Managing shared or kiosk Windows devices

Fillip 0 Reputation points
2026-05-01T03:22:01.92+00:00

We have a number of shared devices (front desk, kiosks, shift workers), and managing user sessions, policies, and security is getting complicated. Are you using kiosk mode, shared PC mode, or some custom solution?

Windows for business | Windows 365 Enterprise
1 answer

  1. Marcin Policht 90,725 Reputation points MVP Volunteer Moderator
    2026-05-01T03:39:14.89+00:00

    For that kind of environment, you might want to consider mixing approaches rather than relying on a single mode everywhere, because the tradeoffs are different depending on how locked down each device needs to be.

    Kiosk mode is the most restrictive and predictable option. It’s suitable in scenarios where the device is meant to run a single app or a very small set of apps, like check-in terminals or customer-facing stations. It reduces your attack surface and session complexity because users don’t really “log in” in the traditional sense. The downside is that it’s rigid, and once you need multiple apps, file access, or any flexibility, it starts to feel like you’re fighting the platform.

    Shared PC mode is more aligned with front desk and shift worker scenarios. It’s designed for high-turnover logins with minimal persistence. It automatically cleans up profiles, enforces fast sign-in/sign-out, and can be combined with policies that restrict local storage and background processes. This works well when users still need a full desktop but you don’t want profile sprawl or long-term data left behind. The challenge is that it doesn’t solve everything by itself, especially around app configuration, identity consistency, and conditional access.

    In practice, you can layer shared PC mode with Intune or Group Policy to enforce things like OneDrive Known Folder Move, Edge or browser session restrictions, and conditional access tied to device compliance. That’s where the “custom solution” aspect comes in, not by replacing shared mode, but by tightening the edges. For example, enforcing sign-out behavior, clearing browser sessions, and limiting which apps can cache credentials often requires additional policy tuning.

    If you’re seeing complexity grow, it’s often a sign that device roles aren’t clearly segmented. Kiosks should be extremely locked down and simple. Shared productivity devices should lean on shared PC mode with cleanup and cloud-backed user state. If a device needs persistence or personalization, it may no longer belong in the shared category at all.

    If you want something concrete to compare against, a shared PC configuration via CSP might look like this:

    ./Vendor/MSFT/SharedPC/EnableSharedPCMode = true
    ./Vendor/MSFT/SharedPC/AccountModel = 0
    ./Vendor/MSFT/SharedPC/DeleteAccounts = true
    ./Vendor/MSFT/SharedPC/DeletionPolicy = 0
    ./Vendor/MSFT/SharedPC/DiskLevelDeletion = 50
    

    And then layered with policies like:

    Computer Configuration\Administrative Templates\System\User Profiles\Delete user profiles older than a specified number of days on system restart
    

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

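As an added example (not code from the answer above or from Microsoft), the following PowerShell audit reads the SharedPC CSP values the answer lists through the MDM Bridge WMI provider (namespace root\cimv2\mdm\dmmap, class MDM_SharedPC) and checks that the stale-profile cleanup policy is applied by looking at the CleanupProfiles registry value that policy writes. It assumes a Windows device on which the script runs as LOCAL SYSTEM, which the bridge provider requires; the function name Test-SharedPcBaseline and the -Remediate switch are my own.

```powershell
# Added example: audit a device against the shared PC baseline from the answer.
# The MDM Bridge WMI provider only answers when this runs as LOCAL SYSTEM
# (for example via PsExec -s or a SYSTEM scheduled task).

# Expected SharedPC CSP values, taken from the settings quoted in the answer.
$SharedPcBaseline = @{
    EnableSharedPCMode = $true
    AccountModel       = 0
    DeletionPolicy     = 0
    DiskLevelDeletion  = 50
}

# "Delete user profiles older than a specified number of days on system restart"
# writes its day count to this registry value when the policy is applied.
$ProfileCleanupKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ProfileCleanupValue = 'CleanupProfiles'

function Test-SharedPcBaseline {
    [CmdletBinding()]
    param([switch]$Remediate)   # hypothetical switch: only write back when asked

    $findings = @()
    $csp = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC' -ErrorAction Stop
    if (-not $csp) { throw 'MDM_SharedPC not found; run as SYSTEM on a supported Windows build.' }

    foreach ($name in $SharedPcBaseline.Keys) {
        $expected = $SharedPcBaseline[$name]
        $actual   = $csp.$name
        if ("$actual" -ne "$expected") {
            $findings += [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual }
            if ($Remediate) { $csp.$name = $expected }   # staged; committed below
        }
    }
    if ($Remediate -and $findings.Count -gt 0) { Set-CimInstance -InputObject $csp }

    # Second layer from the answer: is the stale-profile deletion policy in place?
    $days = (Get-ItemProperty -Path $ProfileCleanupKey -Name $ProfileCleanupValue -ErrorAction SilentlyContinue).$ProfileCleanupValue
    if (-not $days) {
        $findings += [pscustomobject]@{ Setting = 'CleanupProfiles (GPO)'; Expected = 'configured'; Actual = 'not configured' }
    }
    return $findings
}

# Report drift only; add -Remediate to push the CSP values back to the baseline.
$drift = Test-SharedPcBaseline
if ($drift) { $drift | Format-Table -AutoSize } else { 'Device matches the shared PC baseline.' }
```

The audit reports drift without changing anything unless -Remediate is passed, so it can run from a scheduled task as a compliance check on each shared device.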
