Configuring shared multi-user devices

This week is all about a recently introduced profile in Microsoft Intune to configure shared PC mode on a Windows 10 device. That profile is named Shared multi-user device profile. Something similar has already been available for a while via Intune for Education. The main use case for this profile is school devices that are shared between multiple students. In this post I’ll provide a brief introduction to shared PC mode, followed by the configuration (and the configuration options) of the Shared multi-user device profile. I’ll end this post by looking at the end-user experience.

Introduction

Let’s start with a short introduction about shared PC mode and immediately address the main use case. Shared PC mode is designed to be management- and maintenance-free with high reliability. A good example of devices that benefit from shared PC mode are school devices. These devices are typically shared between many students. By using the Shared multi-user device profile, the Intune administrator can turn on the shared PC mode feature to allow one user at a time. In that case, students can’t switch between different signed-in accounts on the shared device. When the student signs out, the administrator can also choose to remove all user-specific settings.

End-users can sign in to these shared devices with a guest account. After users sign in, the credentials are cached. As they use the shared device, end-users only get access to features that are allowed by the administrator. For example, the administrator can choose when the shared device goes into sleep mode, the administrator can choose if users can see and save files locally, the administrator can enable or disable power management settings, and much more. Administrators also control if the guest account is deleted when the user signs off, or if inactive accounts are deleted when a threshold is reached.

Configuration

Now that it’s known what the main use case is of the Shared multi-user device profile, let’s have a look at the configuration of that profile. The following four steps walk through the creation of the Shared multi-user device profile, including a short explanation of the different configuration options. After the creation of the profile, it can be assigned to a user and/or device group (just like any other profile).

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles to open the Device configuration – Profiles blade;
2 On the Device configuration – Profiles blade, click Create profile to open the Create profile blade;
3a On the Create profile blade, provide the following information and click Settings to open the Shared multi-user blade;

  • Name: Provide a valid name for the profile;
  • Description: (Optional) Provide a description for the profile;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Shared multi-user device;
  • Settings: See step 3b;
3b On the Shared multi-user device blade, provide the following configuration and click OK to return to the Create profile blade (see screenshot below);

  • Share PC mode: Select Enable to turn on shared PC mode. In shared PC mode, only one user can sign in to the device at a time. Another user can’t sign in until the first user signs out;
  • Guest account: Select Guest to create a guest account locally on the device that will be shown on the sign-in screen. These guest accounts don’t require any user credentials or authentication. Each time this account is used, a new local account is created;
  • Account management: Select Enable to turn on automatic deletion of accounts created by guests. These accounts will be deleted based on the account deletion configuration;
  • Account deletion: Select Immediately after log-out to make sure that created guest accounts are deleted immediately after log-out;
  • Local Storage: Select Disabled to prevent users from saving and viewing files on the hard drive of the device;
  • Power Policies: Select Enabled to prevent users from turning off hibernation, overriding all sleep actions, and changing the power settings;
  • Sleep time out (in seconds): Enter 60 (or any other value between 0 and 100) as the number of inactive seconds before the device goes into sleep mode;
  • Sign-in when PC wakes: Select Disabled to make sure that users don’t have to enter their username and password (they can use the guest account);
  • Maintenance start time (in minutes from midnight): Can be used to enter the time in minutes (0-1440) when automatic maintenance tasks, such as Windows Update, run.
  • Education policies: Select Enabled to use the recommended settings for devices used in schools, which are more restrictive. These settings are documented here;
4 Back on the Create profile blade, click Create.

Note: Besides configuring Windows Update, it is not recommended to set additional policies on devices configured with shared PC mode. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required.
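To check that a device actually received the values from step 3b, the settings can be read back and compared. The following is an added example, not part of the original post or of Intune itself: the function name Compare-SharedPcConfig and the sample device object are constructed for illustration, and the mapping from the portal options to the properties of the MDM_SharedPC WMI bridge class (SharedPC CSP) is an assumption based on that CSP’s documented values.

```powershell
# Expected values for the profile from step 3b, expressed as MDM_SharedPC properties.
# The portal-option-to-property mapping in the comments is an assumption of this example.
$expected = [ordered]@{
    EnableSharedPCMode   = $true    # Shared PC mode: Enable
    AccountModel         = 0        # Guest account: Guest (0 = guest only)
    EnableAccountManager = $true    # Account management: Enable
    DeletionPolicy       = 0        # Account deletion: Immediately after log-out
    RestrictLocalStorage = $true    # Local Storage: Disabled
    SetPowerPolicies     = $true    # Power Policies: Enabled
    SleepTimeout         = 60       # Sleep time out (in seconds)
    SignInOnResume       = $false   # Sign-in when PC wakes: Disabled
    SetEduPolicies       = $true    # Education policies: Enabled
}

# Hypothetical helper: returns one row per setting with status OK, DRIFT or MISSING.
function Compare-SharedPcConfig {
    param(
        [Parameter(Mandatory)] $Actual,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($name in $Expected.Keys) {
        $prop   = $Actual.PSObject.Properties[$name]
        $status = if ($null -eq $prop) { 'MISSING' }
                  elseif ($prop.Value -ne $Expected[$name]) { 'DRIFT' }
                  else { 'OK' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($prop) { $prop.Value } else { $null }
            Status   = $status
        }
    }
}

# Constructed sample so the example runs offline: local storage is still
# allowed and the sleep timeout differs from the profile.
$sampleDevice = [pscustomobject]@{
    EnableSharedPCMode = $true;  AccountModel = 0;      EnableAccountManager = $true
    DeletionPolicy     = 0;      RestrictLocalStorage = $false
    SetPowerPolicies   = $true;  SleepTimeout = 300;    SignInOnResume = $false
    SetEduPolicies     = $true
}

# On a managed device, replace the sample with the live instance:
# $sampleDevice = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC'
Compare-SharedPcConfig -Actual $sampleDevice -Expected $expected |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

With the constructed sample, the table lists RestrictLocalStorage and SleepTimeout as DRIFT. Reading the live instance from the dmmap namespace typically has to be done in the SYSTEM context.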

End-user experience

Let’s end this post by looking at the end-user experience after assigning the Shared multi-user device profile. The first thing end-users will notice is that they can click on the guest user account icon and simply click sign-in. No password will be required.


Once logged on to the device, there are many places to look for a limited experience and specific configurations. I chose to show an important configuration related to the guest account and a few configurations related to the options available to the end-user. Below on the right is an example of the guest accounts that are created. Every time the user logs off, the account will be disabled and a new account will be created. Below on the left and on the bottom are two examples related to permissions. They show that the guest user can’t access the local C-drive and the Control Panel. They also confirm a statement at the beginning of this post: the main use case is schools. That clearly shows in the messages.


More information

For more information regarding Windows 10 shared multi-user devices and configuring those devices in Microsoft Intune, please refer to the following articles:

49 thoughts on “Configuring shared multi-user devices”

  1. How about OneDrive and shared multi user device. Can you lock a device for the C-drive but OneDrive is still available?

  2. Hi Peter, how would this work from a licensing view point. Since the user would not be getting any intune user policy would you recommend licensing the user or the device?

  3. We have some devices we need to set up with shared-pc mode.
    The users want to sync their own OneDrive.
    Is this possible with custom shared-pc?

  4. Hi Peter,
    Are the apps accessible to all users on a sharedPC?

    I distribute a specific exe/MSI standalone application to a user using MDM on a shared pc and is installed. When the first user logs out and the next user logs in, will the second user have access to the app that was distributed to user 1 and installed by him?

  5. What would be your suggestion for this scenario? I have set up the shared device profile and the self-deploying Autopilot profile; however, the Autopilot profile is unable to assign because the PC doesn’t have a TPM 2.0 chip in it. So when the device is wiped, what would be the best way to join that device to Azure? Because if we use a standard user account I believe the device will be assigned to that user, which we wouldn’t want since it’s a shared PC.

  6. Update – I have gone with the Multi-App SelfDeploying Kiosk mode for my solution. I do wish I could leverage the account maintenance with my Kiosk account (delete/re-create on log out and maintenance etc) but it does not appear to be possible (no effect applying shared pc mode after or with Kiosk mode).

    Thanks for the great articles!
    Cheers

  7. We are seeing that licensed users with full domain accounts log into Shared Devices cannot use OneDrive, it either does not load or when run as admin causes a “Blocked” message. Where can we change this config? Can see no options via Azure Portal to Block Apps or Unblock them – we do no blocking of OneDrive on our network but it has enabled somehow for these users.

    Is this by design? Please advise where I can change this configuration. Thanks!

  8. Hi Oli & Peter,

    I have just experienced the same issue with a test deployment of Multi-User Devices via an Autopilot rollout. It appears that even when leveraging the new Per Machine Install of OneDrive, the users cannot load the OneDrive App. I did notice that the old OneDrive for Business (Groove.exe) does operate however this is a legacy application and does not support Known Folder Move, Autoconfiguration and other InTune based ADMX configurations, which is not ideal.

    From what I can see from other discussions and Microsoft documentation, only Windows 10 VDA via Azure or VDI with persistent profiles is supported. This would, I believe, rule out Multi-User Devices.

    Happy for your thoughts, experiences and knowledge, as I hope I am incorrect with these findings.

    Best Regards,
    Brad Vander Reest

  9. Hi,

    I have come across a scenario to migrate from Workspace ONE to Intune where iPads and Android devices are shared between multiple users. Please suggest if Intune supports this scenario and whether we can configure devices in Shared Mode.

    Regards
    MSB

  10. Shared PC could be great but why have MS blocked OneDrive! It’s nuts.
    Now I’ve basically re-created most of the shared pc manually.
    Let’s hope this changes in the future.

  11. @Joe Matthews. Did you manage to get a work around for getting OD working on a shared PC? I can’t believe this doesn’t appear to work

  12. OneDrive for Business is blocked by default in the Shared PC config. You can enable it by using a PowerShell script which adds the DWORD ‘DisableFileSyncNGSC’.

    # Author: Revesh Manbodh
    # This script will enable OneDrive for Business.
    # DisableFileSyncNGSC: value 1 blocks OneDrive sync | value 0 allows it

    $registryPath = "HKLM:\Software\Policies\Microsoft\Windows\OneDrive"
    $Name = "DisableFileSyncNGSC"
    $value = 0

    # Create the policy key if it does not exist yet
    if (!(Test-Path $registryPath)) {
        New-Item -Path $registryPath -Force | Out-Null
    }

    # Create or overwrite the DWORD value
    New-ItemProperty -Path $registryPath -Name $Name -Value $value `
        -PropertyType DWORD -Force | Out-Null

  13. Revesh Manbodh I tried adding this in Intune but it fails to deploy the PowerShell script. Any ideas?

  14. Hello Peter,

    Do you have a solution for printing? For guest users we want to add a printer automatically. How do you manage this?

    Thank you,

    Wietse

  15. Hi Peter,

    I’ve enabled these features through Intune on some devices, major issue that I’m currently facing is that the computer isn’t responding to the shutdown & restart button in the start menu anymore. The only way the shutdown works is by doing this from PowerShell (restart-computer -Force). Pressing ALT+F4 also works, the shutdown window notifies me about other users being logged in and after that I’m able to continue anyway.

    Is this expected behaviour?

  16. Hi Peter,

    You mention “Power Policies: Select Disabled to prevent users from turning off hibernation, overriding all sleep actions, and changing the power settings”

    Should that not be set to Enabled to have the mentioned restrictions applied?

    Also it appears the “Sleep time out (in seconds)” setting is ambiguous in its description and function. There is a discussion going on about this here: https://github.com/MicrosoftDocs/IntuneDocs/issues/2916

    Dan

  17. I don’t get it and this is mainly due to the completely confusing documentation from Microsoft. Do I understand that it is not possible to manage policies for deleting the local guest accounts independently from the cloudbased Azure user accounts? For example, why can’t I set up policies so that guest accounts are always deleted immediately after logging off, but Azure user accounts are only deleted after the hard drive has become 90% full? If I set that the guest accounts should be deleted immediately after logging off, I lose the ability to make settings for the other cloud based user accounts. Also, it seems that the Azure user accounts are not deleted after logging out, but only the guest accounts, which I find even more confusing. Am I getting something wrong here? What do you think?

  18. Hi Peter, thanks a lot. But which rules are applied to the Azure Accounts then? What happens, if C:\ runs out of space, are there any automatic deletions then?! Is there anybody who tested this?

  19. Hi Peter, great tutorial and thank you for providing a good explanation of some of the features. I may be asking a silly question and I’d like to apologise in advance if I’ve completely missed the boat here, but I have the following scenario and I’m not 100% sure which way to set it up.

    We have a small team of 15 users, each with their own managed W10 PC. Everything works as expected. However, sometimes some of the team travel and take one of the company laptops with them. We have 4 which are shared among the staff. People simply grab one when they need it and put it back when they’re done.

    Could you please advise me if a shared policy on the laptops is the right way to deal with this. The laptops are shared, but a Guest account would never be used (or setup) because the only people using them would be staff via AzureAD. If a shared policy is the correct way to go: how would you configure it? It not, could you please advise.

    Hopefully this makes sense and any help and advice would greatly be appreciated.

    Thank you

  20. Hi Paul,
    Depends on what you want to achieve. When you want those users to have the best experience, the multi-user configuration might not be the best option.
    Regards, Peter

  21. Hi Peter,

    Great article. From what I understand this functionality is mainly targeted at guest and multi user devices, however I am wondering if this is also applicable for the following scenario:
    I have a compliant MacBook that is registered with my user account. However, when I log in with an admin account AAD refuses access because the device is not registered with this particular admin account.

    Is there also a way to create some kind of “dual login” for a user account and an admin account?

    Thanks, Kees

  22. Hi Peter,

    Thanks for your answer, I understand. I think I will just drop the question at Microsoft and hear what they say.
    There is not very much to find regarding this topic on the internet. 😉

  23. Peter,
    Our Shared PC config would be used in a classroom setting, where a device could be grabbed by any student, used for an hour, and logged out. I think this was the original intent of the profile from Microsoft’s perspective. All logins are Microsoft AAD logins. No guest accounts are used. OneDrive functionality is needed for all. The local profiles are not removed at logout as expected or is that expectation incorrect? Also the company portal is not functional for user2 through user999 – only the first user. How can I make this more functional for every student? Thanks!

  24. Hi Peter

    I have the same issue as PattyR. Shared PC policy is in place with the following:

    Shared PC mode: Enable
    Local Storage: Enabled
    Power Policies: Enabled
    Sign-in when PC wakes: Enabled
    Education policies: Disabled

    Yet any user outside the user that enrolled the device cannot access anything in the Company Portal. The portal displays a message of, ‘This device is already assigned to someone in your organisation. Contact company support about becoming the primary user. You can continue to use Company Portal but functionality will be limited.’

  25. Can a kiosk profile and a multi-user share profile be applied on a single device?
    And if possible, please share any article as per your answer.
    Thanks
