{
	"id": "535b02a7-f98e-4b6c-a702-8ef55e34919e",
	"created_at": "2026-04-06T00:15:29.055109Z",
	"updated_at": "2026-04-10T03:20:57.411501Z",
	"deleted_at": null,
	"sha1_hash": "9fc1edfd8f4351af398244bf642041dfa1e8fb4d",
	"title": "WindowsLogon Policy CSP",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105135,
	"plain_text": "WindowsLogon Policy CSP\r\nBy officedocspr5\r\nArchived: 2026-04-05 15:50:09 UTC\r\nTip\r\nThis CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must\r\nspecify the data type in the SyncML as \u003cFormat\u003echr\u003c/Format\u003e . For details, see Understanding ADMX-backed\r\npolicies.\r\nThe payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders\r\nthat you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more\r\ninformation, see CDATA Sections.\r\nAllowAutomaticRestartSignOn\r\nScope Editions Applicable OS\r\n✅\r\nDevice\r\n❌ User\r\n✅ Pro\r\n✅ Enterprise\r\n✅ Education\r\n✅ IoT Enterprise / IoT Enterprise\r\nLTSC\r\n✅ Windows 10, version 1903 [10.0.18362] and\r\nlater\r\n./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn\r\nThis policy setting controls whether a device will automatically sign in and lock the last interactive user after the\r\nsystem restarts or after a shutdown and cold boot.\r\nThis only occurs if the last interactive user didn't sign out before the restart or shutdown.\r\nIf the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update\r\nrestarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.\r\nIf you don't configure this policy setting, it's enabled by default. 
When the policy is enabled, the user is\r\nautomatically signed in and the session is automatically locked with all lock screen apps configured for that\r\nuser after the device boots.\r\nhttps://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon\r\nPage 1 of 13\n\nAfter enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy,\r\nwhich configures the mode of automatically signing in and locking the last interactive user after a restart or cold\r\nboot .\r\nIf you disable this policy setting, the device doesn't configure automatic sign in. The user's lock screen\r\napps aren't restarted after the system restarts.\r\nDescription framework properties:\r\nProperty name Property value\r\nFormat chr (string)\r\nAccess Type Add, Delete, Get, Replace\r\nTip\r\nThis is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML\r\nformat, refer to Enabling a policy.\r\nADMX mapping:\r\nName Value\r\nName AutomaticRestartSignOn\r\nFriendly Name Sign-in and lock last interactive user automatically after a restart\r\nLocation Computer Configuration\r\nPath Windows Components \u003e Windows Logon Options\r\nRegistry Key Name Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nRegistry Value Name DisableAutomaticRestartSignOn\r\nADMX File Name WinLogon.admx\r\nConfigAutomaticRestartSignOn\r\nScope Editions Applicable OS\r\n✅\r\nDevice\r\n❌ User\r\n✅ Pro\r\n✅ Enterprise\r\n✅ Education\r\n✅ IoT Enterprise / IoT Enterprise\r\nLTSC\r\n✅ Windows 10, version 1903 [10.0.18362] and\r\nlater\r\n./Device/Vendor/MSFT/Policy/Config/WindowsLogon/ConfigAutomaticRestartSignOn\r\nThis policy setting controls the configuration under which an automatic restart and sign-on and lock occurs after a\r\nrestart or cold boot. 
