This is a collection of aka.ms links that take you straight to great Windows admin resources, covering Windows, Cloud PC, Azure Virtual Desktop, Surface and, of course, Intune. Enjoy! Use these links to quickly browse to more or less everyday admin tasks and save time.
This link guides you to enabling Entra Kerberos for single sign-on to on-premises resources with modern authentication (passkeys and Windows Hello for Business).
Microsoft Defender for Endpoint Configuration Analyzer tool
Direct link to download the tool that lets you check the configuration of the Microsoft Defender for Endpoint agent on your Windows devices. More about the tool at Microsoft Learn.
This link takes you straight to the Windows Update for Business reports, which are actually not hosted inside Intune but in Azure > Monitor > Workbooks > Windows Update for Business report.
The Windows features I am covering in this article will give the following end-user benefits.
Improved user experience by:
having the applications that were open prior to restart automatically opened again after restart.
increasing productivity by letting users continue their work instantly after Windows has been patched on their device.
Reducing the risk of data loss in applications in case of (unexpected) device restart.
Introduction to restartable applications
Windows 11 (and Windows 10) offers a feature that automatically restarts the apps that were running when the device restarted, once the user signs back in. This enhances productivity by ensuring that users can quickly resume their work after a restart, and in some applications also brings back potentially unsaved data.
Examples of some of the most common and popular applications
The table below lists which applications are automatically restarted by default when you enable the setting “Automatically save my restartable apps and restart them when I sign back in”. The rightmost column notes what happens if you manually enable an application to “survive” a device restart, and what the user experience is in that scenario.
Application | Automatically restarted | Unsaved data restored | Manual activation of “Register this program for restart” *
Adobe Acrobat Reader | ❌ | – | Application restarted but files do not re-open and thereby no data is restored (for instance in PDF forms).
Adobe Photoshop | ❌ | – | Application restarted but does not remember open file.
GitHub Desktop | ❌ | – | Application not restarted.
Google Chrome | ✅ | N/A | N/A
Microsoft 365 Apps (Outlook, Word, Excel, OneNote etc.) | ✅ | ✅ (partly a Microsoft 365 Apps feature) | N/A
Microsoft Edge | ✅ | N/A | N/A
Microsoft Notepad | ✅ | ✅ (Notepad feature) | N/A
Microsoft Paint | ✅ | ✅ | N/A
Microsoft PowerShell ISE | ✅ | ✅ (PowerShell ISE feature) | N/A
Microsoft Registry Editor | ✅ | N/A | N/A
Mozilla Firefox | ✅ | N/A | N/A
Outlook (new) | ✅ | ✅ | N/A
Spotify (Store app) | ✅ | N/A | N/A
WhatsApp (Store app) | ✅ | N/A | N/A
Wireshark | ❌ | – | Application restarted but does not remember unsaved state.
Visual Studio Code | ❌ | – | Application restarted and data restored.
VLC Player (MSI install) | ❌ | – | Application restarted but does not remember open file.
Zoom Workplace | ❌ | – | Application restarted.
* Right-click an EXE file, choose Properties > Compatibility, and check “Register this program for restart”.
Although some applications have their own mechanisms to recover data after the application is “killed”, enabling the re-launch setting increases, to some extent, the chances of recovering and saving the data that was being worked on.
The settings are found under Accounts > Sign-in options
For manual testing and verification, the settings this blog post focuses on are found in Settings > Accounts > Sign-in options.
Configure “Automatically save my restartable apps and restart them when I sign back in” via Intune
Configuring this setting centrally via Intune ensures that all users in an organization benefit from this feature without needing to configure it manually.
Create the following as a PowerShell script and push it out via Intune as a script (make sure it is deployed in user context, as it writes to HKEY_CURRENT_USER):
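As an added example (not the script from the post), here is a user-context PowerShell script that turns the toggle on and verifies the write, with exit codes Intune can report on. It assumes the setting is backed by the RestartApps DWORD under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which is the value the Settings page itself toggles.

```powershell
# Added example: enable "Automatically save my restartable apps and restart them
# when I sign back in" for the signed-in user. Assumption: the toggle is stored as
# the RestartApps DWORD (1 = on, 0 = off) under the per-user Winlogon key.
$keyPath   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$valueName = 'RestartApps'
$desired   = 1

function Get-RestartAppsState {
    # Returns $null if the value has never been written, otherwise 0 or 1.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

try {
    # The key normally exists, but create it if a stripped-down profile lacks it.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    $current = Get-RestartAppsState
    if ($current -eq $desired) {
        Write-Output "RestartApps already set to $desired, nothing to do."
    }
    else {
        # Set-ItemProperty creates the value when missing and overwrites it otherwise.
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $desired -Type DWord
        Write-Output "RestartApps set to $desired (previous value: $current)."
    }

    # Re-read so the script result reflects what is actually on disk, not what we intended.
    if ((Get-RestartAppsState) -ne $desired) {
        throw "Verification failed: RestartApps is not $desired after the write."
    }
    exit 0
}
catch {
    # A non-zero exit code surfaces as a failed script run in the Intune console.
    Write-Error $_
    exit 1
}
```

In the Intune script settings, set "Run this script using the logged on credentials" to Yes; otherwise HKCU resolves to the SYSTEM account's hive and the user's toggle stays unchanged.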
Additional user experience improvement with enabling Automatic Sign-in after Windows patching
ARSO (Automatic Restart Sign-On) has been around for many years but is unknown to most Windows users and admins. The feature basically means that whenever Windows patches have been installed and the device reboots, the currently logged-in user’s credentials are (securely) used to automatically log the user in after the reboot, with the screen locked.
The user experience gained is obvious. Whenever a patch reboot happens, many users tend to perform other tasks or simply take a coffee. When ARSO is enabled and the user gets back, he or she will not have to wait for everything to load before being able to use the device, and can start working instantly.
Combining this feature with “Automatically save my restartable apps and restart them when I sign back in” makes the user experience even better.
Configure Automatic Restart Sign-On via Intune
The Automatic Restart Sign-On settings are available in the Settings catalog as two settings:
Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot.
Sign-in and lock last interactive user automatically after a restart.
Note: The sub-setting “Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot (Devices)” will enable you to use this mode only if BitLocker is in Enabled state.
“Automatically save my restartable apps and restart them when I sign back in” is the equivalent of “shutdown /g“
The shutdown command has a “new” switch, /g:
Additional information and details on “Register this program for restart”
Let’s say you want an application to automatically start again after a reboot if it was running when the device was restarted; you can use central tools to push this out to all devices. What you need:
Use Compatibility Administrator (32- or 64-bit, depending on the architecture of the application you are building the compat fix for). Per EXE you can apply the “RegisterAppRestart” fix, which is the equivalent of checking the option on an EXE file under Properties > Compatibility.
Distribute the database (compatibility shim) and apply it using the good old sdbinst.exe command.
Security concerns?
In everything we do in IT configuration management today, we should think about how this potentially impacts our security posture. There are no exceptions to this, so let’s see what the implications can be by enabling these two features:
Automatically save my restartable apps and restart them then I sign back in
Enabling this feature could pose a risk, as it could be used by malicious actors to achieve persistence on a device. Similar examples are available in the MITRE framework, Persistence, Tactic TA0003 – Enterprise | MITRE ATT&CK®. Always do your own assessment.
Sign-in and lock last interactive user automatically after a restart
User credentials are stored on disk temporarily, so this could be a concern. Microsoft has some security recommendations in its ARSO documentation, but as I mentioned, do your own assessment. Yes, any device can potentially be stolen. Does this mean that ARSO increases the risk of compromise, or makes the device or credentials easier to compromise? In the case of a stolen device there are other concerns, assumptions and measures you would take action on, so back to the question: does ARSO increase the risk of compromise? Not necessarily! As always, using BitLocker with a PIN will mitigate quite a few attack vectors.
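An added, read-only audit script (not part of the post) that reports the state of both features next to the BitLocker status of the OS drive, so the assessment above can be made per device rather than in the abstract. It assumes the machine policy values DisableAutomaticRestartSignOn and AutomaticRestartSignOnConfig under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (written by the two ARSO policies) and the per-user RestartApps value, and it needs an elevated session for Get-BitLockerVolume.

```powershell
# Added example: audit restartable apps, ARSO policy and BitLocker on this device.
# Assumed value names: RestartApps (HKCU), DisableAutomaticRestartSignOn and
# AutomaticRestartSignOnConfig (HKLM policy key). Run from an elevated prompt.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RestartPostureReport {
    $userKey   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $restartApps  = Get-RegValueOrNull -Path $userKey   -Name 'RestartApps'
    $arsoDisabled = Get-RegValueOrNull -Path $policyKey -Name 'DisableAutomaticRestartSignOn'
    $arsoMode     = Get-RegValueOrNull -Path $policyKey -Name 'AutomaticRestartSignOnConfig'

    # ARSO is on unless the policy explicitly disables it (value 1).
    $arsoEnabled = ($arsoDisabled -ne 1)
    # Mode 0 (or unset) = only when BitLocker is on and not suspended; 1 = always.
    $arsoModeText = if ($arsoMode -eq 1) { 'Always' } else { 'Only when BitLocker is on and not suspended' }

    # BitLocker state of the OS volume; the post names BitLocker + PIN as the mitigation.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitlockerOn = ($null -ne $os -and $os.ProtectionStatus -eq 'On')
    $hasTpmPin = $false
    if ($null -ne $os) {
        $hasTpmPin = [bool]($os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' })
    }

    [pscustomobject]@{
        RestartAppsEnabled     = ($restartApps -eq 1)
        ArsoEnabled            = $arsoEnabled
        ArsoMode               = $arsoModeText
        OsDriveBitLockerOn     = $bitlockerOn
        OsDriveTpmPinProtector = $hasTpmPin
        # Flag the combination the post warns about: ARSO in use on an unencrypted OS drive.
        ReviewNeeded           = ($arsoEnabled -and -not $bitlockerOn)
    }
}

Get-RestartPostureReport | Format-List
```

RestartApps is a per-user value, so run the script as the user whose profile you are reviewing; the ARSO and BitLocker fields are device-wide and the same for every user.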
Summary
Enabling “Automatically save my restartable apps and restart them when I sign back in” and “Sign-in and lock last interactive user automatically after a restart” will save time for everyone using a Windows device, and at the same time reduce the risk of data loss. Now, if only more applications could support it.
This is a high-level summary of the specific needs, business impact and listing of current profile management options for your physical and virtual Windows 10 and 11 devices. The focus is how to get back to a state which can make you productive as soon as possible after a device reinstall or reset. This scenario of course also covers when you get a new device that replaces an older one.
Business impact
Most organizations have a policy that “we will troubleshoot a problem on a Windows device for X number of minutes, if we can’t solve it, let’s do a reinstall or reset”.
This might seem like a great policy that saves time for the service desk. But the numbers management does not see are how much time the service desk has to spend helping the user get back on track after the reinstall or reset. The same goes for when a user needs help transferring from one device to another as part of regular device renewal. The potential time-saver here is enormous. If the user can get to a state where everything they need is available instantly, the user can become productive much quicker.
A consequence of having everything brought back quickly is that not only can the user be productive quicker, but the user will be much more likely to agree to a reinstall or reset, knowing they can start working again without hassle. It might also mean you can reduce troubleshooting time from, say, 60 minutes down to 15 before doing a reinstall or reset. Overall a real time-saver and money-saver!
Needs and goals
High-level goals:
Getting back to a state where a user can start working as soon as possible after re-install or reset of the device, or even when switching device as part of hardware renewal.
“Everything back as it was” (more details on this below). I.e., the time the user needs to spend on getting back to a state that just works as before needs to be minimized.
Expanded description of goals:
All files and documents back as they were and accessible by user.
All required applications back as they were. (This is out of scope for this blog post as most organizations use ConfigMgr, Intune or a third-party software to deploy applications).
All relevant settings back:
Specific settings for line of business applications.
Outlook signatures and calendar settings etc.
Printers and printer settings.
Browser related settings, favorites, and history, including saved passwords.
Mapped SharePoint sites (Teams files) in File Explorer.
Settings for apps.
Solutions
Let’s have a look at what Microsoft technologies are available to solve the needs.
Personal files and documents
OneDrive for Business with Known Folder Move. If you have the possibility to use OneDrive for Business, this is the best solution out there. Make sure to set the GPO or MDM setting to silently configure OneDrive, so that your OneDrive folder is automatically available after a reinstall or reset. Also set the policy setting “Enable Known Folder Move” to make sure that the Desktop, Documents and Pictures folders are redirected to your OneDrive folder. Reality check: do you know anyone who does NOT save stuff they need on the desktop? :)
Work Folders (which I typically call the internal OneDrive). Setting up Work Folders is easy; the role has existed in Windows Server since 2012 R2, so it requires a Windows file server to set up and enable. Once you’ve set up Work Folders, use good old redirection of the Documents and Desktop folders (and maybe Pictures as well) pointing to the local Work Folders directory, just like it is done with Known Folder Move for OneDrive for Business.
Folder Redirection + Offline Files. Only two words: stay away! (And if you are already using it, migrate as soon as possible to OneDrive for Business or Work Folders.) For some organizations I have worked with I have made Offline Files opt-in, clearly stating the potential risks when opting in. Offline Files cause user problems and carry a very high risk of user data loss.
Common or shared files and documents
SharePoint Sites (Teams files directories). Many users prefer to work with SharePoint sites and Teams files by syncing them to work with the files in File Explorer. There is no official way of having these remapped automatically after a reinstall or reset of a Windows device.
Settings
User Experience Virtualization (UE-V). I have many times referred to UE-V as the best thing since sliced bread. It is a technology that was released about 10 years ago, with the intent to provide roaming of settings for Windows and applications (both Microsoft and any third party) using on-premises file shares. It also roams printers if you are not deploying those through other means.
Since Windows 10 version 1607 UE-V is integrated in the operating system. I’ve used UE-V quite a lot and this is a really good technology to get many settings back after a reinstall. In one case I could do a F12 reinstall of a Windows 10 device before going to lunch and after lunch I logged in and started working instantly, with all settings back. Those were the days!
Over time, as applications move to the apps world, UE-V has become less effective at its job. Also, since UE-V was added to Windows version 1607 it has not gotten much love from Microsoft; no development has been made for almost six years. It is still something most will benefit from, but it is sad to see that Microsoft does not care for it.
Enterprise State Roaming. At about the same time UE-V was integrated into Windows 10 we also saw the introduction of Enterprise State Roaming. This is a technology that uses the cloud (a private, protected and untouchable area in Azure) to store profile settings that roam with the user. For instance, the background image, Windows theme settings and some other things are roamed when enabling this through Azure AD. Sad to say, this feature is facing the same destiny as UE-V, with no new features or changes for the last six years or so.
In fact, with Windows 11 the number of settings that roam using Enterprise State Roaming has decreased, now only roaming passwords, some Windows settings, and language preferences.
FSLogix profiles. Microsoft bought FSLogix and with that obtained its profile technology. This is a container-based profile solution used primarily in remote Windows solutions such as Azure Virtual Desktop. Although it should be possible to use the technology on physical machines as well, I don’t have many details on this and haven’t tried it out myself. One reason for this is that FSLogix profiles require Active Directory and are not yet (as of January 2022) supported for Azure Active Directory, although this has been announced for the future.
Edge profile sync. The new and lovely Edge has profile sync with roaming built-in which is very much appreciated. Sign in with your school or work account and off you go! You’ll also find some additional information on Configure Microsoft Edge enterprise sync | Microsoft Docs.
Outlook settings roaming. Finally you can roam your email signature and a bunch of other settings to the cloud – without doing anything other than making sure this option is enabled. Take a look at Outlook roaming options to get more information about this one.
Note 1: Roaming profiles take care of both files and settings, but as with folder redirection and Offline Files: stay away from roaming profiles to make your life happier.
Note 2: Apps in Windows always store their configuration and user-specific data in a standardized location, C:\Users\%username%\AppData\Local\Packages\%AppName%\, which means Microsoft should be able to provide a supported way of roaming these settings.
What settings can you use?
Depending on how your Windows devices are managed you can use some or all of these technologies. This applies to Windows 10, Windows 11, Windows 365 and Azure Virtual Desktop. Note: not every technology below is supported for every physical and virtual use case.
Technology | Active Directory Joined | Hybrid Azure AD Joined | Azure AD Joined
User Experience Virtualization (UE-V) | Yes, pointing to file share | Yes, pointing to file share | Yes, pointing to OneDrive for Business local folder*
Enterprise State Roaming | No | Yes | Yes
FSLogix profiles | Yes | Yes | No (not supported yet)
Edge profile sync | Yes | Yes | Yes
Outlook settings roaming | Yes | Yes | Yes
Summary of what profile technologies are available for various Windows device join types.
Summary of what profile technologies are supported officially by Microsoft.
* Technically it will work, but likely not supported by Microsoft for Windows 365 nor Azure Virtual Desktop.
** Supported only for personal pools – not multi-session Windows 10 or 11, nor Windows Server.
*** For Azure Virtual Desktop, currently there is no support for Azure AD Joined devices.
Summary
With the existing Microsoft tools and technologies, you can reach a state where most of the stuff you want back actually is configured and brought back automatically. Getting the files and documents back is easy. Edge profile sync and Outlook settings roaming are a no-brainer and should be used by everyone.
UE-V and Enterprise State Roaming are not developed anymore, but they still serve a purpose and can be very useful for saving time, starting today, as they are very easy to get started with and have a very low implementation cost. FSLogix profiles are primarily intended for datacenter-hosted solutions.
Given these facts, there is a strong need for Microsoft to strengthen profile management to make it the true time-saver it can be. IT management would very much appreciate it, I can assure you. But the ones who would appreciate it the most are the end users!
This is one of the most mysterious problems I’ve encountered! Anyone who can provide input is more than welcome to ping me on Twitter or Teams, or help by entering some basic information in this form.
UPDATE September 6, 2022: Update the problem description as the Web sign-in setting is also causing problems using Cloud PC (Windows 365): “Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?”. See more below under “Problem #2”.
UPDATE July 6, 2022: A response from Microsoft leads to the root cause being Web sign-in being enabled, which is in preview (and has been for quite a few years) and is also unsupported. This still does not explain the extremely intermittent occurrence of the problem, but it is at least a great indicator and something to validate.
UPDATE July 5, 2022: Added this form to gather information and hopefully get to the root cause. Also, I’ve gotten indications of potential causes leading to the New User state, more below.
Problem #1
You restart your Windows 10 or Windows 11 device (Azure AD Joined + MEM/Intune enrolled) and after the restart, instead of displaying the last logged on user, the only account on the sign-in screen is an account named “New User”.
This happens extremely rarely, but I’ve seen it a few times. The “New User” comes from nowhere and if you click Switch user it just returns to the same view as below.
I have seen the problem a few times for multiple Windows 10 versions back to at least Windows 10 v1909, and on multiple devices from multiple vendors. Unfortunately I’ve seen it once on a Windows 11 device as well. The other day this problem hit a colleague of mine as well so it’s not just me :) .
Problem #2
Cloud PCs provisioned as part of Windows 365, in Azure AD Joined mode, show a message that another user is already signed in, every time the user logs in (even after a restart):
Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?
Cause
I’ve gotten reports (thanks to the community) of a response from Microsoft pointing to the root cause being Web sign-in being enabled, which is in preview (and has been for quite a few years) and is also unsupported.
This is also true for the environments where I have seen this problem occur, so this is the most likely cause of the “New User” phenomenon behind Problem #1!
For Problem #2 this setting is confirmed to be the problem, as that problem was very easy to reproduce!