Forum Discussion
Best practices for managing non-user assigned devices with Intune
Hi,
I’m a former SCCM administrator now working at a company that is an Intune-only shop. Our environment is Hybrid Azure AD Joined and we have a Group Policy that performs an Automatic MDM Enrollment into Intune for any new Windows PC that gets domain joined. While this process works very well for devices that are assigned specifically to a single end-user, we are running into challenges with PCs that are not intended to be assigned to a specific end user. For this discussion, I’ll refer to these as “Shared” or “Kiosk” PCs.
Intune seems to be “assigning” either the last user that logged into them or the user that logs in the most as the “Primary user”. This creates a problem for us from an administrative perspective as we’d prefer to assign a single generic “Intune Shared PC Management” account to these devices instead (to indicate they are not tied to one user). Ideally, this account would function like a service account to be used just to manage the PCs we set up as Shared and Kiosk (to push apps, apply patches, policies, configs, etc.).
I’ve searched online for guidance on how to set something like this up in Intune and the closest I have found is this article on Device Enrollment Manager (DEM) accounts:
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll
I have tried using a DEM account for this purpose and seem to be getting mixed results (the device must be manually enrolled with the DEM account and some Intune features don’t seem to work for DEM-assigned devices). I’m starting to think DEM accounts are not intended as a long-term management solution for shared devices. Surely some other Intune Admin out there has encountered this situation as well. Can anyone here tell me how they manage non-user assigned devices in Intune? Also, are any of you aware of any good articles out there on how to manage non-user assigned devices in Intune?
Thanks in advance!
3 Replies
Best way to do this is as follows:
Use for enrolment Autopilot Self Deploying mode, this is not mandatory but is really nice and hands off feature, highly recommended: https://learn.microsoft.com/en-us/autopilot/self-deploying
After this best is to use Shared Device Mode on the device:
This the Doc: https://learn.microsoft.com/en-us/mem/intune/configuration/shared-user-device-settings-windows
This is the CSP: https://learn.microsoft.com/en-us/windows/client-management/mdm/sharedpc-csp
This is nice extra resource: https://www.inthecloud247.com/configure-a-windows-shared-multi-user-device-with-intune/
This one is really nice: https://skotheimsvik.no/the-ultimate-guide-to-intune-powered-windows-11-shared-devices
Here is a really clear writeup about Primary users: https://learn.microsoft.com/en-us/mem/intune/remote-actions/find-primary-user
------
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Thanks for the reply. I'm having a busy morning, but I skimmed the articles you linked, and all that content looks really useful. Give me a day or two to process it and I'll revert back if I have further questions. Also, last night I read an article that stated one way to convert a PC that already onboarded with a Primary user to Shared mode was just to simply remove the Primary user and set it to "None". I'll have to experiment with that as well.
- Removing the primary user appears to have solved my issue.
Thanks!