If you chose \"Disabled\" in the \"Sign-in and lock last interactive user automatically after a\r\nrestart\" policy, then automatic sign-on won't occur and this policy doesn't need to be configured.\r\nIf you enable this policy setting, you can choose one of the following two options:\r\n1. \"Enabled if BitLocker is on and not suspended\" specifies that automatic sign-on and lock will only occur if\r\nBitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the\r\ndevice's hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension\r\ntemporarily removes protection for system components and data but may be needed in certain\r\ncircumstances to successfully update boot-critical components.\r\nBitLocker is suspended during updates if:\r\nThe device doesn't have TPM 2.0 and PCR7, or\r\nThe device doesn't use a TPM-only protector.\r\n2. \"Always Enabled\" specifies that automatic sign-on will happen even if BitLocker is off or suspended\r\nduring reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive.\r\nAutomatic restart and sign-on should only be run under this condition if you are confident that the\r\nconfigured device is in a secure physical location.\r\nIf you disable or don't configure this setting, automatic sign-on will default to the \"Enabled if BitLocker is\r\non and not suspended\" behavior.\r\nDescription framework properties:\r\nProperty name Property value\r\nFormat chr (string)\r\nAccess Type Add, Delete, Get, Replace\r\nTip\r\nThis is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML\r\nformat, refer to Enabling a policy.\r\nADMX mapping:\r\nName Value\r\nName ConfigAutomaticRestartSignOn\r\nFriendly Name\r\nConfigure the mode of automatically signing in and locking last interactive user after a\r\nrestart or cold boot\r\nLocation Computer Configuration\r\nPath Windows Components \u003e Windows Logon Options\r\nRegistry Key\r\nName\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nADMX File\r\nName\r\nWinLogon.admx\r\nDisableLockScreenAppNotifications\r\nScope Editions Applicable OS\r\n✅\r\nDevice\r\n❌ User\r\n✅ Pro\r\n✅ Enterprise\r\n✅ Education\r\n✅ IoT Enterprise / IoT Enterprise\r\nLTSC\r\n✅ Windows 10, version 1703 [10.0.15063] and\r\nlater\r\n./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DisableLockScreenAppNotifications\r\nThis policy setting allows you to prevent app notifications from appearing on the lock screen.\r\nIf you enable this policy setting, no app notifications are displayed on the lock screen.\r\nIf you disable or don't configure this policy setting, users can choose which apps display notifications on\r\nthe lock screen.\r\nDescription framework properties:\r\nProperty name Property value\r\nFormat chr (string)\r\nAccess Type Add, Delete, Get, Replace\r\nTip\r\nThis is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML\r\nformat, refer to Enabling a policy.\r\nADMX mapping:\r\nName Value\r\nName DisableLockScreenAppNotifications\r\nFriendly Name Turn off app notifications on the lock screen\r\nLocation Computer Configuration\r\nPath System \u003e Logon\r\nRegistry Key Name Software\\Policies\\Microsoft\\Windows\\System\r\nRegistry Value Name DisableLockScreenAppNotifications\r\nADMX File Name Logon.admx\r\nDontDisplayNetworkSelectionUI\r\nScope Editions Applicable OS\r\n✅\r\nDevice\r\n❌ User\r\n✅ Pro\r\n✅ Enterprise\r\n✅ Education\r\n✅ IoT Enterprise / IoT Enterprise\r\nLTSC\r\n✅ Windows 10, version 1703 [10.0.15063] and\r\nlater\r\n./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI\r\nThis policy setting allows you to control whether anyone can interact with available networks UI on the logon\r\nscreen.\r\nIf you enable this policy setting, the PC's network connectivity state can't be changed without signing into\r\nWindows.\r\nIf you disable or don't configure this policy setting, any user can disconnect the PC from the network or\r\ncan connect the PC to other available networks without signing into Windows.\r\nDescription framework properties:\r\nProperty name Property value\r\nFormat chr (string)\r\nAccess Type Add, Delete, Get, Replace\r\nTip\nThis is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML\nformat, refer to Enabling a policy.\nADMX mapping:\nName Value\nName DontDisplayNetworkSelectionUI\nFriendly Name Do not display network selection UI\nLocation Computer Configuration\nPath System \u003e Logon\nRegistry Key Name Software\\Policies\\Microsoft\\Windows\\System\nRegistry Value Name DontDisplayNetworkSelectionUI\nADMX File Name Logon.admx\nExample:\nHere's an example to enable this policy:\n300301./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUIchr \u003c![CDATA[]]\u003e\n\nEnableFirstLogonAnimation\r\nScope Editions Applicable OS\r\n✅\r\nDevice\r\n❌ User\r\n✅ Pro\r\n✅ Enterprise\r\n✅ Education\r\n✅ IoT Enterprise / IoT Enterprise\r\nLTSC\r\n✅ Windows 10, version 1903 [10.0.18362] and\r\nlater\r\n./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation\r\nThis policy setting allows you to control whether users see the first sign-in animation when signing in to the\r\ncomputer for the first time. This applies to both the first user of the computer who completes the initial setup and\r\nusers who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in\r\nprompt for services during their first sign-in.\r\nIf you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users\r\nwith other accounts will see the sign-in animation.\r\nIf you disable this policy setting, users won't see the animation and Microsoft account users won't see the\r\nopt-in prompt for services.\r\nIf you don't configure this policy setting, the user who completes the initial Windows setup will see the\r\nanimation during their first sign-in. 
