In this article, I'll walk through a configuration profile in MEM known as the Shared multi-user device profile.
These profiles can be applied to devices in the fleet that are used by many users periodically, that do not need to retain data on the disk, and that need restrictions on device usage.
You can set up the login account in Guest mode and have the option to enable the “Guest” account on the local computer.
“Guest” account in the local computer
An instance of the Guest account will be created with this task, and if the profile is set to be deleted immediately at logoff, then the next time a user logs in to the computer, another instance will be activated. We will inspect that below.
How to configure the device profile?
Go to https://endpoint.microsoft.com/ > Devices > Configuration Profiles > Create profile >
Platform: Windows 10 and later
Profile Type: Templates
Select Shared multi-user device option > Hit Create
Provide the profile with a meaningful name and hit Next
The interface will look like this
Let's go through the options now
Shared PC mode: If you enable this option, only one user can log in to the device at a time. If the next user needs to log in, the first user needs to log off.
Guest Account: This has a few options to choose from.
Guest: An additional local Guest account will be created. This doesn’t require credentials to be entered.
Domain: A domain account (Active Directory or Azure AD) will act as a Guest account in this scenario. This will be a named account but with limited access on the device.
Account Management: Enabling this setting will allow the admin to manage profile deletion (Account Deletion) features in the device
Account Deletion: This gives the option to delete the account immediately at logoff, or when the disk space reaches a threshold, or when an inactive time reaches a threshold, or both.
Local Storage: This can be disabled so the user will be able to access the local drives
Power Policies: This basically prohibits the user from changing the power settings such as lid close behaviour, power button behaviour etc.
Sleep time out (in seconds): This puts the device to sleep after the specified time. If no number is provided, the default is 60 minutes.
Sign-in when PC wakes up: Simply set to enable, disable or not configured
Maintenance start time: Enter the number of minutes after midnight to make this feature active
Education policies: If this device is used in a school environment, you can enable the feature and the set of education policies will come into play.
More on Education Policies can be found here
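To confirm on a device that the profile has landed, the settings can be read back through the MDM bridge WMI class `MDM_SharedPC` and compared with what you intended. The PowerShell below is an added example, not part of the original article; the baseline values, the constructed sample state and the `Compare-SharedPcState` helper name are assumptions for a guest-only device that deletes profiles at logoff.

```powershell
# Baseline for a guest-only shared device (constructed values; adjust to your profile).
# Property names come from the MDM_SharedPC class (SharedPC CSP), not from the article.
$Expected = [ordered]@{
    EnableSharedPCMode   = $true  # Shared PC mode
    EnableAccountManager = $true  # Account Management
    AccountModel         = 0      # 0 = guest only, 1 = domain only, 2 = guest and domain
    DeletionPolicy       = 0      # 0 = at logoff, 1 = disk threshold, 2 = disk and inactivity thresholds
    RestrictLocalStorage = $true  # Local Storage: true = users cannot use local drives
    SetPowerPolicies     = $true  # Power Policies
    SignInOnResume       = $true  # Sign-in when PC wakes up
}

# Hypothetical helper: returns one row per setting with a Match flag.
function Compare-SharedPcState {
    param(
        [Parameter(Mandatory)] $Actual,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($name in $Expected.Keys) {
        $prop  = $Actual.PSObject.Properties[$name]
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $value
            Match    = ($null -ne $value) -and ($value -eq $Expected[$name])
        }
    }
}

# Read the live state (assumes an elevated session on an enrolled Windows 10/11 device).
$state = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC' -ErrorAction SilentlyContinue
if (-not $state) {
    # Constructed sample so the comparison can be tried off-device:
    # profile deletion is set to a disk threshold instead of logoff.
    $state = [pscustomobject]@{
        EnableSharedPCMode = $true; EnableAccountManager = $true; AccountModel = 0
        DeletionPolicy = 1; RestrictLocalStorage = $true
        SetPowerPolicies = $true; SignInOnResume = $true
    }
}

$report = Compare-SharedPcState -Actual $state -Expected $Expected
$report | Format-Table -AutoSize
if ($report.Match -contains $false) { Write-Warning 'Shared PC settings deviate from the baseline.' }
```

With the constructed sample, the `DeletionPolicy` row is the only mismatch, which is the case to watch for on guest devices: profiles that survive logoff leave the previous user's data on disk.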
Login UI Behaviour
The instance of the Guest account
This config can easily be up and running in an environment where you have to hand out devices to users, or where you don't really want to create accounts because the users will not be using company-provided systems with SSO enabled, etc.
image credits: Call Center Vectors by Vecteezy