Step-by-Step: Configure Intune Shared PC Mode for Shift-Worker Windows PCs

This guide walks you through a clean, repeatable setup for Shared Windows PCs used by shift workers (multiple users per device, short sessions, minimal personalization, strong security).

---

Before You Start: Prerequisites Checklist

Requirements

• Windows 10/11 devices enrolled in Intune (Entra ID joined recommended).
• A dedicated device group for shared PCs.
• A clear decision on whether you want:
  • Named-user sign-in (each worker uses their own Entra ID account), or
  • Kiosk-style (single app or multi-app kiosk).

Create the device group (recommended approach)

Use a dynamic device group or a manual assigned group:

• Intune admin center → Groups → New group
• Type: Security
• Membership:
  • Dynamic rule (recommended if you can tag devices), or
  • Assigned group (simple and reliable)

Tip: Use a naming convention like:

• GRP-INTUNE-WIN-SharedPC-Devices

---

Step 1: Create the Shared PC Mode Policy

You can configure Shared PC mode using Settings catalog (preferred) or Templates depending on what’s available in your tenant. Use Settings catalog whenever possible for consistency.

Path

Intune admin center → Devices → Windows → Configuration profiles → Create profile

• Platform: Windows 10 and later
• Profile type: Settings catalog
• Name: WIN - Shared PC Mode - Shift Workers

---

Step 2: Add Shared PC Mode Settings (Recommended Baseline)

In Settings catalog, click Add settings, then search for:

• Shared PC

Add and configure these settings.

A. Enable Shared PC Mode

• Shared PC mode: Enable

B. Account and Profile Cleanup (Critical for shift workers)

These settings keep devices fast, clean, and reduce data leakage between shifts.

• Account management: Enable
• Delete user profiles automatically: Enable
• Delete user profiles after (days): 1 to 7
  • Use 1 day for strict environments (call centers, kiosks)
  • Use 3–7 days if users return frequently and you want faster sign-in
• Disk space threshold for cleanup: Enable
  • Set a reasonable threshold (example: 20–30% free space).
    If your environment doesn’t expose a threshold setting, focus on time-based cleanup.

C. Sign-in Experience and Noise Reduction

These reduce consumer prompts and “first run” distractions.

• Disable consumer features: Enable
• Disable first sign-in animation: Enable
• Disable Windows tips / suggestions: Enable (if available)
• Turn off Microsoft consumer experiences: Enable (often found under Experience settings)

D. Optional but Common for Shared PCs

Use these when you want stricter behavior:

• Block Microsoft account sign-in: Enable
• Disable Store app auto sign-in: Enable
• Disable OneDrive personal account: Enable (if used in your environment)

---

Step 3: Configure Fast Sign-Out and Session Hygiene (Recommended)

Shared PC mode helps, but you also want to prevent “session leftovers.”

Configure these via Settings catalog (where available)

Search and set:

• Turn off toast notifications (optional for shift devices)
• Disable lock screen notifications (optional)
• Disable recent items / jump lists (optional)

Add a practical sign-out control

You can support shift workers with a clean sign-out flow:

• Ensure the Sign out option is visible in Start.
• Avoid policies that hide power options unless required.

---

Step 4: Assign the Policy to Shared PC Devices

• Open the profile → Assignments
• Include: GRP-INTUNE-WIN-SharedPC-Devices
• Exclude: any admin/test devices if needed

---

Step 5: Add Supporting Baselines for Shared PCs (Strongly Recommended)

Shared PC mode is only one piece. For shift PCs, these are typically mandatory:

A. Security baseline (device-targeted)

Endpoint security → Security baselines

• Windows security baseline
• Microsoft Defender baseline (if applicable)

Assign to the device group.

B. BitLocker (device-targeted)

Endpoint security → Disk encryption

• Encrypt OS drive
• Store recovery keys in Entra ID

C. Defender + Firewall + ASR (device-targeted)

Endpoint security

• Antivirus
• Firewall
• Attack Surface Reduction rules (as appropriate)

---

Step 6: App Deployment Strategy for Shared PCs

Device-based required apps (recommended)

Deploy core apps as Required to the shared PC device group:

• Microsoft Edge
• Teams (machine-wide where possible)
• Line-of-business apps
• Security tools

Avoid user-based app installs for shared PCs

Per-user installs cause inconsistent behavior between shifts.

---

Step 7: Validation and Troubleshooting (What to Check)

A. Confirm policy applied

On a test device:

• Settings → Accounts → confirm shared behavior is active
• In Intune:
  • Devices → select device → Device configuration → check status

B. Confirm profile cleanup works

Sign in with a test user.
Sign out.
Wait for the cleanup window (or trigger storage pressure).
Confirm profiles are removed based on your configured threshold.

C. Common “it’s not cleaning up” causes

• The device hasn’t checked in yet (sync delay)
• The user never fully signed out (session stays active)
• Cleanup is configured for several days, so it’s working but not immediate
• Storage pressure threshold isn’t met

---

Recommended Defaults for Shift Workers (Quick Template)

Use this if you want a fast, safe baseline:

• Shared PC mode: Enabled
• Delete user profiles: Enabled
• Profile deletion after: 1–3 days
• Disable consumer features: Enabled
• Disable first sign-in animation: Enabled
• Block Microsoft accounts: Enabled
• Device-targeted security baseline: Enabled
• BitLocker + Defender + Firewall: Enabled
• Required apps deployed to device group: Enabled

---

Optional Enhancements (If You Want a “Gold Standard” Build)

If you want to take it further, you can add:

• Windows Update rings tuned for off-hours
• Delivery Optimization limits (to reduce bandwidth spikes)
• Storage Sense configuration
• Local admin control with LAPS
• Kiosk mode (single or multi-app) for ultra-locked down stations