If the first user had already completed the initial setup and this policy\r\nsetting isn't configured, users new to this computer won't see the animation.\r\nNote\r\nThe first sign-in animation won't be shown on Server, so this policy will have no effect.\r\nDescription framework properties:\r\nProperty name Property value\r\nFormat int\r\nAccess Type Add, Delete, Get, Replace\r\nDefault Value 1\r\nAllowed values:\r\nValue Description\r\n0 Disabled.\r\n1 (Default) Enabled.\r\nGroup policy mapping:\r\nName Value\r\nName EnableFirstLogonAnimation\r\nFriendly Name Show first sign-in animation\r\nLocation Computer Configuration\r\nPath System \u003e Logon\r\nRegistry Key Name Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nRegistry Value Name EnableFirstLogonAnimation\r\nADMX File Name Logon.admx\r\nEnableMPRNotifications\r\nScope Editions Applicable OS\r\n✅\r\nDevice\r\n❌ User\r\n✅ Pro\r\n✅ Enterprise\r\n✅ Education\r\n✅ IoT Enterprise / IoT Enterprise\r\nLTSC\r\n✅ Windows 11, version 22H2 [10.0.22621] and\r\nlater\r\n./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableMPRNotifications\r\nThis policy controls whether the user's password is included in the content of MPR notifications sent by winlogon\r\nin the system.\r\nIf you disable this setting or don't configure it, winlogon sends MPR notifications with empty password\r\nfields of the user's authentication info.\r\nIf you enable this setting, winlogon sends MPR notifications containing the user's password in the\r\nauthentication info.\r\nNote\r\nStarting in Windows Insiders build 25216, the behavior of EnableMPRNotifications policy was changed, and the\r\nGroup Policy was updated with the following text:\r\nFriendly name: Configure the transmission of the user's 
password in the content of MPR notifications sent\r\nby winlogon\r\nDescription: This policy controls whether the user's password is included in the content of MPR\r\nnotifications sent by winlogon in the system.\r\nIf you disable this setting or do not configure it, winlogon sends MPR notifications with empty\r\npassword fields of the user's authentication info.\r\nIf you enable this setting, winlogon sends MPR notifications containing the user's password in the\r\nauthentication info.\r\nDescription framework properties:\r\nProperty name Property value\r\nFormat chr (string)\r\nAccess Type Add, Delete, Get, Replace\r\nTip\r\nThis is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML\r\nformat, refer to Enabling a policy.\r\nADMX mapping:\r\nName Value\r\nName EnableMPRNotifications\r\nFriendly Name\r\nConfigure the transmission of the user's password in the content of MPR notifications\r\nsent by winlogon.\r\nLocation Computer Configuration\r\nPath Windows Components \u003e Windows Logon Options\r\nRegistry Key\r\nName\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nRegistry Value\r\nName\r\nEnableMPR\r\nADMX File\r\nName\r\nWinLogon.admx\r\nEnumerateLocalUsersOnDomainJoinedComputers\r\nScope Editions Applicable OS\r\n✅\r\nDevice\r\n❌ User\r\n✅ Pro\r\n✅ Enterprise\r\n✅ Education\r\n✅ IoT Enterprise / IoT Enterprise\r\nLTSC\r\n✅ Windows 10, version 1803 [10.0.17134] and\r\nlater\r\n./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers\r\nThis policy setting allows local users to be enumerated on domain-joined computers.\r\nIf you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers.\r\nIf you disable or don't configure this policy setting, the Logon UI won't enumerate local users on domain-joined 
