FirstLogonCommands

FirstLogonCommands specifies commands to run the first time a user logs on to the computer. These commands run only once. FirstLogonCommands are not supported in Windows 10 in S mode.

Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.

When a user with administrative privileges logs in for the first time, these commands are run with elevated access privileges.

If you create a user account that does not include administrative privileges, the following commands may not run:

• If User Account Control is enabled, then when that user logs in for the first time, a dialog box appears, prompting the user with an option to allow an administrator to apply the commands. If the user selects Cancel, these commands don’t run.
• If User Account Control is disabled, these commands don’t run.

The commands run after logon, prior to showing the desktop.

If the command launches a separate system process, the system process will run independently of the commands. This enables you to create commands that terminate quickly, allowing the user to reach the desktop faster.

Other processes, such as services, are not restricted by FirstLogonCommands and will continue to start or to terminate independently.

This command now works like Microsoft-Windows-Shell-Setup-LogonCommands-AsynchronousCommand: all commands using these unattend settings are now started at the same time, and no longer wait for the previous command to finish.

When you add a script using FirstLogonCommands, it will be triggered on the next boot, even if you boot into audit mode using Ctrl+Shift+F3. If you plan to use audit mode later, add the following setting to skip this script automatically: Microsoft-Windows-Deployment-Reseal-Mode = Audit.

Child Elements

Setting	Description
SynchronousCommand	Specifies a command to run the first time a user logs on to the computer, its description, and the order in which it is run.

Valid Configuration Passes

Parent Hierarchy

Applies To

For a list of the Windows editions and architectures that this component supports, see Microsoft-Windows-Shell-Setup.

XML Example

The following XML output shows how to specify two commands to run after first logon.

Windows Logon Scenarios

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This reference topic for the IT professional summarizes common Windows logon and sign-in scenarios.

The Windows operating systems require all users to log on to the computer with a valid account to access local and network resources. Windows-based computers secure resources by implementing the logon process, in which users are authenticated. After a user is authenticated, authorization and access control technologies implement the second phase of protecting resources: determining if the authenticated user is authorized to access a resource.

The contents of this topic apply to versions of Windows designated in the Applies to list at the beginning of this topic.

In addition, applications and services can require users to sign in to access those resources that are offered by the application or service. The sign-in process is similar to the logon process, in that a valid account and correct credentials are required, but logon information is stored in the Security Account Manager (SAM) database on the local computer and in Active Directory where applicable. Sign-in account and credential information is managed by the application or service, and optionally can be stored locally in Credential Locker.

To understand how authentication works, see Windows Authentication Concepts.

This topic describes the following scenarios:

Interactive logon

The logon process begins either when a user enters credentials in the credentials entry dialog box, or when the user inserts a smart card into the smart card reader, or when the user interacts with a biometric device. Users can perform an interactive logon by using a local user account or a domain account to log on to a computer.

The following diagram shows the interactive logon elements and logon process.

Windows Client Authentication Architecture

Local and domain logon

Credentials that the user presents for a domain logon contain all the elements necessary for a local logon, such as account name and password or certificate, and Active Directory domain information. The process confirms the user’s identification to the security database on the user’s local computer or to an Active Directory domain. This mandatory logon process cannot be turned off for users in a domain.

Users can perform an interactive logon to a computer in either of two ways:

Locally, when the user has direct physical access to the computer, or when the computer is part of a network of computers.

A local logon grants a user permission to access Windows resources on the local computer. A local logon requires that the user has a user account in the Security Accounts Manager (SAM) on the local computer. The SAM protects and manages user and group information in the form of security accounts stored in the local computer registry. The computer can have network access, but it is not required. Local user account and group membership information is used to manage access to local resources.

A network logon grants a user permission to access Windows resources on the local computer in addition to any resources on networked computers as defined by the credential’s access token. Both a local logon and a network logon require that the user has a user account in the Security Accounts Manager (SAM) on the local computer. Local user account and group membership information is used to manage access to local resources, and the access token for the user defines what resources can be accessed on networked computers.

A local logon and a network logon are not sufficient to grant the user and computer permission to access and to use domain resources.

Remotely, through Terminal Services or Remote Desktop Services (RDS), in which case the logon is further qualified as remote interactive.

After an interactive logon, Windows runs applications on behalf of the user, and the user can interact with those applications.

A local logon grants a user permission to access resources on the local computer or resources on networked computers. If the computer is joined to a domain, then the Winlogon functionality attempts to log on to that domain.

A domain logon grants a user permission to access local and domain resources. A domain logon requires that the user has a user account in Active Directory. The computer must have an account in the Active Directory domain and be physically connected to the network. Users must also have the user rights to log on to a local computer or a domain. Domain user account information and group membership information are used to manage access to domain and local resources.

Remote logon

In Windows, accessing another computer through remote logon relies on the Remote Desktop Protocol (RDP). Because the user must already have successfully logged on to the client computer before attempting a remote connection, interactive logon processes have successfully finished.

