There’s a new trick in the quest for Windows 10 logon nirvana – introducing FastFirstSignIn.
Specifically this for those of you using Windows 10 (whether this be ordinary Windows 10, or brokered through Citrix Virtual Apps/RDSH/WVD/Horizon/Parallels/etc.), there’s a nifty new trick in town you can use to make a helluva difference.
My original logon times article is here, although it will be undergoing a detailed series of updates soon. A critical part of this for Windows 10 users is the removal of UWP apps from the image, wherever possible. This makes a major difference to the first logon time (because it is first logon time we are concerned about in non-persistent environments such as we often find in Citrix Virtual Apps and Desktops). Unfortunately, the removal process is a bit of a pain and involves a touch of PowerShell hit-and-miss. Sometimes you inadvertently remove apps you want to keep, sometimes you end up trying to remove apps you can’t remove, sometimes they reprovision themselves – you know the drill. Soon you get into the realms of UWP whack-a-mole, and ongoing maintenance is something busy administrators don’t need adding to their already-overflowing workloads.
However, if you’re on Windows 10 1809 or higher, you can bypass the provisioning of UWP apps entirely by using this little routine on your machines during the build. Massive credit due to Nicke Kallen for discovering this awesome black magic and sharing it.
Firstly, fire up a WIndows 10 image higher than 1809. I’m using 1909.
Install the Windows Assessment and Deployment Kit on your machine with the default settings.
Run the Windows Imaging and Configuration Designer tool
Click on Advanced Provisioning
Give the project a name and click Next
Choose “All Windows desktop editions” from the next menu, click Next
Click Finish and it will load the settings.
Expand Runtime settings | Policies | Authentication | EnableFastFirstSignIn and change the property to Enabled
Expand Runtime settings | SharedPC | AccountModel and change the property to Domain-joined only
Expand Runtime settings | SharedPC | EnableSharedPCMode and change the property to TRUE
Click on Export | Provisioning package
Give the package a name and change the Owner to IT Admin, then click Next
Click Next, select where to save the package (make a note of the path), click Next again, and then click Build
Close the Windows Config Designer
Make sure the package file generated is in an area accessible from your golden image
Access your golden image and open an administrative PowerShell session
Run the following command
Install-ProvisioningPackage -PackagePath “pathtopackage\packagename.ppkg” -QuietInstall
The package will install
Now, next time you log on to the system this provisioning package has been run on, you should see an appreciable difference in logon time – the video underneath shows the difference. Essentially, the UWP app provisioning is not run, shaving a big chunk (almost 50 seconds in the video!) off from the logon time.
Probably worth mentioning that SharedPC mode does a few odd things to the interface – essentially it works by enabling a bunch of local GPO settings, rather bizarrely. It does things like remove the Lock option from Explorer, but more pertinently, it disables the use of OneDrive storage via the GPO settings. However, what you can do is simply configure domain- or OU-level GPO settings to override these, so that you get the required settings with the benefit of the fast sign-in. A full list of the settings in use is available in this document.