Configuring shared multi-user devices

This week is all about a recently introduced profile in Microsoft Intune to configure shared PC mode on a Windows 10 device. That profile is named Shared multi-user device profile. Something similar has been available already for a while via Intune for Education. The main use case for this profile are school devices that are shared between multiple students. In this post I’ll provide a brief introduction regarding shared PC mode, followed by the configuration (and the configuration options) of the Shared multi-user device profile. I’ll end this post by looking at the end-user experience.

Introduction

Let’s start with a short introduction about shared PC mode and immediately address the main use case. Shared PC mode s designed to be management- and maintenance-free with high reliability. A good example of devices that benefit from shared PC mode are school devices. These devices are typically shared between many students. By using the Shared multi-user device profile, the Intune administrator can turn on the shared PC mode feature to allow one user at a time. In that case, students can’t switch between different signed-in accounts on the shared device. When the student signs out, the administrator can also choose to remove all user-specific settings.

End-users can sign in to these shared devices with a guest account. After users sign-in, the credentials are cached. As they use the shared device, end-users only get access to features that are allowed by the administrator. For example, the administrator can choose when the shared device goes in to sleep mode, the administrator can choose if users can see and save files locally, the administrator can enable or disable power management settings, and much more. Administrators also control if the guest account is deleted when the user signs-off, or if inactive accounts are deleted when a threshold is reached.

Configuration

Now that it’s known what the main use case is of the the Shared multi-user device profile, let’s have a look at the configuration of the Shared multi-user device profile. The following four steps walk through the creation of the Shared multi-user device profile, including a short explanation with the different configuration options. After the creation of the profile, it can be assigned to a user and/or device group (just like any other profile).

1	Open the Azure portal and navigate to Intune > Device configuration > Profiles to open the Device configuration – Profiles blade;
2	On the Device configuration – Profiles blade, click Create profile to open the Create profile blade;
3a	On the Create profile blade, provide the following information and click Settings to open the Shared multi-user blade; Name: Provide a valid name for the profile; Description: (Optional) Provide a description for the profile; Platform: Select Windows 10 and later; Profile type: Select Shared multi-user device; Settings: See step 3b;
3b	On the Shared multi-user device blade, provide the following configuration and click OK to return to the Create profile blade (see screenshot below); Share PC mode: Select Enable to turn on shared PC mode. In shared PC mode, only one user can sign in to the device at a time. Another user can’t sign in until the first user signs out; Guest account: Select Guest to create a guest account locally on the device that will be shown on the sign-in screen. These guest accounts don’t require any user credentials or authentication. Each time this account is used, a new local account is created; Account management: Select Enable to turn on automatic deletion of accounts created by guests. These accounts will be deleted based on the account deletion configuration; Account deletion: Select Immediately after log-out to make sure that created guests accounts are deleted immediately after log-out; Local Storage: Select Disabled to prevent users from saving and viewing files on the hard drive of the device; Power Policies: Select Disabled to prevent users from turning off hibernation, overriding all sleep actions, and changing the power settings; Sleep time out (in seconds): Enter 60 (or any other value between 0 and 100) as the number of inactive seconds before the device goes into sleep mode; Sign-in when PC wakes: Select Disabled to make sure that users don’t have to enter their username and password (they can use the guest account); Maintenance start time (in minutes from midnight): Can be used to enter the time in minutes (0-1440) when automatic maintenance tasks, such as Windows Update, run. Education policies: Select Enabled to use the recommended settings for devices used in schools, which are more restrictive. These settings are documented here;
—	.
4	Back on the Create profile blade, click Create.

Note: Besides configuring Windows Update, it is not recommended to set additional policies on devices configured with shared PC mode. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required.

End-user experience

Let’s end this post by looking at the end-user experience after assigning the Shared multi-user device profile. The first thing the end-user will notice is that it can click on the guest user account icon and simply click sign-in. No password will be required.

Once logged on to the device, there are many places to look for a limited experience and specific configurations. I choose to show an important configuration related to the guest account and and few configurations related to available options to the end-user. Below on the right is an example of the guest accounts that are created. Every time the user logs off, the account will be disabled and a new account will be created. Below on the left and on the bottom are two examples related to permissions. It shows that the guest user can’t access the local C-drive and the Control Panel. It also confirms a statement at the beginning of this post; the main use case is schools. It clearly shows in the messages.

More information

For more information regarding Windows 10 shared multi-user devices and configuring those devices in Microsoft Intune, please refer to the following articles:

• Windows 10 and later settings to manage shared devices using Intune: https://docs.microsoft.com/en-us/intune/shared-user-device-settings-windows
• Control access, accounts, and power features on shared PC or multi-user devices using Intune: https://docs.microsoft.com/en-us/intune/shared-user-device-settings
• Set up a shared or guest PC with Windows 10: https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc
• Windows 10 configuration recommendations for education customers: https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education