
Scenario: Shared PC Mode

This scenario covers physical shared devices—lab computers, training room workstations, reception desks, and similar endpoints where multiple users share a single machine with session isolation and automatic profile cleanup.

Shared PC Mode in AVD is covered separately

Azure Virtual Desktop multi-session hosts use a lighter Shared PC Mode configuration focused on account lifecycle management and FSLogix integration. That configuration is covered in Scenario: Azure Virtual Desktop (AVD). The labs in this section are for physical shared hardware.

Lab: Shared PC Mode ("Wipe on Logout")

  • Type: Settings Catalog
  • Goal: Enforce session isolation and data wiping.

Each user will get a "fresh" desktop every time

This may result in slow login experiences. We can investigate if problematic.

Category: Shared PC

| Setting | Value | Explanation |
|---|---|---|
| Account Model | Azure AD | Entra-joined devices use the Azure AD account model. Use Domain only for hybrid/domain-joined shared PCs. |
| Deletion Policy | Delete immediately | Account profiles are deleted immediately after sign-out. |
| Enable Account Manager | true | Activates the service that deletes user profiles. |
| Enable Shared PC Mode | true | Triggers configuring the device for Shared PC mode. |
| Maintenance Start Time | 180 | 3am start of the maintenance window (the value is minutes after midnight). |
| Restrict Local Storage | true | Restricts users from using local storage. |
| Set Power Policies | false | Not the default; power policies are set explicitly elsewhere (see the Power Settings lab). |
| Sign In On Resume | true | Requires sign-in when waking from sleep. |

Exempting Admin Accounts from Profile Deletion

Shared PC Mode's Account Manager is a device-level service: after sign-out it deletes the profile of every user who is not exempt, regardless of group membership or Intune assignment. You cannot exempt admins via Intune policy assignment or filters.

However, Windows supports a registry-based exemption mechanism. Adding an account's SID to the SharedPC\Exemptions registry key tells the Account Manager to skip that profile during cleanup. Deploy this via an Intune PowerShell script assigned to the shared PC device group.

Why exempt admins?

The exemption preserves admin profiles for troubleshooting convenience — cached credentials, saved diagnostic tool layouts, and familiar shell configuration. It is not intended as a mechanism for staging user experience customizations via the legacy "configure and copy default profile" workflow. All student-facing customizations (browser settings, app associations, desktop shortcuts, etc.) should be delivered through Intune policies and scripts as documented in Customizing the Default Student Experience below.

Step 1 — Identify the admin account SIDs:

# Run on any machine where the admin accounts have signed in,
# or look up the SID in Entra ID / Active Directory.
# Example: look up a specific user. Get-AzureADUser comes from the deprecated AzureAD module.
# OnPremisesSecurityIdentifier is only populated for accounts synced from on-premises AD;
# a cloud-only account gets an S-1-12-1-... SID that is derived from its Entra object ID,
# so ObjectId is included in the output as well.
Get-AzureADUser -ObjectId "admin@roanoke.edu" | Select-Object DisplayName, ObjectId, OnPremisesSecurityIdentifier

Or for local accounts:

Get-LocalUser -Name "labadmin" | Select-Object Name, SID
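Cloud-only Entra ID accounts have no on-premises SID to look up; the S-1-12-1-... SID Windows assigns them on an Entra-joined device is computed from the account's object ID (the GUID's 16 bytes read as four little-endian 32-bit integers become the four sub-authorities). The helper below is an added example, not one of the page's own scripts, and converts in both directions so that the exemption script's SIDs can be produced from an object ID and a SID found on a device can be traced back to an account. The object ID in the usage line is a constructed placeholder.

```powershell
# Added example, not part of the page's deployment scripts.
# Converts between an Entra ID object ID (GUID) and the S-1-12-1 SID
# Windows uses for that account on an Entra-joined device.

function ConvertTo-EntraSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    # The GUID's 16 bytes are read as four little-endian UInt32 values,
    # which become the four sub-authorities after the S-1-12-1 prefix.
    $bytes = $ObjectId.ToByteArray()
    $subAuthorities = foreach ($offset in 0, 4, 8, 12) {
        [BitConverter]::ToUInt32($bytes, $offset)
    }
    return 'S-1-12-1-' + ($subAuthorities -join '-')
}

function ConvertFrom-EntraSid {
    param([Parameter(Mandatory)][string]$Sid)
    # Reverse of ConvertTo-EntraSid: rebuild the GUID bytes from the four sub-authorities.
    if ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        $bytes = New-Object byte[] 16
        for ($i = 0; $i -lt 4; $i++) {
            [BitConverter]::GetBytes([uint32]$Matches[$i + 1]).CopyTo($bytes, $i * 4)
        }
        return [guid]::new($bytes)
    }
    throw "Not an Entra ID account SID: $Sid"
}

# Usage. The object ID below is a constructed placeholder; take the real one from the
# user's page in the Entra admin center or from the ObjectId column of the lookup above.
$objectId = '12345678-90ab-cdef-1234-567890abcdef'
$sid = ConvertTo-EntraSid -ObjectId $objectId
"$objectId -> $sid"

# Round-trip check: the SID must convert back to the same object ID.
if ((ConvertFrom-EntraSid -Sid $sid) -ne [guid]$objectId) { throw 'Round-trip mismatch' }
```

The same derivation applies to Entra groups and directory roles, which is why the local Administrators group on an Entra-joined device shows S-1-12-1 members that do not resolve to a user name.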

Step 2 — Create the exemption script:

Save the following as Set-SharedPCExemptions.ps1. Replace the SID values with the actual SIDs of your admin accounts.

# Exempt admin accounts from Shared PC Mode profile deletion
# Deploy via Intune > Devices > Scripts > Add (Windows 10 and later)

$exemptionPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions"

# Create the Exemptions key if it doesn't exist
if (-not (Test-Path $exemptionPath)) {
    New-Item -Path $exemptionPath -Force | Out-Null
}

# Add each admin SID as a registry value (name = SID, value = 1)
$adminSIDs = @(
    "S-1-12-1-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX" # admin1@roanoke.edu
    "S-1-12-1-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX" # admin2@roanoke.edu
    # Add additional admin SIDs as needed
)

foreach ($sid in $adminSIDs) {
    # -Force creates the value or overwrites it, so re-running the script is safe
    New-ItemProperty -Path $exemptionPath -Name $sid -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Output "Exempted SID: $sid"
}

Step 3 — Deploy via Intune:

  1. Navigate to Intune > Devices > Scripts and remediations > Platform scripts > Add > Windows 10 and later
  2. Upload Set-SharedPCExemptions.ps1
  3. Run this script using the logged-on credentials: No — run as System
  4. Enforce script signature check: No (or sign the script per your org policy)
  5. Run script in 64-bit PowerShell host: Yes
  6. Assign to the shared PC device group

How the exemption works

The Account Manager service checks HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions before deleting a profile. If the signed-out user's SID appears as a value under this key, the profile is preserved. All non-exempt profiles continue to be deleted per the Deletion Policy. The exemption survives reboots and Shared PC Mode maintenance windows.

If an admin account changes (e.g., a new IT staff member), update the script with the new SID and re-deploy. Intune will re-run the script on the next check-in cycle.
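Because a missing or mistyped SID is only discovered when an admin's profile disappears, it is worth auditing the device after deployment. The script below is an added example, not one of the page's own scripts: run in an elevated PowerShell on a Shared PC Mode device, it lists the user profiles on disk, marks which ones the Exemptions key protects, and warns about local Administrators members that are not exempt. It reads group membership through ADSI so that Entra ID principals (S-1-12-1 SIDs) are included even when they cannot be resolved to a display name.

```powershell
# Added audit example, not part of the page's deployment scripts.
# Run in an elevated PowerShell on a Shared PC Mode device.

$exemptionPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions'
$profileListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-SharedPCExemptSids {
    # The value names under the Exemptions key are the exempt SIDs; skip the PS* metadata properties.
    if (-not (Test-Path $exemptionPath)) { return @() }
    (Get-ItemProperty -Path $exemptionPath).PSObject.Properties.Name | Where-Object { $_ -like 'S-1-*' }
}

function Get-LocalAdministratorSids {
    # Read members through ADSI so Entra ID principals are returned by SID
    # without needing to be resolved to names.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in @($group.Invoke('Members'))) {
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $name     = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
        [pscustomobject]@{
            Name = $name
            Sid  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        }
    }
}

function Get-SharedPCExemptionReport {
    $exempt = @(Get-SharedPCExemptSids)
    $admins = @{}
    Get-LocalAdministratorSids | ForEach-Object { $admins[$_.Sid] = $_.Name }

    # Only user profiles: local/domain accounts (S-1-5-21-*) and Entra accounts (S-1-12-1-*).
    # Service profiles such as S-1-5-18/19/20 are never deleted by the Account Manager.
    Get-ChildItem -Path $profileListPath |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -or $_.PSChildName -like 'S-1-12-1-*' } |
        ForEach-Object {
            $sid = $_.PSChildName
            [pscustomobject]@{
                Sid         = $sid
                ProfilePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
                IsAdmin     = $admins.ContainsKey($sid)
                Exempt      = ($exempt -contains $sid)
                WillBeWiped = -not ($exempt -contains $sid)
            }
        }
}

$report = Get-SharedPCExemptionReport
$report | Format-Table -AutoSize

# Administrators whose profile is not exempt are the actionable finding.
$gaps = $report | Where-Object { $_.IsAdmin -and -not $_.Exempt }
if ($gaps) { Write-Warning "Administrator profiles not exempt: $($gaps.Sid -join ', ')" }
```

Any row with IsAdmin = True and Exempt = False means the SID in Set-SharedPCExemptions.ps1 does not match the account that actually signed in, which is the usual failure mode when an on-premises SID was used for a cloud-only account.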

Admin Maintenance Procedure

The Device Restrictions policy (Control Panel block, hidden drives) applies to every user on the lab PC, including administrators. When an admin needs to perform maintenance — configure desktop settings, update the default profile, install software — they need a way to temporarily work without these restrictions.

The portal-based approach is slow and error-prone. Unassigning the policy in the Intune admin center requires the device to check in (up to 8 hours on the automatic cycle, or ~5 minutes with a manual sync), then the admin must sign out and back in for the HKCU settings to clear, then reverse the entire process when done. If the admin forgets to reassign the policy afterward, the lab PC runs unrestricted until someone notices. For a team managing dozens of lab machines, this creates operational risk every time routine maintenance is performed.

The recommended approach: override the restrictions locally with PowerShell. The admin runs a script that clears the restriction registry values for their current session, does their work, and signs out. The Intune policy reasserts itself automatically on the next check-in — no portal changes, no manual sync, no risk of leaving the machine in an unrestricted state.

Step 1 — Run the override script:

Open PowerShell as the signed-in admin and run:

# Temporarily unhide drives (0 = show all drives)
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDrives" -Value 0

# Temporarily re-enable Control Panel and Settings
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoControlPanel" -Value 0

# Restart Explorer to apply changes immediately (no sign-out needed)
Stop-Process -Name explorer -Force; Start-Process explorer

After Explorer restarts, all drives are visible and Control Panel is accessible.

Step 2 — Perform maintenance:

Configure the desktop, install software, update bookmarks, modify the default profile (C:\Users\Default), or perform any other maintenance tasks.

Step 3 — Sign out:

When maintenance is complete, sign out normally. The overrides exist only in the admin's HKCU hive for the current session. The next time the device checks in to Intune (automatic 8-hour cycle or next user sign-in), the policy rewrites the restriction values. No manual re-enablement required.

Why this is safe

The override modifies the admin's own HKCU registry values — not the policy itself. The Intune policy remains assigned to the device and continues to enforce restrictions for every other user who signs in. Even if the admin forgets to sign out, the next student who signs in gets a fresh HKCU hive with the policy-enforced restrictions applied. The only window of reduced restriction is the admin's own active session, which is the intent.
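The override is two registry writes, so it is easy to wrap in a small toolkit that also shows the current state and lets the admin re-lock the session immediately instead of waiting for the next check-in. The script below is an added example, not the page's own maintenance script. It assumes the values the Device Restrictions lab enforces: NoControlPanel = 1 and NoDrives = 15, the bitmask the "Restrict A, B, C and D drives only" option writes (A = 1, B = 2, C = 4, D = 8). The Invoke-IntuneSync function assumes the enrollment client's PushLaunch scheduled task is present under \Microsoft\Windows\EnterpriseMgmt\.

```powershell
# Added example, not part of the page's maintenance procedure.
# Shows, drops, and restores the per-user restrictions in the admin's own HKCU hive.

$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Values the Device Restrictions policy writes; NoDrives = 15 hides A, B, C and D.
$restricted = @{ NoDrives = 15; NoControlPanel = 1 }

function Get-LabRestrictionState {
    # Returns each value and whether it currently matches the enforced setting.
    $current = if (Test-Path $explorerPolicy) { Get-ItemProperty -Path $explorerPolicy } else { $null }
    foreach ($name in $restricted.Keys) {
        $value = if ($current -and $null -ne $current.$name) { [int]$current.$name } else { 0 }
        [pscustomobject]@{ Setting = $name; Value = $value; Restricted = ($value -eq $restricted[$name]) }
    }
}

function Restart-Explorer {
    # Explorer reads the Policies\Explorer values at start-up, so a restart applies them immediately.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer
}

function Disable-LabRestrictionsForSession {
    # Same effect as the page's override: zero both values in the admin's own HKCU hive.
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    foreach ($name in $restricted.Keys) {
        Set-ItemProperty -Path $explorerPolicy -Name $name -Value 0 -Type DWord
    }
    Restart-Explorer
}

function Enable-LabRestrictions {
    # Re-lock now rather than waiting for the policy to rewrite the values on the next check-in.
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    foreach ($name in $restricted.Keys) {
        Set-ItemProperty -Path $explorerPolicy -Name $name -Value $restricted[$name] -Type DWord
    }
    Restart-Explorer
}

function Invoke-IntuneSync {
    # Starts the enrollment client's PushLaunch task, the same sync Company Portal's
    # "Sync" button triggers. Task name/path are an assumption about the enrollment client.
    Get-ScheduledTask |
        Where-Object { $_.TaskName -eq 'PushLaunch' -and $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
        Start-ScheduledTask
}

# Typical maintenance session:
Get-LabRestrictionState | Format-Table -AutoSize   # confirm the restrictions are in place
Disable-LabRestrictionsForSession                  # ...do the maintenance work...
Enable-LabRestrictions                             # re-lock before signing out
Invoke-IntuneSync                                  # let the policy reassert on its own schedule too
Get-LabRestrictionState | Format-Table -AutoSize   # both rows should now report Restricted = True
```

Re-locking before sign-out is belt and braces: the policy rewrites the values on the next check-in regardless, but the explicit restore means the admin's own profile is never left in the relaxed state if that profile happens to be exempt from deletion.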

Lab: Power Settings ("Always Ready for Updates")

  • Type: Settings Catalog
  • Goal: Ensures machines never sleep so they can receive "Simultaneous" updates.

Category: System / Power Management

| Setting | Value | Explanation |
|---|---|---|
| Turn Off the Hard Disk (plugged in) | 1200 | Ensure the PC is awake for updates (values are in seconds). |
| Turn off the display (plugged in) | 1200 | Turn off the monitor after 20 minutes. |
| Hard Disk Settings | 1200 | Spin down the drives after 20 minutes. |
| System Sleep Timeout | 0 | If a student leaves the machine logged in, it will not sleep and drop the network connection, so updates can complete. |
| Unattended Sleep Timeout Plugged In | 0 | Machines sitting at the login screen will not sleep and drop the network connection, so updates can complete. |

Lab: Device Restrictions (The "Clean" Look)

  • Type: Settings Catalog
  • Goal: Enforces the "Kiosk-like" visual restrictions without breaking File Explorer.

Admin experience on restricted lab machines

These restrictions apply device-wide — they affect every user who signs in, including administrators. This is intentional: all user experience customizations should be delivered through Intune policy (see Customizing the Default Student Experience below), not through manual admin configuration.

Admins who need to browse system files can type C:\ directly in the File Explorer address bar — the "Hide drives" policy hides drive icons from the navigation pane but does not block path access. For Settings and Control Panel access, admins can use PowerShell (Get-AppxPackage, Set-ItemProperty, etc.) or mmc.exe snap-ins.

| Category / Setting | Value | Explanation |
|---|---|---|
| Administrative Templates / Control Panel / Prohibit access to Control Panel and PC settings | Enabled | Blocks tampering with OS settings. |
| Administrative Templates / Personalization / Prevent changing desktop background | Enabled | Blocks setting wallpaper. |
| Administrative Templates / Personalization / Prevent changing lock screen image | Enabled | Maintains org branding. |
| Administrative Templates / Windows Components / File Explorer / Hide these specified drives in My Computer | Restrict A, B, C and D drives only | Hides local drives to discourage browsing system files; mapped drives stay visible. Admins can still access drives by typing the path directly in File Explorer. |
| Windows Hello For Business / Use Windows Hello For Business (Device) | false | Prevents WHfB enrollment on shared machines. |

Lab: Windows Update Ring (The "Uniformity" Engine)

  • Type: Update ring for Windows 10 and later
  • Goal: Ensures all shared machines update simultaneously rather than staggering.

Relationship to the organization-wide ring strategy

This ring is a dedicated policy for shared devices. It operates independently of the IT/Dev, Pilot, General Ops, and Critical Ops rings described in Mobile & Endpoint Security: Windows Update Rings. Do not assign shared PC devices to any of those rings.

| Setting Name | Recommended Value | Why? |
|---|---|---|
| UPDATE SETTINGS | | |
| Microsoft product updates | Allow | Ensures Office/Edge get patched alongside Windows. |
| Windows drivers | Allow | Critical for Shared PC stability. |
| Quality update deferral period (days) | 0 | Critical: ensures all machines see the update the moment it releases (uniformity). |
| Feature update deferral period (days) | 0 | Same reason. We don't want fragmentation. |
| Upgrade Windows 10 devices... | No | Safety: keep this "No". Control major OS upgrades (e.g., moving to Windows 12) with a separate Feature Update policy, not this ring. |
| Enable pre-release builds | Not Configured | Critical: labs must stay on the General Availability channel, not the Insider/Beta channel. |
| USER EXPERIENCE SETTINGS | | |
| Automatic update behavior | Auto install and restart at maintenance time | Matches the Shared PC maintenance window (3am). |
| Active hours start | 7 AM | Covers early usage. |
| Active hours end | 10 PM | Covers evening usage. |
| Option to pause Windows updates | Disable | Shared PC users should never be able to stop a security patch. |
| Option to check for Windows updates | Disable | Shared PC users should not be checking for updates. |
| Change notification update level | Disable all notifications... | Shared PC users should not be deciding whether to schedule reboots. |
| DEADLINE SETTINGS | | |
| Use deadline settings | Allow | Unlocks the settings below. |
| Deadline for feature updates | 2 (days) | Forces the install quickly. |
| Deadline for quality updates | 2 (days) | If a machine was off for the weekend, update it NOW. |
| Grace period | 0 (days) | Once the 2-day deadline hits, reboot immediately (during maintenance). |
| Auto reboot before deadline | Yes | If the machine is idle at the login screen, reboot to finish the patch. |

Lab: AppLocker (Block execution of unauthorized apps)

Type: Templates > Custom

Goal: Blocks unauthorized .exe files from Downloads or USB since the OS isn't frozen.

| Setting Name | Value | Description |
|---|---|---|
| AppLocker Application Control | Enforce Components | Turns on the enforcement engine. |
| Exe Rules | Allow: C:\Windows\*, C:\Program Files\*, C:\Program Files (x86)\* | Allows installed software and system files to run. |
| Exe Rules (Default Behavior) | Block | Implicitly blocks anything not in the allowed paths (e.g., portable games on USB). |

Name: Enforce EXE Restrictions

Description: Blocks everything not in Windows or Program Files

OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/EXE/Policy (Make sure there are no spaces in this path)

Data type: String

Value: Paste the entire XML code block below:

<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="All files for Administrators" Description="Allows members of the Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="9428c9b1-60d4-493f-b839-9d1da1692257" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the built-in Users group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-5-32-545" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="921f6095-f287-4605-bf53-277437833072" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the built-in Users group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-5-32-545" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Program Files (x86) folder" Description="Allows members of the built-in Users group to run applications that are located in the Program Files (x86) folder." UserOrGroupSid="S-1-5-32-545" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%OSDRIVE%\Program Files (x86)\*" />
    </Conditions>
  </FilePathRule>
</RuleCollection>
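Two checks are worth running before and after this custom profile goes out. First, the rule collection can be evaluated offline with Test-AppLockerPolicy to confirm it allows the installed software and blocks a binary outside the approved folders; second, on a device that has received the profile, the Application Identity service must be running or the rules are not enforced at all. The script below is an added verification example, not part of the page's deployment steps. It assumes the RuleCollection above was saved as C:\IT_Tools\ExeRules.xml, that labstudent is a standard (non-admin) local account, and uses the labadmin account named earlier on the page; the file name applocker-test-notepad.exe is constructed for the test. Note that this collection only governs .exe files; script, MSI, DLL and packaged-app collections are separate, and a path rule trusts everything under its folder, so the allowed folders must not be writable by students.

```powershell
# Added verification example, not part of the page's deployment steps.

$ruleCollectionPath = 'C:\IT_Tools\ExeRules.xml'   # assumption: where the RuleCollection XML was saved
$policyPath         = Join-Path $env:TEMP 'SharedPC-AppLocker-Test.xml'

# 1. Build a complete policy file; Test-AppLockerPolicy needs the AppLockerPolicy root element
#    that the Intune custom profile adds for you.
$rules = Get-Content -Path $ruleCollectionPath -Raw
'<AppLockerPolicy Version="1">' + "`n" + $rules + "`n</AppLockerPolicy>" |
    Set-Content -Path $policyPath -Encoding UTF8
$null = [xml](Get-Content -Path $policyPath -Raw)   # throws if the XML is malformed

# 2. Construct a test binary outside every allowed folder: a copy of notepad.exe in Downloads.
$downloadsCopy = Join-Path "$env:USERPROFILE\Downloads" 'applocker-test-notepad.exe'
Copy-Item -Path "$env:WINDIR\notepad.exe" -Destination $downloadsCopy -Force

$samples = @(
    "$env:WINDIR\notepad.exe"                                         # inside the Windows folder rule
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"  # inside the Program Files (x86) rule
    $downloadsCopy                                                    # outside every Allow path for non-admins
)

try {
    # 'labstudent' is an assumed standard user; 'labadmin' is the admin account from the page.
    foreach ($user in 'labstudent', 'labadmin') {
        "--- Decisions for $user ---"
        Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User $user |
            Select-Object FilePath, PolicyDecision, MatchingRule |
            Format-Table -AutoSize
    }
}
finally {
    Remove-Item -Path $downloadsCopy, $policyPath -ErrorAction SilentlyContinue
}

# 3. On a device that has received the profile: AppLocker rules are only enforced while the
#    Application Identity service runs, and the Exe collection should appear in the effective policy.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
(Get-AppLockerPolicy -Effective).RuleCollections |
    Where-Object { $_.RuleCollectionType -eq 'Exe' } |
    Select-Object RuleCollectionType, EnforcementMode, @{ n = 'RuleCount'; e = { $_.Count } }
```

Test-AppLockerPolicy evaluates the XML only; it says nothing about whether a given lab PC has applied the profile, which is what step 3 covers. Blocked launches on a live device are logged in the AppLocker EXE and DLL event log, which is the place to look when a student reports that a legitimate program will not start.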

Lab: Office 365 Licensing

Type: Settings Catalog

Goal: Prevents licensing errors on shared hardware.

| Category | Setting Name | Value | Description |
|---|---|---|---|
| Microsoft Office 2016 (Machine) \ Licensing Settings | Use shared computer activation | Enabled | Allows any number of users to activate Office on the machine without consuming their 5-device limit. |

Lab: Start Menu

Type: Templates > Device Restrictions

Goal: Pins academic apps to the Start Menu/Taskbar.

| Setting Name | Value | Description |
|---|---|---|
| Start menu layout | [Upload XML File] | XML file pinning Word, Excel, Chrome, and required apps. |

Start menu layout: Paste the entire XML code block below:

<LayoutModificationTemplate
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayoutGroup Name="Lab Tools">
        <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" />
        <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="Microsoft.Windows.Explorer" />
        <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationID="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App" />

        <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationID="Microsoft.Office.WINWORD.EXE.15" />
        <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="Microsoft.Office.EXCEL.EXE.15" />
        <start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationID="Microsoft.Office.POWERPNT.EXE.15" />
      </defaultlayout:StartLayoutGroup>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" />
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer" />
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.WINWORD.EXE.15" />
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.EXCEL.EXE.15" />
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.POWERPNT.EXE.15" />
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

Customizing the Default Student Experience

A common legacy pattern for shared lab PCs is for an admin to sign in, manually configure the desktop (bookmarks, app defaults, shortcuts, printer mappings), and then copy that profile to C:\Users\Default so every new user inherits those settings. This pattern should be retired:

  • Profile copies are per-machine — changes don't propagate to other lab PCs without repeating the process on each one
  • Windows updates can reset or invalidate the default profile registry hive, requiring the copy to be redone
  • Shared PC Mode's "delete immediately" policy actively fights the pattern by wiping profiles on sign-out
  • There is no reliable way to test or audit what's in a manually configured profile

The replacement: Deliver every customization through Intune policy or platform script. Changes propagate automatically to all lab machines, survive Windows updates, and produce auditable policy records.

Browser Configuration (Edge)

Type: Settings Catalog — Administrative Templates > Microsoft Edge

| Setting | Value | What it replaces |
|---|---|---|
| Configure the home page URL | https://portal.roanoke.edu (or your institution's portal) | Manually setting the homepage in Edge |
| Configure the new tab page URL | Same as above, or about:blank | New tab page configuration |
| Configure Managed Bookmarks | JSON array of bookmarks (see below) | Manually adding bookmarks |
| Configure the default search provider | Enabled, with the search URL for your preferred provider | Changing the default search engine |
| Control which extensions are installed silently | Extension IDs for any required browser extensions | Manually installing extensions |

Managed Bookmarks example (paste into the "Configure Managed Bookmarks" value field):

[
  {"toplevel_name": "College Resources"},
  {"name": "Student Portal", "url": "https://portal.roanoke.edu"},
  {"name": "Library", "url": "https://library.roanoke.edu"},
  {"name": "Canvas LMS", "url": "https://roanoke.instructure.com"},
  {"name": "Office 365", "url": "https://www.office.com"}
]

Default Application Associations

Type: Settings Catalog

Setting: Default Associations Configuration File

What it replaces: Manually setting "Open with" defaults in Settings and copying the profile.

How to create the XML:

  1. On a reference machine, configure the desired default app associations (e.g., .pdf → Adobe Acrobat, .docx → Word)

  2. Export the associations:

    DISM /Online /Export-DefaultAppAssociations:"C:\IT_Tools\DefaultAppAssociations.xml"

  3. In the Settings Catalog policy, upload the exported XML under Default Associations Configuration File

This applies device-wide — every user who signs in gets the same default app associations without any profile copy.

Desktop Shortcuts

Type: Intune Platform Script

What it replaces: Manually creating desktop shortcuts and copying the profile.

Deploy a PowerShell script that creates shortcuts in C:\Users\Public\Desktop. Public Desktop shortcuts appear for every user on the machine automatically.

# Deploy via Intune > Devices > Scripts > Platform scripts
# Run as: System | Run in 64-bit host: Yes

$publicDesktop = "C:\Users\Public\Desktop"
$shell = New-Object -ComObject WScript.Shell

# Example: Canvas LMS shortcut
$shortcut = $shell.CreateShortcut("$publicDesktop\Canvas LMS.lnk")
$shortcut.TargetPath = "https://roanoke.instructure.com"
$shortcut.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,0"
$shortcut.Save()

# Example: Student Portal shortcut
$shortcut = $shell.CreateShortcut("$publicDesktop\Student Portal.lnk")
$shortcut.TargetPath = "https://portal.roanoke.edu"
$shortcut.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,0"
$shortcut.Save()

Printer Mappings

Type: Settings Catalog (Universal Print) or Intune Platform Script

Option 1 — Universal Print (preferred): If the college uses Universal Print, deploy printer mappings via the Settings Catalog Universal Print policy. This provisions printers automatically for every user on the device.

Option 2 — Platform Script: For traditional print servers, deploy a PowerShell script:

# Deploy via Intune > Devices > Scripts > Platform scripts
# Run as: System | Run in 64-bit host: Yes

# Add the network printer. Running as System makes the port and printer device-wide.
# The driver named below must already be present on the device (driver store or Add-PrinterDriver).
# -ErrorAction SilentlyContinue keeps the script idempotent when Intune re-runs it.
Add-PrinterPort -Name "IP_Lab_Printer" -PrinterHostAddress "10.1.50.25" -ErrorAction SilentlyContinue
Add-Printer -Name "Lab Building A - HP LaserJet" -DriverName "HP Universal Printing PCL6" -PortName "IP_Lab_Printer" -ErrorAction SilentlyContinue

# Set as default.
# Note: the default printer is a per-user setting, so when this runs as System it sets the
# default for the System account only. To make it the default for students, put this part in a
# separate platform script deployed with "Run using the logged-on credentials: Yes".
$printer = Get-CimInstance -ClassName Win32_Printer -Filter "Name='Lab Building A - HP LaserJet'"
if ($printer) {
    Invoke-CimMethod -InputObject $printer -MethodName SetDefaultPrinter | Out-Null
}

File Explorer Defaults

Type: Settings Catalog — Administrative Templates > File Explorer

| Setting | Value | What it replaces |
|---|---|---|
| Default folder for the Open File Dialog | This PC | Changing File Explorer's default open location |
| Turn off caching of thumbnails | Enabled | Reduces profile size on shared PCs |
| Turn off display of recent search entries | Enabled | Prevents student search history from persisting |

Office First-Run and Privacy Prompts

Type: Settings Catalog — Administrative Templates > Microsoft Office

| Setting | Value | What it replaces |
|---|---|---|
| Disable First Run Movie | Enabled | Suppresses the Office "Welcome" animation on every new profile |
| Disable First Run on application boot | Enabled | Skips the "What's New" pane |
| Disable Opt-in Wizard on first run | Enabled | Suppresses the privacy/telemetry opt-in prompt |
| Send personal information | Disabled | Prevents Office from prompting for optional connected experiences |

Notification Suppression

Type: Settings Catalog — Administrative Templates > Notifications

| Setting | Value | What it replaces |
|---|---|---|
| Turn off toast notifications on the lock screen | Enabled | Prevents notifications from appearing on the lock screen between student sessions |
| Turn off Notifications Network Usage | Enabled | Reduces unnecessary network traffic on shared hardware |

What about per-user accessibility settings?

Accessibility preferences (high contrast, display scaling, narrator, magnifier) are intentionally per-user settings. Forcing them device-wide via policy would create problems for users who don't need them. If specific lab machines require accessibility defaults (e.g., an accessibility-focused lab), create a separate Settings Catalog policy with the appropriate display and ease-of-access settings and assign it to that device group only.
