Forum Discussion
Intune Shared-Device Configuration - Disallow Entra Login
Hello everyone,
I am encountering an issue with our shared device setup in Intune.
Our organization manages devices through Intune, and we have configured shared devices specifically for external guests who only need access to a laptop and Microsoft Office products. While the setup generally works as expected, we’ve noticed an issue where users are still able to log in using Entra (Azure AD) accounts from our tenant, despite setting the Guest account configuration to "Guest" in Intune.
We would like to restrict access solely to the local guest account and prevent users from logging in with Entra accounts.
Our current configuration for the shared device profile is as follows:
Shared multi-user device settings:
- Shared PC mode: Enabled
- Guest account: Guest
- Account management: Enabled
- Account Deletion: At storage space threshold and inactive threshold
- Start delete threshold (%): 20
- Stop delete threshold (%): 50
- Inactive account threshold: 30
- Local Storage: Enabled
- Power Policies: Enabled
- Sleep timeout (in seconds): 600
- Sign-in when PC wakes: Enabled
- Maintenance start time (minutes from midnight): 60
- Education policies: Disabled
Is there a way to enforce this restriction, allowing only the local guest account and blocking Entra user access? Any guidance on this matter would be greatly appreciated.
Thank you for your assistance.
2 Replies
- JoeLoveless (Copper Contributor)
What other policies do you have applied? If you have anything "User Rights related", I would look at "Allow Local Log On". Default setting is Administrators, Backup Operators, and Users.
Removing Users and replacing with the name of the local account should work for you.
I can't remember if Shared PC Configuration sets the Guest account to a specific name or not. If you are not renaming your Guest account, you could add that to the configuration as I'm not sure if it's a random account or not.
Possible solution:
- Rename guest account to a standard.
- Allow local logon, set to Administrators, Backup Operators, specific Guest account (or Guests group)
- This will remove Users from the local logon
- Make sure you're only applying this to the Shared PCs, as nobody would be able to log on to normal workstations :)
Accounts Rename guest account - security policy setting - Windows 10 | Microsoft Learn
Allow log on locally - security policy setting - Windows 10 | Microsoft Learn
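As an added example (not part of the thread), here is a PowerShell check an administrator can run on a shared PC to verify which principals actually hold "Allow log on locally" after applying the user-rights change suggested above; in Intune that right corresponds to the Policy CSP `UserRights/AllowLocalLogOn` setting. The scratch file path is an assumption.

```powershell
# Added example (not from the thread): audit which principals hold the
# "Allow log on locally" user right (SeInteractiveLogonRight) on a Windows device,
# so you can confirm that a Shared PC / user-rights policy actually removed
# BUILTIN\Users before relying on it. Run from an elevated PowerShell prompt.

$exportPath = Join-Path $env:TEMP 'secpol-audit.inf'   # assumed scratch path
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# secedit writes an INI-style file; the relevant line looks like:
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
$line = Get-Content $exportPath | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $exportPath -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight is not present in the export.'
    return
}

# Entries are comma-separated; SIDs are prefixed with '*', plain names are not.
$entries = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }

$principals = foreach ($entry in $entries) {
    $value = $entry.TrimStart('*')
    if ($value -match '^S-1-') {
        try {
            # Resolve well-known and local SIDs to readable account names
            $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $value }   # unresolved SID: keep the raw value
    } else {
        $value
    }
}

$principals | ForEach-Object { Write-Output "Allow log on locally: $_" }

# S-1-5-32-545 is the well-known SID for BUILTIN\Users; if it is still granted
# the right, the restriction described in the reply above is not in effect.
if ($entries -contains '*S-1-5-32-545' -or $principals -contains 'BUILTIN\Users') {
    Write-Warning 'BUILTIN\Users still holds "Allow log on locally".'
} else {
    Write-Output 'BUILTIN\Users is not granted "Allow log on locally".'
}
```

Run it before and after the policy applies to confirm the resulting set is Administrators, Backup Operators and the intended guest account only.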
- TimS1 (Copper Contributor)
Did you ever solve this? Seems like the default (and wrong) behavior. Guest only should be guest only.