Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Why does the Rublon Prompt loading time increase with a large number of local Windows users?

            Modified on Thu, 19 Mar at 1:31 PM

            When a Windows system has a very large number of local user accounts, the Rublon Prompt may appear with a significant delay during Windows Logon or RDP sign-in. On systems with several thousand local user accounts, the sign-in delay may increase to several minutes. In such cases, the delay can grow disproportionately as the number of local user accounts increases.


            Why Does This Happen?

            This behavior is caused by Windows, not by Rublon MFA.

            Our analysis showed that Windows logon performance degrades when a machine stores a very large number of local user accounts. The delay happens before the user reaches the Rublon MFA step. During that time, the user may only see the blurred Windows sign-in background with no interactive elements. After the delay, the standard Windows sign-in view is rendered, and the user can enter their password.


            This also explains why the same issue persists regardless of whether the user is set to Active or Bypass in Rublon MFA: the delay affects the first sign-in factor in Windows, and is not dependent on any Rublon MFA policy decision. The Rublon Prompt appears later only because it is part of the overall Windows sign-in flow.


            Microsoft documents the Interactive logon: Don’t display last signed-in policy. Windows also supports a policy to hide entry points for Fast User Switching. In our testing, enabling these Windows settings resolved the delay. 

            How to Fix It

            Note: Before applying the registry DontDisplayLastUserName change below, note that it is not necessary on all Windows Server systems because slowdown behavior is also affected by whether the Remote Desktop Session Host role is installed. During an in-depth investigation of this issue, Rublon analysts identified a link between the IsActiveSessionCountLimited() function and the DontDisplayLastUserName setting in the Windows logic responsible for enumerating local SAM users, which is the direct cause of this delay. According to Microsoft, the IsActiveSessionCountLimited() function returns false on Windows Server only when the Remote Desktop Session Host role is installed. In practice, this means the DontDisplayLastUserName registry change is not necessary on servers where the Remote Desktop Session Host role is already installed.


            On the affected Windows endpoint, open the Windows Registry and set the following value:


            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName = 1


            In our testing environment, this change was sufficient to resolve the issue.


            If the delay still occurs, also set:


            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = 1


            A reboot is not required after applying these changes.


            What Do These Settings Do?

            Setting DontDisplayLastUserName to 1 corresponds to the Windows security policy that tells Windows not to display the last signed-in user on the sign-in screen.


            Setting HideFastUserSwitching to 1 hides the Fast User Switching entry points. This setting is relevant in a different scenario than the main sign-in delay. If a user session is still active, for example, after selecting Lock instead of Sign out, the delay does not occur because the session has not been closed. In that case, the user can normally sign back in to the existing session. However, selecting the Switch user button makes Windows load the user-switching view, which can introduce a delay on systems with many local user accounts.


            Is This a Rublon MFA Issue?

            No. This is a Windows local account sign-in performance issue, not a Rublon MFA issue.


            The delay affects the Windows sign-in flow before the Rublon MFA step is shown. If you remove Rublon MFA, Windows will still experience the same underlying delay on systems with an unusually large number of local accounts. The fact that the fix is applied through Windows registry settings, not through Rublon MFA configuration change, is a strong indicator that the root cause is on the Windows side.


            Additional Recommendation

            If you need to manage very large numbers of users, using Active Directory is generally a better fit than storing thousands of local accounts on one machine. 


            Helpful Links

            Rublon MFA for Windows Logon & RDP - Documentation

            Why is the Rublon Prompt not appearing on Windows?

            How to speed up Rublon Prompt loading on Windows Logon & RDP 

            Interactive logon: Don’t display last signed-in - Microsoft

            Web Sign-In defeats the Fast User Switching policy - Microsoft

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0