windows-itpro-docs/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md

title, description, ms.topic, ms.date

title	description	ms.topic	ms.date
Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune	Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune	how-to	06/01/2023

Disable Winlogon automatic restart sign-on (ARSO) for PDE

Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled.

Disable Winlogon automatic restart sign-on (ARSO) in Intune

To disable ARSO using Intune, follow the below steps:

1. Sign in to the Microsoft Intune admin center
2. In the Home screen, select Devices in the left pane
3. In the Devices | Overview screen, under Policy, select Configuration Profiles
4. In the Devices | Configuration profiles screen, make sure Profiles is selected at the top, and then select Create profile
5. In the Create profile window that opens:
   1. Under Platform, select Windows 10 and later
   2. Under Profile type, select Templates
   3. When the templates appear, under Template name, select Administrative templates
   4. Select Create to close the Create profile window.
6. The Create profile screen will open. In the Basics page:
   1. Next to Name, enter Disable ARSO
   2. Next to Description, enter a description
   3. Select Next
7. In the Configuration settings page:
   1. On the left pane of the page, make sure Computer Configuration is selected
   2. Under Setting name, scroll down and select Windows Components
   3. Under Setting name, scroll down and select Windows Logon Options. You may need to navigate between pages on the bottom right corner before finding the Windows Logon Options option
   4. Under Setting name of the Windows Logon Options pane, select Sign-in and lock last interactive user automatically after a restart
   5. In the Sign-in and lock last interactive user automatically after a restart window that opens, select Disabled, and then select OK
   6. Select Next
8. In the Scope tags page, configure if necessary and then select Next
9. In the Assignments page:
   1. Under Included groups, select Add groups

      Note

      Make sure to select Add groups under Included groups and not under Excluded groups. Accidentally adding the desired device groups under Excluded groups will result in those devices being excluded and they won't receive the configuration profile.

   2. In the Select groups to include window that opens, select the groups that the configuration profile should be assigned to, and then select Select to close the Select groups to include window
   3. Under Included groups > Groups, ensure the correct group(s) are selected, and then select Next
10. In Review + create page, review the configuration to make sure everything is configured correctly, and then select Create

Additional PDE configurations in Intune

The following PDE configurations can also be configured using Intune:

Prerequisites

• Enable Personal Data Encryption (PDE)

Security hardening recommendations

• Disable kernel-mode crash dumps and live dumps
• Disable Windows Error Reporting (WER)/user-mode crash dumps
• Disable hibernation
• Disable allowing users to select when a password is required when resuming from connected standby

More information

• Personal Data Encryption (PDE)
• Personal Data Encryption (PDE) FAQ