WPSecure

Summary

Keeping our commitment to simplicity, this guide offers clear, easy-to-follow instructions for installing and using the Windows Personalization Packager. The most effective way to familiarize yourself with the product is through hands-on experience. We invite you to try it out by clicking the button in the top right corner of your screen.

Did you know the WPSecure Personalization Packager only has 6 buttons? Create powerful deployment packages with ease. It's as simple as 1, 2 and 3.

Terminology

Packaging Tool

(Packager)

Creates deployment packages that contain Desktop backgrounds, Outlook signatures and Screensavers that can be easily deployed to on-premises and Cloud-connected Windows devices.

Package

This is created using the Packager and is then deployed using software deployment utilities such as SCCM, Intune or similar tools.

Campaign Manager

This tool generates the campaign file that dictates the start and end dates and the priority of packages. The Campaign files are deployed in a manner identical to the Personalization packages.

Prerequisites

The Packager, and the Personalization packages it creates, have the following prerequisites.

| Component | Prerequisite |
| --- | --- |
| PACKAGE | WPSecure Windows Personalization packages are only certified for use with physical devices such as Desktops, Laptops, and Tablets, where users are not logged in concurrently (simultaneously). |
| PACKAGER | The verification process for the subscription of the Packager necessitates a live internet connection that can directly and unrestrictedly access the Microsoft identity platform on the URLs wpsecure.onmicrosoft.com and wpsecure.b2clogin.com. However, this requirement does not apply to the Personalization packages. |
| ALL | Operating System: Windows 10 20H2 or later, or a Microsoft-supported version of Windows 11. |
| ALL | .NET Framework: Version 4.8 or later. |
| ALL | Processor: 1 gigahertz (GHz) or faster with 2 or more cores on a compatible 64-bit processor core (The packages work on x86 devices but are not supported). |
| ALL | Memory: 4 GB RAM or greater. |
| ALL | Storage: 64 GB or larger storage device. |
| ALL | Functional WMI and .NET Framework. |
| PACKAGE | No local or global policies prevent changing desktop backgrounds, Outlook signatures, or screensavers in the user context. |
| PACKAGE | All necessary exceptions for AppLocker and other security products that may impede the seamless operation of WPSecure must be configured appropriately. |
| PACKAGE | Outlook signature deployments are specific to the standard Microsoft Office 365 Outlook client. Unfortunately, email signatures do not work with other Windows-based mail clients like Thunderbird, Mailbird, eM Client, Mail for Windows 10/11, Outlook New app, and Opera Mail. |
| ALL | The system must not have any faulty drivers, mainly those related to display, storage, or the processor. |

Log location

The Personalization Packager records its progress, failures, and exceptions in the below log file.

    %temp%\wpsecure-packager.log

The Personalization package installer, which runs as the SYSTEM user or as an elevated Administrator, records its progress, failures, and exceptions in the below log file.

    %SystemDrive%\Windows\Temp\wpsecure-install.log

The Personalization package uninstaller, which runs as the SYSTEM user or as an elevated Administrator, records its progress, failures, and exceptions in the below log file.

    %SystemDrive%\Windows\Temp\wpsecure-uninstall.log

The following log files pertain to the loading, brokering, events, and selection of the Personalization packages.

    %temp%\wpsecure-xx.xx.xxxx.xxxx.log
    %temp%\wpsecureloader.log
    %temp%\wpsecurebr.log

Policies that get in the way.

The WPSecure Personalization Engine follows the least-privilege principle to keep the system safe: changes to desktop backgrounds, Outlook signatures, and Windows screensavers are made in the standard (non-admin) user context.

Local and global policies that prevent end-users from changing desktop backgrounds and themes will conflict with the WPSecure desktop background processing engine. We recommend removing these policies and hiding the corresponding Windows Control Panel items or panels. 

The two policies below will prevent the WPSecure engine from changing the desktop background. It is recommended to either remove them or leave them not configured.

  1. Prevent Changing Desktop Background: This Group Policy can be found under User Configuration\Administrative Templates\Control Panel\Personalization. If this policy is enabled, it will prevent users from changing the desktop background.

  2. Desktop Wallpaper: This Group Policy can be found under User Configuration\Administrative Templates\Desktop\Desktop. If enabled, this policy will specify the desktop wallpaper and prevent the proper functioning of the WPSecure desktop background engine. 

| Registry Path | Value Name | Incorrect Setting |
| --- | --- | --- |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallPaper | 1 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | Wallpaper | Exist |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | Wallpaper | Exist |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | WallpaperStyle | 1 or 2 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | WallpaperStyle | 1 or 2 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallPaper | 1 |

Note: The above table points out incorrect settings (settings that we do not need).
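
The registry values in the table above can be checked on a device with a short script. This is an added example, not part of the WPSecure product or its documentation; it reads each listed value and flags the ones in the "incorrect" state. Run it in the affected user's session so that HKEY_CURRENT_USER resolves to that user's hive.

```powershell
# Added example (not WPSecure code): audit the registry values that the
# table above lists as conflicting with the desktop background engine.

function Test-WallpaperPolicyConflict {
    [CmdletBinding()]
    param()

    $policyRoot = 'Software\Microsoft\Windows\CurrentVersion\Policies'

    # One entry per distinct table row. Bad = '*' stands for the table's
    # "Exist" (any data counts); otherwise Bad lists the flagged data.
    $rows = @(
        @{ Hive = 'HKLM'; Key = 'ActiveDesktop'; Name = 'NoChangingWallPaper'; Bad = '1' }
        @{ Hive = 'HKCU'; Key = 'System'; Name = 'Wallpaper';      Bad = '*' }
        @{ Hive = 'HKLM'; Key = 'System'; Name = 'Wallpaper';      Bad = '*' }
        @{ Hive = 'HKCU'; Key = 'System'; Name = 'WallpaperStyle'; Bad = '1', '2' }
        @{ Hive = 'HKLM'; Key = 'System'; Name = 'WallpaperStyle'; Bad = '1', '2' }
    )

    foreach ($row in $rows) {
        $path = '{0}:\{1}\{2}' -f $row.Hive, $policyRoot, $row.Key

        # Yields nothing, without an error, when the key or value is absent.
        $item = Get-ItemProperty -LiteralPath $path -Name $row.Name -ErrorAction SilentlyContinue
        $present = $null -ne $item
        $data = if ($present) { [string]$item.($row.Name) } else { $null }

        [pscustomobject]@{
            Path     = $path
            Name     = $row.Name
            Data     = $data
            Conflict = $present -and (($row.Bad -contains '*') -or ($row.Bad -contains $data))
        }
    }
}

$report = @(Test-WallpaperPolicyConflict)
$report | Format-Table -AutoSize -Wrap

$conflicts = @($report | Where-Object Conflict)
if ($conflicts.Count -gt 0) {
    Write-Warning ("{0} conflicting policy value(s) found; remove the policy or leave it not configured." -f $conflicts.Count)
}
```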

The best test is to change the desktop wallpaper image manually. If you can do this, your system will be ready to handle customization deployment using WPSecure packages.

After resolving all policy conflicts, including but not limited to those mentioned above, you may hide the Windows panels and menus associated with changing desktop backgrounds and themes. To clarify, the objective is to hide the controls for changing desktop backgrounds and themes rather than limiting access to these features.

Hide personalization items from control panel:

After removing policies that restrict users from changing the desktop background, you can hide these options from the Control Panel, using the Group Policy Editor. Here’s how:

  1. Open the Group Policy Editor by pressing the Windows key + R, typing gpedit.msc, and pressing Enter.
  2. In the left pane, navigate to User Configuration\Administrative Templates\Control Panel.
  3. In the right pane, double-click on Hide specified Control Panel items.
  4. Select Enabled and then click on the Show button next to List of disallowed Control Panel items.
  5. In the Value column, type Microsoft.Personalization and click on OK.
  6. Click on Apply and then on OK to save your changes.

Note: Any changes to the desktop backgrounds made by users outside of the standard methods (which should now be hidden) will be overwritten by the WPSecure engine when they unlock their devices.

Windows Personalization Packager installation

The Personalization Packager is available for download by clicking on the button located in the top right corner of this page. The download consists of a compressed ZIP file that contains a Microsoft Installer (MSI) file, accompanied by a Digital Signature issued by Sectigo, a reputable computer security service based in Roseland, New Jersey. To ensure the authenticity and safety of the installer, it is important to only download it from this website and not from any other source.

To install an MSI file on a Windows computer, you must first ensure that you are signed in as an administrator. Once you have located the MSI file, simply double-click it to run the installer and start the installation wizard. Follow the prompts to complete the installation process. Alternatively, you can use the Command Prompt or PowerShell to install an MSI file by using the command:

    msiexec /i [location of MSI file]

The MSI installs the following applications.

  1. The Packager
  2. The Campaign Manager.
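
Before running the installer, the digital signature mentioned above can be checked from PowerShell. This is an added example, not part of the WPSecure documentation; the MSI path is a placeholder, and the issuer check relies only on this page's statement that the signature is issued by Sectigo.

```powershell
# Added example (not WPSecure code): verify the Authenticode signature of the
# downloaded MSI before handing it to msiexec.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Text expected in the certificate issuer; the page names Sectigo.
        [string]$ExpectedIssuerText = 'Sectigo'
    )

    $signature = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the certificate
    # chain is trusted on this machine. Anything else is treated as a failure.
    if ($signature.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($signature.Status)': $($signature.StatusMessage)"
        return $false
    }

    $cert = $signature.SignerCertificate
    if ($cert.Issuer -notlike "*$ExpectedIssuerText*") {
        Write-Warning "Unexpected issuer: $($cert.Issuer)"
        return $false
    }

    # Record who signed the file so later downloads can be compared.
    Write-Host "Signer:     $($cert.Subject)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"
    Write-Host "SHA-256:    $((Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash)"
    return $true
}

# Placeholder path: point this at the MSI extracted from the downloaded ZIP.
$msi = 'C:\Temp\installer.msi'

if (Test-InstallerSignature -Path $msi) {
    # Install only after the check passes (requires an elevated session).
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList '/i', "`"$msi`"" -Wait -PassThru
    Write-Host "msiexec exit code: $($proc.ExitCode)"
} else {
    Write-Error 'Installer signature check failed; not installing.'
}
```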

 

Desktop backgrounds, Outlook signatures and screensavers

Buy a subscription and register

Select the ‘Buy or Manage’ option from the top menu to acquire a subscription. Once your purchase is complete, navigate to the Personalization Packager. You’ll find a ‘sign up now’ link beneath the login screen. Click on this link to finalize your registration process.

Personalization Packager sign up window - Image 1

Complete the registration process using the email address supplied during purchase.

Personalization Packager sign up window - Image 2

The Personalization Packager

The Personalization Packager allows you to bundle your personalization elements, such as Desktop backgrounds, Outlook signatures, and screensavers, into a deployment package that can be easily deployed to locally networked and Cloud-connected devices.

The Personalization Packager creates self-contained personalization deployment packages that are deployed to Windows 10 and 11 devices.

Note: The Personalization deployment packages are x86-based assemblies that can run on both 64-bit and 32-bit (not supported) architectures. However, the Personalization Packager itself can only install and run on 64-bit machines.

The Personalization packager accepts 3 types of personalization items.

  1. Desktop backgrounds.
  2. Microsoft Outlook signatures.
  3. A Windows screensaver.

Desktop backgrounds

This module assigns unique desktop background images to each screen, ensuring that the image’s structure and message are preserved. For instance, a landscape-oriented computer monitor will be assigned a landscape background image, while a portrait-oriented monitor will be assigned a portrait background image. This ensures that the message remains clear.

If an image with the exact width and height of the screen is available, it will be assigned to that screen. If not, the desktop background engine will select an image with the same aspect ratio from a list of available images. If no such image is available, the engine will choose an image with the same orientation. If no such image is available, the engine will select the closest fitting image to the screen’s dimensions.

The module can also recalibrate and assign appropriately sized images in response to changes in screen resolution, orientation, or the addition of another screen, thereby preventing distortion or cropping. This feature enables laptop users to seamlessly transition between desks without manually resetting their wallpaper when connecting to different external monitors, thereby saving time and effort.
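
The fallback order described above, written out as an added example (not WPSecure's own code). Two points are assumptions because the page does not define them: "closest fitting" is taken as the smallest summed pixel difference, and the same measure breaks ties inside a tier. The image library and screen sizes are constructed sample data.

```powershell
# Added example (not WPSecure code): pick one image per screen using the
# order exact size -> same aspect ratio -> same orientation -> closest fit.

function Select-BackgroundImage {
    param(
        [Parameter(Mandatory)] [int]$ScreenWidth,
        [Parameter(Mandatory)] [int]$ScreenHeight,
        [Parameter(Mandatory)] [object[]]$Images   # objects with Name, Width, Height
    )

    # Assumption: distance = summed pixel difference in width and height.
    $distance = { [math]::Abs($_.Width - $ScreenWidth) + [math]::Abs($_.Height - $ScreenHeight) }

    # Tiers are tried in order; the first tier with any candidate wins.
    $tiers = [ordered]@{
        'exact size'        = { $_.Width -eq $ScreenWidth -and $_.Height -eq $ScreenHeight }
        # Cross-multiplication compares ratios without floating point.
        'same aspect ratio' = { ($_.Width * $ScreenHeight) -eq ($_.Height * $ScreenWidth) }
        'same orientation'  = { ($_.Width -ge $_.Height) -eq ($ScreenWidth -ge $ScreenHeight) }
        'closest fit'       = { $true }
    }

    foreach ($tier in $tiers.GetEnumerator()) {
        $candidates = @($Images | Where-Object -FilterScript $tier.Value)
        if ($candidates.Count -gt 0) {
            $pick = $candidates | Sort-Object -Property $distance | Select-Object -First 1
            return [pscustomobject]@{
                Screen = '{0}x{1}' -f $ScreenWidth, $ScreenHeight
                Image  = $pick.Name
                Rule   = $tier.Key
            }
        }
    }
}

# Constructed sample library (landscape images only) and screens.
$library = @(
    [pscustomobject]@{ Name = 'fhd-landscape.jpg';  Width = 1920; Height = 1080 }
    [pscustomobject]@{ Name = 'uhd-landscape.jpg';  Width = 3840; Height = 2160 }
    [pscustomobject]@{ Name = 'sxga-landscape.jpg'; Width = 1280; Height = 1024 }
)
$screens = @(
    @{ W = 1920; H = 1080 }   # a library image has exactly this size
    @{ W = 2560; H = 1440 }   # 16:9 screen with no exact-size image
    @{ W = 1920; H = 1200 }   # 16:10 landscape screen
    @{ W = 1080; H = 1920 }   # portrait screen; the library has no portrait image
)

foreach ($s in $screens) {
    Select-BackgroundImage -ScreenWidth $s.W -ScreenHeight $s.H -Images $library
}
```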

The file size of each image must not exceed 10 MB, and we recommend keeping the total size of the personalization package under 500 MB.

Microsoft Outlook signatures

There are two types of Microsoft Outlook signatures: a ‘New message’ signature and a ‘Reply message’ signature. The total file size of each Outlook signature and its assets cannot exceed 10 MB.

New message signature: A new message signature is used when composing a new Microsoft Outlook message. It should include a ‘wpsecure_new.htm’ HTML file and optionally include a ‘wpsecure_new.txt’ file, a ‘wpsecure_new.rtf’ file, and an optional ‘wpsecure_new_files’ directory that contains resource files like images, CSS, etc.

Reply message signature: A reply message signature is used when replying to an email message. It should include a ‘wpsecure_reply.htm’ HTML file and optionally include a ‘wpsecure_reply.txt’ file, a ‘wpsecure_reply.rtf’ file, and an optional ‘wpsecure_reply_files’ directory that contains resource files like images, CSS, etc.

Use placeholders like {{az_displayname}}, {{az_mobilephone}}, or {{az_jobtitle}} in the ‘wpsecure_new.htm’, ‘wpsecure_new.txt’, ‘wpsecure_reply.htm’, and ‘wpsecure_reply.txt’ files to automatically load user-specific data at runtime. The WPSecure Outlook signature engine replaces the placeholders with the information in the registry corresponding to each placeholder. If the key path does not exist, create it. For example, the following registry entry will replace the placeholder {{az_surname}}.

| Field | Value |
| --- | --- |
| Key path | HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\wpsecure\signature |
| Sub key | Billy.George@mycompany.email |
| Name | az_surname |
| Value | George |
| Type | REG_SZ |
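
A pre-deployment check for the placeholder mechanism described above: it writes the page's example entry and then lists the placeholders in a template that have no matching registry value for that sub key. This is an added example, not WPSecure code; the placeholder name pattern (letters, digits, underscore) is an assumption based on the names shown on this page, and the template is constructed sample data.

```powershell
# Added example (not WPSecure code). Run in the user's own session (HKCU).
$signatureRoot = 'HKCU:\Software\Microsoft\Office\Outlook\wpsecure\signature'

function Set-SignaturePlaceholder {
    param(
        [Parameter(Mandatory)] [string]$SubKey,
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Value
    )
    $key = "$signatureRoot\$SubKey"
    # Create the key path only when it is missing, as the page instructs.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # REG_SZ value named after the placeholder.
    New-ItemProperty -LiteralPath $key -Name $Name -Value $Value -PropertyType String -Force | Out-Null
}

function Get-UnresolvedPlaceholder {
    param(
        [Parameter(Mandatory)] [string]$Template,
        [Parameter(Mandatory)] [string]$SubKey
    )
    $key = "$signatureRoot\$SubKey"

    # Assumed placeholder syntax: {{name}} with letters, digits and underscores.
    $names = [regex]::Matches($Template, '\{\{([A-Za-z0-9_]+)\}\}') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() } |
        Sort-Object -Unique

    foreach ($name in $names) {
        # Yields nothing when the key or the value does not exist.
        $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item -or [string]::IsNullOrWhiteSpace([string]$item.$name)) {
            $name
        }
    }
}

# Constructed sample template using placeholder names from this page.
$template = @'
<p>{{az_displayname}}<br>
{{az_jobtitle}}<br>
Mobile: {{az_mobilephone}} | Family name: {{az_surname}}</p>
'@

# The page's example entry (sub key and value are the page's sample data).
Set-SignaturePlaceholder -SubKey 'Billy.George@mycompany.email' -Name 'az_surname' -Value 'George'

$missing = @(Get-UnresolvedPlaceholder -Template $template -SubKey 'Billy.George@mycompany.email')
if ($missing.Count -gt 0) {
    Write-Warning ("No registry value for: {0}" -f ($missing -join ', '))
}
```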

Azure AD users can automatically synchronize their account attributes (supported attributes are listed below) with the registry location mentioned above. Users can initiate the synchronization process by clicking on the Start Menu shortcut, created by running the below-specified executable and providing the necessary parameters. The executable is in the WPSecure application directory within the Program Files (x86) directory. Users can click on the shortcut to trigger the synchronization.

    wpsecure-set.exe -source azure -tenantid 9fb4d4d6-7541-490f-a49a-111d3393731f -clientid 55eba948-6cdd-4b98-ad9b-7ff7b36138c6 -createsc

To enable Users to read their account attributes, an Azure app registration must be set up. The above-referenced TenantID and ClientID values will be generated during the Azure app registration. Microsoft documentation.

Open the Entra ID console (a.k.a. Azure Portal) at https://portal.azure.com/ and click on “New Registration”.

Enter the following details and settings in the new registration window and save.

| Setting | Value |
| --- | --- |
| Name | WPSecure Signature Data Sync (This can be anything descriptive) |
| Supported account types | Accounts in this organizational directory only (OSD365 Limited only - Single tenant) |
| Redirect URI | http://localhost:5453 (Public client/native (mobile & desktop)) |
| Allow public client flow | Yes |
| API Permissions | Microsoft Graph \| User.Read |

Open the newly created App registration and make the following changes.

| Setting | Value |
| --- | --- |
| Allow public client flow | Yes |
| API Permissions | Microsoft Graph \| User.Read |

If legacy Active Directory Services are used, user attributes will synchronize automatically (if your environment is set up correctly).

Attributes synchronized from Azure have an ‘az_’ prefix, for example ‘az_attributename’, and attributes synchronized from Active Directory Services have an ‘ad_’ prefix, for example ‘ad_attributename’.

Using custom automation, you can manually create your own placeholders or sync them from other sources, for example ‘my_custom_attribute’.

The following table outlines the supported attributes for Azure and Active Directory Services.

| Active Directory | Azure (Entra) | Description |
| --- | --- | --- |
| ad_telephonenumber | az_businessphones1 | Phone number associated with the user. |
| ad_l | az_city | City where the user is located. |
| ad_company | az_companyname | Name of the user’s company or organization. |
| ad_c | az_country | Country code or name where the user resides. |
| ad_department | az_department | Department or team within the organization. |
| ad_displayname | az_displayname | User’s display name (usually first and last name). |
| ad_employeeid | az_employeeid | Unique identifier for the employee. |
| ad_facsimiletelephonenumber | az_faxnumber | Fax number associated with the user. |
| ad_givenname | az_givenname | User’s first name. |
| ad_title | az_jobtitle | Job title or position within the organization. |
| ad_mail | az_mail | Email address of the user. |
| ad_mailnickname | az_mailnickname | Unique nickname for the user’s email address. |
| ad_mobile | az_mobilephone | Mobile phone number of the user. |
| ad_office | az_officelocation | Physical office location or workspace. |
| ad_postalcode | az_postalcode | Postal code or ZIP code of the user’s address. |
| ad_st | az_state | State or region where the user resides. |
| ad_streetaddress | az_streetaddress | Street address of the user. |
| ad_sn | az_surname | User’s last name or surname. |
| ad_userprincipalname | az_userprincipalname | Principal name used for authentication (usually the email address). |

Windows screensaver

The file size of the screensaver video file must be at most 50 MB. Import a video with the .MP4 file extension. WPSecure utilizes MP4 files, also known as MPEG-4 video files, for Screensaver.

Ensure that the videos used are of high resolution and quality. This will help to create a visually appealing and professional-looking screensaver.

The Personalization Packager does not control Screensaver settings like ‘Wait’ or ‘On resume, display logon screen’. Set these values using Global or Local Policies. Ensure that no policies preventing users from changing the Screensaver are being applied.

Using the Personalization packager

You can launch the Personalization Packager from the start menu. Upon opening the application, you will be presented with the ‘Terms of Use and Service’ page. Please take a moment to review it.

If you would like to try the Packager before purchasing a subscription, you can click on the ‘Click on this link to try the demo’ button located in the top right corner of the screen.

If you have already purchased a subscription, you can access the full version of the Personalization Packager by clicking on the ‘Click here to agree to the terms and start the application’ button.

You can log in using your subscription’s email address and password. If you do not know or remember your password, click the “Forgot your password” link. A password reset email will be sent to the email address if such a subscription exists. If you have logged in before and your access token has not expired, the authentication will happen silently and the authentication box will not appear.

A successful login process should land you on the following Screen. All the action concerning the Windows Personalization Packager happens on this Screen. The layout is simple, and the process is self-explanatory.

Listed below are the actions triggered by each button on this page.

Import desktop background images from the folder: To import multiple images in JPG format, click on this button. A file explorer window will open, allowing you to select a folder containing the images you want to import. Please note that the packager only allows up to 90 desktop background images of varying dimensions and orientations. Each image should not exceed 10 MB, and the Image Width and Height cannot be a decimal/fraction. If any of these conditions are not met, the import process may fail.

Import Outlook signature: Import a Microsoft Outlook signature HTM file.

Import screensaver: Import a video file in MP4 file format.

Remove selected items: Select an item from the list to remove it.

Remove all items: Click this button to remove all items in the list. This can be useful when you want to clear out all existing items before uploading new ones, or if you want to start fresh with a new personalization package.

Create personalization package: Use this button to export the personalization package to a folder. A personalization package is a collection of all the settings and files you have imported or created for your desktop backgrounds, Outlook signatures, and screensavers.  The selected destination folder has to be empty. The personalization package creation process creates two folders: general_install and intune_install.

The general_install folder contains installation files for deployment via enterprise software management tools like Microsoft Endpoint Configuration Manager (SCCM). Run the ‘wpsecure-install.exe’ to install the personalization package. More details regarding the enterprise installation and uninstallation process are in the ‘documentation.html’ file.

The intune_install folder contains the ‘wpsecure-install.intunewin’ file to be uploaded to the Microsoft Endpoint Device Management portal (Intune). The command-line for this is identical to the general install.

The process also creates a documentation.html file that provides all the information required to deploy the personalization package, like package version, install command line, uninstall command line, and detection methods.

Desktop Personalization deployment

The image below displays the Packager interface when one or more personalization items have been loaded. To preview the content, click on each item.

Note: Please refrain from altering the items while in preview mode. Doing so will result in a fatal error and cause the process to fail.

If one or more items fail to import, the following screen will report the failed item. You can understand the problem better by looking at the log file in the following location.

    %temp%\wpsecure-packager.log

The Campaign Manager

This tool creates a campaign file. The campaign file gets mass deployed to devices. The file name of the campaign file is ‘wpsecure.campaigns’. The file contains information regarding each personalization package’s start date, end date, and priority. Click the add new campaign button below to add a new campaign and the remove selected items button to remove one or more campaigns. You can open the Campaign Manager from the Windows start menu. A successful sign-in will land you on the following Screen.

Click on the add new campaign button to create a new campaign. Alternatively, click on Import an existing campaign file to open campaigns from a previously saved campaigns file.

Campaign number: Assign a positive numeric value. While this does not have technical value, this value is used to maintain uniqueness.

Package version: This is the version corresponding to the Personalization package. You’ll find the value in the documentation.html file of the Package installer.

Start and End dates: When the campaign will start and end.

Campaign Priority: This numeric value plays a crucial role in conflict resolution. In scenarios where two Personalization packages share the same schedule, and the WPSecure personalization engine encounters a conflict, the Priority value determines which Personalization package takes precedence.

Group number: Assign a collection of Users the same ‘Group number’ and target specific Personalization Packages to them based on a schedule. The group number can be assigned to a User using the command below. This command has to be run in the User context.

    wpsecure-set.exe -groupid 1475

Click the buttons below to either import an existing campaign file or generate a new campaign file. The file name of the campaign file is ‘wpsecure.campaigns’.

The window after adding a campaign or importing an existing campaign file will look similar to the below window.

The campaign generation process creates two folders: general_install and intune_install. The general_install folder contains installation files for deployment via enterprise software management tools like Microsoft Endpoint Configuration Manager (SCCM). Run the ‘wpsecurecc.exe’ file to copy the campaign file to the correct location.

The intune_install folder contains the ‘wpsecurecc.intunewin’ file that can be uploaded to the Microsoft Endpoint Device Management portal (Intune). The command line for this is identical to the general install.

The process also creates a documentation.html file that provides all the information required to deploy the campaign file, like install command line, uninstall command line, and detection methods. Save this file for future reference regarding the personalization Package versions, start dates, end dates, and priority.

Once the campaign file has been deployed to Windows 10 and 11 devices, the Personalization Packages corresponding to the best-fitting campaign listed in the campaign file will be triggered.

Picking order

As mentioned, you can install up to 5 WPSecure Personalization Packages on each device. The list below gives you an idea of how the WPSecure engine will pick the right package.

  1. Is the package installed locally?
  2. Is there a Campaigns file?
  3. List campaigns that have an active schedule.
  4. Limit the list to only campaigns that target the User's GroupID.
  5. Generate a list of packages sorted by campaign priority.
  6. Do a secondary sort based on the package version hierarchy.
  7. Add the Default package version to the bottom of the list if not already in the above list.
  8. Add the remaining locally installed packages to the bottom of the list, leaving out the packages excluded by the Campaign file.

The WPSecure engine picks based on the above criteria for Desktop wallpapers, Outlook signature, and Windows screensaver.

The final pick might activate desktop wallpapers from a specific package but Outlook signature and Screensaver from others.

You could create priorities, defaults, and catch-alls in multiple ways using the combination of the Campaign file, setting default packages, and package version hierarchies.

We recommend first creating a default package and rolling out this package to all your Windows 10 and 11 devices. Include Desktop backgrounds, Outlook signature, and Windows screensaver in this package.

WPSecure commands

The executable is in the WPSecure application directory within the ProgramFiles (x86) directory.

Default Personalization Package

You can set a specific package version as the default version. The package set as default will be overridden by packages referenced in the campaign file. Run this command as administrator.

    wpsecure-set.exe -dpv 20.24.0225.1230

Disable or enable the WPSecure management engine.

There may be instances where it is desirable to disable WPSecure without uninstalling the WPSecure Windows Personalization Packages. Run as administrator.

    wpsecure-set.exe -disable
    wpsecure-set.exe -enable

Campaign Group number

Assign a collection of Users with the same ‘Group number’ and target specific Personalization Packages to them based on a schedule. The group number can be assigned to a User using the command below.

This command has to be run in the User context.

    wpsecure-set.exe -groupid 1475

Logging

When something goes wrong within a complex system like WPSecure, log files provide a detailed list of events that occurred before the malfunction. This information helps troubleshoot issues effectively. You can turn logging ON and OFF by using the following commands. Run as administrator. Default is ON. ‘el’ = Enable and ‘dl’ = Disable.

    wpsecure-set.exe -el
    wpsecure-set.exe -dl

Real-time Loading

This value determines if WPSecure packages load immediately after installation or wait until the user locks/unlocks the screen. Run as administrator. Default is enabled. ‘eroi’ = Enable and ‘droi’ = Disable.

    wpsecure-set.exe -eroi
    wpsecure-set.exe -droi

Screensaver

It is not ideal for the Screensaver to run endlessly. So, by default, it will return to the lockscreen after a 60-minute run. This setting can be changed using the below command. In this example, the Screensaver will return to the lockscreen after a 120-minute run. Input is in minutes.

This has to be run as an administrator.

    wpsecure-set.exe -ssrtls 120

AD Group Policy or Intune Configuration Service Provider usually sets the below value. But sometimes, the values have to be reinforced. This value pertains to the initiation of the Screensaver. How long after the device is idle should the Screensaver start? Make this value the same as other Providers who enforce the same setting. In the below example, the Screensaver timeout is set to 360 seconds or 6 minutes. Input is in minutes.

This command has to run in the User context.

    wpsecure-set.exe -ssto 360

AD Group Policy or Intune Configuration Service Provider usually sets the below value. But sometimes, the values have to be reinforced. Show the login screen after Screensaver exits. ‘0‘ does not return to the login screen, and ‘1‘ returns to the login screen.

This command has to run in the User context.

    wpsecure-set.exe -ssis 1

Outlook Signature

Azure AD users can automatically synchronize their account attributes (supported attributes are listed below) with the registry location mentioned above. Users can initiate the synchronization process by clicking on the Start Menu shortcut, created by running the below-specified executable and providing the necessary parameters. Users can click on the shortcut to trigger the synchronization. The command below has to be run as administrator.

    wpsecure-set.exe -source azure -tenantid 9fb4d4d6-7541-490f-a49a-111d3393731f -clientid 55eba948-6cdd-4b98-ad9b-7ff7b36138c6 -createsc

The above shortcut can be removed using the following command. The last personalization package that gets uninstalled from a device will also remove the shortcut. The command has to be issued as an administrator.

    wpsecure-set.exe -smsssc

To enable Users to read their account attributes, an Azure app registration must be set up. The above-referenced TenantID and ClientID values will be generated during the Azure app registration. Microsoft documentation.

If your organization uses legacy Active Directory Services, run the command below in the User context.

    wpsecure-set.exe -source ad

The WPSecure Outlook signature processing engine sets the default ‘New’ and ‘Reply’ message signatures. If the user changes the default signatures, the engine will replace the defaults at the next event trigger. This allows users to add or use another signature during the current session.

Run the following command as administrator to prevent users from changing the defaults. The default setting is “enabled”.

    wpsecure-set.exe -dsigchange

Run the following command as administrator to allow users to change the defaults.

    wpsecure-set.exe -esigchange

The Win32 Microsoft Outlook 365 client can sync Outlook signatures to the Cloud, but the “when” and “how” are not fully documented. The setting below requests Outlook to sync the email signatures to the Cloud when the Outlook client is opened. It is up to Outlook to honor the request, and the sync will only work if your Outlook 365 client has the roaming settings enabled.

To disable this option, run the following command as the administrator. The Outlook client might still sync your signatures if the roaming setting is enabled. This option will prevent the WPSecure engine from requesting the Outlook client to sync the email signatures when the Outlook client starts. The default setting is “enabled”.

    wpsecure-set.exe -dsigstc

Run the following command as administrator to enable the setting mentioned above.

    wpsecure-set.exe -esigstc
