By default, the Windows logon screen displays some information about the current user as well as the accounts that have previously logged onto the system. Each of these details can be hidden with Group Policy settings. In some cases, however, it is not immediately clear what these settings do or how they interact with each other.

What Windows displays on the logon screen affects both convenience and security. If it lists all users who have previously worked on the computer, then it saves them having to type in their name the next time they log on.

However, in some sensitive environments, you may not only want to conceal this logon history, but also hide information about users when they log on or unlock the screen. Account names and display names are a useful starting point for an attacker, whether for guessing passwords or for social engineering.

Only a few of the relevant settings can be changed interactively. They are primarily configured via Group Policy or an MDM interface, and, for an obvious reason, all of them live under the Computer Configuration branch: they govern the appearance of the screen before any user has logged on.

The relevant settings are scattered across two locations. All those whose names start with "Interactive logon" can be found under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The others are located under Computer Configuration > Policies > Administrative Templates > System > Logon.

Group policies for configuring Windows logon

Hide (previously) logged-on accounts

By default, the logon screen shows the accounts that were last signed in. If you don't want to reveal who has been working on a computer, then enable the following:

  • Interactive logon: Don't display last signed-in

The logon screen will then only show Other user above the logon form, so each user has to type in their name. The list of users with an active session also disappears from the screen shown when you try to unlock a session.

After hiding the last logged on users Windows shows only Other user

Do not show logged-on users

At first glance, the following setting might serve the same purpose:

  • Do not enumerate connected users on domain-joined computers

However, it only hides users who currently have a session open on the computer. This may be the case if someone has started a new session with fast user switching or if several users are working simultaneously on one RDS session host.

By default Windows shows all users with an active session on the computer

Show local accounts at logon

On workgroup machines, the logon screen displays all local accounts so that users can log on without typing their name. If the computer is a member of a domain, the local accounts disappear from the logon screen, because they are rarely used there.

This can be changed by enabling the following setting:

  • Enumerate local users on domain-joined computers

In most environments, however, you will not want to do this for security reasons because the names of the local admins will also be visible.

User information when unlocking a session

Credentials are also required to unlock the screen. By default, Windows displays the name of the user who locked the session. An attacker with physical access to the computer can therefore combine this name with what they know about that person to guess the password.

To hide who is logged on to this computer, you can customize the display of the name on the locked screen by configuring the following setting:

  • Interactive logon: Display user information when the session is locked

Options for configuring user information on the screen to unlock a session

The policy offers four options, one of which Windows no longer honors:

  • User display name, domain and user names: For a local logon, the user's full name; for a Microsoft account, the email address; for a domain logon, "Domain\username".
  • User display name only: Only the full name of the user who locked the session.
  • Domain and user names only: For a domain logon, only "Domain\username" is shown; the display name is suppressed.
  • Do not display user information: No longer supported since Windows 10 1607. If you select it, Windows falls back to showing the full name of the user who locked the session, so it hides nothing.

Display only when selecting domains and usernames

If users disable the option Show account details such as my email address on the sign-in screen in the Settings app under Accounts > Sign-in options > Privacy, then only the username will be displayed regardless of which option one has selected for this policy.

Option to configure the user info on the logon screen in the Settings app

There is another group policy specifically tailored for this purpose:

  • Block user from showing account details on sign-in

Enabling this policy will suppress account details on the sign-in screen regardless of how the competing setting in the app has been configured.

Hide names after sign-in

Finally, Windows offers the option to suppress the display of the user's name after they have submitted their logon details. The setting responsible for this is:

  • Interactive logon: Don't display username at sign-in

It only takes effect if the user logs on via the Other user button. If their name still appears on the logon screen and they click it to log on, they will be greeted by name.

Therefore, this option is only useful in combination with the setting described above: Interactive logon: Don't display last signed-in, because it ensures that only Other user is available.

Hide username after successful logon

Summary

In security-critical environments, you might not want to show the history of the last logged-on users on the logon screen or display the name on the locked screen. This information could inspire potential attackers to engage in social engineering, for example.

Microsoft therefore offers the option of customizing the appearance of the logon screen using group policies. That the settings live in two different places does not make the task easier, nor do the unclear relationships between some of the policies.

3 Comments
  1. Yehuda M 3 months ago

    It's not working when you configure autologon.
    Do you have solutions?

  2. Allan 3 months ago

    This is good information. One can’t be too careful.

  3. PallE 1 week ago

    Windows client 10 in a domain constantly showed me _only_ the local admin account on the logon screen until I actively set “Show local accounts at logon” from “not configured” to disabled!

© 4sysops 2006 - 2023