There’s a new trick in the quest for Windows 10 logon nirvana – introducing FastFirstSignIn.
Specifically this for those of you using Windows 10 (whether this be ordinary Windows 10, or brokered through Citrix Virtual Apps/RDSH/WVD/Horizon/Parallels/etc.), there’s a nifty new trick in town you can use to make a helluva difference.
My original logon times article is here, although it will be undergoing a detailed series of updates soon. A critical part of this for Windows 10 users is the removal of UWP apps from the image, wherever possible. This makes a major difference to the first logon time (because it is first logon time we are concerned about in non-persistent environments such as we often find in Citrix Virtual Apps and Desktops). Unfortunately, the removal process is a bit of a pain and involves a touch of PowerShell hit-and-miss. Sometimes you inadvertently remove apps you want to keep, sometimes you end up trying to remove apps you can’t remove, sometimes they reprovision themselves – you know the drill. Soon you get into the realms of UWP whack-a-mole, and ongoing maintenance is something busy administrators don’t need adding to their already-overflowing workloads.
However, if you’re on Windows 10 1809 or higher, you can bypass the provisioning of UWP apps entirely by using this little routine on your machines during the build. Massive credit due to Nicke Kallen for discovering this awesome black magic and sharing it.
Implementation
Firstly, fire up a WIndows 10 image higher than 1809. I’m using 1909.
Install the Windows Assessment and Deployment Kit on your machine with the default settings.
Run the Windows Imaging and Configuration Designer tool
Click on Advanced Provisioning
Give the project a name and click Next
Choose “All Windows desktop editions” from the next menu, click Next
Click Finish and it will load the settings.
Expand Runtime settings | Policies | Authentication | EnableFastFirstSignIn and change the property to Enabled
Expand Runtime settings | SharedPC | AccountModel and change the property to Domain-joined only
Expand Runtime settings | SharedPC | EnableSharedPCMode and change the property to TRUE
Click on Export | Provisioning package
Give the package a name and change the Owner to IT Admin, then click Next
Click Next, select where to save the package (make a note of the path), click Next again, and then click Build
Click Finish
Close the Windows Config Designer
Make sure the package file generated is in an area accessible from your golden image
Access your golden image and open an administrative PowerShell session
Run the following command
Install-ProvisioningPackage -PackagePath “pathtopackage\packagename.ppkg” -QuietInstall
The package will install
Now, next time you log on to the system this provisioning package has been run on, you should see an appreciable difference in logon time – the video underneath shows the difference. Essentially, the UWP app provisioning is not run, shaving a big chunk (almost 50 seconds in the video!) off from the logon time.
Probably worth mentioning that SharedPC mode does a few odd things to the interface – essentially it works by enabling a bunch of local GPO settings, rather bizarrely. It does things like remove the Lock option from Explorer, but more pertinently, it disables the use of OneDrive storage via the GPO settings. However, what you can do is simply configure domain- or OU-level GPO settings to override these, so that you get the required settings with the benefit of the fast sign-in. A full list of the settings in use is available in this document.
This is fantastic, I’m an IT manager in a college so this is big for us!
Can this be run retrospectively on in place installation and as part of a MDT task?
Thank you
Matthew Wood
As far as I know, yes. However pay careful attention to the article linked at the end and be sure to test overriding any of the policies set locally. Given that you’re in education though, this is ideal for a lot of your device base, possibly.
Hi James!
I ran through this on my home-lab Win 10 golden image just now, works great! Definitely a faster logon
Owen
So given your recent article on NOT using Mandatory profiles anymore, where does this fall within the whole setup/deployment process for an Education environment? Do I still need to create a reference image? Do I still use the Decrapifier to get rid of unwanted provisioned apps? Do I use this article to improve logon times? Do I use the Schools PC app to provision PC’s within school? I’m very confused which path I should be taking!
The profile is just one piece in the entire setup. I’d still use a reference image and keep that as lean as possible in terms of apps. I’d also definitely look to use as many logon optimizations as are necessary, but make sure that you validate each one correctly. Set a logon time that you are happy to accept and aim to stay at that level – no sense spending weeks on saving just half a second, for example. Of course, make sure you are baselining and testing properly so you understand the KPI implications of each change you make.
Ideally, you should look to make your provisioning process as automated as possible. Maybe look into code-based deployment and evergreen scripts. We’ve had great success with these. I also recommend using things like the BIS-F tool, VMware OSOT or Citrix Optimizer to help with other performance adjustments (even in non-RDSH environments).
