How to sign out users when Windows shuts down

If you share a Windows PC with others, you may have noticed that users may appear as signed in after you log in to the operating system. A click on the Start button and another click on the user profile icon may reveal this.

Should not Windows sign out users when the system is shut down? Windows used to to this prior to the release of the Fall Creators Update for Windows 10.

When you shut down Windows then, all users were signed out automatically. You may have gotten a prompt reminding you that users were still signed in, but you could shut down the system and all signed in users were signed out as part of the process.

This changed with the release of the Fall Creators Update for Windows 10 in 2017. All Windows releases since then behave in the same way, including Windows 11.

Microsoft’s explanation for the feature

Updates for Windows require user specific processes that need to run before the installation of the update completes. These require that users are signed-in.

Previously, users had to wait for the completion of these processes after update installations.

Winlogon automatic restart sign-on is the official name of the feature introduced in the Fall Creators Update. Microsoft describes what it does in the following way:

When Windows Update initiates an automatic reboot, ARSO extracts the currently logged in user’s derived credentials, persists it to disk, and configures Autologon for the user. Windows Update running as system with TCB privilege initiates the RPC call.

In other words: Windows copies the current user’s credentials, copies them to disk and enables automatic sign-in for the user. The user will be signed in automatically after the final update reboot. The device is locked to protect the user’s session.

Managed and unmanaged devices are treated differently. Managed devices need TPM 2.0, SecureBoot, and BitLocker. Device encryption is used on unmanaged devices, but it is not a requirement.

How to sign out all users on shutdown in Windows

Microsoft introduced a new option in the Fall Creators Update that triggers the functionality. It is enabled by default.

Here is how you change the behavior on Windows 11:

1. Select Start and then Settings.
2. Go to Accounts.
3. Select Sign-in options.
4. Scroll down to “additional settings”.
5. Toggle “Use my sign-in info to automatically finish setting up after an update” to Off.

The path is slightly different on Windows 10 devices. You need to go to Settings > Accounts > Sign-in Options instead. There you find the preference under Privacy.

All users are signed out when the system is shut down from that moment forward.

Group Policy

You may also make the change to the configuration using the Group Policy Editor (not on Home editions, and requires Windows 10 version 1903 or newer):

1. Open Start.
2. Type gpedit.msc and load the Group Policy Editor result.
3. Go to Computer Configuration > Administrative Templates > Windows Components > Windows sign in Options.
4. Double-click on Sign-in and lock last interactive user automatically after a restart.
5. Set the policy to Disabled.
6. Close the Group Policy Editor.
7. Restart the PC.

Registry

You can also make the change in the Registry. This works on Home editions as well:

1. Open Start.
2. Type regedit.exe and select the Registry Editor result.
3. Confirm the UAC prompt with “yes”.
4. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
5. If the Dword DisableAutomaticRestartSignOn does not exist, do the following:
   • Right-click on System and select New > Dword (32-bit) Value.
   • Name it DisableAutomaticRestartSignOn.
6. Double-click on DisableAutomaticRestartSignOn and set its value to 1 to disable the feature.
7. Restart the PC.