MSEndpointMgr

Building lock down device – Part 3 (Shared PC mode)

For earlier posts, please find them here:

For more details how to configure Shared PC mode, you can read Maurice’s excellent post Building a shared pc mode kiosk with Microsoft Intune

Shared PC mode is very useful feature when building lock down device, most useful setting that I like is restrict access to local storage, there are other main features as well.

  • Account Models
  • Account management
  • Local Storage
  • Power Policy
  • Sleep time out
  • Sign in when PC wakes
  • Maintenance policy
  • Education Policies
  • Fast first sign in

I will focus talk about Account models, Account management and Local Storage in this post

Account Models

This option controls how users can sign-in on the PC. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC.  In my Shared PC mode settings, I have configured Account mode is Guest and domain user. This is how it looks when you enable Guest option, see below picture.

For a very long time, I thought this is ok to use. I choose “Guest”, click on Sign in, very easy, right? There are only two options, Other user and Guest, so it’s just 50% chance you know how to choose the correct account. Well, yes, it looks easy or an IT or someone that has a bit knowledge about computers, but not for everyone.

Asked from normal users, this logon screen is very confusing for public usage devices. The ideal of enable Guest account, you want people use Guest account, but why this Other user is in middle of log on screen asking work or school account? It really doesn’t make it easy to understand.

Hold on. You might wonder why not use Kiosk mode Assigned Access auto logon? I will talk about that in next post.

Account management

This is quite useful feature, I have seen lots of questions about how to delete user profile after log off, so this might be your solution, BUT still depends on your requirements. User profile deletion only works for four kind of account types:

  • new local accounts created by the Guest options
  • new local accounts created by the Kiosk options, includes Assigned Access auto logon account
  • Azure AD accounts
  • Active Directory domain accounts

This means, if you create normal local account, account management will not do anything with it.

Notes:

  • When you configure this settings, it applies slowly, so take cup of tea and wait a little.
  • When is using Guest account, it actually creates a new Guest account every time when Guest is logged off.
  • If you are using Azure AD account or Active Directory domain accounts with immediately delete profile, it takes about 30-45 seconds to delete the profile after logged off.

Local Storage

Set as True to restrict the user from saving or viewing local storage when using File Explorer.

When it is allowed access to local storage, we can see everything in File explorer.

When restrict access to local storage, explorer looks way more better, user can only access to Downloads folder. As you notice, user can access to external DVD drive

What is wrong?

Ok, restrict access to local storage looks working, file explorer is clean and nice, if I try to go any other folder then download, it gave me error. But is it already secure??

As in the official documents about this feature, it did mentioned it’s only for File Explorer ! Please don’t misunderstand that it is actually restrict access to local storage from everything. So let’t create a shortcut call cmd.bat in Download folder with run command: cmd.exe /c cmd.exe

Now run this cmd.bat file, it will call out the command prompt, and I will have access to local storage.

If you really want restrict to any storage, this setting is not enough. I will talk about bit more in next posts. https://msendpointmgr.com/2019/04/25/building-lock-down-device-part-4-kiosk-pc-mode/

Until next time.

Sandy Zeng

Sandy is an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist for over 10 years. Skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft Technologies, she has passions learning new skill sets to improve her professional career and also as her hobbies. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the https://sandyzeng.com blog and is now a blogger on MSEndPointMgr.

3 comments

  • Hello Zeng. Thanks for such amazing blogs. Did you ever talked about removing/skipping having the “Other User” from the login screen? will Fast first sign-in work? also: do you have a solution to logoff the guest session after a set amount of time?

    • Hello Manuel, you can’t skip or remove that “Other User” if you use Shared PC mode. Fast first sign-in works, but it doesn’t help with this “Other User” problem. And if you use Shared PC mode delete profile immediately after logoff, better not use first sign-in, it’s not useful in this case.
      For Auto logoff guest session, you can take a look my Idle notification tool. https://msendpointmgr.com/idle-notification-tool/

      • Thanks for the tip. I will try the idle tool, but you should sign the exe. It is being caught by AV software as not trusted. I push Symantec via Intune and deploying this will be really cumbersome. Regarding “Other user” I end up adding the message at logon as recommended in one of the SCConfigMgr article.

Sponsors

Categories

MSEndpointMgr.com use cookies to ensure that we give you the best experience on our website.