Besides the normal Windows user devices which we can configure with Microsoft Intune, we can configure other forms of devices. Think of kiosk devices, but also shared multi-user devices. This device type is a Windows device that doesn’t have a primary user but is shared between multiple users. It can be used in schools, where the devices are shared between multiple students and/or teachers. But it can also be used in other shared device environments, such as a factory.
Because these devices don’t have a primary user, Autopilot enrollment in self-deploying mode is ideal to set up this type of device. We can use a Shared multi-user device profile to configure the device. This profile applies some policy settings by default and offers some configuration options for which we can make a choice. For example, it blocks access to the local system drive and prohibits the use of OneDrive for file storage. All the available policy settings can be found in the docs.
We can complement these settings by configuring some additional settings; I also share a few of these in this post. How you configure all these settings depends on your needs.
Configure the Autopilot deployment profile
I assume you already have registered your Windows devices in the Windows Autopilot service of your Intune tenant.
Self-deploying mode requires TPM 2.0.
Be aware of this known issue: “Delete device record in Intune before reusing devices in self-deployment mode or Pre-Provisioning mode”. Windows Autopilot known issues can be found here.
We begin with configuring the Autopilot deployment profile. As described, we use the deployment mode Self-deploying, which is still in preview at the moment of writing. But MEM features that are in preview are fully supported.
- Sign in to the Microsoft Endpoint Manager admin center
- Browse to Devices, Windows, Windows enrollment
- Choose Deployment profiles
- Click Create, Windows PC
- Give the deployment profile a Name
- Enter a Description (optional)
- Make your choice if you want to convert all targeted devices
- Click Next
- Set the Deployment mode to Self-deploying
- Make your choice for the other options
- Click Next
Finish the deployment profile by assigning the profile to a device group.
Configure the Shared multi-user device profile
The next step is to configure the Shared multi-user device profile. With this profile, several settings are applied to the devices, which partially lock down the device.
- Browse to Devices, Windows, Configuration profiles
- Click Create profile
- Select Windows 10 and later as Platform
- Select Templates as Profile type
- Select Shared multi-user device from the drop-down list
- Click Create
- Provide a profile Name
- Enter a Description (optional)
- Click Next
Now we need to make our choices for all the settings we need to configure. Turn on Shared PC mode to allow only one user to sign in at a time. Make a choice for the Guest account: only allow sign-in with an (Azure) domain account, only allow guest account sign-in, or both. And configure all the other settings to your needs.
Read the Microsoft docs for an explanation of all the settings.
Finish the creation of the profile and assign the profile to a device group.
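To check on an enrolled device that the Shared PC settings from the profile actually landed, here is an added PowerShell example (not code from the original post or from Microsoft). It reads the SharedPC CSP through the MDM WMI bridge class MDM_SharedPC, which only answers when the script runs as local SYSTEM (for example via `psexec -s -i powershell.exe` or as an Intune-deployed script). The values in `$expected` are assumptions matching a profile with Shared PC mode turned on, both domain and guest sign-in allowed, and the local system drive blocked; adjust them to the choices you made in the profile.

```powershell
# Added example: audit the effective Shared PC configuration on an enrolled device.
# Not from the original post. Reads ./Device/Vendor/MSFT/SharedPC through the MDM WMI
# bridge (namespace root\cimv2\mdm\dmmap), which requires running as local SYSTEM.

# Assumption: these are the choices made in the Shared multi-user device profile.
$expected = @{
    EnableSharedPCMode   = $true   # Shared PC mode turned on
    AccountModel         = 2       # 2 = domain-joined and guest sign-in both allowed
    RestrictLocalStorage = $true   # access to the local system drive blocked
}

# Human-readable names for the AccountModel values of the SharedPC CSP
$accountModelNames = @{ 0 = 'Only guest'; 1 = 'Domain-joined only'; 2 = 'Domain-joined and guest' }

function Get-SharedPcState {
    # MDM_SharedPC is the bridge class for the SharedPC CSP; one instance per device
    $cim = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC' -ErrorAction Stop
    if (-not $cim) {
        throw 'No MDM_SharedPC instance found. Is the device MDM-enrolled, and is this running as SYSTEM?'
    }
    return $cim
}

function Test-SharedPcConfig {
    param(
        [Parameter(Mandatory)] $State,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    # Compare every expected setting with the value reported by the CSP and collect mismatches
    $failures = @()
    foreach ($name in $Expected.Keys) {
        $actual = $State.$name
        if ("$actual" -ne "$($Expected[$name])") {
            $failures += ('{0}: expected {1}, got {2}' -f $name, $Expected[$name], $actual)
        }
    }
    return $failures
}

try {
    $state = Get-SharedPcState
    Write-Host ('Shared PC mode           : {0}' -f $state.EnableSharedPCMode)
    Write-Host ('Account model            : {0} ({1})' -f $state.AccountModel, $accountModelNames[[int]$state.AccountModel])
    Write-Host ('Local storage restricted : {0}' -f $state.RestrictLocalStorage)
    Write-Host ('Deletion policy          : {0}' -f $state.DeletionPolicy)

    $failures = Test-SharedPcConfig -State $state -Expected $expected
    if ($failures.Count -eq 0) {
        Write-Host 'Shared PC configuration matches the expected profile.'
    }
    else {
        $failures | ForEach-Object { Write-Warning $_ }
        exit 1
    }
}
catch {
    Write-Error $_
    exit 2
}
```

The script exits non-zero on any mismatch, so it can double as the detection half of a proactive remediation or a compliance check. Comparing the values as strings keeps the boolean and integer properties returned by the bridge uniform without casting each one.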
Configure additional settings
By applying the Shared multi-user device profile, we have already configured our Windows shared multi-user device. But we could apply some additional settings to these devices, based on our needs. I show a couple of these in this section.
An option to configure is the Start menu layout. For Windows 10, we have the option to use a Device restrictions profile to deploy a Start menu which can’t be changed by the end user. For Windows 11 we don’t have that option, but we can still configure a default Start menu as described earlier in this post.
To configure the Start menu for Windows 10 devices, we first need to export an already configured Start menu from an existing device, after which we can import the exported XML file into the Intune profile. The steps to export a Start menu configuration are described here.
When you have exported the start menu, switch to the Intune portal and create a new Device restrictions profile.
In the Start section, we can import the Start menu layout XML file.
There are also some other options related to the Start menu which you might want to configure for the shared devices.
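The export itself is a single built-in cmdlet, but a layout exported from one user's profile can contain shortcuts that only exist for that user, which then show up as empty tiles on the shared devices. The following added PowerShell example (not from the original post) exports the layout of the reference device with `Export-StartLayout`, checks that the file is a Start layout, summarises the groups and tiles, and flags desktop application tiles whose link path points into a user profile. The export path is an assumption; the namespace URI is the one used in Windows 10 Start layout XML.

```powershell
# Added example: export the Start layout of a reference Windows 10 device and sanity-check
# the XML before importing it into the Intune Device restrictions profile. Not from the post.
# Run this as the user whose Start menu was configured on the reference device.

$layoutPath = 'C:\Temp\StartLayout.xml'   # assumption: where the export is written
New-Item -ItemType Directory -Path (Split-Path $layoutPath) -Force | Out-Null

# Export-StartLayout is the built-in Windows 10 cmdlet; it writes the current user's layout
Export-StartLayout -Path $layoutPath

function Get-StartLayoutSummary {
    param([Parameter(Mandatory)] [string] $Path)

    [xml]$xml = Get-Content -Path $Path -Raw
    # A valid export has LayoutModificationTemplate as its root element
    if ($xml.DocumentElement.LocalName -ne 'LayoutModificationTemplate') {
        throw "Unexpected root element '$($xml.DocumentElement.LocalName)': not a Start layout export."
    }

    # Tiles and groups live in the 'start' namespace of the layout schema
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')

    # Heuristic: shortcuts under a user profile usually do not exist for the other users
    # of a shared device; shortcuts under the all-users Start Menu do.
    foreach ($tile in $xml.SelectNodes('//start:DesktopApplicationTile', $ns)) {
        $link = $tile.GetAttribute('DesktopApplicationLinkPath')
        if ($link -like 'C:\Users\*' -or $link -like '%APPDATA%*') {
            Write-Warning "Per-user shortcut in layout, may be missing for other users: $link"
        }
    }

    # One row per group: how many Store app tiles and desktop app tiles it contains
    $summary = foreach ($group in $xml.SelectNodes('//start:Group', $ns)) {
        [pscustomobject]@{
            Group           = $group.GetAttribute('Name')
            StoreAppTiles   = $group.SelectNodes('start:Tile', $ns).Count
            DesktopAppTiles = $group.SelectNodes('start:DesktopApplicationTile', $ns).Count
        }
    }
    return $summary
}

Get-StartLayoutSummary -Path $layoutPath | Format-Table -AutoSize
```

Run it once on the reference device before uploading the XML; if any warnings appear, move those shortcuts to the all-users Start Menu folder on the reference device and export again, so the same path exists on every shared device.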
We can also use a Settings Catalog profile to configure additional settings.
Maybe you want to restrict the user from shutting down the machine and remove the power options from the Start menu.
Disable access to registry editing tools or the command prompt.
Or turn off the Store application.
With the Settings Catalog, we are also able to configure Microsoft Edge. Think of setting a start page, publishing favorites, or blocking the installation of Edge extensions.
Another option that might be handy in a shared device environment is configuring a daily recurring reboot. To keep the device running smoothly and to finalize Windows and application updates, Windows devices should be rebooted regularly. We can easily configure this with the Reboot settings in the Settings Catalog profile.
With the above settings, we have further configured our Windows shared multi-user device.
Authentication
A subject to think about is the authentication used on these shared devices. When using only guest accounts it’s pretty simple: just click the guest account and you’re signed in.
But when using Azure AD accounts to sign in, you might consider using a passwordless solution instead of a user account and password. Shared Windows devices are very suitable for passwordless solutions.
We have several passwordless solutions, like hardware security keys, fingerprint cards, and even a solution with a mobile phone as a FIDO device.
Have a look at the FIDO2 section of my blog for several blog posts related to the passwordless subject.
The end result
Let’s have a look at the end result of our configuration.
Depending on the value we set for the Guest account option, we are allowed to sign in to the device with a domain account.
Or we can sign in to the device with a Guest account.
Every time we sign in with a guest account, a new (local) profile is created on the device. When multiple users sign in with a guest account during the day, they won’t see each other’s profile changes, history, etc.
The pre-configured Start menu is in place.
The power options are not available.
Access to the OS drive is blocked.
Even if it’s a shared device, we can still use Office applications, like Teams.
OneDrive files are available from the Office applications.
And the favorites are published and available in the Edge browser.
That’s it for this blog post. Thanks for reading!
10 Comments
Hello, this is great! What I am running into is that if we log a user on with the “Guest” then they cannot access Word, Excel etc. without registering it, or else it keeps yelling that it is unregistered. They are set up with shared Office subs too.
Hello Peter,
Is there a good reason why you shouldn’t use self-deploying mode?
Hi Michaël,
No, but be aware of this “Delete device record in Intune before reusing devices in self-deployment mode or Pre-Provisioning mode”
https://docs.microsoft.com/en-us/mem/autopilot/known-issues#delete-device-record-in-intune-before-reusing-devices-in-self-deployment-mode-or-pre-provisioning-mode
Hello Peter,
Great article. Do you know if users without an Intune licence are allowed to log on to the shared PC?
We do have an Intune device licence.
regards
Hi Tom,
According to the docs, a device enrolled via Autopilot Self-Deploying mode is applicable for a device license.
https://docs.microsoft.com/nl-nl/troubleshoot/mem/intune/device-licenses-introduction#how-to-purchase-the-device-only-subscription
Regards,
Peter
Hi Peter,
This is a very helpful guide. Thank you!
I have one question. I have followed the guide and I’m applying all of the configuration profiles to a group of devices. This is mostly working fine, except for restricting access to the registry and command prompt. These settings seem to only be available as (User) profiles, not devices, so they do not work correctly with the Guest account. Do you know of any way to assign these profiles to the guest user or the device?
Hi Ryan, I had this issue and spent a while trying to work it out. Turns out you need to go into the Intune Education portal and block cmd, registry and powershell in that portal.
Take a look here https://call4cloud.nl/2020/06/blocking-administrative-apps-like-the-command-prompt-in-intune/
I am using shared device in an Education environment. I am running into a problem when I log off or shut down the device. Windows seems to terminate all processes, even a logoff script (tested in local policy). We want to forget the wifi setting (netsh command), but the logoff terminates all services. On a “normal” Intune device this is not the case. You can test this with Notepad: type something and then log off. Normally Windows asks to save the document and prevents the logoff. In shared device mode you don’t get the question.
Hello
How are you handling it when the first user signs in to the device and the device starts going through user account setup?
When I push out an Intune image via SCCM with the shared multi-user JSON, the computer fails on the “securing your hardware” step of the “setting up your device” screen.
We have to use Windows 10 Enterprise or Education.