When a domain-joined Windows 11 PC shows the Welcome screen and then logs out before you can access the desktop, the system is failing to complete the user profile load. This loop prevents any interactive session, even for local administrators, and often occurs after a domain policy change, a password reset, or a corrupted user profile. The root cause is typically a broken user profile, a Group Policy setting that blocks logon, or a network connectivity issue that prevents the domain controller from validating credentials. This article explains why this happens and provides step-by-step fixes to restore normal logon behavior.
Key Takeaways: Fixing Boot-to-Welcome Logout Loop on Domain PCs
- Boot into Safe Mode using Advanced startup: Bypasses broken profiles and Group Policy to access the desktop for repairs.
- Delete the corrupt user profile via Registry: Removes the profile entry under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileListto force a fresh profile creation on next logon. - Verify domain controller connectivity with
nltest /dsgetdc:Confirms the PC can reach a domain controller; if not, a VPN or network fix is needed first.
Why Windows 11 Logs Out Immediately After the Welcome Screen on a Domain PC
When a domain-joined Windows 11 computer boots, the Winlogon process loads the user profile after credential validation. If the profile is corrupt, the Local Group Policy restricts interactive logon, or the domain controller is unreachable, the system cannot finalize the profile load. Winlogon then terminates the session, returning the user to the lock screen or Welcome screen. Common triggers include a failed Windows Update that damaged the profile, a Group Policy that removed the user from the Interactive Logon right, or a network adapter that lost its DNS suffix required for domain discovery.
User Profile Corruption
The user profile stores settings, files, and registry data. If the NTUSER.DAT file or the profile registry key is damaged, Windows cannot load the profile. The session is killed and the user is logged out. This often happens after a forced shutdown, disk errors, or a failed profile migration.
Group Policy Blocking Interactive Logon
The Group Policy setting “Deny log on locally” or “Deny log on through Remote Desktop Services” can be applied to a user or group. If the user account is inadvertently added to a group that is denied interactive logon, the session terminates immediately after credential validation.
Domain Controller Unreachable
Windows 11 caches credentials for domain logon, but if the cached credentials are invalid or the system is forced to contact a domain controller for a policy refresh, a network failure causes the logon to fail. This is common after a VPN disconnection, a DNS misconfiguration, or a site-wide network outage.
Steps to Fix the Welcome-to-Logout Loop on a Domain PC
Perform these steps in order. The goal is to break the loop, repair the profile or policy, and restore normal logon.
Step 1: Boot into Safe Mode with Networking
- Access Advanced Startup
At the Welcome screen, hold the Shift key while clicking the Power icon and then Restart. The system reboots into the Choose an option screen. - Navigate to Safe Mode
Select Troubleshoot > Advanced options > Startup Settings > Restart. After reboot, press 5 or F5 for Safe Mode with Networking. - Log in with a local administrator account
If no local admin account exists, use the built-in Administrator account: type.\Administratorand use the local admin password. If you do not know the password, you may need to reset it using a password reset disk or another method.
Step 2: Delete the Corrupt User Profile
- Open Registry Editor
Press Win+R, typeregedit, and press Enter. Navigate toHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. - Identify the corrupt profile
Look for subkeys with names like S-1-5-21-… that have aProfileImagePathvalue pointing to the user’s folder. A corrupt profile often has aStatevalue of 0 or 2, or aRefCountvalue that is not 0. - Back up and delete the key
Right-click the key and select Export to save it. Then right-click again and Delete. Close Registry Editor. - Delete the user profile folder
Open File Explorer, navigate toC:\Users, and delete the folder matching the corrupt profile. If the folder is in use, restart the PC and try again.
Step 3: Verify and Fix Group Policy Interactive Logon Rights
- Open Local Security Policy
Press Win+R, typesecpol.msc, and press Enter. - Check deny logon policies
Navigate to Security Settings > Local Policies > User Rights Assignment. Double-click “Deny log on locally” and remove any user or group that should not be denied. Also check “Deny log on through Remote Desktop Services” if Remote Desktop is used. - Allow logon locally
Double-click “Allow log on locally” and ensure the affected user or theDomain Usersgroup is listed. If not, add them. Click OK. - Apply changes
Close secpol.msc and rungpupdate /forcein an elevated Command Prompt.
Step 4: Test Domain Controller Connectivity
- Open Command Prompt as administrator
Right-click Start and select Terminal (Admin). - Run nltest
Typenltest /dsgetdc:yourdomain.comreplacing yourdomain.com with your actual domain name. If the command returns a domain controller name, connectivity is working. If it returns an error, check DNS settings and network connectivity. - Check DNS suffix
Runipconfig /alland verify that the DNS suffix for the connection matches the domain name. If not, set it in Network Settings > Advanced > DNS > DNS suffix for this connection.
Step 5: Perform a System Restore to Before the Issue Started
- Open System Restore
In Safe Mode, press Win+R, typerstrui, and press Enter. - Choose a restore point
Select a restore point dated before the problem began. Follow the wizard to restore the system. This reverts system files, registry, and some Group Policy settings. - Reboot normally
After restoration, restart the PC and attempt a normal domain logon.
If the Logout Loop Continues After the Main Fix
“Another user is signed in” error on domain logon
This occurs when a user profile is partially loaded and locked. In Safe Mode, open Task Manager, go to the Users tab, and sign out all active sessions. Then delete the profile using the Registry method above.
Windows 11 boots to Welcome but no domain user appears
This indicates the PC lost its domain trust relationship. In Safe Mode, open an elevated Command Prompt and run Reset-ComputerMachinePassword -Server DCName -Credential DomainAdmin in PowerShell, or use netdom resetpwd /s:DCName /ud:Domain\Admin /pd:. Then rejoin the domain if necessary.
Safe Mode is also stuck in a logout loop
If Safe Mode fails, the issue is likely a corrupted system file or driver. Boot from a Windows 11 installation media, select Repair your computer, then Troubleshoot > Advanced options > Command Prompt. Run sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows and DISM /Image:C:\ /Cleanup-Image /RestoreHealth.
| Item | Local Admin Logon | Domain User Logon |
|---|---|---|
| Profile storage location | C:\Users\LocalUsername | C:\Users\DomainUsername |
| Credential validation | Local SAM database | Domain controller via Kerberos or NTLM |
| Group Policy scope | Local Security Policy only | Domain GPOs plus Local Policy |
| Common failure mode | Corrupt local profile or password mismatch | Unreachable DC, corrupt domain profile, or denied logon right |
| Recovery method | Boot to Safe Mode, delete profile | Boot to Safe Mode, check DC connectivity, delete profile, verify GPO |
You can now identify and resolve the Welcome-to-logout loop on your domain-joined Windows 11 PC. Start by booting into Safe Mode with Networking, then delete the corrupt user profile from the Registry and the Users folder. If the issue persists, verify the Interactive Logon rights in Local Security Policy and confirm domain controller connectivity with nltest. As an advanced step, consider running a System Restore from a point before the problem began to revert any Group Policy or system file changes that triggered the loop.