Welcome to this guide to Intune-Powered Windows 11 Shared Devices! In this journey, I will explore the world of shared devices, understand their significance in different places, and discover how Microsoft Intune can be a trusted companion in making their management a breeze.
Shared Devices Unveiled
Shared devices are like friendly helpers that multiple people can use. Imagine a computer in a library or at a school that different folks take turns using throughout the day. These devices are pretty awesome in classrooms, offices, and public spaces because they save resources and provide access to everyone.
In the world of Windows 11, a shared device is simply a computer or a tablet used by multiple people. Instead of having your own personal laptop, you’re sharing this one with others. It’s like the community computer that everyone takes turns using.
Shared devices come in handy in a bunch of places. Think about schools, where students use the same computer during different classes. Or workplaces, where different employees might need to check stuff on the same computer.
Why Smooth Management Matters
Now, if we didn’t have good tools to manage these shared devices, it could get messy. Imagine logging in to a shared computer and finding someone else’s stuff everywhere. Or maybe you can’t use the needed programs because someone else messed with the settings. It would be chaos! Not fun, right? That’s why managing shared devices well is super important. Imagine if every time you used a shared device, it was exactly how you needed it to be. That’s the magic of effective device management!
Microsoft Intune to the Rescue
And here’s where our hero, Microsoft Intune, enters the stage! Intune is like a super-smart tool that helps organize and look after shared Windows 11 devices. It’s like having a tech-savvy friend who sets up the devices, installs the right stuff, and ensures they behave nicely for everyone. Plus, it does all this while you sit back and sip your favorite drink.
So, are you ready to dive into the world of shared devices and discover the wonders of Intune? Let’s embark on this exciting journey together as we unravel the secrets behind Intune-Powered Windows 11 Shared Devices!
Streamlining Onboarding with Autopilot
Imagine a magic wand for device setup: that’s Autopilot. It’s a special tool from Microsoft that helps us get our shared Windows 11 devices up and running without the usual hassle. It’s like having a helper robot that does the heavy lifting for us. Autopilot takes care of setting things up behind the scenes, making sure devices are ready for action.
Device Registration and Assignment
Think of this as telling Autopilot which devices are in the game. It’s like inviting them to the Autopilot party. We make a list of devices we want to set up using Autopilot and tag some of these as shared devices.
Group Tags
Group Tags are like magical labels you put on your devices. They help you sort Autopilot devices into different groups based on their use. It’s like having folders for your apps and games but for devices!
Dynamic Device Groups
It’s as easy as ABC! When a new device joins your team, you give it a Group Tag. Like saying, “Hey, you’re part of the art class!” And that’s it: you’ve added a device to a special group.
In practice, we use Entra ID dynamic device groups to sort devices based on the group tag.

The example above is for a dynamic device group of devices with a group tag set to “LAB”. The rule syntax used is like this: (device.devicePhysicalIds -any (_ -eq "[OrderID]:LAB"))
Autopilot Deployment Profile
Autopilot Deployment Profiles are like magical guides that help your devices know exactly how to set themselves up. The following example is an Autopilot deployment profile for shared devices.

This is targeted to the dynamic device group holding all the LAB devices. The profile instructs the device to self-deploy to the tenant using a given name template. This ensures the device is not tied to any particular user.
Please note: One prerequisite for a self-deployed Autopilot onboarding is a device with a physical TPM 2.0 chip – no virtual TPM as stated in my blog about my Intune LAB environment.
Enrollment Status Page
The Autopilot devices that deploy themselves will be assigned a dedicated Enrollment Status Page. This page is designed to cater specifically to the requirements of this type of enrollment, which aims to facilitate a swift and seamless process.
My lab environment has the following ESP for shared devices:

This targets the group holding the shared devices (not the users).
Hardware Hash Unlocking Device Magic
Each device has a hardware hash that makes setting up devices with Autopilot as easy as waving a wand. Imagine you have a special key to open your secret toy box: that’s exactly what a Hardware Hash does for your devices.
Think of a Hardware Hash as a special code that each device carries. It’s like a secret handshake between the device and Autopilot. This code tells Autopilot, “Hey, I’m a trusted friend. Let’s set up together!”
Setting up devices was a bit tricky, like solving a puzzle. But with a Hardware Hash, the puzzle pieces magically fit together. It makes sure only the right devices can join your setup party.
When you get a new device, it comes with its own Hardware Hash. You share this code with Autopilot, and it knows you’re ready to roll. We can even designate the device to a given role by attaching the Group tag to the hardware hash, like the role of a shared device. Just like giving a secret signal to your best friend!

The hardware hash can be given to you by your distributor or OEM, or you can manually harvest them and register devices with Windows Autopilot. You can find more detailed information in Microsoft’s official documentation for Windows Autopilot registration.

The picture above shows a manual hardware hash harvesting with direct upload to the Windows Autopilot service using a privileged account in the tenant.
The commands in my example are based on the Get-WindowsAutopilotInfo script found in the PowerShell gallery which was originally developed by Michael Niehaus. You could also check out other graphical tools like the Autopilot Import GUI from Ugur Koc, or the Autopilot Tool from MVP Nicklas Ahlberg.
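```powershell
# Start a PowerShell session without a profile and with an unrestricted execution policy for this process
Powershell -NoProfile -ExecutionPolicy Unrestricted
# Download the script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutopilotInfo
# Harvest the hardware hash and upload it to Windows Autopilot with the group tag LAB
Get-WindowsAutopilotInfo -GroupTag "LAB" -Online
```
The device will be visible in Windows Autopilot devices found in Intune, and you will see the deployment profile assigned.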

Now, it is time to reboot the device and let Autopilot do its magic.
```powershell
Restart-Computer -Force
```
Once you become comfortable with this process, it’s helpful to know a couple more switches for the “Get-WindowsAutopilotInfo” script.

The “-assign” switch ensures that the script returns when the device receives the assigned profile, while the “-reboot” option automates the device reboot once the profile is assigned.

This is particularly useful for quickly adding devices without manually checking the portal for profile assignments. Thanks to my friend Bruce Sa for sharing this knowledge.
Autopilot truly makes device onboarding a cakewalk.

(The manual routine for adding a device to the Windows Autopilot service could have been more streamlined like we see in some “alternative solutions”.)
Configurations Made Easy with Intune
When preparing our shared computers, we’ve got a secret weapon: Intune Configuration Profiles. These profiles are like magic spells that let us tweak and adjust everything we need. Imagine having the power to choose security settings and even give computers a branded cool look β that’s what configuration profiles do!
Let’s roll up our sleeves and start configuring the basic setup for our awesome shared devices!
The Shared PC Configuration Profile
To tailor the experience for the shared PC, I will create a device configuration profile based on the Settings Catalog. This profile will be assigned to the dynamic group of shared devices.
The basic settings in the policy are set as follows:

These settings will ensure the computer is configured as a shared device, and we can set household preferences on the device. All these options are described in detail in Microsoft’s documentation of the shared PC settings, and you should tune them to your liking.
The Shared PC Tuning Profile
To tune the settings even more, I am creating another custom policy to add some custom OMA-URI settings.

The following settings are configured in this policy:
Name | OMA-URI | Data Type | Value |
---|---|---|---|
Disable first sign-in animation | ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation | Integer | 0 |
Skip ESP user status page | ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage | Boolean | True |
Note that the setting for disabling the first sign-in animation is now available through the Settings catalog as “Enable First Logon Animation” under the “Windows Logon” category.

These settings form the basic minimum of configuring a shared device, and they can be supplemented with more configuration profiles fitting the needs of the device and the company.
The OneDrive For Business Sync Profile
To easily access files shared in OneDrive for Business, we must enable the sync, set known-folder-move, and enable files on demand. I typically do this in a separate policy.

This example policy enables the OneDrive file sync (1). This setting might seem strange, with a space in the product name (One Drive) and some legendary double negations and mind-bending details in the information available when hovering over the i-symbol.
Next is to configure silent sign-in (2), then the important setting to use OneDrive Files On-Demand (3), before setting the config to move known folders silently (4).
Please be aware of the setting we made in the policy earlier, which is to set “Restrict Local Storage” to true.

If the setting to restrict local storage is true, end users cannot browse the content in OneDrive for Business using File Explorer. They can, however, find the content using the OneDrive option found in the Open blade within the office applications. If users need to be able to browse files and folders using File Explorer, you need to set this setting to false.
Shared Application Experience
Some applications might need special configurations to work in a shared computer environment. One example is the Microsoft 365 Apps portfolio.
Shared Computer Activation for Microsoft 365 Apps
When Microsoft 365 Apps have shared computer activation enabled, it does not affect the limit on the number of devices on which a user can install and activate the software. Normally, this limit is set to 5 PCs per user. Shared computer activation is essential when multiple individuals use the same computer, each logging in with their own accounts.
This is described in detail by Microsoft: Overview of shared computer activation for Microsoft 365 Apps – Deploy Office | Microsoft Learn
My favorite way of installing Microsoft 365 apps follows the routine outlined by MVP Jan Ketil Skanke at the MSEndpointMGR blog: Installing M365 Apps as Win32 App in Intune – MSEndpointMgr. A central part of this routine is the XML config file. This file can be easily created in the Microsoft 365 Apps admin center (https://config.office.com), and you will find the option to pick shared computer activation there.

Exporting the XML file from the Microsoft 365 Apps admin center will reflect this setting.

If the property “SharedComputerLicensing” holds the value “1”, you can add this to your shared PCs. Create a separate installation for this and target it to your shared devices. Using the Autopilot Enrollment Status Page, you can set the devices to wait for this application when provisioning.
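As an added example (not part of the original post or the MSEndpointMgr routine), the following PowerShell check confirms that an exported configuration file enables shared computer activation before it is packaged for the shared devices. The XML is a constructed sample in the Office Deployment Tool configuration format, and the function name and the file name in the last comment are hypothetical.

```powershell
# Constructed sample of an exported configuration; product, channel and language are
# placeholders, only the SharedComputerLicensing property matters for this check.
$sampleConfig = @'
<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise">
    <Product ID="O365ProPlusRetail">
      <Language ID="MatchOS" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="1" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
'@

function Test-SharedComputerLicensing {
    param([Parameter(Mandatory)][string]$ConfigurationXml)

    # The cast throws on malformed XML, which should also stop the packaging step.
    $doc   = [xml]$ConfigurationXml
    $nodes = @($doc.SelectNodes('/Configuration/Property[@Name="SharedComputerLicensing"]'))

    if ($nodes.Count -eq 0) {
        return [pscustomobject]@{ Enabled = $false; Reason = 'property missing' }
    }
    if ($nodes.Count -gt 1) {
        # Two conflicting entries make the effective value unclear, so treat it as a failure.
        return [pscustomobject]@{ Enabled = $false; Reason = 'property defined more than once' }
    }

    $value = $nodes[0].GetAttribute('Value')
    [pscustomobject]@{ Enabled = ($value -eq '1'); Reason = "SharedComputerLicensing = $value" }
}

Test-SharedComputerLicensing -ConfigurationXml $sampleConfig

# For an exported file (hypothetical file name):
#   Test-SharedComputerLicensing -ConfigurationXml (Get-Content .\configuration.xml -Raw)
```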

The screenshot above details the ESP targeted to shared devices, blocked for user sign-in until the Microsoft 365 Apps with shared computer activation are installed.
The Shared PC Experience
Let’s roll up our sleeves and get hands-on with testing to see how Windows locks down its user interface when it’s in shared mode on a shared PC. Let’s dive in and see how Microsoft Intune ensures a secure and controlled experience for all users on shared devices.
Signing In
The shared PC won’t remember past logins, meaning users must type in their full username and password every time they sign in. This can be a bit of a hassle, especially if you are used to passwordless options.
I’ve noticed that the shared PC usually prefers passwordless sign-in methods, like using a security key, which I’ve discussed in previous blog posts. This requires your devices to be prepared for the FIDO2 sign-in, as my previous blog post shows. Using a FIDO2 key, you can sign in without typing a username or password on the device. Just insert the key into your device (1), provide your pin/fingerprint (2), and you should be signed in (3).

However, you can still choose the traditional username and password method by exploring the sign-in options. Nevertheless, the security key approach makes much sense for shared devices. This method makes the sign-in process speedy, efficient, and highly secure!
Application Installations
As long as the device is marked as a shared device with no primary user in Intune, all logged in users can install applications from Company Portal as long as the application is assigned as available to user groups.

Read more about this in the Microsoft documentation: Find the primary user of a Microsoft Intune device | Microsoft Learn. MVP Jörgen Nilsson has written a great blog post on the topic: Managing shared devices and app deployment in Intune – CCMEXEC.COM – Enterprise Mobility
Limited Local Access
There is limited local access for the users signing in to the shared device.

The Shared PC mode locks down the system to secure it from changes and misconfigurations.
Troubleshooting
Hanging on ESP Device Setup
Using the regular ESP setting for the shared devices resulted in a hanging experience during device setup.

Using Michael Niehaus‘s excellent script for Windows Autopilot diagnostics I could get some information on the Enrollment status page:

This was easily solved by creating a separate ESP page for the shared device project that is targeted at the devices, not users.

With this in place, the ESP runs through!
Verify Configuration
Looking at the file C:\Windows\SharedPCSetup.log will give you an idea of the configuration implemented on the device.

As the screenshot shows, this device has the “EnableSharedPCModeWithOneDriveSync” setting.
OneDrive Can’t Sync
OneDrive sync gives the error code 0x8004deea.

A new setting called “EnableSharedPCModeWithOneDriveSync” should be used to enable the OneDrive sync, as mentioned in the Shared PC technical reference. The documentation clearly describes two settings:
EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync are the two policies that enable Shared PC mode. The only difference between the two is that EnableSharedPCModeWithOneDriveSync enables OneDrive synchronization, while EnableSharedPCMode disables it.
The settings for Shared PC in the Settings catalog do not reflect this option since it can only set “Enable Shared PC Mode” to either True or False. No option is available to enable the OneDrive sync.

The prerequisite for the EnableSharedPCModeWithOneDriveSync is Windows 11, version 22H2 [10.0.22621], as specified on the setting in the SharedPC CSP.

This challenge has also been pointed out by MVP James Robinson in a tweet recently.
I’ve been diving into various creative solutions to navigate this challenge, and it seems there’s a secret sauce simmering behind the scenes that I’m eager to uncover!
The SharedPCSetup.log indicates EnableSharedPCModeWithOneDriveSync is configured, but still, my device gives the error code “0x8004deea” and OneDrive can’t sync.

The following concludes the steps I have tested to get OneDrive sync running on shared PCs:
- Remove the setting to enable Shared PC mode from the policy based on the Settings Catalog, since this is unaware of the OneDrive sync option.
- Set the EnableSharedPCModeWithOneDriveSync setting by using an OMA-URI setting in a custom policy.
- Enable access to local storage by disabling the “Restrict Local Storage” policy based on the Settings Catalog, a tip found in Peter van der Woude‘s blog post.
- Set the “Disable One Drive File Sync” policy in the “Settings catalog” to “Sync Enabled”, as mentioned by MVP James Robinson on Twitter/X.
- Make sure Windows on the endpoint is up to date.
Please drop me a comment if you have insights to share related to getting OneDrive sync running on the shared device.
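The checklist above can be turned into a repeatable check. This is an added example, not code from the original post: the function name is hypothetical, the log lines are constructed, and the registry and CIM locations in the closing comments are assumptions about where Windows exposes these MDM settings.

```powershell
# Evaluates the OneDrive checklist from values passed in as parameters, so the logic
# can be exercised offline with the constructed sample further down.
function Test-SharedPcOneDriveReadiness {
    param(
        [int]      $OsBuild,                  # Windows build number (22621 = Windows 11 22H2)
        [string[]] $SetupLog = @(),           # lines of C:\Windows\SharedPCSetup.log
        [object]   $DisableOneDriveFileSync,  # effective policy value, $null when not set
        [object]   $RestrictLocalStorage      # Boolean, $null when not set
    )

    # \b stops "EnableSharedPCMode" from also matching the longer "...WithOneDriveSync" name.
    $withSync    = [bool]($SetupLog | Where-Object { $_ -match '\bEnableSharedPCModeWithOneDriveSync\b' })
    $withoutSync = [bool]($SetupLog | Where-Object { $_ -match '\bEnableSharedPCMode\b' })
    $modeDetail  = if ($withSync) {
        'EnableSharedPCModeWithOneDriveSync found in log'
    } elseif ($withoutSync) {
        'only EnableSharedPCMode found, which disables OneDrive sync'
    } else {
        'no Shared PC mode setting found in log'
    }

    $syncSet  = $null -ne $DisableOneDriveFileSync
    $localSet = $null -ne $RestrictLocalStorage

    @(
        [pscustomobject]@{
            Check  = 'Windows 11 22H2 (build 22621) or later'
            Passed = $OsBuild -ge 22621
            Detail = "build $OsBuild"
        }
        [pscustomobject]@{
            Check  = 'Shared PC mode with OneDrive sync'
            Passed = $withSync
            Detail = $modeDetail
        }
        [pscustomobject]@{
            Check  = 'Disable OneDrive File Sync set to sync enabled (0)'
            Passed = $syncSet -and ([int]$DisableOneDriveFileSync -eq 0)
            Detail = if ($syncSet) { "value $DisableOneDriveFileSync" } else { 'not set' }
        }
        [pscustomobject]@{
            Check  = 'Restrict Local Storage disabled'
            Passed = $localSet -and (-not [bool]$RestrictLocalStorage)
            Detail = if ($localSet) { "value $RestrictLocalStorage" } else { 'not set' }
        }
    )
}

# Constructed sample input: the real log's line format may differ, only the setting
# name is matched. Here the device still runs plain Shared PC mode, so one check fails.
$sampleLog = @(
    'SharedPC: EnableSharedPCMode = True'
    'SharedPC: RestrictLocalStorage = False'
)
Test-SharedPcOneDriveReadiness -OsBuild 22621 -SetupLog $sampleLog `
    -DisableOneDriveFileSync 0 -RestrictLocalStorage $false | Format-Table -AutoSize

# On a device (assumed locations; the CIM query typically has to run as SYSTEM):
#   $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System' -ErrorAction SilentlyContinue
#   $shared = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC'
#   Test-SharedPcOneDriveReadiness -OsBuild ([Environment]::OSVersion.Version.Build) `
#       -SetupLog (Get-Content 'C:\Windows\SharedPCSetup.log') `
#       -DisableOneDriveFileSync $policy.DisableOneDriveFileSync -RestrictLocalStorage $shared.RestrictLocalStorage
```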
Wrapping Up Shared Device Mastery
It’s time to put all the pieces together and see the big picture of managing shared devices with the help of Microsoft Intune.
We dived into the world of Windows 11, where shared devices are like community gadgets, shared among people for different purposes. It’s all about resource efficiency and accessibility, making them a fantastic fit for schools, workplaces, and beyond.
The importance of smooth management became clear as day. Without good tools, shared devices could turn into chaos with settings messed up and personal stuff everywhere. But don’t worry; we had a superhero on our side: Microsoft Intune!
Intune swoops in as the tech-savvy friend who sets up devices, installs the right stuff, and keeps things running smoothly. We’ve explored the magical Autopilot, a tool that turns device setup into child’s play. Like a magic wand, Autopilot ensures devices are ready for action with minimal fuss.
We embraced Group Tags, those nifty labels that keep devices organized into different groups based on their use. Think of them as folders for devices.
Dynamic Device Groups, our trusty sidekick, helps us easily sort devices into their proper places. It’s like sending devices to the right party, ensuring they’re where they should be.
The Hardware Hash, our secret key, unlocked device magic with Autopilot. Like a handshake between devices and Autopilot, it ensures only the right devices join the setup party where Group Tags send them to the right room.
And then there’s Intune Configuration Profiles, our magic spells for device tweaking. They allow us to customize device settings, add security layers, and give devices a branded look. Imagine having the power to make every device just the way we want it!
So there you have it: the complete journey from understanding shared devices to taming them with the help of Microsoft Intune. We’ve uncovered the hidden secrets, learned the tools of the trade, turned device management into a breeze, and still found some missing pieces to work on.
Thank you for joining this adventure. Now, you’re armed with the knowledge to navigate the world of shared devices confidently. May your shared devices always be organized, secure, and ready for action!
Nice guide, thanks.
I managed to enable OneDrive sync on shared PCs using two OMA-URI settings:
– DisableOneDriveFileSync – Integer = 0 (./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync)
– MDMWinsOverGP – Integer = 1 (./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP)
Thanks for verifying a running OneDrive sync at your side Darren.
I have tested the “Disable OneDrive File Sync” through the Settings Catalog, but never got it to work.
I was getting pretty confused by the wording in that setting and the settings tips.
Could you add some information around licensing requirements and limitations for a device enrolled as a multi-user device? If you look at the documentation for self-deployment mode there are no users associated to these devices so your license would require Device-only Subscription and this also impacts policies that are pinned or only apply to user accounts. https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses?ref=blog.skymadesimple.io#device-only-licenses
Hello,
nice guide, thanks.
I managed to enable OneDrive sync on shared PCs using Configuration settings:
Control Policy Conflict –> MDM Wins OVER GP –> The MDM policy is used and the GP policy is blocked.
System –> Disable One Drive File Sync –> Sync enabled.
Thanks for sharing your experience Bernhard! I will check this out ASAP.
[…] The Ultimate Guide to Intune-Powered Windows 11 Shared Devices by Simon Skotheimsvik, September 4, 2023 […]
Hi Simon.
How would you approach the situation where a shared device is used by both users with E3 and users with F3? In regards to Office I know how to activate shared license, but is it possible to hide Office apps for F3 users, as they don’t have license to use local installer Office?