Forum Discussion

LjubisaLivac
Copper Contributor
Mar 20, 2022

Shared single-user device?

Hello everyone,

I'm totally new to Azure AD / Intune (for education) / Endpoint Manager. We have a Microsoft 365 A3 subscription.
I've been searching for information and struggling with this task for more than a few weeks and am still unable to find the optimal solution. We have a really simple and (I bet) pretty usual scenario, so I'm really intrigued that there is not already a bunch of information about this, or predefined templates, configuration policies or similar.
I work in a school where, in classrooms, many teachers use the same device. We have a few classrooms and each classroom has its own device (I have created an AAD user account for each device / classroom).
We store PPT presentations, Word and PDF files, media files and everything on a SharePoint folder, which the devices (user accounts) have access to.

I'm unable to use Kiosk mode for this because we need a bunch of applications to work with: Office apps of course, a video player, a file manager, a PDF reader, a codec pack and a lot of other apps. Also, as I've already mentioned, we need access to SharePoint and to a local file server, and a bunch of other things, so we can't restrict privileges and the user experience that much. Kiosk mode is definitely out. Also, as we have a static user account predefined for each classroom device (teachers won't have M365 accounts at all, and we don't want to complicate things with this at all), we have dedicated A3 accounts for those desktop devices, so Shared multi-user is definitely out.
So, I'm left with custom configuration policies, device restrictions and scripts. I was able to configure 90% of the desired things on the device, but there is one task that I'm unsure how to achieve: autologon with a dedicated predefined user account. I don't want to explain and let users (teachers) know our user account password so they could start using our device; we need to do that for them in advance. I'm aware of the Autologon app but, as far as I've seen, it isn't possible to configure it via Intune (unable to provide user credentials). Also, if it were possible to do such a thing, another problem would come up: when the device goes to sleep (which happens 99% of the time), the user would be asked to provide a password after waking up the device. Once again, I don't want to burden teachers with that info. Also, it would probably be a security hole, as everyone would know our username/password credentials.

The second option would be to create an AAD account without a password, which is also impossible as far as I know.

So, my question is simple: is there a way to remove the password prompt, or somehow to adjust autologon and disable the Windows lock screen (after the device wakes up)?

  • Hi LjubisaLivac

    Like Moe_Kinani said, turning on Autologon is not recommended.

    If you want multiple users to use a single Azure AD account on a PC without giving them the account password, I would suggest that you configure a Windows Hello PIN on the PCs in question. The PIN code is stored locally on the device and cannot be used to sign in to the account anywhere else.

    You can use Intune to enforce a Windows Hello policy (set minimum requirements etc.), but then you will have to configure the PIN locally on the PC. Once set up, users can use this PIN to sign in to the PC.
    Integrate Windows Hello for Business with Microsoft Intune - Microsoft Intune | Microsoft Docs
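The following audit script is an added example and is not part of the thread above or of any Microsoft tooling. It checks a classroom PC for the three things the discussion turns on: whether Autologon is switched on (and, if so, whether the account password sits in plaintext in the Winlogon registry key, readable by anyone on the machine), whether Windows will demand a password on wake from sleep, and whether a Windows Hello for Business policy has been pushed to the device. It assumes a Windows 10/11 PC and an elevated PowerShell session; it does not talk to Intune or Azure AD at all.

```powershell
# Added example (not from the forum thread): audit a shared classroom PC for the
# autologon, wake-from-sleep and Windows Hello settings discussed above.
# Assumptions: Windows 10/11, run as a local administrator. No Intune/AAD calls.

function Get-ClassroomLogonAudit {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogon -ErrorAction Stop

    # 1. Autologon: AutoAdminLogon = "1" makes Winlogon sign in DefaultUserName at
    #    boot. A DefaultPassword REG_SZ under this key is the account password in
    #    plaintext; any local user can read it. (Sysinternals Autologon writes the
    #    password as an LSA secret instead, which this check does not see, but a
    #    local admin can still recover an LSA secret.)
    $autologonOn       = ($wl.AutoAdminLogon -eq '1')
    $plaintextPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)

    # 2. Require password on wake: powercfg setting alias CONSOLELOCK under the
    #    SUB_NONE subgroup ("Require a password on wakeup"). Index 1 = require, 0 = no.
    $pc   = powercfg /query SCHEME_CURRENT SUB_NONE CONSOLELOCK 2>$null
    $acIx = $null
    $dcIx = $null
    if ($pc) {
        $m = ($pc | Select-String 'Current AC Power Setting Index:\s+0x([0-9A-Fa-f]+)')
        if ($m) { $acIx = [Convert]::ToInt32($m.Matches[0].Groups[1].Value, 16) }
        $m = ($pc | Select-String 'Current DC Power Setting Index:\s+0x([0-9A-Fa-f]+)')
        if ($m) { $dcIx = [Convert]::ToInt32($m.Matches[0].Groups[1].Value, 16) }
    }

    # 3. Windows Hello for Business policy: when Intune (or GPO) pushes a WHfB
    #    policy, it lands under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork
    #    with an "Enabled" DWORD. Absence only means no policy was delivered.
    $whfb = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                             -Name Enabled -ErrorAction SilentlyContinue
    $whfbPolicy = if ($null -eq $whfb) { 'not configured' }
                  elseif ($whfb.Enabled -eq 1) { 'enabled' } else { 'disabled' }

    # Collect findings the way a practitioner would want to read them.
    $findings = New-Object System.Collections.Generic.List[string]
    if ($autologonOn) {
        $findings.Add("AutoAdminLogon is ON for user '$($wl.DefaultUserName)'")
        if ($plaintextPassword) {
            $findings.Add('DefaultPassword is stored in PLAINTEXT under Winlogon')
        }
    }
    if ($acIx -eq 0 -or $dcIx -eq 0) {
        $findings.Add('Password on wake is disabled (CONSOLELOCK = 0) on at least one power source')
    }

    [PSCustomObject]@{
        AutologonEnabled        = $autologonOn
        AutologonUser           = $wl.DefaultUserName
        PlaintextPasswordInReg  = $plaintextPassword
        RequirePasswordOnWakeAC = $acIx
        RequirePasswordOnWakeDC = $dcIx
        WindowsHelloPolicy      = $whfbPolicy
        Findings                = $findings.ToArray()
    }
}

# Usage: print the audit object, then list the findings one per line.
$audit = Get-ClassroomLogonAudit
$audit | Format-List
$audit.Findings | ForEach-Object { Write-Warning $_ }
```

If `PlaintextPasswordInReg` comes back `$true`, that value is exactly the "everyone would know our username/password" hole the original poster worried about, and removing it (and turning off `AutoAdminLogon`) is the first step before moving the device to a locally enrolled Windows Hello PIN as the reply suggests. Note that `CONSOLELOCK` only governs the wake-from-sleep prompt; the sign-in screen at boot is a separate matter.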