RDP manages the credentials that the user enters by using the Remote Desktop Client. Those credentials are intended for the target computer, and the user must have an account on that target computer. In addition, the target computer must be configured to accept a remote connection. The target computer credentials are sent to attempt to perform the authentication process. If authentication is successful, the user is connected to local and network resources that are accessible by using the supplied credentials.

Network logon

A network logon can only be used after user, service, or computer authentication has taken place. During network logon, the process does not use the credentials entry dialog boxes to collect data. Instead, previously established credentials or another method to collect credentials is used. This process confirms the user’s identity to any network service that the user is attempting to access. This process is typically invisible to the user unless alternate credentials have to be provided.

To provide this type of authentication, the security system includes these authentication mechanisms:

Kerberos version 5 protocol

Public key certificates

Secure Sockets Layer/Transport Layer Security (SSL/TLS)

NTLM, for compatibility with Microsoft Windows NT 4.0-based systems

For information about the elements and processes, see the interactive logon diagram above.

Smart card logon

Smart cards can be used to log on only to domain accounts, not local accounts. Smart card authentication requires the use of the Kerberos authentication protocol. Introduced in Windows 2000 Server, in Windows-based operating systems a public key extension to the Kerberos protocol’s initial authentication request is implemented. In contrast to shared secret key cryptography, public key cryptography is asymmetric, that is, two different keys are needed: one to encrypt, another to decrypt. Together, the keys that are required to perform both operations make up a private/public key pair.

To initiate a typical logon session, a user must prove his or her identity by providing information known only to the user and the underlying Kerberos protocol infrastructure. The secret information is a cryptographic shared key derived from the user’s password. A shared secret key is symmetric, which means that the same key is used for both encryption and decryption.

The following diagram shows the elements and processes required for smart card logon.

Smart Card credential provider architecture

When a smart card is used instead of a password, a private/public key pair stored on the user’s smart card is substituted for the shared secret key, which is derived from the user’s password. The private key is stored only on the smart card. The public key can be made available to anyone with whom the owner wants to exchange confidential information.

For more information about the smart card logon process in Windows, see How smart card sign-in works in Windows.

Biometric logon

A device is used to capture and build a digital characteristic of an artifact, such as a fingerprint. This digital representation is then compared to a sample of the same artifact, and when the two are successfully compared, authentication can occur. Computers running any of the operating systems designated in the Applies to list at the beginning of this topic can be configured to accept this form of logon. However, if biometric logon is only configured for local logon, the user needs to present domain credentials when accessing an Active Directory domain.

Additional resources

For information about how Windows manages credentials submitted during the logon process, see Credentials Management in Windows Authentication.

How do I view login history for my PC using Windows 7

I want to see the login history of my PC including login and logout times for all user accounts.

I want to see the login history of my PC including login and logout times for all user accounts.

You can also use Windows® Even Viewer, to view log-in information.

How can I: Access Windows® Event Viewer?
1. Press + R and type “ eventvwr.msc” and click OK or press Enter.
2. Expand Windows Logs, and select Security.
3. In the middle you’ll see a list, with Date and Time,Source, Event ID
and Task Category. The Task Category pretty much explains the event,
Logon, Special Logon, Logoff and other details.

I hope you find this information useful. If you need any further assistance,
please feel free to contact me and let me know.

I hope this information was helpful…

Have a nice day…

Best regards,
Fisnik

Itknowledge24.com — Follow me on Twitter: http://twitter.com/itknowledge24
— UAC Trust Shortcut 2.0 is on its way.

145 people found this reply helpful

Was this reply helpful?

Sorry this didn’t help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How to disable first logon Hi animation using Registry or Group Policy in Windows 10

Windows 10 takes few minutes to set up your PC whenever you install Windows 10 or upgrade to a new version. During this time it starts a series of screens starting with ‘Hi‘. If you wish you can disable first sign-in animation using the Windows Registry or Group Policy Object. Of course, this will not speed up things, but the animation will only be turned off.

Disable first logon Hi animation in Windows 10

Local Group Policy Editor Method

We’ll begin with the Windows Group Policy Editor. To open it, launch the ‘Run’ dialog box, typed ‘gpedit.msc’ and hit Enter key.

Next, to go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon.

Within Logon, on the right side, you’ll notice an option reading Show first sign-in animation. Double-click on this policy to open its Configuration box. Next set it to ‘Disabled’.

This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation.

The action when confirmed will disable the Windows 10 “Hi” animation.

If your version of Windows 10 does not ship with the Group Policy Editor, you may use Policy Plus, or you may use the Registry editing method.

Using Windows Registry

Open Windows Registry Editor. For this, tap on the Windows-key +R simultaneously to launch the ‘Run’ dialog box. Type ‘regedit.exe’ in the empty field of the box and hit Enter. Confirm the UAC prompt and go to the following path-

Open the System folder, right-click in a space of the right-pane the right pane and select New > DWORD (32-bit Value).

Name the key EnableFirstLogonAnimation, double-click it and ensure its value is set to 0 to hide the animation.

Hereafter when you log into a new Windows 10 account, you will not notice logon Hi animation appearing. Instead, you’ll just see a spinning circle with the following message ‘Preparing Windows’.