Windows 10 and newer settings to manage shared devices using Intune
Intune may support more settings than the settings listed in this article. Not every setting is documented, and not every setting will be. To see the settings you can configure, create a device configuration profile, and select Settings Catalog. For more information, see Settings catalog.
Windows 10 and newer devices, such as the Microsoft Surface, can be used by many users. Devices that have multiple users are called shared devices, and are a part of mobile device management (MDM) solutions.
Using Microsoft Intune, end-users can sign in to these shared devices with a guest account. As they use the device, they only get access to features you allow. As the Intune administrator, you configure access, choose when accounts are deleted, control power management settings, and more for your shared Windows 10 devices.
This article describes some of the settings you can configure in a device configuration profile. When the profile is created in Intune, you deploy or assign the profile to device groups in your organization. You can also assign this profile to device groups with mixed device types and Windows OS versions.
For more information on this feature in Intune, see Control access, accounts, and power features on shared PC or multi-user devices. For more information on the Windows CSP, see SharedPC CSP.
Before you begin
Shared multi-user device settings
These settings use the SharedPC CSP.
Shared PC mode: Enable turns on shared PC mode. In this mode, only one user signs in to the device at a time. Another user can’t sign in until the first user signs out. When set to Not configured (default), Intune doesn’t change or update this setting.
Guest account: Choose to create a Guest option on the sign-in screen. Guest accounts don’t require any user credentials or authentication. This setting creates a new local account each time it’s used. Your options:
- Guest: Only allows a local guest account to sign in to the device.
- Domain: Only allows an Azure Active Directory (AD) domain account to sign in to the device.
- Guest and domain: Allows a local guest account, or an Azure Active Directory (AD) domain account to sign in to the device.
Account management: Choose if accounts are automatically deleted. Your options:
- Not configured (default): Intune doesn’t change or update this setting.
- Enabled: Accounts created by guests, and accounts in AD and Azure AD are automatically deleted from the devices. When a user signs off the device, or when system maintenance runs, these accounts are removed from the devices.
  - Account Deletion: Choose when accounts are deleted:
    - At storage space threshold
    - At storage space threshold and inactive threshold
    - Immediately after log-out
  - Start delete threshold(%): Enter a percentage (0-100) of disk space. When the total disk/storage space drops below the value you enter, the cached accounts are deleted. It continuously deletes accounts to reclaim disk space. Accounts that are inactive the longest are deleted first.
  - Stop delete threshold(%): Enter a percentage (0-100) of disk space. When the total disk/storage space meets the value you enter, the deleting stops.
  - Inactive account threshold: Enter the number of consecutive days before deleting the account that hasn’t signed in, from 0-60 days.
- Disabled: The local, AD, and Azure AD accounts created by guests stay on the device, and aren’t deleted.
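The way the three Account Deletion options interact with the start, stop, and inactive thresholds can be modeled in a few lines. This Python sketch is an added example, not Microsoft's implementation or part of the original article. It assumes the percentages refer to free disk space; the account names, profile sizes, default values, and the `plan_deletions` function are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CachedAccount:
    name: str
    days_inactive: int   # consecutive days since the last sign-in
    profile_pct: int     # disk share freed when the profile is removed

# Constructed sample data: four cached profiles on one shared PC.
ACCOUNTS = [
    CachedAccount("guest-01", 45, 10),
    CachedAccount("student-a", 12, 8),
    CachedAccount("student-b", 3, 15),
    CachedAccount("teacher", 0, 5),
]

def plan_deletions(policy, accounts, free_pct, start_pct=25, stop_pct=50,
                   inactive_days=30, just_signed_out=()):
    """Return account names in the order this model deletes them.
    Default thresholds are this example's choices, not product defaults."""
    if not (0 <= start_pct <= 100 and 0 <= stop_pct <= 100):
        raise ValueError("thresholds are percentages, 0-100")
    if not 0 <= inactive_days <= 60:
        raise ValueError("inactive account threshold is 0-60 days")
    if policy == "immediately_after_logout":
        return [a.name for a in accounts if a.name in just_signed_out]
    if policy not in ("threshold", "threshold_and_inactive"):
        raise ValueError(f"unknown policy: {policy}")

    # Longest-inactive accounts are always considered first.
    remaining = sorted(accounts, key=lambda a: a.days_inactive, reverse=True)
    deleted = []
    if policy == "threshold_and_inactive":
        # Age-based pass: applies even when the disk has plenty of room.
        for acct in [a for a in remaining if a.days_inactive >= inactive_days]:
            remaining.remove(acct)
            deleted.append(acct.name)
            free_pct += acct.profile_pct
    # Space-based pass: starts below start_pct and runs until stop_pct.
    if free_pct < start_pct:
        while remaining and free_pct < stop_pct:
            acct = remaining.pop(0)
            deleted.append(acct.name)
            free_pct += acct.profile_pct
    return deleted

if __name__ == "__main__":
    for policy, free in [("threshold", 20), ("threshold", 30),
                         ("threshold_and_inactive", 30)]:
        print(policy, free, plan_deletions(policy, ACCOUNTS, free))
```

With 30% free space the plain threshold option removes nothing in this model, so the guest profile that has been unused for 45 days stays cached until free space falls below the start threshold; adding the inactive threshold removes it regardless of disk space.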
Local Storage: With local storage, users can save and view files on the device’s hard drive. Your options:
- Not configured (default): Intune doesn’t change or update this setting.
- Enabled: Allows users to see and save files locally using File Explorer.
- Disabled: Prevents users from saving and viewing files on the device’s hard drive.
Power Policies: Allow or prevent users from changing the power settings. Your options:
- Not configured (default): Intune doesn’t change or update this setting.
- Enabled: Users can hibernate the device, can close the lid to sleep the device, and change the power settings.
- Disabled: Users can’t turn off hibernate, can’t override all sleep actions (such as closing the lid), and can’t change the power settings.
Sleep time out (in seconds): Enter the number of inactive seconds (0-18000) before the device goes into sleep mode. 0 means the device never sleeps. If you don’t set a time, the device goes to sleep after 3600 seconds (60 minutes).
Sign-in when PC wakes: Choose if users must sign in after the device comes out of sleep mode. Your options:
- Not configured (default): Intune doesn’t change or update this setting.
- Enabled: Requires users to sign in with a password when device comes out of sleep mode.
- Disabled: Users don’t have to enter their username and password.
Maintenance start time (in minutes from midnight): Enter the time in minutes (0-1440) when automatic maintenance tasks, such as Windows Update, run. The default start time is midnight, or zero (0) minutes. Change the start time by entering a start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter 120. If you want maintenance to begin at 8 PM, enter 1200.
When set to Not configured (default), Intune doesn’t change or update this setting.
Education policies: Choose if policies for education environment are enabled. Your options:
- Not configured (default): Intune doesn’t change or update this setting.
- Enabled: Uses the recommended settings for devices used in schools, which are more restrictive.
- Disabled: The default and recommended education policies aren’t used.
For more information on what the education policies do, see Windows 10 configuration recommendations for education customers.
Set up a shared or guest PC (opens another docs web site) is a great resource on this Windows 10 feature, including concepts and group policies that can be set in shared mode.
Windows 10 Enterprise multi-session FAQ
This article answers frequently asked questions and explains best practices for Windows 10 Enterprise multi-session.
What is Windows 10 Enterprise multi-session?
Windows 10 Enterprise multi-session, formerly known as Windows 10 Enterprise for Virtual Desktops (EVD), is a new Remote Desktop Session Host that allows multiple concurrent interactive sessions. Previously, only Windows Server could do this. This capability gives users a familiar Windows 10 experience while IT can benefit from the cost advantages of multi-session and use existing per-user Windows licensing instead of RDS Client Access Licenses (CALs). For more information about licenses and pricing, see Windows Virtual Desktop pricing.
How many users can simultaneously have an interactive session on Windows 10 Enterprise multi-session?
The number of interactive sessions that can be active at the same time depends on your system’s hardware resources (vCPU, memory, disk, and vGPU), how your users use their apps while signed in to a session, and how heavy your system’s workload is. We suggest you validate your system’s performance to understand how many users you can have on Windows 10 Enterprise multi-session. To learn more, see Windows Virtual Desktop pricing.
Why does my application report Windows 10 Enterprise multi-session as a Server operating system?
Windows 10 Enterprise multi-session is a virtual edition of Windows 10 Enterprise. One of the differences is that this operating system (OS) reports the ProductType as having a value of 3, the same value as Windows Server. This property keeps the OS compatible with existing RDSH management tooling, RDSH multi-session-aware applications, and mostly low-level system performance optimizations for RDSH environments. Some application installers can block installation on Windows 10 multi-session depending on whether they detect the ProductType is set to Client. If your app won’t install, contact your application vendor for an updated version.
Can I run Windows 10 Enterprise multi-session on-premises?
Windows 10 Enterprise multi-session can’t run in on-premises production environments because it’s optimized for the Windows Virtual Desktop service for Azure. It’s against the licensing agreement to run Windows 10 Enterprise multi-session outside of Azure for production purposes. Windows 10 Enterprise multi-session won’t activate against on-premises Key Management Services (KMS).
Can I upgrade a Windows 10 VM to Windows 10 Enterprise multi-session?
No. It’s not currently possible to upgrade an existing virtual machine (VM) that’s running Windows 10 Professional or Enterprise to Windows 10 Enterprise multi-session. Also, if you deploy a Windows 10 Enterprise multi-session VM and then update the product key to another edition, you won’t be able to switch the VM back to Windows 10 Enterprise multi-session and will need to redeploy the VM.
How do I customize the Windows 10 Enterprise multi-session image for my organization?
You can start a VM in Azure with Windows 10 Enterprise multi-session, customize it by installing LOB applications, run sysprep to generalize it, and then create an image using the Azure portal.
To get started, create a VM in Azure with Windows 10 Enterprise multi-session. Instead of starting the VM in Azure, you can download the VHD directly. After that, you’ll be able to use the VHD you downloaded to create a new Generation 1 VM on a Windows 10 PC with Hyper-V enabled.
Customize the image to your needs by installing LOB applications and sysprep the image. When you’re done customizing, upload the image to Azure with the VHD inside. After that, get Windows Virtual Desktop from the Azure Marketplace and use it to deploy a new host pool with the customized image.
How do I manage Windows 10 Enterprise multi-session after deployment?
You can use any supported configuration tool, but we recommend Configuration Manager version 1906 because it supports Windows 10 Enterprise multi-session. We’re currently working on Microsoft Intune support.
Can Windows 10 Enterprise multi-session be Azure Active Directory (AD)-joined?
Windows 10 Enterprise multi-session currently supports being hybrid Azure AD-joined. After Windows 10 Enterprise multi-session is domain-joined, use the existing Group Policy Object to enable Azure AD registration. For more information, see Plan your hybrid Azure Active Directory join implementation.
Where can I find the Windows 10 Enterprise multi-session image?
Windows 10 Enterprise multi-session is in the Azure gallery. To find it, navigate to the Azure portal and search for the Windows 10 Enterprise for Virtual Desktops release. For an image integrated with Microsoft 365 Apps for enterprise, go to the Azure portal and search for Microsoft Windows 10 + Microsoft 365 Apps for enterprise.
Which Windows 10 Enterprise multi-session image should I use?
The Azure gallery has several releases, including Windows 10 Enterprise multi-session, version 1809, and Windows 10 Enterprise multi-session, version 1903. We recommend using the latest version for improved performance and reliability.
Which Windows 10 Enterprise multi-session versions are supported?
Windows 10 Enterprise multi-session, versions 1809 and later are supported and are available in the Azure gallery. These releases follow the same support lifecycle policy as Windows 10 Enterprise, which means the March release is supported for 18 months and the September release for 30 months.
Which profile management solution should I use for Windows 10 Enterprise multi-session?
We recommend you use FSLogix profile containers when you configure Windows 10 Enterprise in non-persistent environments or other scenarios that need a centrally stored profile. FSLogix ensures the user profile is available and up-to-date for every user session. We also recommend you use your FSLogix profile container to store a user profile in any SMB share with appropriate permissions, but you can store user profiles in Azure page blob storage if necessary. Windows Virtual Desktop users can use FSLogix at no additional cost. FSLogix comes pre-installed on all Windows 10 Enterprise multi-session images, but the IT admin is still responsible for configuring the FSLogix profile container.
For more information about how to configure an FSLogix profile container, see Configure the FSLogix profile container.
Which license do I need to access Windows 10 Enterprise multi-session?
For a full list of applicable licenses, see Windows Virtual Desktop pricing.
Why do my apps disappear after I sign out?
This happens because you’re using Windows 10 Enterprise multi-session with a profile management solution like FSLogix. Your admin or profile solution configured your system to delete user profiles when users sign out. This configuration means that when your system deletes your user profile after you sign out, it also removes any apps you installed during your session. If you want to keep the apps you installed, you’ll need to ask your admin to provision these apps for all users in your Windows Virtual Desktop environment.
How do I make sure apps don’t disappear when users sign out?
Most virtualized environments are configured by default to prevent users from installing additional apps to their profiles. If you want to make sure an app doesn’t disappear when your user signs out of Windows Virtual Desktop, you have to provision that app for all user profiles in your environment. For more information about provisioning apps, check out these resources:
How do I make sure users don’t download and install apps from the Microsoft Store?
You can disable the Microsoft Store app to make sure users don’t download extra apps beyond the apps you’ve already provisioned for them.
To disable the Store app:
- Create a new Group Policy.
- Select Computer Configuration > Administrative Templates > Windows Components.
- Select Store.
- Select Store Application.
- Select Disabled, then select OK.
- Select Apply.
Next steps
To learn more about Windows Virtual Desktop and Windows 10 Enterprise multi-session: