Configuring shared multi-user devices

This week is all about a recently introduced profile in Microsoft Intune to configure shared PC mode on a Windows 10 device. That profile is named Shared multi-user device profile. Something similar has been available already for a while via Intune for Education. The main use case for this profile are school devices that are shared between multiple students. In this post I’ll provide a brief introduction regarding shared PC mode, followed by the configuration (and the configuration options) of the Shared multi-user device profile. I’ll end this post by looking at the end-user experience.

Introduction

Let’s start with a short introduction about shared PC mode and immediately address the main use case. Shared PC mode s designed to be management- and maintenance-free with high reliability. A good example of devices that benefit from shared PC mode are school devices. These devices are typically shared between many students. By using the Shared multi-user device profile, the Intune administrator can turn on the shared PC mode feature to allow one user at a time. In that case, students can’t switch between different signed-in accounts on the shared device. When the student signs out, the administrator can also choose to remove all user-specific settings.

End-users can sign in to these shared devices with a guest account. After users sign-in, the credentials are cached. As they use the shared device, end-users only get access to features that are allowed by the administrator. For example, the administrator can choose when the shared device goes in to sleep mode, the administrator can choose if users can see and save files locally, the administrator can enable or disable power management settings, and much more. Administrators also control if the guest account is deleted when the user signs-off, or if inactive accounts are deleted when a threshold is reached.

Configuration

Now that it’s known what the main use case is of the the Shared multi-user device profile, let’s have a look at the configuration of the Shared multi-user device profile. The following four steps walk through the creation of the Shared multi-user device profile, including a short explanation with the different configuration options. After the creation of the profile, it can be assigned to a user and/or device group (just like any other profile).

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles to open the Device configuration – Profiles blade;
2 On the Device configuration – Profiles blade, click Create profile to open the Create profile blade;
3a SMUD-CreateProfileOn the Create profile blade, provide the following information and click Settings to open the Shared multi-user blade;

  • Name: Provide a valid name for the profile;
  • Description: (Optional) Provide a description for the profile;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Shared multi-user device;
  • Settings: See step 3b;
3b On the Shared multi-user device blade, provide the following configuration and click OK to return to the Create profile blade (see screenshot below);

  • Share PC mode: Select Enable to turn on shared PC mode. In shared PC mode, only one user can sign in to the device at a time. Another user can’t sign in until the first user signs out;
  • Guest account: Select Guest to create a guest account locally on the device that will be shown on the sign-in screen. These guest accounts don’t require any user credentials or authentication. Each time this account is used, a new local account is created;
  • Account management: Select Enable to turn on automatic deletion of accounts created by guests. These accounts will be deleted based on the account deletion configuration;
  • Account deletion: Select Immediately after log-out to make sure that created guests accounts are deleted immediately after log-out;
  • Local Storage: Select Disabled to prevent users from saving and viewing files on the hard drive of the device;
  • Power Policies: Select Disabled to prevent users from turning off hibernation, overriding all sleep actions, and changing the power settings;
  • Sleep time out (in seconds): Enter 60 (or any other value between 0 and 100) as the number of inactive seconds before the device goes into sleep mode;
  • Sign-in when PC wakes: Select Disabled to make sure that users don’t have to enter their username and password (they can use the guest account);
  • Maintenance start time (in minutes from midnight): Can be used to enter the time in minutes (0-1440) when automatic maintenance tasks, such as Windows Update, run.
  • Education policies: Select Enabled to use the recommended settings for devices used in schools, which are more restrictive. These settings are documented here;
SMUD-ShareMultiUserDevice.
4 Back on the Create profile blade, click Create.

Note: Besides configuring Windows Update, it is not recommended to set additional policies on devices configured with shared PC mode. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required.

End-user experience

Let’s end this post by looking at the end-user experience after assigning the Shared multi-user device profile. The first thing the end-user will notice is that it can click on the guest user account icon and simply click sign-in. No password will be required.

SMUD-Example01

Once logged on to the device, there are many places to look for a limited experience and specific configurations. I choose to show an important configuration related to the guest account and and few configurations related to available options to the end-user. Below on the right is an example of the guest accounts that are created. Every time the user logs off, the account will be disabled and a new account will be created. Below on the left and on the bottom are two examples related to permissions. It shows that the guest user can’t access the local C-drive and the Control Panel. It also confirms a statement at the beginning of this post; the main use case is schools. It clearly shows in the messages.

