Forum Discussion
Shared single-user device?
Hello everyone,
I'm totally new to Azure AD / Intune (for education) / Endpoint manager. We have Microsoft 365 A3 subscription.
I've been searching for information and struggling with this task for more than a few weeks and am still unable to find the optimal solution. We have a really simple and (I bet) pretty usual scenario so I'm really intrigued that there is no already a bunch of information about this or already predefined templates, configuration policies or similar.
I work in a school wherein classrooms many teachers use the same device. We have a few classrooms and each classroom has it's own device (I have created AAD user account for each device / classroom).
We store PPT presentations, Word and PDF files, media files and everything on SharePoint folder, which devices (user accounts) have access to.
I'm unable to use Kiosk mode for this because we need a bunch of applications to work with - Office apps of course, video player, file manager, PDF reader, codec pack and a lot of other apps. Also, as I've already mentioned, we need access to Sharepoint and to la ocal file server, and a bunch of other things, so we can't so much restrict privileges and user experience - Kisok mode is definitely out. Also, as we have static user account predefined for classroom device (teachers won't have M365 accounts at all, and we don't wanna complicate with this at all), we have dedicated A3 accounts for those desktop devices - Shared multiple-user is definitely out.
So, I'm left with custom configuration policies, devices restrictions and scripts. And I was able to configure a 90% of desired things to the device, but there is one task that I'm unsure how to achieve - autologon with a dedicated predefined user account. I don't want to explain and let users (teachers) know our user account password so they could start using our device - we need to do that for them in advance. I'm aware of Autologon app but, as I've seen so far, this isn't possible to configure via Intune (unable to provide user credentials). Also, if it would be possible to do such thing, there would come up another problem - when device going to sleep (which happens 99% of the time), the user would be asked to provide a password after waking up the device. Once again, I don't want to burden teachers with that info. Also, it would be a security hole probably, as everyone would know our username/password credentials.
The second option would be to create AAD account without password, which is also impossible as much as I know.
So, my question is simple - is there a way to remove the password prompt, or somehow to adjust autologon and disable windows lock screen (after device waking up)?
Hi LjubisaLivac
Like Moe_Kinani turning on Auto logon is not recommended.
If you want multiple users to use a single Azure AD account on a PC without giving them the account password I would suggest that you configure a Windows Hello PIN on the PCs in question. The PIN code is stored localy on the device and can not be used to sign-in to the account any where else.
You can use Intune to enforce a Windows Hello policy (Set minimum requirement etc) but the you will have to configure the PIN localy on the PC. Once setup users can use this PIN to sign-into the PC.
Integrate Windows Hello for Business with Microsoft Intune - Microsoft Intune | Microsoft Docs
- Moe_KinaniBronze ContributorHi, You need to configure your devices shared Multi Users accounts. The student or teacher will login with guest account that doesn’t need credentials. You can also configure sleep settings… etc.
Auto Logon or no password for Azure AD is something against Azure Practices, I wouldn’t go this route.
Here is a great guide on how to configure shared Azure AD device using Intune:
https://www.petervanderwoude.nl/post/configuring-shared-multi-user-devices/
Moe- LjubisaLivacCopper Contributor
Moe_Kinani Hi and thanks for the help! This could definitely solve me the issue,
but there is (I hope) one last step that I should overcome - If we use Guest account, is there a way somehow to add Guest access to SharePoint folder (I need to create them access in windows explorer, like in this pic):
- Moe_KinaniBronze ContributorYes, user is still able to access his account with Guest account and save to the pc if configured in the setting.
Check this out-
https://www.inthecloud247.com/configure-a-windows-shared-multi-user-device-with-intune/
- Pontus_JohanssonCopper Contributor
Hi LjubisaLivac
Like Moe_Kinani turning on Auto logon is not recommended.
If you want multiple users to use a single Azure AD account on a PC without giving them the account password I would suggest that you configure a Windows Hello PIN on the PCs in question. The PIN code is stored localy on the device and can not be used to sign-in to the account any where else.
You can use Intune to enforce a Windows Hello policy (Set minimum requirement etc) but the you will have to configure the PIN localy on the PC. Once setup users can use this PIN to sign-into the PC.
Integrate Windows Hello for Business with Microsoft Intune - Microsoft Intune | Microsoft Docs- LjubisaLivacCopper ContributorHi Pontus_Johansson and thanks for the great idea! I'll take that into account, and maybe choose it as the solution!