End Users/Administrative Guide to Fast User Switching

End Users/Administrative Guide to Fast User Switching

There are 3 scenarios for Managing Fast User Switching settings for Windows Auth Client:

1. When the machine is “personal” (BYOD) and is NOT managed by the organization - the user who owns the device determines the setting - it is managed by the Student (or the Parent)

2. When the machine is owned by the organization and is not joined to a domain

3. When the machine is owned by the organization and is domain joined

   1. This would also apply to Intune managed devices

Note

Windows HOME edition doesn’t provide the tools for managing fast user switching - we can provide some guidance to change settings, but given the device is a home device, the parent/student is likely to use the out of the box Windows home experience, which probably should not be changed. Also note that Windows Home edition does not support being joined to a domain. Upgrade the edition of the operating system to pro or above for that feature.

Scenario 1: The machine is ‘personal’, and not managed by the organization.

• Follow the same steps as scenario 2 if desired - the student or parent will be responsible for managing their own device and configuring it accordingly

Scenario 2: The machine is not joined to a domain.

In this scenario, presumably, an administrator prepared the machine by installing Windows, or purchased a device that is preinstalled. Depending on the OS level/Edition, the admin has 2 choices on how to configure this settings.

1. Windows Home: does not come preloaded with GPEDIT.MSC - so the only choice for setting the value is by Regedit.  There is a way that can be used to get GPEdit to run on a home edition: Fix Gpedit.msc Not Found In Windows 10/Windows 11 As the article describes, there are many reasons why this isn’t functional, however, given the Home edition problem, the feature must be enabled under the heading “Install gpedit.msc in Windows Home Edition” - which provides command line instructions for installing the tool from Microsoft via an elevated command line prompt.

   1. i. FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")

      ii. FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")

   2. The alternative choice is to directly set the value via regedit.exe

2. Windows Pro or above: - GPEDIT.MSC can be directly executed

   1. in the search bar, type “edit group policy” and start the application (Windows 10/11) - select the best match as as shown here to start the application:

      1. 

         Open image-20241108-185219.png

         

   2. alternatively, press <windows key +> r key combination which will bring up the run command box

      1. type gpedit.msc and hit enter to start the group policy editor

      2. Alternatively, or use the search bar and select the best match as as shown here to start the application:

      3. Open image-20241108-193336.png

         

         

Once you have the Local Group Policy Editor running Navigate to Local Computer Policy → Computer Configuration → Administrative Templates → System → Logon in the left navigation bar, then in the right side window, Select Hide entry points for Fast User Switching - adjust this value as desired. When ready, restart the PC for the policy to apply.

Scenario 3: If the machine is domain joined, then the domain controller is responsible for managing this setting.

1. Microsoft provides documentation on how to configure policies.  This link provides examples for setting Branch Cache and Windows Firewall settings.  While we desire to set Fast User Switching settings: Use Group Policy to Configure Domain Member Client Computers we will use similar instructions here to describe the steps necessary to perform to Hide entry points for Fast User Switching

2. On a computer upon which the Active Directory Domain Services server role is installed, in Server Manager, click Tools, and then click Group Policy Management. The Group Policy Management console opens.

3. In the Group Policy Management console, expand the following path: Forest: http://example.com , Domains, http://example.com , Group Policy Objects, where http://example.com  is the name of the domain where the Fast User Switching client computer accounts that you want to configure are located.

4. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy Object (GPO). For example, if you want to name the object FastUserSwitching Client Computers, type FastUserSwitching Client Computers. Click OK.

5. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO FastUserSwitching Client Computers, right-click FastUserSwitching Client Computers. Click Edit. The Group Policy Management Editor console opens.

   1. This will launch the Group Policy Management Editor - which looks almost identical to the Local Group Policy Editor tool presented above.  

   2. As shown above with LGPE - navigate to FastUserSwitching Client Computers → Computer Configuration → Policies →  Administrative Policy definitions (ADMX files) retrieved from the local computer. → System → Logon

   3. Open image-20241108-191058.png

      

      

   4. Select and Configure the Hide entry points for Fast User Switching setting as desired

   5. The above has created a policy, but has not defined where the policy is applied.  After saving the policy, close the editor and return to the group policy management tool.

   6. There are 2 ways to apply this to a computer:

      1. Under Security Filtering, choose the computers the policy applies to.

         1. Remove “Authenticated Users” from the list

         2. click the Add… button

         3. in the Select User, Computer, or Group dialog, click the Object Types…

         4. Uncheck Built-in security principals, Groups and Users

         5. Check Computers

         6. Click OK

         7. Choose the computer names the policy is to apply to.

      2. Alternatively, you can apply this to an Organizational Unit that already has computers associated with it

         1. Note: In this scenario, the computers should be assigned/moved to the OU so that they only get the policies intended for that target

            1. (either using Active Directory Users and Computers (ADUC), or the add button button detailed above)

         2. Right click an existing OU

         3. Select “Link an Existing GPO…” menu option

         4. Select the policy  that was created above

         5. Click OK

      3. Alternative: Create a new OU

         1. Assign computers to the OU (either using Active Directory Users and Computers (ADUC), or the add button button detailed above)

         2. Apply the GPO to the OU as indicated above

   7. Application of the policy is governed by the Windows services related to policy (gpsvc - Group Policy Client).  

      1. To force policy to apply on a particular PC, from an elevated command prompt, type: gpupdate /force

Scenario 3a: The machine is Hybrid Intune Device managed.

1. For assistance with this configuration, please review the following article:Quickly Disable Fast User Switching Using Intune HTMD Blog