SMUD-Example02

More information

For more information regarding Windows 10 shared multi-user devices and configuring those devices in Microsoft Intune, please refer to the following articles:

27 thoughts on “Configuring shared multi-user devices”

  1. How about OneDrive and shared multi user device. Can you lock a device for the C-drive but OneDrive is still available?

  2. Hi Peter, how would this work from a licensing view point. Since the user would not be getting any intune user policy would you recommend licensing the user or the device?

  3. We have some devices we need to setup with shared=pc mode.
    the users wants to sync there own onedrive.
    is this possible with custom shared-pc?

  4. Hi Peter,
    Are the apps accessible to all users on a sharedPC?

    I distribute a specific exe/MSI standalone application to a user using MDM on a shared pc and is installed. When the first user logs out and the next user logs in, will the second user have access to the app that was distributed to user 1 and installed by him?

  5. What would be your suggestion for this scenario. I have setup the shared device profile and the self deploying autopilot profile however the autopilot profile is unable to assign because the pc doesn’t have tpm 2.0 chip in it. So when the devices is wiped what would be the best way to join that device to Azure because if we use a standard user account I believe the device will be assigned to that user which we wouldn’t want since it’s a shared pc.

  6. Update – I have gone with the Multi-App SelfDeploying Kiosk mode for my solution. I do wish I could leverage the account maintenance with my Kiosk account (delete/re-create on log out and maintenance etc) but it does not appear to be possible (no affect applying shared pc mode after or with Kiosk mode).

    Thanks for the great articles!
    Cheers

  7. We are seeing that licensed users with full domain accounts log into Shared Devices cannot use OneDrive, it either does not load or when run as admin causes a “Blocked” message. Where can we change this config? Can see no options via Azure Portal to Block Apps or Unblock them – we do no blocking of OneDrive on our network but it has enabled somehow for these users.

    Is this by design? Please advise where i can change this configuration. Thanks!

  8. Hi Oli & Peter,

    I have just experienced the same issue with a test deployment of Multi-User Devices via an Autopilot rollout. It appears that even when leveraging the new Per Machine Install of OneDrive, the users cannot load the OneDrive App. I did notice that the old OneDrive for Business (Groove.exe) does operate however this is a legacy application and does not support Known Folder Move, Autoconfiguration and other InTune based ADMX configurations, which is not ideal.

    From what I can see from other discussions and Microsoft documentation is that only Windows 10 VDA via Azure or VDI with persistent profiles is supported. This would, I believe, rules out Multi-User Devices.

    Happy for your thoughts, experiences and knowledge, as I hope I am incorrect with these findings.

    Best Regards,
    Brad Vander Reest

  9. Hi ,

    I have came across a scenario to Migrate from work space one to Intune where IPADs and Android devices are shared between multiple users , please suggest if InTune support this scenario & can we configured Devices in Shared Mode.

    Regards
    MSB

  10. Shared PC could be great but why have MS blocked OneDrive! It’s nuts.
    Now I’ve basically re-created most of the shared pc manually.
    Let’s hope this changes in the future.

  11. @Joe Matthews. Did you manage to get a work around for getting OD working on a shared PC? I can’t believe this doesn’t appear to work

  12. OneDrive for Business is blocker by default in the Shared PC config. You can enable it by using a powershell script which adds the DWORD ‘DisableFileSyncNGSC’.

    # Author: Revesh Manbodh
    # This script will enable OneDrive for business.
    # Value 1 is enable | Value 0 is disable

    $registryPath = “HKLM:\Software\Policies\Microsoft\Windows\OneDrive”
    $Name = “DisableFileSyncNGSC”
    $value = “0”
    IF(!(Test-Path $registryPath))
    {
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name -Value $value `
    -PropertyType DWORD -Force | Out-Null}
    ELSE {
    New-ItemProperty -Path $registryPath -Name $name -Value $value `
    -PropertyType DWORD -Force | Out-Null}

  13. Revesh Manbodh I tried adding this in Intune but it fails to deploy the PowerShell script. Any ideas?

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.