Besides the normal Windows user devices that we can configure with Microsoft Intune, we can configure other types of devices, such as kiosk devices and shared multi-user devices. A shared multi-user device is a Windows device that doesn't have a primary user but is shared between multiple users. It can be used in schools, where the devices are shared between multiple students and/or teachers, but also in other shared device environments such as a factory.
Because these devices don't have a primary user, Autopilot enrollment with self-deploying mode is ideal to set up this type of device. We then use a Shared multi-user device profile to configure the device. This profile applies some policy settings by default and offers a number of configuration options for which we can make a choice. For example, it blocks access to the local system drive and prohibits the use of OneDrive for file storage. All the available policy settings can be found in the docs.
We can complement these settings by configuring some additional settings; I share a few of these in this post. How you configure all these settings depends on your needs.
Configure the Autopilot deployment profile
I assume you already have registered your Windows devices in the Windows Autopilot service of your Intune tenant.
Self-deploying mode requires TPM 2.0, because the device authenticates to Azure AD with TPM attestation instead of with user credentials.
Be aware of this known issue: "Delete device record in Intune before reusing devices in self-deploying mode or pre-provisioning mode". The Windows Autopilot known issues can be found here.
We begin with configuring the Autopilot deployment profile. As described, we use the deployment mode Self-deploying, which is still in preview at the moment of writing. But MEM features that are in preview are fully supported.
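Before registering a batch of devices for self-deploying mode, it is worth checking the TPM requirement on a sample device. The script below is an added example (not from the original post): it runs in an elevated PowerShell session on the device itself and reports the TPM specification version, whether the TPM is provisioned, and whether an endorsement key with a manufacturer certificate is present (which is what TPM attestation relies on). The function name and the returned object are this example's own choices; nothing in it changes the device.

```powershell
# Added example: pre-check a device for the Autopilot self-deploying mode TPM requirement.
# Run elevated on the device. Get-Tpm / Get-TpmEndorsementKeyInfo come from the
# TrustedPlatformModule module that ships with Windows.

function Test-SelfDeployingTpmReadiness {
    # Win32_Tpm exposes SpecVersion as e.g. "2.0, 0, 1.38" on a TPM 2.0 device and
    # "1.2, 2, 3" on a TPM 1.2 device; no instance means Windows sees no TPM at all.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Present / enabled / activated / provisioned ("ready") state of the TPM.
    $state = Get-Tpm -ErrorAction SilentlyContinue

    # Self-deploying mode authenticates the device with TPM attestation, which needs the
    # endorsement key (EK) and, in practice, an EK certificate issued by the TPM manufacturer.
    $ek = Get-TpmEndorsementKeyInfo -ErrorAction SilentlyContinue
    $ekCertCount = @($ek.ManufacturerCertificates).Count

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SpecVersion     = $specVersion
        IsTpm20         = ($specVersion -eq '2.0')
        TpmPresent      = [bool]$state.TpmPresent
        TpmReady        = [bool]$state.TpmReady
        EkPresent       = [bool]$ek.IsPresent
        EkCertCount     = $ekCertCount
        # Example's own verdict: TPM 2.0, provisioned, EK with at least one manufacturer certificate.
        SelfDeployingOk = ($specVersion -eq '2.0' -and [bool]$state.TpmReady -and [bool]$ek.IsPresent -and $ekCertCount -gt 0)
    }
}

$result = Test-SelfDeployingTpmReadiness
$result | Format-List

if (-not $result.SelfDeployingOk) {
    Write-Warning 'This device does not meet the self-deploying mode TPM requirements; fix the TPM state (or use user-driven mode) before deploying.'
}
```

A device that reports TPM 2.0 but no manufacturer EK certificate will typically fail during the attestation step of self-deploying mode even though the hardware hash uploads fine, so this check saves a failed OOBE later.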
- Sign in to the Microsoft Endpoint Manager admin center
- Browse to Devices, Windows, Windows enrollment
- Choose Deployment profiles
- Click Create, Windows PC
- Give the deployment profile a Name
- Enter a Description (optional)
- Choose whether you want to convert all targeted devices to Autopilot
- Click Next
- Set the Deployment mode to Self-deploying
- Make your choice for the other options (language, keyboard selection, device name template, and so on)
- Click Next
Finish the deployment profile by assigning it to a device group.
Configure the Shared multi-user device profile
The next step is to configure the Shared multi-user device profile. With this profile, several settings are applied to the devices, which partially lock down the device.
- Browse to Devices, Windows, Configuration profiles
- Click Create profile
- Select Windows 10 and later as Platform
- Select Templates as Profile type
- Select Shared multi-user device from the drop-down list
- Click Create
- Provide a profile Name
- Enter a Description (optional)
- Click Next
Now we need to make our choices for all the settings we want to configure. Turn on Shared PC mode, which allows only one user to be signed in at a time. Then make a choice for the Guest account option: only allow sign-in with an (Azure AD) domain account, only allow guest account sign-in, or both. Configure all the other settings to your needs.
Read the Microsoft docs for an explanation of all the settings.
Finish the creation of the profile and assign the profile to a device group.
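Both portal procedures above (the self-deploying Autopilot deployment profile and the Shared multi-user device profile) can also be created from a script against Microsoft Graph, which is handy when you have to repeat them per tenant. The script below is an added example and not the author's own; it uses the Microsoft.Graph.Authentication module and the beta endpoint, which is what the admin center itself uses. The profile names, descriptions, the device name template, the threshold values and `$DeviceGroupId` are placeholders chosen for this example.

```powershell
# Added example: create and assign the two profiles from the post via Microsoft Graph (beta).
#Requires -Modules Microsoft.Graph.Authentication

$DeviceGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the shared-device group

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All'

# 1. Autopilot deployment profile, deployment mode Self-deploying.
#    deviceUsageType 'shared' is what the portal sets for self-deploying mode;
#    extractHardwareHash corresponds to "Convert all targeted devices to Autopilot".
$autopilotProfile = @{
    '@odata.type'       = '#microsoft.graph.azureADWindowsAutopilotDeploymentProfile'
    displayName         = 'Shared devices - self-deploying'            # placeholder
    description         = 'Self-deploying profile for shared multi-user devices'
    language            = 'os-default'
    extractHardwareHash = $false
    deviceNameTemplate  = 'SHR-%SERIAL%'                                # placeholder, max 15 characters
    deviceType          = 'windowsPc'
    enableWhiteGlove    = $false
    outOfBoxExperienceSettings = @{
        hidePrivacySettings       = $true
        hideEULA                  = $true
        userType                  = 'standard'
        deviceUsageType           = 'shared'
        skipKeyboardSelectionPage = $true
        hideEscapeLink            = $true
    }
}
$ap = Invoke-MgGraphRequest -Method POST -Uri 'beta/deviceManagement/windowsAutopilotDeploymentProfiles' `
        -Body ($autopilotProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Invoke-MgGraphRequest -Method POST -Uri "beta/deviceManagement/windowsAutopilotDeploymentProfiles/$($ap.id)/assignments" `
        -Body (@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $DeviceGroupId } } | ConvertTo-Json -Depth 5) `
        -ContentType 'application/json'

# 2. Shared multi-user device profile (the SharedPC CSP behind the Intune template).
#    allowedAccounts: 'guest', 'domain' or 'guest,domain' is the Guest account choice.
#    allowLocalStorage $false blocks saving to the local drives.
$sharedPc = @{
    '@odata.type'                = '#microsoft.graph.sharedPCConfiguration'
    displayName                  = 'Shared multi-user device'           # placeholder
    description                  = 'Shared PC mode, guest and Azure AD sign-in, local storage blocked'
    enabled                      = $true
    allowedAccounts              = 'guest,domain'
    allowLocalStorage            = $false
    disableAccountManager        = $false
    disableEduPolicies           = $true     # not a school in this example
    disablePowerPolicies         = $false
    disableSignInOnResume        = $false
    idleTimeBeforeSleepInSeconds = 900
    maintenanceStartTime         = '02:00:00'
    kioskAppType                 = 'notConfigured'
    accountManagerPolicy         = @{
        accountDeletion                       = 'diskSpaceThresholdOrInactiveThreshold'
        cacheAccountsAboveDiskFreePercentage  = 50
        inactiveThresholdDays                 = 30
        removeAccountsBelowDiskFreePercentage = 20
    }
}
$cfg = Invoke-MgGraphRequest -Method POST -Uri 'beta/deviceManagement/deviceConfigurations' `
        -Body ($sharedPc | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Invoke-MgGraphRequest -Method POST -Uri "beta/deviceManagement/deviceConfigurations/$($cfg.id)/assign" `
        -Body (@{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $DeviceGroupId } }) } | ConvertTo-Json -Depth 5) `
        -ContentType 'application/json'

"Autopilot profile $($ap.id) and shared PC configuration $($cfg.id) created and assigned to group $DeviceGroupId"
```

Note that the two object types are assigned differently: the Autopilot profile takes one `assignments` entry per POST, while device configurations take a list under `/assign`. Keeping the script in source control gives you a reviewable record of exactly which lock-down options the shared devices received, which the portal's click path does not.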
Configure additional settings
By applying the Shared multi-user device profile, we have already configured our Windows shared multi-user device. But we could apply some additional settings to these devices, based on our needs. I show a couple of these in this section.
An option to configure is the Start menu layout. For Windows 10 we have the option to use a Device restrictions profile to deploy a Start menu layout that can't be changed by the end user. For Windows 11 we don't have that option, but we can still configure a default Start menu, as described in an earlier post.
To configure the Start menu for Windows 10 devices, we first need to export an already configured Start menu from an existing device, after which we can import the exported XML file in the Intune profile. The steps to export a Start menu configuration are described here.
When you have exported the start menu, switch to the Intune portal and create a new Device restrictions profile.
In the Start section, we can import the start menu layout XML file.
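As an added example (not from the original post), the export step on the reference device can be done and sanity-checked with a few lines of PowerShell, so you notice before uploading that the file is the Windows 10 XML format and which apps it pins. The output path under `$env:TEMP` is this example's choice; `Export-StartLayout` ships with Windows.

```powershell
# Added example: export the reference device's Start menu and inspect the result before
# importing it in the Intune Device restrictions profile. Run as the user whose Start menu you prepared.

$build = [System.Environment]::OSVersion.Version.Build

if ($build -ge 22000) {
    # Windows 11: Export-StartLayout writes JSON (pinned apps only). That file is for the
    # Start/ConfigureStartPins policy, not for the Device restrictions XML import.
    $path = Join-Path $env:TEMP 'StartPins.json'
    Export-StartLayout -Path $path
    $pins = (Get-Content -Raw -Path $path | ConvertFrom-Json).pinnedList
    "Windows 11 build $build - exported $(@($pins).Count) pinned items to $path (ConfigureStartPins format, not XML)"
}
else {
    # Windows 10: this XML is what the Intune profile imports; Intune enforces the layout,
    # so the user cannot change it afterwards.
    $path = Join-Path $env:TEMP 'StartLayout.xml'
    Export-StartLayout -Path $path

    [xml]$layout = Get-Content -Raw -Path $path
    if ($layout.DocumentElement.LocalName -ne 'LayoutModificationTemplate') {
        throw "Unexpected root element '$($layout.DocumentElement.LocalName)' in $path; expected LayoutModificationTemplate."
    }

    # List the pinned tiles, so user-specific or not-yet-installed apps are spotted
    # before the layout goes to every shared device.
    $tiles        = $layout.GetElementsByTagName('start:Tile')
    $desktopTiles = $layout.GetElementsByTagName('start:DesktopApplicationTile')
    "Windows 10 build $build - exported $($tiles.Count + $desktopTiles.Count) tiles to $path"
    $tiles        | ForEach-Object { '  Store app (AUMID): ' + $_.AppUserModelID }
    $desktopTiles | ForEach-Object { '  Desktop app: ' + $_.DesktopApplicationLinkPath + $_.DesktopApplicationID }
}
```

Tiles that point to a `DesktopApplicationLinkPath` under a user profile (rather than `%ALLUSERSPROFILE%`) will not resolve for the guest or roaming users on the shared device, so replace those with an `%ALLUSERSPROFILE%` shortcut or a `DesktopApplicationID` before importing.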
There are also some other options related to the start menu, which you might want to configure for the shared devices.
We can also use a Settings Catalog profile to configure additional settings, for example:
- Restrict the user from shutting down the machine and remove the power options from Start.
- Disable access to registry editing tools or the command prompt.
- Turn off the Store application.
With the Settings Catalog, we are also able to configure Microsoft Edge. Think of setting a start page, publishing favorites or blocking the installation of Edge extensions.
Another option that might be handy in a shared device environment is to configure a daily recurring reboot. To keep the device running smoothly and to finalize Windows and application updates, Windows devices should be rebooted regularly. We can easily configure this with the Reboot settings in the Settings Catalog profile.
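The Settings Catalog Reboot settings write the `Reboot` CSP. As an added example (not from the original post), the same daily reboot can be delivered as a custom OMA-URI profile through Microsoft Graph, which makes the actual CSP node and value visible and scriptable. The profile name, the 03:00 reboot time and `$DeviceGroupId` are placeholders for this example. One assumption is labelled in the code: the `Z` suffix of the ISO 8601 value is taken to mean UTC, so the local time is converted; confirm the resulting reboot time on a test device before rolling it out.

```powershell
# Added example: daily recurring reboot via the Reboot CSP as a custom OMA-URI profile.
#Requires -Modules Microsoft.Graph.Authentication

function New-DailyRecurrentRebootValue {
    param([Parameter(Mandatory)][string]$LocalTime)   # e.g. '03:00'
    # The CSP wants a full ISO 8601 date-time; for DailyRecurrent only the time-of-day part matters.
    # Assumption: the trailing 'Z' is honoured as UTC, so local time is converted here.
    $local = [datetime]::ParseExact($LocalTime, 'HH:mm', $null)
    $local.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
}

$DeviceGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the shared-device group
$value = New-DailyRecurrentRebootValue -LocalTime '03:00'  # reboot at 03:00 local time in this example

$profile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Shared devices - daily reboot'          # placeholder
    description   = 'Reboot CSP DailyRecurrent for shared multi-user devices'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'DailyRecurrent reboot'
            description   = 'Daily recurring reboot (ISO 8601 date-time)'
            omaUri        = './Device/Vendor/MSFT/Reboot/Schedule/DailyRecurrent'
            value         = $value
        }
    )
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$cfg = Invoke-MgGraphRequest -Method POST -Uri 'beta/deviceManagement/deviceConfigurations' `
        -Body ($profile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Invoke-MgGraphRequest -Method POST -Uri "beta/deviceManagement/deviceConfigurations/$($cfg.id)/assign" `
        -Body (@{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $DeviceGroupId } }) } | ConvertTo-Json -Depth 5) `
        -ContentType 'application/json'

"Created custom profile $($cfg.id) with DailyRecurrent = $value"
```

Pick a reboot time outside the hours the devices are in use: a scheduled reboot does not wait for a signed-in guest to finish, and on a shared device the guest profile is gone afterwards anyway.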
With the above settings, we have further configured our Windows shared multi-user device.
A subject to think about is the authentication used on these shared devices. When using only guest accounts it's pretty simple: just click the guest account and you're signed in.
But when using Azure AD accounts to sign in, you might consider a passwordless solution instead of a user name and password, since typing a password on a device that many people use is both slow and easy to shoulder-surf. Shared Windows devices are very suitable for passwordless solutions.
We have several passwordless solutions, like hardware security keys, fingerprint cards, and even a solution with a mobile phone as a FIDO device.
Have a look at the FIDO2 section of my blog for several blog posts related to the passwordless subject.
The end result
Let’s have a look at the end result of our configuration.
Depending on the value we set for the Guest account option, we can sign in to the device with a domain account.
Or we can sign in to the device with a Guest account.
Every time we sign in with a guest account, a new (local) profile is created on the device and removed again at sign-out. When multiple users sign in with a guest account during the day, they won't see each other's profile changes, browsing history, etc.
The pre-configured Start menu is in place.
The power options are not available.
Access to the OS drive is blocked.
Even though it is a shared device, we can still use Office applications, like Teams.
OneDrive files are available from the Office applications.
And the favorites are published and available in the Edge browser.
That’s it for this blog post. Thanks for reading!