
The Ultimate Guide to Intune-Powered Windows 11 Shared Devices

Welcome to this guide to Intune-Powered Windows 11 Shared Devices! 🚀 In this journey, I will explore the world of shared devices, understand their significance in different places, and discover how Microsoft Intune can be a trusted companion in making their management a breeze.

Shared Devices Unveiled

Shared devices are like friendly helpers that multiple people can use. Imagine a computer in a library or at a school that different folks take turns using throughout the day. These devices are pretty awesome in classrooms, offices, and public spaces because they save resources and provide access to everyone. 🌟

In the world of Windows 11, a shared device is simply a computer or a tablet used by multiple people. Instead of having your own personal laptop, you’re sharing this one with others. It’s like the community computer that everyone takes turns using.

Shared devices come in handy in a bunch of places. Think about schools, where students use the same computer during different classes. Or workplaces, where different employees might need to check stuff on the same computer.

Why Smooth Management Matters

Now, if we didn’t have good tools to manage these shared devices, it could get messy. Imagine logging in to a shared computer and finding someone else’s stuff everywhere. Or maybe you can’t use the programs you need because someone else messed with the settings. It would be chaos – not fun, right? That’s why managing shared devices well is super important. Imagine if every time you used a shared device, it was exactly how you needed it to be. That’s the magic of effective device management! 💼

Microsoft Intune to the Rescue

And here’s where our hero, Microsoft Intune, enters the stage! 🦸‍♂️ Intune is like a super-smart tool that helps organize and look after shared Windows 11 devices. It’s like having a tech-savvy friend who sets up the devices, installs the right stuff, and ensures they behave nicely for everyone. Plus, it does all this while you sit back and sip your favorite drink.

So, are you ready to dive into the world of shared devices and discover the wonders of Intune? Let’s embark on this exciting journey together as we unravel the secrets behind Intune-Powered Windows 11 Shared Devices! 🌐

Streamlining Onboarding with Autopilot

Imagine a magic wand for device setup – that’s Autopilot! 🪄 It’s a special tool from Microsoft that helps us get our shared Windows 11 devices up and running without the usual hassle. It’s like having a helper robot that does the heavy lifting for us. Autopilot takes care of setting things up behind the scenes, making sure devices are ready for action.

Device Registration and Assignment

Think of this as telling Autopilot which devices are in the game. It’s like inviting them to the Autopilot party. We make a list of devices we want to set up using Autopilot and tag some of these as shared devices.

Group Tags

Group Tags are like magical labels you put on your devices. They help you sort Autopilot devices into different groups based on their use. It’s like having folders for your apps and games but for devices!

Dynamic Device Groups

It’s as easy as ABC! When a new device joins your team, you give it a Group Tag. Like saying, “Hey, you’re part of the art class!” And that’s it – you’ve added a device to a special group.

In practice, we use Entra ID dynamic device groups to sort devices based on the group tag.

The example above is for a dynamic device group of devices with a group tag set to “LAB”.
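The group shown in that screenshot can also be created from PowerShell. The following is an added example, not code from the original post: it uses the Microsoft.Graph.Groups module (New-MgGroup and Get-MgGroup) and assumes an administrator signed in with the Group.ReadWrite.All scope. The display name and mail nickname are placeholders chosen here; the membership rule matches on the physical ID that Autopilot writes for the group tag.

```powershell
# Added example (not from the original post): create the Entra ID dynamic device group
# that collects Autopilot devices carrying the group tag "LAB".
# Assumes the Microsoft.Graph.Groups module and an admin with Group.ReadWrite.All.
# Display name and mail nickname are placeholders for this example.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Autopilot stores the group tag in the device's physical IDs as "[OrderID]:<tag>",
# so the dynamic membership rule keys on that attribute.
$rule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:LAB"))'

$group = New-MgGroup -DisplayName "Autopilot - Shared Devices (LAB)" `
    -MailEnabled:$false -MailNickname "ap-shared-lab" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Read the stored rule back before targeting the deployment profile and ESP at the group,
# so a typo in the tag does not silently leave the group empty.
Get-MgGroup -GroupId $group.Id -Property DisplayName, MembershipRule |
    Select-Object DisplayName, MembershipRule
```

Because membership is evaluated by Entra ID, a device shows up in the group only after its hardware hash has been uploaded with the matching tag; assigning the Autopilot profile to this group is what ties the tag to the self-deploying enrollment.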

Autopilot Deployment Profile

Autopilot Deployment Profiles are like magical guides that help your devices know exactly how to set themselves up. The following example is an Autopilot deployment profile for shared devices.

This is targeted to the dynamic device group holding all the LAB devices. The profile instructs the device to self-deploy into the tenant with a given name template. This ensures the device is not tied to any particular user.

Please note: One prerequisite for a self-deployed Autopilot onboarding is a device with a physical TPM 2.0 chip – no virtual TPM as stated in my blog about my Intune LAB environment.

Enrollment Status Page

The Autopilot devices that deploy themselves will be assigned a dedicated Enrollment Status Page. This page is designed to cater specifically to the requirements of this type of enrollment, which aims to facilitate a swift and seamless process.

My lab environment has the following ESP for shared devices:

This targets the group holding the shared devices (not the users).

Hardware Hash Unlocking Device Magic

Each device has a hardware hash that makes setting up devices with Autopilot as easy as waving a wand. Imagine you have a special key to open your secret toy box – that’s exactly what a Hardware Hash does for your devices.

Think of a Hardware Hash as a special code that each device carries. It’s like a secret handshake between the device and Autopilot. This code tells Autopilot, “Hey, I’m a trusted friend. Let’s set up together!”

Setting up devices was a bit tricky, like solving a puzzle. But with a Hardware Hash, the puzzle pieces magically fit together. It makes sure only the right devices can join your setup party.

When you get a new device, it comes with its own Hardware Hash. You share this code with Autopilot, and it knows you’re ready to roll. We can even designate the device to a given role by attaching the Group tag to the hardware hash, like the role of a shared device. Just like giving a secret signal to your best friend!

The hardware hash can be given to you by your distributor or OEM, or you can manually harvest them and register devices with Windows Autopilot. You can find more detailed information in Microsoft’s official documentation for Windows Autopilot registration.

The picture above shows a manual hardware hash harvesting with direct upload to the Windows Autopilot service using a privileged account in the tenant.

The commands in my example are based on the Get-WindowsAutopilotInfo script found in the PowerShell gallery originally developed by Michael Niehaus. You could also check out other graphical tools like the Autopilot Import GUI from Ugur Koc, or the Autopilot Tool from MVP Nicklas Ahlberg.

Powershell -NoProfile -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -GroupTag "LAB" -Online

The device will be visible in Windows Autopilot devices found in Intune, and you will see the deployment profile assigned.

Now, it is time to reboot the device and let Autopilot do its magic.

shutdown -r -t 0

Once you become comfortable with this process, it’s helpful to know a couple more attributes for the “get-windowsautopilotinfo” script.

The “-assign” switch ensures that the script returns when the device receives the assigned profile, while the “-reboot” option automates the device reboot once the profile is assigned.

This is particularly useful for quickly adding devices without manually checking the portal for profile assignments. Thanks to my friend Bruce Sa for sharing this knowledge 🙏
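Putting the registration steps together with the TPM prerequisite mentioned earlier, the following is an added example (not the post’s own commands and not part of the Get-WindowsAutopilotInfo script) that a technician would run in an elevated PowerShell on the device. It assumes the Get-WindowsAutopilotInfo script from the PowerShell Gallery, the built-in Get-Tpm cmdlet and Win32_Tpm CIM class, and an account permitted to upload Autopilot devices to the tenant.

```powershell
# Added example (not from the original post): pre-flight check, then registration of the
# device in Windows Autopilot with the "LAB" group tag, waiting for the profile and rebooting.
# Run in an elevated PowerShell on the device (e.g. Shift+F10 during OOBE).
# Assumes the Get-WindowsAutopilotInfo script from the PowerShell Gallery and a tenant
# account that is allowed to upload Autopilot device identities.

# 1. Self-deploying mode requires a physical TPM 2.0. Stop early if the TPM is absent,
#    not ready, or only reports the 1.2 specification.
$tpm  = Get-Tpm
$spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady -or $spec -notmatch '^2\.0') {
    throw "TPM 2.0 not present/ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) Spec='$spec')"
}

# 2. Allow the gallery script to run in this session only, then fetch it.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force

# 3. Upload the hardware hash with the group tag.
#    -Assign blocks until Intune has assigned a deployment profile to the device,
#    -Reboot restarts the device afterwards so Autopilot can take over at OOBE.
Get-WindowsAutopilotInfo -Online -GroupTag "LAB" -Assign -Reboot
```

The TPM check is deliberately placed before the upload: a device that passes registration but lacks a TPM 2.0 will still fail the self-deploying enrollment later, and the failure is much harder to spot at that point.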

Autopilot truly makes device onboarding a cakewalk.

(The manual routine for adding a device to the Windows Autopilot service could have been more streamlined like we see in some “alternative solutions” 🍊)

Configurations Made Easy with Intune

When preparing our shared computers, we’ve got a secret weapon: Intune Configuration Profiles. These profiles are like magic spells that let us tweak and adjust everything we need. Imagine having the power to choose security settings and even give computers a branded cool look – that’s what configuration profiles do!

Let’s roll up our sleeves and start configuring the basic setup for our awesome shared devices! 🪄🖥️🔒

The Shared PC Configuration Profile

To tailor the experience for the shared PC, I will create a device configuration profile based on the Settings Catalog. This profile will be assigned to the dynamic group of shared devices.

The basic settings in the policy are set as follows:


These settings will ensure the computer is configured as a shared device, and we can set household preferences on the device. All these options are described in detail in Microsoft’s documentation.

The Shared PC Tuning Profile

To tune the settings even more, I am creating another custom policy to add some custom OMA-URI settings.

The following settings are configured in this policy:

Name | OMA-URI | Data Type | Value
Disable first sign-in animation | ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation | Integer | 0
Skip ESP user status page | ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage | Boolean | True

These settings form the basic minimum of configuring a shared device, and they can be supplemented with more configuration profiles fitting the needs of the device and the company.
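The same custom profile can be created and assigned from PowerShell instead of clicking through the portal. The following is an added example, not code from the original post: it posts a windows10CustomConfiguration with the two OMA-URI settings from the table to the Microsoft Graph beta endpoint and then assigns it to a group. It assumes the Microsoft.Graph.Authentication module (Connect-MgGraph and Invoke-MgGraphRequest), an admin with the DeviceManagementConfiguration.ReadWrite.All scope, and a placeholder group id for the shared-devices group.

```powershell
# Added example (not from the original post): create the Shared PC tuning profile with
# the two OMA-URI settings from the table, then assign it to the shared-devices group.
# Assumes Microsoft.Graph.Authentication and DeviceManagementConfiguration.ReadWrite.All.
# The profile name is a placeholder; <shared-devices-group-id> is a placeholder to replace.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$cfg = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "Shared PC - Tuning (custom OMA-URI)"
    description   = "Suppress the first sign-in animation and the ESP user status page"
    omaSettings   = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "Disable first sign-in animation"
            omaUri        = "./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation"
            value         = 0
        },
        @{
            "@odata.type" = "#microsoft.graph.omaSettingBoolean"
            displayName   = "Skip ESP user status page"
            omaUri        = "./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage"
            value         = $true
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" `
    -Body ($cfg | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Target the device group, not users: shared devices enroll without a user assigned.
$assign = @{
    assignments = @(
        @{ target = @{
            "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
            groupId       = "<shared-devices-group-id>"
        } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType "application/json"
```

Keeping the profile definition as a hashtable makes it easy to version it alongside the rest of the tenant configuration and to re-apply the same two OMA-URIs in a test tenant before touching production.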

The Shared PC Experience

Let’s roll up our sleeves and get hands-on with testing to see how Windows locks down its user interface when it’s in shared mode on a shared PC. Let’s dive in and see how Microsoft Intune ensures a secure and controlled experience for all users on shared devices. 🚀🔒🖥️

Signing In

The shared PC won’t remember past logins, meaning users must type in their full username and password every time they sign in. This can be a bit of a hassle.

I’ve noticed that the shared PC usually prefers passwordless sign-in methods, like using a security key, which I’ve discussed in previous blog posts.

However, you can still choose the traditional username and password method by exploring the sign-in options. Nevertheless, the security key approach makes a lot of sense for shared devices. This method makes the sign-in process speedy, efficient and highly secure!

Limited Local Access

There is limited local access for the users signing in to the shared device.

The Shared PC mode locks down the system to secure it from changes and misconfigurations.

Troubleshooting

Hanging on ESP Device Setup

Using the regular ESP setting for the shared devices resulted in a hanging experience during device setup.

Using Michael Niehaus’s excellent script for Windows Autopilot diagnostics, I could get some information on the Enrollment Status Page:

This was easily solved by doing a separate ESP page for the shared device project targeted to the devices – not users.

With this in place, the ESP runs through!

Verify Configuration

Looking at the file C:\Windows\SharedPCSetup.log will give you an idea of the configuration implemented on the device.

As the screenshot shows, this device has the “EnableSharedPCModeWithOneDriveSync” setting.

OneDrive Can’t Sync

OneDrive sync gives the error code 0x8004deea.

A new setting called “EnableSharedPCModeWithOneDriveSync” should be used to enable OneDrive sync, as mentioned in the Shared PC technical reference. The documentation clearly describes two settings:

EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync are the two policies that enable Shared PC mode. The only difference between the two is that EnableSharedPCModeWithOneDriveSync enables OneDrive synchronization, while EnableSharedPCMode disables it.

The settings for Shared PC in the Settings Catalog do not reflect this option, since they can only set “Enable Shared PC Mode” to either True or False. No option is available to enable the OneDrive sync.

The prerequisite for the EnableSharedPCModeWithOneDriveSync is Windows 11, version 22H2 [10.0.22621], as specified on the setting in the SharedPC CSP.

This challenge has also been pointed out by MVP James Robinson in a tweet recently.

I’ve been diving into various creative solutions to navigate this challenge, and it seems there’s a secret sauce simmering behind the scenes that I’m eager to uncover!

The SharedPCSetup.log indicates EnableSharedPCModeWithOneDriveSync is configured, but still, my device gives the error code “0x8004deea” and OneDrive can’t sync.

The following summarizes the steps I have tested so far, trying to get OneDrive sync running on shared PCs:

  1. Remove the setting to enable Shared PC mode from the policy based on the Settings Catalog, since this is unaware of the OneDrive sync option.
  2. Set the EnableSharedPCModeWithOneDriveSync setting by using an OMA-URI setting in a custom policy.
  3. Enable access to local storage by disabling the “Restrict Local Storage” policy based on the Settings Catalog, a tip found in Peter van der Woude’s blog post.
  4. Set the “Disable One Drive File Sync” policy in the Settings Catalog to “Sync Enabled”, as mentioned by MVP James Robinson on Twitter/X.
  5. Make sure Windows on the endpoint is up to date.
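When working through a list like this, it helps to see what actually landed on the endpoint rather than what the portal says was sent. The following is an added example (not from the original post) of an on-device check run from an elevated PowerShell: it reads the SharedPCSetup.log named earlier, reads the MDM policy values that Windows stores under the PolicyManager registry hive, compares them with the Group Policy key that an MDM “OneDrive file sync” policy overrides when MDMWinsOverGP is set, and collects an MDM diagnostics cab. The registry paths are the standard locations used by the Policy CSP and the OneDrive ADMX, not values taken from this post; treat them as assumptions to verify on your own build.

```powershell
# Added example (not from the original post): verify Shared PC mode and the OneDrive
# policy state on the endpoint itself. Run in an elevated PowerShell on the shared PC.
# Registry paths are assumptions based on where the Policy CSP and the OneDrive ADMX
# normally write their values; confirm them on your Windows build.

# 1. Shared PC mode as recorded by the SharedPC CSP (log file named in the post).
$log = "C:\Windows\SharedPCSetup.log"
if (Test-Path $log) {
    Write-Host "Last SharedPC mode entries in $log"
    Select-String -Path $log -Pattern "EnableSharedPCMode" |
        Select-Object -Last 5 | ForEach-Object { $_.Line }
} else {
    Write-Warning "No $log found - Shared PC mode has not been applied on this device"
}

# 2. Policy values delivered to the device. An MDM "sync allowed" value is ineffective
#    if Group Policy still blocks OneDrive and MDMWinsOverGP is not set.
$checks = @(
    @{ Name = "MDM DisableOneDriveFileSync (0 = sync allowed)"
       Path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System"
       Key  = "DisableOneDriveFileSync" },
    @{ Name = "MDM MDMWinsOverGP (1 = MDM policy wins over GP)"
       Path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict"
       Key  = "MDMWinsOverGP" },
    @{ Name = "GP DisableFileSyncNGSC (1 = OneDrive blocked by Group Policy)"
       Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive"
       Key  = "DisableFileSyncNGSC" }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue
    $v = if ($null -eq $item) { "<not set>" } else { $item.($c.Key) }
    [pscustomobject]@{ Setting = $c.Name; Value = $v }
}

# 3. Collect the built-in MDM diagnostics (enrollment, provisioning, Autopilot) for a ticket.
$cab = Join-Path $env:TEMP "mdmdiag-$(Get-Date -Format yyyyMMdd-HHmm).cab"
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -cab $cab
Write-Host "Diagnostics written to $cab"
```

A device that shows the OneDrive GP block set while MDMWinsOverGP is absent is a typical reason why a “sync enabled” policy from Intune never takes effect, which is worth ruling out before changing the Shared PC settings themselves.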

Please drop me a comment if you have insights to share related to getting OneDrive sync running on the shared device 🙏

Wrapping Up Shared Device Mastery

It’s time to put all the pieces together and see the big picture of managing shared devices with the help of Microsoft Intune.

We dived into the world of Windows 11, where shared devices are like community gadgets, shared among people for different purposes. It’s all about resource efficiency and accessibility, making them a fantastic fit for schools, workplaces, and beyond.

The importance of smooth management became clear as day. Without good tools, shared devices could turn into chaos with settings messed up and personal stuff everywhere. But don’t worry; we had a superhero on our side – Microsoft Intune!

Intune swoops in as the tech-savvy friend who sets up devices, installs the right stuff, and keeps things running smoothly. We’ve explored the magical Autopilot, a tool that turns device setup into child’s play. Like a magic wand, Autopilot ensures devices are ready for action with minimal fuss.

We embraced Group Tags, those nifty labels that keep devices organized into different groups based on their use. Think of them as folders for devices.

Dynamic Device Groups, our trusty sidekick, helps us easily sort devices into their proper places. It’s like sending devices to the right party, ensuring they’re where they should be.

The Hardware Hash, our secret key, unlocked device magic with Autopilot. Like a handshake between devices and Autopilot, it ensures only the right devices join the setup party where Group Tags send them to the right room.

And then there’s Intune Configuration Profiles, our magic spells for device tweaking. They allow us to customize device settings, add security layers, and give devices a branded look. Imagine having the power to make every device just the way we want it!

So there you have it – the complete journey from understanding shared devices to taming them with the help of Microsoft Intune. We’ve uncovered the hidden secrets, learned the tools of the trade, turned device management into a breeze, and still found some missing pieces to work on.

Thank you for joining this adventure. Now, you’re armed with the knowledge to navigate the world of shared devices confidently. May your shared devices always be organized, secure, and ready for action! 🚀📱🌐

Published in Endpoint, Intune, Microsoft 365, Windows

7 Comments

  1. Darren Mason

    Nice guide, thanks.
    I managed to enable OneDrive sync on shared PCs using two OMA-URI settings:
    – DisableOneDriveFileSync – Integer = 0 (./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync)
    – MDMWinsOverGP – Integer = 1 (./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP)

    • Thanks for verifying a running OneDrive sync at your side Darren. 🙏
      I have tested the “Disable OneDrive File Sync” through the Settings Catalog, but never got it to work.
      I was getting pretty confused by the wording in that setting and the settings tips 😶

  2. Danie

    Could you add some information around Licensing requirements and limitations for a device enrolled as multi-user device. If you look at the documentation for self-deployment mode there are no users associated to these devices so your license would require Device-only Subscription and this also impacts policies that are pinned or only applies to user accounts. https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses?ref=blog.skymadesimple.io#device-only-licenses

  3. Hello,
    nice guide, thanks.

    I managed to enable OneDrive sync on shared PCs using Configuration settings:

    Control Policy Conflict –> MDM Wins OVER GP –> The MDM policy is used and the GP policy is blocked.

    System –> Disable One Drive File Sync –> Sync enabled.
