When we talk about devices and modern devices in education we also are saying Intune for Education, in this blog post I will show how to use Windows Autopilot and Intune for Education to provision a shared device nice and easy.
In many education cases I have been involved in there is one student per device – but there is also devices with many users on it. In that case the end user experience is not the best – that is why Windows 10 shared device settings is a great feature.
Pre requisition :
- Intune for Education
- Windows Autopilot configured
- Device imported in autopilot
- Device running Windows insider build 17672 or later
- Physical TPM 2.0 chip
- Ethernet connection
Note: If you not have Ethernet connection at the first startup point, Windows AutoPilot will show the regional and keyboard page, and prompt for a Wifi connection,
What is Shared PC mode:
Windows 10, version 1607, introduced shared PC mode, which optimizes Windows 10 for shared use scenarios, fast login and automatic cleanup in unused user profile. A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen.
How to setup Shared PC mode with Intune for Education:
Start Intune for Education portal : https://intuneeducation.portal.azure.com
Click on Groups
- Select All Autopilot SharedDevice
- Click Settings
For information on creating a group for AutoPilot Shared Devices – ee my blogpost on How to auto assign Windows Autopilot profiles in Intune
- Expand “Shared device settings”
- Click Enable
Optimize devices for shared use
Optimizing devices for shared use also enables “Remove built in apps” under Basic device settings and “Block access to local storage” under Device sharing settings. You can disable those settings without affecting other settings for shared use
This setting is automatically turned on when the “Optimize devices for shared use” setting is turned on. The following apps are fully removed from your users’ computers when this setting is turned on:
- 3DBuilder
- Bing Weather
- Desktop App Installer
- Get Started
- Microsoft Office Hub
- Solitaire Collection
- One Connect
- Windows Feedback Hub
- Xbox
- Groove Music
- Calendar
Note: If you have enabled Intune Enrollment Status Page (Preview) this will show up for every user on the Shared device
Read more about Enrollment Status Page (Preview)
Policies set by the Shared PC mode
| Policy name | Value | When set? |
| Admin Templates > Control Panel > Personalization | ||
| Prevent enabling lock screen slide show | Enabled | Always |
| Prevent changing lock screen and logon image | Enabled | Always |
| Admin Templates > System > Power Management > Button Settings | ||
| Select the Power button action (plugged in) | Sleep | SetPowerPolicies=True |
| Select the Power button action (on battery) | Sleep | SetPowerPolicies=True |
| Select the Sleep button action (plugged in) | Sleep | SetPowerPolicies=True |
| Select the lid switch action (plugged in) | Sleep | SetPowerPolicies=True |
| Select the lid switch action (on battery) | Sleep | SetPowerPolicies=True |
| Admin Templates > System > Power Management > Sleep Settings | ||
| Require a password when a computer wakes (plugged in) | Enabled | SignInOnResume=True |
| Require a password when a computer wakes (on battery) | Enabled | SignInOnResume=True |
| Specify the system sleep timeout (plugged in) | SleepTimeout | SetPowerPolicies=True |
| Specify the system sleep timeout (on battery) | SleepTimeout | SetPowerPolicies=True |
| Turn off hybrid sleep (plugged in) | Enabled | SetPowerPolicies=True |
| Turn off hybrid sleep (on battery) | Enabled | SetPowerPolicies=True |
| Specify the unattended sleep timeout (plugged in) | SleepTimeout | SetPowerPolicies=True |
| Specify the unattended sleep timeout (on battery) | SleepTimeout | SetPowerPolicies=True |
| Allow standby states (S1-S3) when sleeping (plugged in) | Enabled | SetPowerPolicies=True |
| Allow standby states (S1-S3) when sleeping (on battery) | Enabled | SetPowerPolicies=True |
| Specify the system hibernate timeout (plugged in) | Enabled, 0 | SetPowerPolicies=True |
| Specify the system hibernate timeout (on battery) | Enabled, 0 | SetPowerPolicies=True |
| Admin Templates>System>Power Management>Video and Display Settings | ||
| Turn off the display (plugged in) | SleepTimeout | SetPowerPolicies=True |
| Turn off the display (on battery | SleepTimeout | SetPowerPolicies=True |
| Admin Templates>System>Power Management>Energy Saver Settings | ||
| Energy Saver Battery Threshold (on battery) | 70 | SetPowerPolicies=True |
| Admin Templates>System>Logon | ||
| Show first sign-in animation | Disabled | Always |
| Hide entry points for Fast User Switching | Enabled | Always |
| Turn on convenience PIN sign-in | Disabled | Always |
| Turn off picture password sign-in | Enabled | Always |
| Turn off app notification on the lock screen | Enabled | Always |
| Allow users to select when a password is required when resuming from connected standby | Disabled | SignInOnResume=True |
| Block user from showing account details on sign-in | Enabled | Always |
| Admin Templates>System>User Profiles | ||
| Turn off the advertising ID | Enabled | SetEduPolicies=True |
| Admin Templates>Windows Components | ||
| Do not show Windows Tips | Enabled | SetEduPolicies=True |
| Turn off Microsoft consumer experiences | Enabled | SetEduPolicies=True |
| Microsoft Passport for Work | Disabled | Always |
| Prevent the usage of OneDrive for file storage | Enabled | Always |
| Admin Templates>Windows Components>Biometrics | ||
| Allow the use of biometrics | Disabled | Always |
| Allow users to log on using biometrics | Disabled | Always |
| Allow domain users to log on using biometrics | Disabled | Always |
| Admin Templates>Windows Components>Data Collection and Preview Builds | ||
| Toggle user control over Insider builds | Disabled | Always |
| Disable pre-release features or settings | Disabled | Always |
| Do not show feedback notifications | Enabled | Always |
| Allow Telemetry | Basic, 0 | SetEduPolicies=True |
| Admin Templates>Windows Components>File Explorer | ||
| Show lock in the user tile menu | Disabled | Always |
| Admin Templates>Windows Components>Maintenance Scheduler | ||
| Automatic Maintenance Activation Boundary | MaintenanceStartTime | Always |
| Automatic Maintenance Random Delay | Enabled, 2 hours | Always |
| Automatic Maintenance WakeUp Policy | Enabled | Always |
| Admin Templates>Windows Components>Windows Hello for Business | ||
| Use phone sign-in | Disabled | Always |
| Use Windows Hello for Business | Disabled | Always |
| Use biometrics | Disabled | Always |
| Admin Templates>Windows Components>OneDrive | ||
| Prevent the usage of OneDrive for file storage | Enabled | Always |
| Windows Settings>Security Settings>Local Policies>Security Options | ||
| Interactive logon: Do not display last user name | Enabled, Disabled when account model is only guest | Always |
| Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled | Always |
| Shutdown: Allow system to be shut down without having to log on | Disabled | Always |
| User Account Control: Behavior of the elevation prompt for standard users | Auto deny | Always |
Read more:
Set up a shared or guest PC with Windows 10
Cloud First 
Dear Per,
Thank you for your great post.
Could you please let us know that how we can delete AutoPilot Devices from Azure/Intune Portal or Microsoft Business Store, if that device are not in active state..
TIA!
Richa
can i delete default apps on a shared device with self deployment mode? i tried uninstall with msfb but i doesnt uninstall.