The Windows features I am covering in this article give the following end-user benefits:
- Improved user experience by:
  - having the applications that were open prior to a restart automatically opened again after the restart.
  - increasing productivity by letting users continue their work instantly after their device has been patched.
- Reduced risk of data loss in applications in case of an (unexpected) device restart.
Introduction to restartable applications
Windows 11 (and Windows 10) offers a feature that saves a user's restartable apps and starts them again automatically when the user signs back in after a device restart. This enhances productivity by ensuring that users can quickly resume their work after a restart, and in some applications also get back potentially unsaved data.
Examples of some of the most common and popular applications
The table below lists which applications are automatically restarted by default when you enable the setting “Automatically save my restartable apps and restart them when I sign back in”. The rightmost column notes what the user experience is if you instead manually enable each application to “survive” a device restart.
Application | Automatically restarted | Unsaved data restored | Manual activation of “Register this program for restart” * |
Adobe Acrobat Reader | ❌ | – | Application restarted but files do not re-open and thereby no data is restored (for instance in PDF forms). |
Adobe Photoshop | ❌ | – | Application restarted but does not remember open file. |
GitHub Desktop | ❌ | – | Application not restarted. |
Google Chrome | ✅ | N/A | N/A |
Microsoft 365 Apps (Outlook, Word, Excel, OneNote etc.) | ✅ | ✅ (partly Microsoft 365 Apps feature) | N/A |
Microsoft Edge | ✅ | N/A | N/A |
Microsoft Notepad | ✅ | ✅ (Notepad feature) | N/A |
Microsoft Paint | ✅ | ✅ | N/A |
Microsoft PowerShell ISE | ✅ | ✅ (PowerShell ISE feature) | N/A |
Microsoft Registry Editor | ✅ | N/A | N/A |
Mozilla Firefox | ✅ | N/A | N/A |
Outlook (new) | ✅ | ✅ | N/A |
Spotify (Store app) | ✅ | N/A | N/A |
WhatsApp (Store app) | ✅ | N/A | N/A |
Wireshark | ❌ | – | Application restarted but does not remember unsaved state. |
Visual Studio Code | ❌ | – | Application restarted and data restored. |
VLC Player (MSI install) | ❌ | – | Application restarted but does not remember open file. |
Zoom Workplace | ❌ | – | Application restarted. |
* Right-click an EXE file, choose Properties > Compatibility, and then check Register this program for restart.
Although some applications have their own mechanisms to recover data after the application is “killed”, enabling the re-launch setting to some extent increases the chances of recovering and saving the data that was being worked on.
For manual testing and verification, the settings in focus in this blog post are found in Settings > Accounts > Sign-in options.
Configure “Automatically save my restartable apps and restart them when I sign back in” via Intune
Configuring this setting centrally via Intune ensures that all users in an organization benefit from this feature without needing to configure it manually.
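Create the following as a PowerShell script and push it out via Intune as a Script (make sure it is deployed in user context, as it writes to HKEY_CURRENT_USER):

```powershell
# Per-user setting: must run in user context because it writes to HKEY_CURRENT_USER
$Path  = "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$Name  = "RestartApps"
$Type  = "DWord"
$Value = 1

# Create the key if it does not exist yet, then enable the setting
if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
```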
Additional user experience improvement by enabling automatic sign-in after Windows patching
ARSO (Automatic Restart Sign-On) has been around for many years but is unknown to most Windows users and admins. This feature basically means that whenever you have installed Windows patches and the device reboots, the currently logged in user’s credentials will (securely) be used to automatically log the user in after reboot, while locking the screen.
The user experience gain is obvious. Whenever a patch reboot happens, many users tend to perform other tasks or simply grab a coffee. When ARSO is enabled and the user gets back, they do not have to wait for everything to load before being able to use the device and can start working instantly.
This feature in combination with enabling “Automatically save my restartable apps and restart them when I sign back in” makes the user experience even better.
Configure Automatic Restart Sign-On via Intune
The Automatic Restart Sign-On settings are available in the Settings catalog as these two settings:
- Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot.
- Sign-in and lock last interactive user automatically after a restart.
Note: The sub-setting “Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot (Devices)” will enable you to use this mode only if BitLocker is in Enabled state.
More information about this: Winlogon automatic restart sign-on (ARSO) | Microsoft Learn
“Automatically save my restartable apps and restart them when I sign back in” is the equivalent of “shutdown /g”
The shutdown command has a “new” switch which is the /g switch:
Additional information and details on “Register this program for restart”
Let’s say you want an application to start again automatically after a reboot if it was running when the device was restarted. You can use central tools to push this out to all devices. What you need:
- Windows ADK (Download and install the Windows ADK | Microsoft Learn), specifically the “Application Compatibility Tools” within Windows ADK.
- Compatibility Administrator (32- or 64-bit, depending on the architecture of the application you are building the compat fix for). Per EXE, you can use “RegisterAppRestart”, which is the equivalent of checking this on an EXE file by going to Properties > Compatibility.
- Distribute the database/compatibility shim and apply it using the good old sdbinst.exe command.
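One way to carry out and verify the last step, as an added example that is not from the original post: it installs the database with sdbinst.exe and then lists every custom compatibility database registered on the device, so the deployment can be confirmed and unexpected entries spotted. The .sdb path is a hypothetical placeholder, and the InstalledSDB registry location is not mentioned in the article.

```powershell
# Added example: install a compatibility database and confirm it registered.
# $SdbPath is a hypothetical path to the .sdb built in Compatibility Administrator.
# Run elevated (for example in system context).
param([string]$SdbPath = 'C:\Deploy\RegisterAppRestart.sdb')

$installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

function Get-InstalledSdb {
    # One subkey per installed custom database, named by the database GUID.
    if (-not (Test-Path -Path $installedKey)) { return }
    Get-ChildItem -Path $installedKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
        }
    }
}

if (-not (Test-Path -Path $SdbPath -PathType Leaf)) { throw "Database not found: $SdbPath" }

# Snapshot the registered databases so the new one can be identified afterwards.
$before = @(Get-InstalledSdb | ForEach-Object Guid)

# sdbinst.exe -q installs quietly; Start-Process -Wait exposes the exit code.
$proc = Start-Process -FilePath "$env:SystemRoot\System32\sdbinst.exe" `
    -ArgumentList '-q', "`"$SdbPath`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "sdbinst.exe exited with code $($proc.ExitCode)" }

$added = @(Get-InstalledSdb | Where-Object { $_.Guid -notin $before })
if ($added.Count -eq 0) {
    Write-Warning 'No new database registered (it may already have been installed).'
}

# Full inventory: every entry here should map to a database you deployed.
Get-InstalledSdb | Sort-Object Description | Format-Table -AutoSize
```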
Security concerns?
In everything we do in IT configuration management today, we should think about how this potentially impacts our security posture. There are no exceptions to this, so let’s see what the implications can be by enabling these two features:
Automatically save my restartable apps and restart them when I sign back in
Enabling this feature could pose a risk, as it could be used by malicious persons to achieve persistence on a device. Similar examples are available in the MITRE framework: Persistence, Tactic TA0003 – Enterprise | MITRE ATT&CK®. Always do your own assessment.
Sign-in and lock last interactive user automatically after a restart
User credentials are stored on disk temporarily, which could be a concern. Microsoft has some security recommendations in its ARSO documentation but, like I mentioned, do your own assessment. Yes, any device can potentially be stolen. Does this mean that ARSO increases the risk of compromise, or makes the device or credentials easier to compromise? In the case of a stolen device, there are other concerns, assumptions and measures you would act on, so back to the question: does ARSO increase the risk of compromise? Not necessarily! As always, using BitLocker with PIN will mitigate quite a few attack vectors.
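To support that assessment, a read-only check of the state discussed in this section, added here as an example rather than the author's script: it reports RestartApps, the ARSO policy values, and whether BitLocker is on with a PIN protector. The ARSO registry value names (DisableAutomaticRestartSignOn, AutomaticRestartSignOnConfig) come from Microsoft's ARSO documentation, not from this article.

```powershell
# Added example: read-only audit of the two features discussed in this article.
# Run as the signed-in user; the BitLocker check needs an elevated session.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$winlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption: registry location documented by Microsoft for the ARSO policy.
$policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$restartApps = Get-RegValue $winlogon 'RestartApps'
$arsoDisable = Get-RegValue $policy 'DisableAutomaticRestartSignOn'
$arsoConfig  = Get-RegValue $policy 'AutomaticRestartSignOnConfig'

# BitLocker state of the OS volume, and whether a PIN protector is present.
$protection = 'Unknown'; $hasPin = $null
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $protection = [string]$vol.ProtectionStatus
    $hasPin = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'TpmPin*' })
} catch {
    Write-Warning "BitLocker state not readable: $($_.Exception.Message)"
}

$arsoState = if ($arsoDisable -eq 0) { 'Enabled by policy' }
    elseif ($arsoDisable -eq 1) { 'Disabled by policy' }
    else { 'Not configured (OS default applies)' }
$arsoMode = if ($arsoConfig -eq 0) { 'Only if BitLocker is enabled' }
    elseif ($arsoConfig -eq 1) { 'Always' }
    else { 'Not configured' }

$findings = @()
if ($arsoDisable -ne 1 -and $arsoConfig -eq 1 -and $protection -ne 'On') {
    $findings += 'ARSO mode is "Always" but BitLocker protection is not confirmed On.'
}
if ($arsoDisable -ne 1 -and $hasPin -eq $false) {
    $findings += 'ARSO is not disabled by policy and the OS volume has no PIN protector.'
}

[pscustomobject]@{
    RestartApps = if ($restartApps -eq 1) { 'Enabled' } else { 'Disabled or not set' }
    ARSO        = $arsoState
    ARSOMode    = $arsoMode
    BitLocker   = $protection
    TpmPin      = $hasPin
    Findings    = $findings -join ' '
}
```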
Summary
Enabling “Automatically save my restartable apps and restart them when I sign back in” and “Sign-in and lock last interactive user automatically after a restart” will save time for everyone using a Windows device and at the same time reduce the risk of data loss. Now, if only more applications could support it.