--- title: Policy CSP - WindowsLogon description: Policy CSP - WindowsLogon ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque ms.date: 07/12/2018 --- # Policy CSP - WindowsLogon

## WindowsLogon policies

WindowsLogon/DisableLockScreenAppNotifications

WindowsLogon/DontDisplayNetworkSelectionUI

WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers

WindowsLogon/HideFastUserSwitching

WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart

**WindowsLogon/DisableLockScreenAppNotifications**

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device

This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: - GP English name: *Turn off app notifications on the lock screen* - GP name: *DisableLockScreenAppNotifications* - GP path: *System/Logon* - GP ADMX file name: *logon.admx*

**WindowsLogon/DontDisplayNetworkSelectionUI**

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device

This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. Here is an example to enable this policy: ``` syntax 300 301 ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI chr ]]> ``` > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: - GP English name: *Do not display network selection UI* - GP name: *DontDisplayNetworkSelectionUI* - GP path: *System/Logon* - GP ADMX file name: *logon.admx*

**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device

This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: - GP English name: *Enumerate local users on domain-joined computers* - GP name: *EnumerateLocalUsers* - GP path: *System/Logon* - GP ADMX file name: *logon.admx*

**WindowsLogon/HideFastUserSwitching**

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise
	²	²	²	²

[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device

Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. ADMX Info: - GP English name: *Hide entry points for Fast User Switching* - GP name: *HideFastUserSwitching* - GP path: *System/Logon* - GP ADMX file name: *Logon.admx* The following list shows the supported values: - 0 (default) - Disabled (visible). - 1 - Enabled (hidden). To validate on Desktop, do the following: 1. Enable policy. 2. Verify that the Switch account button in Start is hidden.

**WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart**

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device

This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user. If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: - GP English name: *Sign-in last interactive user automatically after a system-initiated restart* - GP name: *AutomaticRestartSignOn* - GP path: *Windows Components/Windows Logon Options* - GP ADMX file name: *WinLogon.admx*

Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803.