Don’t tell anyone 🙂 but I am actually starting work on a series of logon times articles looking at each step in the process and the impacts of each optimization at each stage. This should allow you to target the optimizations you choose a lot more sensibly
Hi James !
I followed your procedure and actually my logon went from 40 to 20s
for a first connection (domain account) on a Windows 10 2004 machine.
I noticed in your video that you suppress the jrankin accounts but that you do not reboot the machine.
I followed your procedure a second time and rebooted (back to snapshot with fastfirstsigning package) the machine instead of reconnecting me immediately after deleting
the local profile, my login then remains at 40s (first connection for user1, domain account). If I log off user1 and log in with user2 (domain account too), logging in takes 15 seconds. I use instant clone, so my machines are destroyed after each logout.
Do you have any idea how to keep these 15-20 seconds at login.
Thank you for all the help you bring to the community.
Not sure I quite follow? Are you saying your second logon always goes back to 40 seconds? This process is meant to reduce the first logon time only, but I shouldn’t expect logons to then increase.
sorry, i explained it wrong. I have done several tests since my message. If I start the virtual machine (with the Fastfirstsignin package) and I connect immediately with user1, it takes 40 s. If I log out and log back in with user1 (but this is not a good test since the account has just been created in c: \ users \ user1) or user2 (the account does not exist on the machine), then login takes 15 seconds for both. It is as if a service is slow to start after the machine has started. Finally, I created a Pool (view7), and the login remains good at 15 seconds, it increases to 35s by adding a volume apps.
Thank you for your answer.
Are these Windows 10? I normally recommend pre-booting and auto-logon for Windows 10 machines to get the logons snappy.
After testing this, some users have complained that “Quick Access” is missing from the File Explorer navigation pane.
It appears that others have had the same issue when settings Shared PC specifically, and it seems to be by design with SharedPC (rather than policy setting). I’m still investigating.
Yep, there are some facets of the environment that need resetting. Quick Access should be a NameSpace entry in the Registry, I would think.
Hello Mr B, have you been able to resolve the issue with Quick Access missing from the Navigation pane? We’re having the same issue and so far, not able to resolve, don’t want to have to undo the FastSignIn because of it…
Has anyone been able to resolve the missing “Quick Access” from File Explorer?
This may be a dead thread, but Quick Access may be enabled or disabled by the following registry key and a (recommended) reboot:
REM Hide Quick Access
reg ADD “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer” /v HubMode /t REG_DWORD /d 1 /f
REM Enable Quick Access
reg ADD “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer” /v HubMode /t REG_DWORD /d 0 /f
Hi Daniel,
Tried the suggestion, doesn’t look like HubMode applies in this mode. Didn’t see Quick Access appear after reboot.
Hi James, Does default user customization work with this method?
Yes, I think it should. It’s only some policies that appear to be mandated.
Hi James,
Does FastFirstSignIn work after a sysprep?
We capture the image with Microsoft MDT, or it’s better to install the package within the TaskSequence?
best regards
Didn’t try sysprepping afterwards. It might be better done with a Task Sequence.
Hi James,
great article! I would like to know if anyone has already found a solution for DeepL access. I have tried many approaches here, but none seem to work….. Do you have a clue here?
Sorry, what is “DeepL access”?
Sorry, a typo – I meant “Quick Access” in Explorer …
After applying the settings to an client, the Quick Access in Windows Explorer is shown at opening in the folder path but on the left side in the navigation pane the quick access is missing and I can’t revert this. I checked all the solutions I found in the net (Restore ClassID, HubMode in Windows Explorer, Revert all the Policy changes from the FastSignIN Pakage one by one – to see if the problem is located at the Local Group Policy and all the settings described in the Microsoft Site https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc, https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc)
So many thanks for the great article!
I am getting The term ‘Install-ProvisioningPackage’ is not recognized as the name of a cmdlet,
function, script file, or operable program. I am running PS as Admin. Does anyone know why this is happening?
I answered my own previous question. This works on Windows 10 but not Server OS. Is there a comparable command for Server 2019?
Install-ProvisioningPackage -PackagePath “C:\FastSignIn\FastSignIn.ppkg” -QuietInstall
If this is a good optimization for Citrix, our farm is running Server 2019. Do we know if these tweaks still apply to the Server OS?
I never tried this on a Server OS, not sure it applies to anything apart from Win10
Hi James, Is it possible even possible to install a ppkg on Windows Server 2022, I cannot find how to anywhere so I think it is not possible, the powershell appelets do not exist. Sny sugestions would help. We have server 2022 publishing citrix applications.
Thanks
I think it’s purely a single-session feature, but will have a look if I get a minute.