Set up a shared or guest Windows device
Shared PC offers options to facilitate the management and optimization of shared devices. The customizations offered by Shared PC are listed in the following table.
|Area Name||Setting name and description|
|Shared PC mode||EnableSharedPCMode or EnableSharedPCModeWithOneDriveSync: when enabled, Shared PC mode is turned on and different settings are configured in the local group policy object (LGPO). For a detailed list of settings enabled by Shared PC Mode in the LGPO, see the Shared PC technical reference.
|Account management||EnableAccountManager: when enabled, automatic account management is turned on. The following settings define the behavior of account manager:
AccountModel: this option controls which types of users can sign-in to the device, and can be used to enable the Guest and Kiosk accounts. For more information, see the Shared PC CSP documentation.
KioskModeAUMID: configures an application (referred as Application User Model ID - AUMID) to automatically execute when the kiosk account is used to sign in. A new account will be created and will use assigned access to only run the app specified by the AUMID. Find the Application User Model ID of an installed app.
KioskModeUserTileDisplayText: sets the display text on the kiosk account if KioskModeAUMID has been set.
|Advanced customizations||SetEduPolicies: when enabled, specific settings designed for education devices are configured in the LGPO. For a detailed list of settings enabled by SetEduPolicies in the LGPO, see Shared PC technical reference.
SleepTimeout: specifies all timeouts for when the PC should sleep.
SignInOnResume: if enabled, specifies if the user is required to sign in with a password when the PC wakes from sleep.
MaintenanceStartTime: by default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update or Search indexing) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For a detailed list of settings enabled by MaintenanceStartTime, see Shared PC technical reference.
MaxPageFileSizeMB: adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs.
RestrictLocalStorage: when enabled, users are prevented from saving or viewing local storage while using File Explorer.
Configure Shared PC
Shared PC can be configured using the following methods:
- Microsoft Intune/MDM
- Provisioning package (PPKG)
- PowerShell script
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
To configure devices using Microsoft Intune, create a Settings catalog policy, and use the settings listed under the category
Assign the policy to a security group that contains as members the devices or users that you want to configure.
Guidance for accounts on shared PCs
When a device is configured in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through Guest and Kiosk will be deleted automatically at sign out.
Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using Settings > Accounts > Other people > Add someone else to this PC after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the Guest and Kiosk options on the sign-in screen (if enabled) will automatically be deleted at sign out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: Computer Configuration > Administrative Templates > System > User Profiles: Delete User Profiles Older Than A Specified Number Of Days On System Restart.
The account management service supports accounts that are exempt from deletion. An account can be marked exempt from deletion by adding the account SID to the registry key:
HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\. To add the account SID to the registry key using PowerShell, use the following example as a reference:
$adminName = "LocalAdmin" $adminPass = 'Pa$$word123' invoke-expression "net user /add $adminName $adminPass" $user = New-Object System.Security.Principal.NTAccount($adminName) $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) $sid = $sid.Value; New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
Troubleshooting Shared PC
To troubleshoot Shared PC, you can use the following tools:
- Check the log
- Check the registry keys under
AccountManagementkey contains settings on how profiles are managed
NodeValuescontains what values are set for the features managed by Shared PC
- For a list of settings configured by the different options offered by Shared PC mode, see the Shared PC technical reference.
- For a list of settings exposed by the SharedPC configuration service provider, see SharedPC CSP.
- For a list of settings exposed by Windows Configuration Designer, see SharedPC CSP.