Scenario: Shared PC Mode
Lab: Shared PC Mode ("Wipe on Logout")
- Type: Settings Catalog
- Goal: Enforce session isolation and data wiping.
Because every profile is created fresh at sign-in and deleted again at sign-out, first-logon provisioning runs on every session, so expect slower logins. We can investigate if problematic.
| Category Shared PC | Value | Explanation |
|---|---|---|
| Account Model | Domain | Only domain accounts may sign in; the local Guest option is not offered. |
| Deletion Policy | Delete immediately | Account profiles are deleted immediately after sign-out. |
| Enable Account Manager | true | Activates the service that deletes user profiles. |
| Enable Shared PC Mode | true | Trigger configuring a device to Shared PC mode. |
| Maintenance Start Time | 180 | Minutes after midnight; 180 = 3:00 AM start of the maintenance window. |
| Restrict Local Storage | true | Prevents users from saving files to local storage; since the profile is wiped at sign-out, nothing should live on the disk anyway. |
| Set Power Policies | false | Leave disabled here; power policies are set explicitly in the Power Settings profile. |
| Sign In On Resume | true | Require sign-in on waking from sleep. Largely moot once the Power Settings profile disables sleep, but harmless. |
Lab: Power Settings ("Always Ready for Updates")
- Type: Settings Catalog
- Goal: Ensures machines never sleep so they can receive "Simultaneous" updates.
| Category System / Power Management | Value | Explanation |
|---|---|---|
| Turn Off the Hard Disk (plugged in) | 1200 | Spins the disk down after 20 minutes (values are in seconds). This only idles the disk; it does not let the PC sleep. |
| Turn off the display (plugged in) | 1200 | Turn off the monitor after 20 minutes. |
| Hard Disk Settings | 1200 | Spin down the drives after 20 minutes. |
| System Sleep Timeout | 0 | Never sleep. If a student leaves a machine signed in it stays awake and keeps its network connection, so pending updates can still download and install. |
| Unattended Sleep Timeout Plugged In | 0 | Machines sitting at the sign-in screen never sleep either, so they stay reachable for updates. |
Lab: Device Restrictions (The "Clean" Look)
- Type: Settings Catalog
- Goal: Enforces the "Kiosk-like" visual restrictions without breaking File Explorer.
| Category/ Setting | Value | Explanation |
|---|---|---|
| Administrative Templates / Control Panel/ Prohibit access to Control Panel and PC settings | Enabled | Blocks tampering with OS settings |
| Administrative Templates / Personalization/ Prevent changing desktop background | Enabled | Blocks setting wallpaper. |
| Administrative Templates / Personalization/ Prevent changing lock screen image | Enabled | Maintains org branding. |
| Administrative Templates / Windows Components / File Explorer/ Hide these specified drives in My Computer | Restrict A, B, C and D drives only | Hides the local drives from File Explorer so students are not browsing system files; mapped network drives stay visible. This is cosmetic only: a user can still reach C:\ by typing a path into the address bar or the Run box, so pair it with "Prevent access to drives from My Computer" if access itself must be blocked, and rely on AppLocker (below) to stop anything they do find from running. |
| Windows Hello For Business/ Use Windows Hello For Business (Device) | false | Prevent WHFB on shared machines. |
Lab: Windows Update Ring (The "Uniformity" Engine)
- Type: Update ring for Windows 10 and later
- Goal: Ensures all shared machines update simultaneously rather than staggering.
| Setting Name | Recommended Value | Why? |
|---|---|---|
| UPDATE SETTINGS | ||
| Microsoft product updates | Allow | Ensures Office/Edge get patched alongside Windows. |
| Windows drivers | Allow | Critical for Shared PC stability. |
| Quality update deferral period (days) | 0 | Critical: Ensures all machines see the update the moment it releases (Uniformity). |
| Feature update deferral period (days) | 0 | Same reason. We don't want fragmentation. |
| Upgrade Windows 10 devices... | No | Safety: Keep this "No". Control major OS upgrades (e.g., moving Windows 10 devices to Windows 11) with a separate Feature Update policy, not this ring, so a lab does not jump versions mid-term. |
| Enable pre-release builds | Not Configured | Critical: Labs must be on "General Availability" channel, not Insider/Beta channel. |
| USER EXPERIENCE SETTINGS | ||
| Automatic update behavior | Auto install and restart at maintenance time | Matches "Shared PC" maintenance window (3am). |
| Active hours start | 7 AM | Covers early usage. |
| Active hours end | 10 PM | Covers evening usage. |
| Option to pause Windows updates | Disable | Shared PC users should never be able to stop a security patch. |
| Option to check for Windows updates | Disable | Shared PC users should not be checking for updates. |
| Change notification update level | Disable all notifications... | Shared PC users should not be deciding whether to schedule reboots. |
| DEADLINE SETTINGS | ||
| Use deadline settings | Allow | Unlocks the settings below. |
| Deadline for feature updates | 2 (days) | Forces the install quickly. |
| Deadline for quality updates | 2 (days) | If a machine was off for the weekend, update it NOW. |
| Grace period | 0 (days) | Once the 2-day deadline hits, reboot immediately. Note that after a deadline passes the restart is no longer held to the maintenance window or to outside active hours, so a machine that missed its window (off for the weekend) can restart mid-session and unsaved work in that session is lost. |
| Auto reboot before deadline | Yes | Lets the device restart outside active hours as soon as the update is ready instead of waiting for the deadline, so an idle machine at the sign-in screen simply reboots to finish the patch. |
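The Power Settings profile and this update ring only pay off if they actually landed on the device. The following PowerShell is an added example, not code from the original post: it checks the plugged-in sleep and display timeouts through powercfg and compares the applied update policies with the values in the two tables. It assumes the Policy CSP mirrors applied settings under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update using Update CSP value names, and that the plugged-in timeouts correspond to the powercfg aliases STANDBYIDLE, UNATTENDSLEEP and VIDEOIDLE.

```powershell
# Added post-deployment check; not code from the original post. Run elevated on a
# lab PC after the Power Settings and Update Ring profiles have applied.
# Assumptions: MDM policies are mirrored under
#   HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update
# (the Policy CSP store) using Update CSP value names, and the powercfg aliases
# STANDBYIDLE / UNATTENDSLEEP / VIDEOIDLE address the plugged-in timeouts set above.

function Get-PowercfgAcSeconds {
    param([string]$SubGroup, [string]$Setting)
    # powercfg prints "Current AC Power Setting Index: 0x00000000"; the hex value
    # is the timeout in seconds, and 0 means "never".
    $text = (powercfg /query SCHEME_CURRENT $SubGroup $Setting) -join "`n"
    $m = [regex]::Match($text, 'Current AC Power Setting Index:\s+0x([0-9A-Fa-f]+)')
    if (-not $m.Success) { return $null }
    return [Convert]::ToInt32($m.Groups[1].Value, 16)
}

function Test-LabUpdateReadiness {
    $failures = New-Object System.Collections.Generic.List[string]

    # 1. Power: neither the attended nor the unattended sleep timer may expire on AC.
    foreach ($setting in 'STANDBYIDLE', 'UNATTENDSLEEP') {
        $secs = Get-PowercfgAcSeconds -SubGroup SUB_SLEEP -Setting $setting
        if ($null -eq $secs) { $failures.Add("powercfg: could not read $setting"); continue }
        if ($secs -ne 0)     { $failures.Add("powercfg: $setting (AC) is $secs s, expected 0") }
    }
    $display = Get-PowercfgAcSeconds -SubGroup SUB_VIDEO -Setting VIDEOIDLE
    if ($null -eq $display -or $display -ne 1200) {
        $failures.Add("powercfg: display timeout (AC) is '$display' s, expected 1200")
    }

    # 2. Update ring: Update CSP values that the ring defined above should produce.
    $expected = [ordered]@{
        AllowMUUpdateService               = 1   # Microsoft product updates: Allow
        ExcludeWUDriversInQualityUpdate    = 0   # Windows drivers: Allow
        DeferQualityUpdatesPeriodInDays    = 0
        DeferFeatureUpdatesPeriodInDays    = 0
        ActiveHoursStart                   = 7
        ActiveHoursEnd                     = 22
        SetDisablePauseUXAccess            = 1   # pause option removed
        SetDisableUXWUAccess               = 1   # "check for updates" removed
        ConfigureDeadlineForQualityUpdates = 2
        ConfigureDeadlineForFeatureUpdates = 2
        ConfigureDeadlineGracePeriod       = 0
        ConfigureDeadlineNoAutoReboot      = 0   # 0 = auto reboot before deadline allowed
    }
    $key    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $actual) {
        $failures.Add("no Update policies found at $key; has the ring applied yet?")
    } else {
        foreach ($name in $expected.Keys) {
            $value = $actual.$name
            if ($null -eq $value)                { $failures.Add("$name not set (expected $($expected[$name]))") }
            elseif ($value -ne $expected[$name]) { $failures.Add("$name is $value, expected $($expected[$name])") }
        }
    }

    [pscustomobject]@{
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures.ToArray()
    }
}

Test-LabUpdateReadiness | Format-List
```

A machine that reports Compliant = True is awake, reachable and carrying the ring's deferral and deadline values; anything listed under Failures is either a profile that has not synced yet or a conflicting setting from another profile worth hunting down in the Intune device status report.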
Lab: AppLocker (Block execution of unauthorized apps)
- Type: Templates > Custom
- Goal: Blocks unauthorized .exe files from Downloads or USB since the OS isn't frozen. Two caveats on scope: the policy below defines only an Exe rule collection, so AppLocker enforces nothing for DLLs, scripts (.ps1, .vbs, .js, .cmd), MSI installers or packaged apps unless you add those collections; and a path rule is only as strong as the ACLs on the folder it allows, so any user-writable directory under C:\Windows (C:\Windows\Temp and C:\Windows\Tasks are the usual examples) is an allowed launch location for whatever a student copies there. Add Deny path rules for those folders, or prefer publisher rules, if that matters for your labs.
| Setting Name | Value | Description |
|---|---|---|
| AppLocker Application Control | Enforce Components | Turns on the enforcement engine. In the OMA-URI payload below this is the EnforcementMode="Enabled" attribute on the rule collection; set it to "AuditOnly" for a pilot group first and review the AppLocker "EXE and DLL" event log (event 8003 = would have been blocked) before enforcing. |
| Exe Rules | Allow: C:\Windows\*, C:\Program Files\*, C:\Program Files (x86)\* for Users; Allow: * for local Administrators | Allows installed software and system files to run; administrators are unrestricted. |
| Exe Rules (Default Behavior) | Block | Once a collection contains any rule, AppLocker denies everything in that collection that no rule allows (e.g., portable games on USB, installers in Downloads). |
Name: Enforce EXE Restrictions
Description: Blocks everything not in Windows or Program Files
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/EXE/Policy (Make sure there are no spaces in this path. "Native" is simply the grouping name; the AppLocker CSP accepts any label there, so reuse the same one if you later add DLL, Script or MSI collections.)
Data type: String
Value: Paste the entire XML code block below. The CSP takes the bare <RuleCollection> element; do not wrap it in <AppLockerPolicy> as you would for a Group Policy export:
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="All files for Administrators" Description="Allows members of the Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="9428c9b1-60d4-493f-b839-9d1da1692257" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Users group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-5-32-545" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="921f6095-f287-4605-bf53-277437833072" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Users group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-5-32-545" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Program Files (x86) folder" Description="Allows members of the Users group to run applications that are located in the Program Files (x86) folder." UserOrGroupSid="S-1-5-32-545" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%OSDRIVE%\Program Files (x86)\*" />
    </Conditions>
  </FilePathRule>
</RuleCollection>
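Before pushing the rule collection to a lab, it is worth proving on a reference PC that it allows what it should, denies Downloads, and seeing how much of C:\Windows a standard user can actually write to (every such folder is a launch point under the %WINDIR%\* rule). The PowerShell below is an added example, not code from the original post. It assumes the <RuleCollection> above has been saved as .\exe-rules.xml, that LAB\student is a non-admin domain account used in the labs, and it creates empty probe files only so the path rules have something to evaluate.

```powershell
# Added pre-deployment check; this is not code from the original post.
# Run in an elevated PowerShell on a reference lab PC. Assumptions (adjust to taste):
#   - the <RuleCollection> XML above has been saved as .\exe-rules.xml
#   - LAB\student is a non-admin domain account used in the labs
#   - the probe files are created empty purely to give the path rules something to evaluate

function Test-LabExeRules {
    param(
        [string]$RuleCollectionPath = '.\exe-rules.xml',
        [string]$User = 'LAB\student'
    )
    # Test-AppLockerPolicy wants a complete policy document, while the CSP takes
    # the bare <RuleCollection>; wrap it before testing.
    $ruleXml    = Get-Content -Raw -Path $RuleCollectionPath
    $policyXml  = "<AppLockerPolicy Version=`"1`">`n$ruleXml`n</AppLockerPolicy>"
    $policyPath = Join-Path $env:TEMP 'lab-applocker-test.xml'
    Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

    # Probe locations: the first two must come back Allowed, Downloads must be denied,
    # and the last one shows the weak spot of a path rule (Windows\Temp is user-writable).
    $probes = @(
        "$env:windir\notepad.exe",
        "$env:ProgramFiles\Common Files\probe.exe",
        "$env:PUBLIC\Downloads\probe.exe",
        "$env:windir\Temp\probe.exe"
    )
    $created = @()
    try {
        foreach ($p in $probes) {
            if (-not (Test-Path -LiteralPath $p)) {
                New-Item -ItemType File -Path $p -Force | Out-Null
                $created += $p
            }
        }
        Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probes -User $User |
            Select-Object FilePath, PolicyDecision, MatchingRule
    } finally {
        $created | ForEach-Object { Remove-Item -LiteralPath $_ -Force -ErrorAction SilentlyContinue }
        Remove-Item -LiteralPath $policyPath -Force -ErrorAction SilentlyContinue
    }
}

function Get-UserWritableWindowsDirs {
    param([string]$Root = $env:windir, [int]$Depth = 3)
    # Principals every lab user belongs to; an Allow ACE granting CreateFiles to one of
    # these makes the directory a launch point under the %WINDIR%\* allow rule.
    $lowPriv = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')  # Everyone, Authenticated Users, Users, Interactive
    $create  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    Get-ChildItem -Path $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if (([int]$ace.FileSystemRights -band $create) -eq 0) { continue }
                try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }
                if ($lowPriv -contains $sid) { $dir.FullName; break }
            }
        }
}

Test-LabExeRules | Format-Table -AutoSize
Get-UserWritableWindowsDirs | Sort-Object -Unique
```

Expect notepad.exe and the Program Files probe to show Allowed, the Downloads probe DeniedByDefault, and the Windows\Temp probe Allowed by the Windows-folder rule; the second function then lists the folders that need Deny rules if you want to close that gap. The -Depth parameter needs PowerShell 5 or later; raise it (or drop it) for a slower but complete sweep.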
Lab: Office 365 Licensing
- Type: Settings Catalog
- Goal: Prevents licensing errors on shared hardware.
| Category | Setting Name | Value | Description |
|---|---|---|---|
| Microsoft Office 2016 (Machine) \ Licensing Settings | Use shared computer activation | Enabled | Office activates per user with a short-lived licensing token on this machine instead of a normal per-device activation, so any number of users can run it here without each sign-in consuming one of that user's five install slots. |
Lab: Start Menu
- Type: Templates > Device Restrictions
- Goal: Pins academic apps to the Start Menu/Taskbar. Note that this LayoutModification XML format drives Start on Windows 10 only; Windows 11 ignores the Start portion (it takes pins as JSON through the Start/ConfigureStartPins policy) but still honours the taskbar section.
| Setting Name | Value | Description |
|---|---|---|
| Start menu layout | [Upload XML File] | XML file pinning Word, Excel, Chrome, and required apps. |
Start menu layout: Paste the entire XML code block below:
<LayoutModificationTemplate
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayoutGroup Name="Lab Tools">
        <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" />
        <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="Microsoft.Windows.Explorer" />
        <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationID="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App" />
        <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationID="Microsoft.Office.WINWORD.EXE.15" />
        <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="Microsoft.Office.EXCEL.EXE.15" />
        <start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationID="Microsoft.Office.POWERPNT.EXE.15" />
      </defaultlayout:StartLayoutGroup>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" />
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer" />
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.WINWORD.EXE.15" />
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.EXCEL.EXE.15" />
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.POWERPNT.EXE.15" />
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
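A tile whose shortcut path or AppUserModelID does not resolve on the target machine is silently dropped from the layout, which is easy to miss until a lab reports a missing Word tile. The PowerShell below is an added example, not code from the original post: it checks every DesktopApplicationLinkPath and DesktopApplicationID in the XML against what is actually installed on a reference lab PC. It assumes the layout above is saved as .\LayoutModification.xml and that Chrome and Office are already installed on the machine it runs on.

```powershell
# Added validation script; not part of the original post. Run on a reference lab PC
# that already has Chrome and Office installed. Assumption: the layout XML above is
# saved as .\LayoutModification.xml.

function Test-LabStartLayout {
    param([string]$LayoutPath = '.\LayoutModification.xml')
    [xml]$layout = Get-Content -Raw -Path $LayoutPath

    # Get-StartApps lists every installed app with the AppUserModelID that the
    # DesktopApplicationID attribute has to match exactly.
    $knownIds = @(Get-StartApps | ForEach-Object { $_.AppID })

    $ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
    $ns.AddNamespace('start',   'http://schemas.microsoft.com/Start/2014/StartLayout')
    $ns.AddNamespace('taskbar', 'http://schemas.microsoft.com/Start/2014/TaskbarLayout')

    # Both Start tiles and taskbar pins use the same two attributes, so check them together.
    $nodes = $layout.SelectNodes('//start:DesktopApplicationTile | //taskbar:DesktopApp', $ns)
    foreach ($node in $nodes) {
        $id   = $node.GetAttribute('DesktopApplicationID')
        $link = $node.GetAttribute('DesktopApplicationLinkPath')
        if ($link) {
            # %ALLUSERSPROFILE% and friends are expanded on the device, so expand them here too.
            $resolved = [Environment]::ExpandEnvironmentVariables($link)
            [pscustomobject]@{ Kind = 'Link';  Target = $link; Ok = (Test-Path -LiteralPath $resolved) }
        } elseif ($id) {
            [pscustomobject]@{ Kind = 'AppID'; Target = $id;   Ok = ($knownIds -contains $id) }
        } else {
            [pscustomobject]@{ Kind = 'Unknown'; Target = $node.OuterXml; Ok = $false }
        }
    }
}

Test-LabStartLayout | Format-Table -AutoSize
```

Any row with Ok = False is a tile or pin that will not appear on the lab machines; fix the path or pull the correct AppID from Get-StartApps before uploading the file to the Device Restrictions profile.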