What is Windows Spotlight

 

Windows Spotlight automatically displays a variety of high-resolution lock screen images. These come from various sources, including Bing searches, professional photographers, and Microsoft’s own collection. It's available on Windows Enterprise and Education editions only.

 

The images cover a range of subjects, from nature scenes and cityscapes to architectural marvels, to keep the login screen fresh.

 

Beyond aesthetics, Spotlight also provides users with helpful tips to get the most out of the Windows experience. These tips cover various areas, such as highlighting new features, boosting productivity, and offering security advice. It also gives interesting facts about the lock screen image itself, including the location and photographer. If you deploy a custom lock screen or background image, the devices will use the custom image instead of the Windows Spotlight image.

 

Keeping the Spotlight On: Connectivity is Key

 

Spotlight relies on an internet connection to download new images and content. In order to be shown personalised content, feedback settings must be set correctly. These settings can be enabled in Privacy > Feedback & diagnostics.

 

Security Considerations: Weighing the Risks

 

The decision to use Spotlight comes down to security preferences. While highly unlikely, there’s a theoretical possibility of social engineering attacks, using cleverly crafted images to trick users into clicking a malicious link or revealing personal information through fake prompts.

 

It also gathers data on users' usage patterns, preferences and interactions with content to tailor suggestions. This could raise privacy concerns for some users. Although Microsoft does work to ensure these connections are secure, there is always a potential for security vulnerabilities and privacy concerns.

Configuration options

  

Windows Spotlight is enabled by default, but it can be customized to suit your organization’s needs. There are various options available for configuration.

 

To configure a device for a single user, navigate to:

 

  • Settings > Personalization > Background. To change the background image to Windows spotlight, select Windows spotlight from the Personalize your background drop-down menu

 

  • Settings > Personalization > Lock screen. To change the lock screen image to Windows spotlight, select Windows spotlight from the Personalize your lock screen drop-down menu

 

When you need to configure multiple devices using advanced customization, you can use one of these options:

 

  • Configuration Service Provider (CSP): Commonly used for devices managed by a Mobile Device Management (MDM) solution, such as Microsoft Intune. CSPs can also be configured with provisioning packages, which are used at deployment time or for unmanaged devices. To configure Windows Spotlight, use the Experience Policy CSP.

  • Group Policy (GPO): Utilized for devices that are either Active Directory joined or Microsoft Entra hybrid joined and not managed by a device management solution. Group Policy can also be applied to devices that aren’t joined to an Active Directory domain by using the local group policy editor.

 

Policy settings

Below is a list of the policy settings to configure:

| Policy name | CSP | GPO |
|---|---|---|
| AllowSpotlightCollection | Y | N |
| AllowThirdPartySuggestionsInWindowsSpotlight | Y | Y |
| AllowWindowsSpotlight | Y | Y |
| AllowWindowsSpotlightOnActionCenter | Y | Y |
| AllowWindowsSpotlightOnSettings | Y | Y |
| AllowWindowsSpotlightWindowsWelcomeExperience | Y | Y |
| ConfigureWindowsSpotlightOnLockScreen | Y | Y |

 

How to disable Windows Spotlight via Group Policy (GP)

 

To establish the recommended configuration via GP, set the following UI path to Disabled:

 

User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Configure Windows spotlight on lock screen

 

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

  

Default value

 

Enabled. (Windows Spotlight is set as the lock screen provider.)

 

Recommended setting

 

The recommended state for this setting is: Disabled.
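
One way to check that the recommended state has actually reached a device is to read the policy value from each loaded user hive. This is an added example, not part of the original article. It assumes the CloudContent.admx template stores the setting as the DWORD ConfigureWindowsSpotlight under the per-user Software\Policies\Microsoft\Windows\CloudContent key, with 2 meaning Disabled. Confirm both against the template you deploy.

```powershell
# Added example: audit "Configure Windows spotlight on lock screen" per user.
# ASSUMPTION (not stated in the article): key path, value name and the data
# value 2 = Disabled are taken from the CloudContent.admx policy definition.
# Verify them against the administrative templates in your environment.
$SubKey        = 'Software\Policies\Microsoft\Windows\CloudContent'
$ValueName     = 'ConfigureWindowsSpotlight'
$DisabledValue = 2

# The setting lives under User Configuration, so it is stored per user.
# Only hives of signed-in (or otherwise loaded) profiles appear in HKEY_USERS.
$results = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    # Keep domain/local (S-1-5-21-...) and Entra ID (S-1-12-1-...) user SIDs;
    # this skips service accounts, .DEFAULT and the *_Classes hives.
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$SubKey"

        # A missing key or value means the policy is not configured for this user.
        $data = $null
        if (Test-Path -Path $path) {
            $data = (Get-ItemProperty -Path $path -Name $ValueName `
                        -ErrorAction SilentlyContinue).$ValueName
        }

        # Resolve the SID to an account name for the report; fall back to the SID.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = $sid }

        $state = if ($null -eq $data)              { 'Not configured (default: Enabled)' }
                 elseif ($data -eq $DisabledValue) { 'Disabled' }
                 else                              { "Other ($data)" }

        [pscustomobject]@{
            Account   = $account
            Sid       = $sid
            State     = $state
            Compliant = ($data -eq $DisabledValue)
        }
    }

$results | Format-Table -AutoSize

# Non-zero exit code lets a compliance job flag the device.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it from an elevated session so other users' hives are readable; profiles that are not loaded at the time are not covered.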

 

On or Off? The Choice is Yours

 

Spotlight offers a visually appealing and informative lock screen experience. However, for some users, security is a top priority, and disabling it might give peace of mind.

 

For most users, the convenience of Windows Spotlight likely outweighs the minimal security risk. But with hundreds of security settings in an ever-changing hostile environment, server hardening is crucial for a secure system. Having all settings correctly configured gives a clear conscience and lets IT teams focus on more pressing matters, knowing they are protected.