computers.\r\nDescription framework properties:\r\nProperty name Property value\r\nFormat chr (string)\r\nAccess Type Add, Delete, Get, Replace\r\nTip\r\nThis is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML\r\nformat, refer to Enabling a policy.\r\nADMX mapping:\r\nName Value\r\nName EnumerateLocalUsers\r\nFriendly Name Enumerate local users on domain-joined computers\r\nLocation Computer Configuration\r\nPath System \u003e Logon\r\nRegistry Key Name Software\\Policies\\Microsoft\\Windows\\System\r\nRegistry Value Name EnumerateLocalUsers\r\nADMX File Name Logon.admx\r\nHideFastUserSwitching\r\nScope Editions Applicable OS\r\n✅\r\nDevice\r\n❌ User\r\n✅ Pro\r\n✅ Enterprise\r\n✅ Education\r\n✅ IoT Enterprise / IoT Enterprise\r\nLTSC\r\n✅ Windows 10, version 1703 [10.0.15063] and\r\nlater\r\n./Device/Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching\r\nThis policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task\r\nManager.\r\nIf you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log\r\non or is logged-on to the computer that has this policy applied.\r\nThe locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager.\r\nIf you disable or don't configure this policy setting, the Switch User interface is accessible to the user in the\r\nthree locations.\r\nDescription framework properties:\r\nProperty name Property value\r\nFormat int\r\nAccess Type Add, Delete, Get, Replace\r\nDefault Value 0\r\nAllowed values:\r\nValue Description\r\n0 (Default) Disabled (visible).\r\n1 Enabled (hidden).\r\nGroup policy mapping:\r\nName Value\r\nName HideFastUserSwitching\r\n
Friendly Name Hide entry points for Fast User Switching\r\nLocation Computer Configuration\r\nPath System \u003e Logon\r\nRegistry Key Name Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nRegistry Value Name HideFastUserSwitching\r\nADMX File Name Logon.admx\r\nOverrideShellProgram\r\nScope Editions Applicable OS\r\n✅\r\nDevice\r\n❌ User\r\n✅ Pro\r\n✅ Enterprise\r\n✅ Education\r\n✅ IoT Enterprise / IoT Enterprise\r\nLTSC\r\n✅ Windows 11, version 22H2 [10.0.22621.2338] and\r\nlater\r\n./Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram\r\nOverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This\r\npolicy has the highest precedence over other ways of configuring the shell program. The policy currently supports\r\nbelow options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell\r\ndoesn't have a user interface and helps the device to achieve better performance as the shell consumes limited\r\nresources over default shell. Lightweight shell contains a limited set of features which could be consumed by\r\napplications. This configuration can be useful if the device needs to have a continuous running user interface\r\napplication which would consume features offered by Lightweight shell. 
If you disable or don't configure this\r\npolicy setting, then the default shell will be launched.\r\nDescription framework properties:\r\nProperty name Property value\r\nFormat int\r\nAccess Type Add, Delete, Get, Replace\r\nDefault Value 0\r\nAllowed values:\r\nValue Description\r\n0 (Default) Not Configured.\r\n1 Apply Lightweight shell.\r\nRelated articles\r\nPolicy configuration service provider\r\nSource: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon"
	],
	"report_names": [
		"policy-csp-windowslogon"
	],
	"threat_actors": [],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fc1edfd8f4351af398244bf642041dfa1e8fb4d.pdf",
		"text": "https://archive.orkl.eu/9fc1edfd8f4351af398244bf642041dfa1e8fb4d.txt",
		"img": "https://archive.orkl.eu/9fc1edfd8f4351af398244bf642041dfa1e8fb4d.jpg"
	}
}