageUrl
• Data type: String
• Value: [\]
• In this value can be a http(s) url, or a file url;
• In this value can be a jpg, jpeg or png image.
• OMA-URI- Education Policy ./Vendor/MSFT/SharedPC/SetEduPolicies
• Data type: boolean
• Value: True
Hello, is it possible to lock the screen Windows Hello in case of lost or stolen ?
Just out of curiosity, why blob and not file shares?
Blob is easy to access from all devices. You can use a file share as well – just be sure that the device have access to the file share at the time the policy are applying