Shared PC with OneDrive Sync enabled

This will be a shorter post where I share some standard configurations to get OneDrive Sync working with Shared PC mode. I will include some extra policies that are beneficial to have on a Shared PC and an example of a Conditional Access policy to help a Shared PC auto-sign in to OneDrive when you require MFA (you should).

Creating the deployment profile

A Shared PC does not have a primary user and is not assigned to a specific user, so we will start by creating a deployment profile with the deployment mode set to Self-Deploying.

Go to Intune – Devices – Windows – Enrollment – Deployment profiles and create a new profile.

Configure the enrollment profile to fit your needs but make sure you set Deployment mode to Self-Deploying.

Deployment profile Shared PC

Assign the profile to a device group.

Shared PC configuration policy

We will start with creating the basic required Shared PC policy. You can do this using the template or you can do this using settings catalog. In this case I have picked settings catalog so I can easily export it and you can import it.

I will just mention some settings here, but this is the basic configuration and you can of course change the settings to fit your requirements.

Download config

Technical reference for Shared PC
Shared PC device settings documentation

SharedPC configuration in Intune

With this configuration we require the user to sign in and the guest account is not enabled (Account Model). We also do an automatic cleanup of user profiles when the disk starts to become full or when the user has not logged into the device for 30 days or more (Inactivity Threshold, Enable Account Manager, Disk Level Caching, Disk Level Deletion).

OneDrive Sync configuration

We want our users to have OneDrive sync enabled on the Shared PCs so they can easily access and work with their files. We will need to create two policies here: one to activate the OneDrive Sync function on Shared PCs and the other to configure how OneDrive acts and works.

Enable OneDrive Sync on Shared PC

We need to create a custom profile to enable OneDrive sync for a Shared PC.

Shared PC CSP settings documentation

  • Create a new profile – Templates – Custom
OneDrive Sync Shared PC Mode
  • Name: EnableSharedPCModeWithOneDriveSync
  • Description: Enable OneDrive Sync for Shared PC's
  • OMA-URI: ./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync
  • Data type: Boolean
  • Value: True

Assign it to the device group for your Shared PCs.
We have now enabled OneDrive Sync for Shared PCs.

Download config

You will need to use an import tool for this config; I recommend:
IntuneManagement from Micke K

OneDrive Settings (User Experience and functions)

Now we will configure how OneDrive works when the user signs into a Shared PC. This might also differ for you based on your requirements, but in my experience this works very well for the end user.

You need to fill in your own TenantID and Tenant Association Key if you are using this; if not, remove them from the configuration.

Download OneDrive Settings Configuration

OneDrive Intune Config

MFA and OneDrive automatic sign-in

If MFA is required for all cloud apps (it should be), then when your user first signs in to the Shared PC the MFA requirement is not fulfilled for OneDrive, because the Windows sign-in uses single-factor authentication. So how can we work around this and still be secure?

Well, we will need to exclude our Shared Devices from our standard Conditional Access policy that requires MFA for all cloud apps and create a separate Conditional Access policy that only targets the Shared Devices.

I know exclusions are not a good thing, but in some cases the end-user experience might require some tweaking to find a balance between security and function.

Depending on your license you can use different security functions in your Conditional Access policy, and you will have to decide what works best for your organization based on risk and benefits. Below is an example CA policy created for Shared Devices.

  • User risk
  • Sign-in risk
  • Locations – Trusted networks
  • Session – Sign-in frequency – Every time
  • Filter for devices to only target Shared PCs

The above is just an example; you might want to tag devices and only allow this on specific devices, but review your security and your requirements before doing this.
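To show what the separate Shared Device policy looks like outside the portal, here is an added example (not from the original post) that creates it in report-only mode with the Microsoft Graph PowerShell SDK. It assumes the Autopilot deployment profile is named 'Shared PC', that the tenant is licensed for risk conditions (Entra ID P2), and it picks 'block' as the grant control; those choices are assumptions, not the post's.

```powershell
# Added example (not from the original post): create the Shared PC Conditional Access
# policy through Microsoft Graph. Assumptions: deployment profile named 'Shared PC',
# Entra ID P2 for sign-in risk, and 'block' as the chosen grant control.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

function New-SharedPcCaPolicy {
    param(
        [string] $DisplayName = 'Shared PC - block risky sign-ins outside trusted networks',
        [string] $EnrollmentProfileName = 'Shared PC'   # assumed deployment profile name
    )
    $policy = @{
        displayName = $DisplayName
        # Start in report-only and review the sign-in logs before switching to 'enabled'.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users        = @{ includeUsers = @('All') }
            applications = @{ includeApplications = @('All') }
            platforms    = @{ includePlatforms = @('windows') }
            # Device filter: only devices enrolled through the Shared PC deployment profile,
            # so the policy never touches the normal (MFA-required) fleet.
            devices      = @{
                deviceFilter = @{
                    mode = 'include'
                    rule = "device.enrollmentProfileName -eq `"$EnrollmentProfileName`""
                }
            }
            # Applies everywhere except the named/trusted locations from the post.
            locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
            # Sign-in risk compensates for the MFA exclusion on these devices. All listed
            # conditions are ANDed, so a user-risk policy would be a second policy with the
            # same device filter rather than an extra condition here.
            signInRiskLevels = @('high', 'medium')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body $policy
}

New-SharedPcCaPolicy
```

The same `device.enrollmentProfileName` filter, with `mode = 'exclude'`, is what you add to the standard all-cloud-apps MFA policy so the two policies do not overlap.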

Configure SKIP ESP page

This is not required but might improve the user experience depending on your configuration.
Basically this skips the ESP page for the user signing into Windows, so the end user doesn't experience an extra screen/delay. (For example, if you install user-assigned applications on Shared PCs, the end users might get to the desktop before the applications have finished installing.)

  • Create a new profile – Templates – Custom
SKIP ESP page config
  • Name: Skip enrollment status page
  • Description: Skip enrollment status page
  • OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
  • Data type: Boolean
  • Value: True
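Both custom profiles in this post (the OneDrive Sync one above and this Skip ESP one) are a single Boolean OMA-URI setting assigned to a device group, so they can be created the same way. The following is an added example, not the post's or the IntuneManagement tool's code; it uses the Microsoft Graph PowerShell SDK and assumes the shared PC device group is named 'Shared PC Devices'.

```powershell
# Added example (not from the original post): create the two custom OMA-URI profiles
# from this post through Microsoft Graph and assign them to the shared PC device group.
# Assumptions: Microsoft.Graph module installed; group named 'Shared PC Devices'.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All'

function New-CustomBooleanProfile {
    param(
        [Parameter(Mandatory)] [string] $ProfileName,
        [Parameter(Mandatory)] [string] $Description,
        [Parameter(Mandatory)] [string] $OmaUri,
        [Parameter(Mandatory)] [string] $GroupId
    )
    # A Windows custom profile carries one or more OMA-URI settings; both settings in
    # this post are Boolean, so each profile wraps a single omaSettingBoolean.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $ProfileName
        description   = $Description
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingBoolean'
                displayName   = $ProfileName
                description   = $Description
                omaUri        = $OmaUri
                value         = $true
            }
        )
    }
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' -Body $body

    # Assign to the device group (shared PCs have no primary user, so never to a user group).
    $assignment = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
        -Body $assignment | Out-Null
    return $created
}

$groupId = (Get-MgGroup -Filter "displayName eq 'Shared PC Devices'").Id   # assumed group name

New-CustomBooleanProfile -ProfileName 'EnableSharedPCModeWithOneDriveSync' `
    -Description "Enable OneDrive Sync for Shared PC's" `
    -OmaUri './Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync' -GroupId $groupId

New-CustomBooleanProfile -ProfileName 'Skip enrollment status page' `
    -Description 'Skip enrollment status page' `
    -OmaUri './Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage' `
    -GroupId $groupId
```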

Download config

You need to use an import tool like IntuneManagement from Micke K.

That's it, you have now set up a Shared PC with OneDrive sync. You will need to add other configs for your requirements, but this will allow your end users to use OneDrive sync on a Shared PC.
