What Windows displays on the logon screen affects both convenience and security. If it lists all users who have previously worked on the computer, then it saves them having to type in their name the next time they log on.
However, in some sensitive environments, you may not want to just conceal this logon history, but also hide information about users when they log on or unlock the screen. This data could serve as a useful entry point for attacks by malicious actors.
Only a few of the relevant settings can be customized interactively. Their configuration is primarily done via group policies or MDM interfaces, and for obvious reasons, they are only found under the Computer Configuration branch. After all, it is about the appearance of the screen before a user logs on.
The relevant settings are scattered over two locations. All those whose names start with "Interactive logon" can be found under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The others are located under Computer Configuration > Policies > Administrative Templates > System > Logon.
Hide (previously) logged-on accounts
By default, the logon screen shows the accounts that were last signed in. If you don't want to reveal who has been working on a computer, then enable the following:
- Interactive logon: Don't display last signed-in
The logon screen will then only show Other user above the logon form, so that each user has to type in their own name. Also, the list of active users disappears when you try to unlock a session.
Do not show logged-on users
At first glance, the following setting might serve the same purpose:
- Do not enumerate connected users on domain-joined computers
However, it only hides users who currently have a session open on the computer. This may be the case if someone has started a new session with fast user switching or if several users are working simultaneously on one RDS session host.
Show local accounts at logon
On workgroup machines, the logon screen displays all local accounts so that users can easily log on without entering their name. If the computer is a member of a domain, then the local accounts disappear from the logon screen because hardly anyone is working with them.
This can be changed by enabling the following setting:
- Enumerate local users on domain-joined computers
In most environments, however, you will not want to do this for security reasons because the names of the local admins will also be visible.
User information when unlocking a session
Entering credentials is also necessary if you want to unlock the screen. By default, Windows displays the name of the user who locked the session here. An attacker with physical access to the computer could therefore use their knowledge of this person to guess the password.
To hide who is logged on to this computer, you can customize the display of the name on the locked screen by configuring the following setting:
- Interactive logon: Display user information when the session is locked
It provides three options to customize user information:
- User display name, domain and user names: For a local logon, the user's full name; for a Microsoft account, their email address; and for a domain logon, "Domain\username".
- User display name only: The full name of the user who locked the session.
- Domain and user names only: Only "Domain\username" is displayed for a domain logon.
- Do not display user information: Since Windows 10 1607, this option is no longer supported. If you select it, the full name of the user who locked the session appears.
If users disable the option Show account details such as my email address on the sign-in screen in the Settings app under Accounts > Sign-in options > Privacy, then only the username will be displayed regardless of which option one has selected for this policy.
There is another group policy specifically tailored for this purpose:
- Block user from showing account details on sign-in
Enabling this policy will suppress account details on the sign-in screen regardless of how the competing setting in the app has been configured.
Hide names after sign-in
Finally, Windows offers the option to suppress the display of the user's name after they have submitted their logon details. The setting responsible for this is:
- Interactive logon: Don't display username at sign-in
It is only effective if a user logs on using the Other user button. However, if their name appears on the logon screen and they click it to log on, they will be greeted with their name.
Therefore, this option is only useful in combination with the setting described above, Interactive logon: Don't display last signed-in, because it ensures that only Other user is available.
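As an added example (not from the article), the following PowerShell audits the registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System in which Windows stores the policies discussed above, so you can spot drift from an intended configuration. The value names and numeric options are those Microsoft documents for these policies (confirm them against a gpresult report on your build); the expected values form this example's own baseline, not a recommendation from the article.

```powershell
# Added example, not from the article: audit (and optionally remediate) the
# registry values that back the logon-screen policies discussed above.
# Run in an elevated session; local writes are overridden by domain GPOs.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Baseline for a sensitive environment; the expected values are this example's
# choice, not a Microsoft recommendation. Comments name the matching GPO setting.
$Baseline = @(
    # Interactive logon: Don't display last signed-in
    @{ Name = 'DontDisplayLastUserName';                    Expected = 1 }
    # Interactive logon: Don't display username at sign-in (only useful with the above)
    @{ Name = 'DontDisplayUserName';                        Expected = 1 }
    # Do not enumerate connected users on domain-joined computers
    @{ Name = 'DontEnumerateConnectedUsers';                Expected = 1 }
    # Enumerate local users on domain-joined computers: keep disabled
    @{ Name = 'EnumerateLocalUsers';                        Expected = 0 }
    # Block user from showing account details on sign-in
    @{ Name = 'BlockUserFromShowingAccountDetailsOnSignin'; Expected = 1 }
    # Interactive logon: Display user information when the session is locked
    # (1 = display name, domain and user names; 2 = display name only)
    @{ Name = 'DontDisplayLockedUserId';                    Expected = 2 }
)

function Test-LogonScreenPolicy {
    param([switch]$Remediate)
    foreach ($rule in $Baseline) {
        # Get-ItemProperty returns nothing if the value is absent ("Not configured").
        $item   = Get-ItemProperty -Path $PolicyKey -Name $rule.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { [int]$item.($rule.Name) } else { $null }

        # An absent value counts as compliant only where the baseline wants 0 (off).
        $compliant = ($actual -eq $rule.Expected) -or
                     ($null -eq $actual -and $rule.Expected -eq 0)

        if (-not $compliant -and $Remediate) {
            Set-ItemProperty -Path $PolicyKey -Name $rule.Name -Value $rule.Expected -Type DWord
            $actual = $rule.Expected; $compliant = $true
        }

        [pscustomobject]@{
            Value     = $rule.Name
            Expected  = $rule.Expected
            Actual    = if ($null -eq $actual) { 'not configured' } else { $actual }
            Compliant = $compliant
        }
    }
}

# Report drift; add -Remediate to write the baseline values locally.
Test-LogonScreenPolicy | Format-Table -AutoSize
```

On domain-joined machines, treat the output as a read-only check and make the actual change in the group policy paths named above, since the next policy refresh will restore whatever the GPO defines.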
In security-critical environments, you might not want to show the history of the last logged-on users on the logon screen or display the name on the locked screen. This information could inspire potential attackers to engage in social engineering, for example.
Microsoft therefore offers the option of customizing the appearance of the logon screen using group policies. This requires settings in two different places, which does not simplify the task. The same applies to the unclear relationships between some of the policies.