This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user. If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. Vulnerability: Enabling or not configuring this setting can compromise security as the device will automatically sign-in the last interactive user after Windows Update restarts the system, which a malicious agent could use to attack the device and network and may be contrary to your organization's security requirements. Counter Measure: Disable this setting Potential Impact: The device does not automatically sign-in after a Windows Update restart. Fix: (1) GPO: Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Logon OptionsSign-in last interactive user automatically after a system-initiated restart (2) REG: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystem!DisableAutomaticRestartSignOn

[enable/disable]

(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Sign-in last interactive user automatically after a system-initiated restart (2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableAutomaticRestartSignOn