The Practical Blueprint for Setting Up a Secure Shared Public PC with Microsoft Intune
Setting up a public computer in a library, reception area, or training lab isn’t just about plug‑and‑play—it’s about security, privacy, and usability. Here’s a no-nonsense guide you can follow to set up a locked-down, reliable shared PC using Microsoft Intune, so every user gets a fresh start and no personal data lingers after they finish.
1. Prepare the Device Right
Start with a device running Windows 10/11 Pro or Enterprise. These are the only editions that support Shared PC mode.
Plug in the device, turn it on, and join it to Azure AD (now called Entra ID) either with Autopilot for hands-off enrollment or manually. Make sure it’s assigned and managed by Intune from the start.
2. Enable Shared PC Mode in Intune
Log into the Intune Admin Center.
Create a new configuration profile:
- Platform: Windows 10 and later
- Profile type: Shared multi-user device template
Key settings:
- Guest account enabled: Lets people sign in without personal accounts.
- Account deletion: Auto‑remove accounts at sign‑out, or after inactivity, so no one’s details ever stick around.
- Disable local storage: Stop people saving files locally (unless you really want to allow it).
- Power settings: Adjust sleep/lock timers so the PC isn’t left idle or misused.




3. Lock Down Everything That Matters
Use AppLocker or Windows Defender Application Control to whitelist only the apps you want to run—think browsers, Office, and nothing off‑script.
Deploy a custom Start Menu and Taskbar layout through Intune so users only see what they need.
Block access to Control Panel and Settings to stop anyone from fiddling with system setup.
Apply browser policies to ensure history, cache, and cookies are nuked every time the browser closes.
4. Get Licensing Right
Use Microsoft 365 Device-based Licensing: this means Office apps just work on the device without needing every user to log in.
Don’t depend on user‑based licensing—it isn’t valid for truly public, anonymous devices.
5. Security & Privacy Boosts
- Windows Defender: Switch on real-time protection and schedule scans.
- BitLocker: Encrypt the drive so data at rest is safe from prying eyes.
- Optionally apply Deep Freeze or a similar reset tool—so every reboot wipes the slate clean.
- Set up USB policies based on need; if you allow USB drives, make sure they’re scanned for malware automatically.
6. Testing & Ongoing Monitoring
Test the setup with a regular, non-admin account—see what’s working and what’s not.
Turn on Endpoint Analytics in Intune to keep an eye on performance, crashes, and compliance.
Review the whole setup periodically and tune your policies if user needs or threats change.
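A read-only check to run during testing, as an added example that is not part of the original article: a PowerShell script, run elevated on the shared PC, that reads the applied Shared PC settings through the `MDM_SharedPC` WMI bridge class and confirms BitLocker and Defender state. The pass criteria (accounts deleted at sign-out, local storage restricted, guest sign-in available) are assumptions that mirror steps 2 and 5; adjust them to match the profile you actually deployed.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of a shared PC once the Intune profile has applied.
# Pass criteria are this example's assumptions, mirroring steps 2 and 5 above.
$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Actual, $Ok) {
    $checks.Add([pscustomobject]@{ Check = $Name; Actual = "$Actual"; Pass = [bool]$Ok })
}

# Step 2: Shared PC settings, read through the MDM WMI bridge (SharedPC CSP).
$shared = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC' `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if ($null -eq $shared) {
    # Not enrolled, profile not applied, or class not readable in this context.
    Add-Check 'MDM_SharedPC readable' 'no instance returned' $false
} else {
    Add-Check 'Shared PC mode enabled'  $shared.EnableSharedPCMode   ($shared.EnableSharedPCMode -eq $true)
    Add-Check 'Account manager enabled' $shared.EnableAccountManager ($shared.EnableAccountManager -eq $true)
    # AccountModel: 0 = guest only, 1 = domain-joined only, 2 = both
    Add-Check 'Guest sign-in available' $shared.AccountModel ($shared.AccountModel -in 0, 2)
    # DeletionPolicy: 0 = delete at sign-out, 1 = at disk threshold, 2 = disk or inactivity threshold
    Add-Check 'Accounts deleted at sign-out' $shared.DeletionPolicy ($shared.DeletionPolicy -eq 0)
    Add-Check 'Local storage restricted' $shared.RestrictLocalStorage ($shared.RestrictLocalStorage -eq $true)
    Add-Check 'Power policies applied'  $shared.SetPowerPolicies ($shared.SetPowerPolicies -eq $true)
}

# Step 5: BitLocker protection on the OS volume.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Check 'BitLocker protection on' "$($vol.ProtectionStatus) / $($vol.VolumeStatus)" `
        ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
} catch {
    Add-Check 'BitLocker protection on' $_.Exception.Message $false
}

# Step 5: Defender real-time protection.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Check 'Defender real-time protection' $mp.RealTimeProtectionEnabled ($mp.RealTimeProtectionEnabled -eq $true)
} catch {
    Add-Check 'Defender real-time protection' $_.Exception.Message $false
}

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) { exit 1 }   # non-zero exit signals drift from the expected baseline
```

If the `MDM_SharedPC` class returns nothing from an elevated admin session on an enrolled device, run the script in the local SYSTEM context, which the MDM bridge provider expects for device-scoped settings.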
The Result
With this blueprint, every user gets a fresh, clean desktop with access only to what they need, personal data is wiped after use, and the device remains secure and easy for IT to control and maintain.

