Configuring shared multi-user devices

This week is all about a recently introduced profile in Microsoft Intune to configure shared PC mode on a Windows 10 device. That profile is named Shared multi-user device profile. Something similar has already been available for a while via Intune for Education. The main use case for this profile is school devices that are shared between multiple students. In this post I’ll provide a brief introduction to shared PC mode, followed by the configuration (and the configuration options) of the Shared multi-user device profile. I’ll end this post by looking at the end-user experience.

Introduction

Let’s start with a short introduction about shared PC mode and immediately address the main use case. Shared PC mode is designed to be management- and maintenance-free with high reliability. A good example of devices that benefit from shared PC mode are school devices. These devices are typically shared between many students. By using the Shared multi-user device profile, the Intune administrator can turn on the shared PC mode feature to allow one user at a time. In that case, students can’t switch between different signed-in accounts on the shared device. When the student signs out, the administrator can also choose to remove all user-specific settings.

End-users can sign in to these shared devices with a guest account. After users sign in, the credentials are cached. As they use the shared device, end-users only get access to features that are allowed by the administrator. For example, the administrator can choose when the shared device goes into sleep mode, whether users can see and save files locally, whether power management settings are enabled or disabled, and much more. Administrators also control whether the guest account is deleted when the user signs off, or whether inactive accounts are deleted when a threshold is reached.

Configuration

Now that it’s known what the main use case is of the Shared multi-user device profile, let’s have a look at its configuration. The following four steps walk through the creation of the Shared multi-user device profile, including a short explanation of the different configuration options. After the creation of the profile, it can be assigned to a user and/or device group (just like any other profile).

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles to open the Device configuration – Profiles blade;
2 On the Device configuration – Profiles blade, click Create profile to open the Create profile blade;
3a On the Create profile blade, provide the following information and click Settings to open the Shared multi-user blade;

  • Name: Provide a valid name for the profile;
  • Description: (Optional) Provide a description for the profile;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Shared multi-user device;
  • Settings: See step 3b;
3b On the Shared multi-user device blade, provide the following configuration and click OK to return to the Create profile blade (see screenshot below);

  • Share PC mode: Select Enable to turn on shared PC mode. In shared PC mode, only one user can sign in to the device at a time. Another user can’t sign in until the first user signs out;
  • Guest account: Select Guest to create a guest account locally on the device that will be shown on the sign-in screen. These guest accounts don’t require any user credentials or authentication. Each time this account is used, a new local account is created;
  • Account management: Select Enable to turn on automatic deletion of accounts created by guests. These accounts will be deleted based on the account deletion configuration;
  • Account deletion: Select Immediately after log-out to make sure that created guest accounts are deleted immediately after log-out;
  • Local Storage: Select Disabled to prevent users from saving and viewing files on the hard drive of the device;
  • Power Policies: Select Enabled to prevent users from turning off hibernation, overriding all sleep actions, and changing the power settings;
  • Sleep time out (in seconds): Enter 60 (or any other value between 0 and 100) as the number of inactive seconds before the device goes into sleep mode;
  • Sign-in when PC wakes: Select Disabled to make sure that users don’t have to enter their username and password (they can use the guest account);
  • Maintenance start time (in minutes from midnight): Can be used to enter the time in minutes (0-1440) when automatic maintenance tasks, such as Windows Update, run.
  • Education policies: Select Enabled to use the recommended settings for devices used in schools, which are more restrictive. These settings are documented here;
4 Back on the Create profile blade, click Create.

Note: Besides configuring Windows Update, it is not recommended to set additional policies on devices configured with shared PC mode. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required.
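
One way to check on a device that the settings from step 3b actually applied, as an added example that is not part of the original post. It assumes the profile surfaces through the MDM_SharedPC WMI class of the SharedPC CSP and that the Intune labels map to its properties as commented; the function name Compare-SharedPcSetting and the sample object are hypothetical.

```powershell
# Expected values mirror step 3b of this post. Property names are those of the
# MDM_SharedPC class; the label-to-property mapping is an assumption of this example.
$expected = [ordered]@{
    EnableSharedPCMode   = $true   # Share PC mode: Enable
    EnableAccountManager = $true   # Account management: Enable
    AccountModel         = 0       # Guest account: Guest (0 = guest only)
    DeletionPolicy       = 0       # Account deletion: Immediately after log-out
    RestrictLocalStorage = $true   # Local Storage: Disabled
    SetPowerPolicies     = $true   # Power Policies: Enabled
    SleepTimeout         = 60      # Sleep time out (in seconds)
    SignInOnResume       = $false  # Sign-in when PC wakes: Disabled
    SetEduPolicies       = $true   # Education policies: Enabled
}

function Compare-SharedPcSetting {
    # Returns one object per setting that is missing or differs from the expected value.
    param(
        [Parameter(Mandatory)] $Actual,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($name in $Expected.Keys) {
        $prop  = $Actual.PSObject.Properties[$name]
        $value = if ($prop) { $prop.Value } else { $null }
        # A missing property counts as drift, not as "false".
        if ($null -eq $prop -or $value -ne $Expected[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = $value
            }
        }
    }
}

# Constructed sample standing in for a device where local storage was left open
# and the sleep timeout was never delivered.
$sample = [pscustomobject]@{
    EnableSharedPCMode = $true; EnableAccountManager = $true; AccountModel = 0
    DeletionPolicy = 0; RestrictLocalStorage = $false; SetPowerPolicies = $true
    SignInOnResume = $false; SetEduPolicies = $true
}
$drift = @(Compare-SharedPcSetting -Actual $sample -Expected $expected)
$drift | Format-Table -AutoSize

# On a managed device, from an elevated session (the MDM bridge may need SYSTEM context):
# $actual = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC'
# Compare-SharedPcSetting -Actual $actual -Expected $expected
```

An empty result means the device matches the profile; any row returned is a setting to investigate before the device is handed to guest users.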

End-user experience

Let’s end this post by looking at the end-user experience after assigning the Shared multi-user device profile. The first thing the end-user will notice is that they can click on the guest user account icon and simply click sign-in. No password will be required.


Once logged on to the device, there are many places to look for a limited experience and specific configurations. I chose to show an important configuration related to the guest account and a few configurations related to the options available to the end-user. Below on the right is an example of the guest accounts that are created. Every time the user logs off, the account will be disabled and a new account will be created. Below on the left and on the bottom are two examples related to permissions. It shows that the guest user can’t access the local C-drive and the Control Panel. It also confirms a statement at the beginning of this post; the main use case is schools. It clearly shows in the messages.


More information

For more information regarding Windows 10 shared multi-user devices and configuring those devices in Microsoft Intune, please refer to the following articles:

59 thoughts on “Configuring shared multi-user devices”

  1. How about OneDrive and shared multi user device. Can you lock a device for the C-drive but OneDrive is still available?

    Reply
  2. Hi Peter, how would this work from a licensing view point. Since the user would not be getting any intune user policy would you recommend licensing the user or the device?

    Reply
  3. We have some devices we need to set up with shared-pc mode.
    The users want to sync their own OneDrive.
    Is this possible with custom shared-pc?

    Reply
  4. Hi Peter,
    Are the apps accessible to all users on a sharedPC?

    I distribute a specific exe/MSI standalone application to a user using MDM on a shared pc and is installed. When the first user logs out and the next user logs in, will the second user have access to the app that was distributed to user 1 and installed by him?

    Reply
  5. What would be your suggestion for this scenario? I have set up the shared device profile and the self deploying autopilot profile however the autopilot profile is unable to assign because the pc doesn’t have tpm 2.0 chip in it. So when the device is wiped what would be the best way to join that device to Azure because if we use a standard user account I believe the device will be assigned to that user which we wouldn’t want since it’s a shared pc.

    Reply
  6. Update – I have gone with the Multi-App SelfDeploying Kiosk mode for my solution. I do wish I could leverage the account maintenance with my Kiosk account (delete/re-create on log out and maintenance etc) but it does not appear to be possible (no effect applying shared pc mode after or with Kiosk mode).

    Thanks for the great articles!
    Cheers

    Reply
  7. We are seeing that licensed users with full domain accounts log into Shared Devices cannot use OneDrive, it either does not load or when run as admin causes a “Blocked” message. Where can we change this config? Can see no options via Azure Portal to Block Apps or Unblock them – we do no blocking of OneDrive on our network but it has enabled somehow for these users.

    Is this by design? Please advise where I can change this configuration. Thanks!

    Reply
  8. Hi Oli & Peter,

    I have just experienced the same issue with a test deployment of Multi-User Devices via an Autopilot rollout. It appears that even when leveraging the new Per Machine Install of OneDrive, the users cannot load the OneDrive App. I did notice that the old OneDrive for Business (Groove.exe) does operate however this is a legacy application and does not support Known Folder Move, Autoconfiguration and other InTune based ADMX configurations, which is not ideal.

    From what I can see from other discussions and Microsoft documentation is that only Windows 10 VDA via Azure or VDI with persistent profiles is supported. This would, I believe, rule out Multi-User Devices.

    Happy for your thoughts, experiences and knowledge, as I hope I am incorrect with these findings.

    Best Regards,
    Brad Vander Reest

    Reply
  9. Hi ,

    I have come across a scenario to migrate from Workspace ONE to Intune where iPads and Android devices are shared between multiple users. Please suggest if Intune supports this scenario and whether we can configure devices in Shared Mode.

    Regards
    MSB

    Reply
  10. Shared PC could be great but why have MS blocked OneDrive! It’s nuts.
    Now I’ve basically re-created most of the shared pc manually.
    Let’s hope this changes in the future.

    Reply
  11. @Joe Matthews. Did you manage to get a work around for getting OD working on a shared PC? I can’t believe this doesn’t appear to work

    Reply
  12. OneDrive for Business is blocked by default in the Shared PC config. You can enable it by using a powershell script which adds the DWORD ‘DisableFileSyncNGSC’.

    # Author: Revesh Manbodh
    # This script will enable OneDrive for Business.
    # DisableFileSyncNGSC: value 1 blocks OneDrive sync | value 0 allows it

    $registryPath = "HKLM:\Software\Policies\Microsoft\Windows\OneDrive"
    $name = "DisableFileSyncNGSC"
    $value = 0
    # Create the policy key if it does not exist yet
    if (!(Test-Path $registryPath)) {
        New-Item -Path $registryPath -Force | Out-Null
    }
    # Create or overwrite the DWORD value
    New-ItemProperty -Path $registryPath -Name $name -Value $value `
        -PropertyType DWORD -Force | Out-Null

    Reply
  13. Hello Peter,

    Do you have a solution for printing? For guest users we want to add a printer automatically. How do you manage this?

    Thank you,

    Wietse

    Reply
  14. Hi Peter,

    I’ve enabled these features through Intune on some devices, major issue that I’m currently facing is that the computer isn’t responding to the shutdown & restart button in the start menu anymore. The only way the shutdown works is by doing this from PowerShell (restart-computer -Force). Pressing ALT+F4 also works, the shutdown window notifies me about other users being logged in and after that I’m able to continue anyway.

    Is this expected behaviour?

    Reply
  15. Hi Peter,

    You mention “Power Policies: Select Disabled to prevent users from turning off hibernation, overriding all sleep actions, and changing the power settings”

    Should that not be set to Enabled to have the mentioned restrictions applied?

    Also it appears the “Sleep time out (in seconds)” setting is ambiguous in its description and function. There is a discussion going on about this here: https://github.com/MicrosoftDocs/IntuneDocs/issues/2916

    Dan

    Reply
  16. I don’t get it and this is mainly due to the completely confusing documentation from Microsoft. Do I understand that it is not possible to manage policies for deleting the local guest accounts independently from the cloud-based Azure user accounts? For example, why can’t I set up policies so that guest accounts are always deleted immediately after logging off, but Azure user accounts are only deleted after the hard drive has become 90% full? If I set that the guest accounts should be deleted immediately after logging off, I lose the ability to make settings for the other cloud-based user accounts. Also, it seems that the Azure user accounts are not deleted after logging out, but only the guest accounts, which I find even more confusing. Am I getting something wrong here? What do you think?

    Reply
  17. Hi Peter, thanks a lot. But which rules are applied to the Azure Accounts then? What happens, if C:\ runs out of space, are there any automatic deletions then?! Is there anybody who tested this?

    Reply
  18. Hi Peter, great tutorial and thank you for providing a good explanation of some of the features. I may be asking a silly question and I’d like to apologise in advance if I’ve completely missed the boat here, but I have the following scenario and I’m not 100% sure which way to set it up.

    We have a small team of 15 users, each with their own managed W10 PC. Everything works as expected. However, sometimes some of the team travel and take one of the company laptops with them. We have 4 which are shared among the staff. People simply grab one when they need it and put it back when they’re done.

    Could you please advise me if a shared policy on the laptops is the right way to deal with this. The laptops are shared, but a Guest account would never be used (or set up) because the only people using them would be staff via AzureAD. If a shared policy is the correct way to go: how would you configure it? If not, could you please advise.

    Hopefully this makes sense and any help and advice would greatly be appreciated.

    Thank you

    Reply
  19. Hi Peter,

    Great article. From what I understand this functionality is mainly targeted at guest and multi user devices, however I am wondering if this is also applicable for the following scenario:
    I have a compliant MacBook that is registered with my user account. However, when I log in with an admin account AAD refuses access because the device is not registered with this particular admin account.

    Is there also a way to create some kind of “dual login” for a user account and an admin account?

    Thanks, Kees

    Reply
  20. Hi Peter,

    Thanks for your answer, I understand. I think I will just drop the question at Microsoft and hear what they say.
    There is not very much to find regarding this topic on the internet. 😉

    Reply
  21. Peter,
    Our Shared PC config would be used in a classroom setting, where a device could be grabbed by any student, used for an hour, and logged out. I think this was the original intent of the profile from Microsoft’s perspective. All logins are Microsoft AAD logins. No guest accounts are used. OneDrive functionality is needed for all. The local profiles are not removed at logout as expected or is that expectation incorrect? Also the company portal is not functional for user2 through user999 – only the first user. How can I make this more functional for every student? Thanks!

    Reply
  22. Hi Peter

    I have the same issue as PattyR. Shared PC policy is in place with the following:

    Shared PC mode: Enable
    Local Storage: Enabled
    Power Policies: Enabled
    Sign-in when PC wakes: Enabled
    Education policies: Disabled

    Yet any user outside the user that enrolled the device cannot access anything in the Company Portal. The portal displays a message of, ‘This device is already assigned to someone in your organisation. Contact company support about becoming the primary user. You can continue to use Company Portal but functionality will be limited.’

    Reply
  23. Can a kiosk profile and a multi user share profile be applied on a single device?
    And if possible please share any article as per your answer.
    Thanks

    Reply
  24. Hi Peter,

    first of all, thanks for the amazing posts regarding Intune. I really have gotten a lot of information from your site which helped me further in our Intune-quest.

    I do have a question for you regarding this post.
    I’ve set up multi-user in EM+S for our regular desktops. These are so called flexible work machines. What I do notice is that when I log off the Guest account on a machine with that policy and log on with our DEM (admin) account it has the same restricted access as the Guest account. So I cannot open File Explorer or open the Control Panel. I would have expected that this should be possible because I use an Admin account to log on to this machine. What are your thoughts about this? Is this normal or should I have more local rights when I log on with the DEM account?

    Thank you for your reply.

    Reply
  25. Hi Peter, thanks for this article. This is 100% what I need to configure in my school.

    2 questions:
    At each connection, a new profile directory is created under C:\Users (shpctac0fff8, shpctac0fff9, etc).
    In your article, you say that the account is disabled at each logoff but it is not deleted. And it takes about 250 Mb.
    I expected these directories to be deleted automatically at logoff but it seems it is not the case.
    In our school, a lot of different people will use these shared computers. A directory like shpctac0fff8 takes about 250 Mb.
    If there are 20 different sessions created a day, it makes 20 x 250 Mb = 5Gb a day.
    After one month the disk will be full.
    This is strange because in the configuration profile, I configured it to have the account deleted at logoff.
    Did I miss something? How to force the deletion of these profile directories? Or maybe it is deleted during maintenance? Or at the next reboot after maintenance? Can you clarify this?

    In the configuration profile, I selected ‘guest account and Domain accounts’. I see that it is not possible to connect with my Domain account anymore. Is it not the goal of this option?

    Thanks for your help,
    Laurent Gousenbourger

    Reply
  26. Hello Peter

    Thanks for this post.
    I have now implemented it and it works pretty well.

    But I have the problem, that the customer need to use the Office 365 Apps (Word,PowerPoint).
    So, is there a possibility to activate Office? If I register Office with an Account it got saved in the userprofile and on the next logoff it got deleted because of the guest rule. Do you manage this?

    Thanks
    Noah

    Reply
