In many FIPS 140-2 certificates, Windows must be placed into FIPS 140 mode as well as run in "single user mode". I am familiar with the local/group policy objects to enable FIPS mode. However, "single user mode" is almost always written in quotations (as I have done). No specific setting exists in GPO to enable this mode, and I have not found any details which indicate how to enable this mode of operation.
The best I've been able to find is that this means only one interactive user at any given time. Thus, I believe it is not a requirement that there is only one user account on the O/S, but rather a series of things that need to be configured to prevent multiple simultaneous interactive users. The only thing I can think of that might affect this is to disable incoming RDP/Remote Assistant.
What needs to be configured to prevent multiple concurrent interactive users in Windows workstations and servers?
EDIT: As most enterprises cannot allow only a single local login, I am looking to understand what constitutes restricting the environment to a single interactive session while not restricting multiple -- though not logged-in -- accounts.