deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 04:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Restructuring of configuration docset

Browse Source
This commit is contained in:
Paolo Matarazzo
2024-01-24 21:03:58 -05:00
parent 4f9b4027e9
commit 339d802a6a
201 changed files with 5538 additions and 6042 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/configuration/shared-pc/images/shared-pc-intune.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 201 KiB

BIN
windows/configuration/shared-pc/images/shared-pc-wcd.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 199 KiB

BIN
windows/configuration/shared-pc/images/sharedpc-guest-win11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 458 KiB

BIN
windows/configuration/shared-pc/images/sharedpc-kiosk-win11se.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 563 KiB

150
windows/configuration/shared-pc/set-up-shared-or-guest-pc.md Normal file
View File

@ -0,0 +1,150 @@
---
title: Set up a shared or guest Windows device
description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
ms.date: 11/08/2023
ms.topic: how-to
author: paolomatarazzo
ms.author: paoloma
appliesto:
-<b>Windows 10</b>
-<b>Windows 11</b>
-<b>Windows 11 SE</b>
---
# Set up a shared or guest Windows device
**Shared PC** offers options to facilitate the management and optimization of shared devices. The customizations offered by Shared PC are listed in the following table.
| Area Name | Setting name and description|
|---|---|
|Shared PC mode | **EnableSharedPCMode** or **EnableSharedPCModeWithOneDriveSync**: when enabled, **Shared PC mode** is turned on and different settings are configured in the local group policy object (LGPO). For a detailed list of settings enabled by Shared PC Mode in the LGPO, see the [Shared PC technical reference](shared-pc-technical.md#enablesharedpcmode-and-enablesharedpcmodewithonedrivesync).<ul><li>This setting controls the API: [IsEnabled][UWP-1]</li></ul>|
| Account management | **EnableAccountManager**: when enabled, automatic account management is turned on. The following settings define the behavior of *account manager*: <ul><li> **DeletionPolicy**</li><li>**DiskLevelDeletion** </li><li>**DiskLevelCaching**</li><li>**InactiveThreshold**</li></ul>For more information, see the [Shared PC CSP documentation][WIN-3].<br><br>**AccountModel**: this option controls which types of users can sign-in to the device, and can be used to enable the Guest and Kiosk accounts. For more information, see the [Shared PC CSP documentation][WIN-3].<br><br>**KioskModeAUMID**: configures an application (referred as Application User Model ID - AUMID) to automatically execute when the kiosk account is used to sign in. A new account will be created and will use assigned access to only run the app specified by the AUMID. [Find the Application User Model ID of an installed app][WIN-7].<br><br>**KioskModeUserTileDisplayText**: sets the display text on the kiosk account if **KioskModeAUMID** has been set.|
| Advanced customizations | **SetEduPolicies**: when enabled, specific settings designed for education devices are configured in the LGPO. For a detailed list of settings enabled by SetEduPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setedupolicy).<ul><li>This setting controls the API: [IsEducationEnvironment][UWP-2]</li></ul>**SetPowerPolicies**: when enabled, different power settings optimized for shared devices are configured in the LGPO. For a detailed list of settings enabled by SetPowerPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setpowerpolicies).<br><br>**SleepTimeout**: specifies all timeouts for when the PC should sleep.<br><br>**SignInOnResume**: if enabled, specifies if the user is required to sign in with a password when the PC wakes from sleep.<br><br>**MaintenanceStartTime**: by default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update or Search indexing) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For a detailed list of settings enabled by MaintenanceStartTime, see [Shared PC technical reference](shared-pc-technical.md#maintenancestarttime).<br><br>**MaxPageFileSizeMB**: adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs.<br><br> **RestrictLocalStorage**: when enabled, users are prevented from saving or viewing local storage while using File Explorer.<ul><li>This setting controls the API: [ShouldAvoidLocalStorage][UWP-3]</li></ul>|
## Configure Shared PC
Shared PC can be configured using the following methods:
- Microsoft Intune/MDM
- Provisioning package (PPKG)
- PowerShell script
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Shared PC`**:
:::image type="content" source="./images/shared-pc-intune.png" alt-text="Screenshot that shows the Shared PC policies in the Intune settings catalog." lightbox="./images/shared-pc-intune.png" border="True":::
Assign the policy to a security group that contains as members the devices or users that you want to configure.
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [SharedPC CSP][WIN-3].
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure devices using a provisioning package, [create a provisioning package][WIN-1] using WCD, and use the settings listed under the category **`SharedPC`**:
:::image type="content" source="./images/shared-pc-wcd.png" alt-text="Screenshot that shows the Shared PC policies in WCD." lightbox="./images/shared-pc-wcd.png" border="False":::
For a list and description of CSP settings exposed in Windows Configuration Designer, see the [SharedPC WCD reference][WIN-4].
Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
To configure devices using a PowerShell script, you can use the [MDM Bridge WMI Provider][WIN-6].
> [!TIP]
> PowerShell scripts can be executed as scheduled tasks via Group Policy.
> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
>
> To test a PowerShell script, you can:
> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
> 1. Run the script in the PowerShell session
Edit the following sample PowerShell script to customize the settings that you want to configure:
```powershell
$namespaceName = "root\cimv2\mdm\dmmap"
$parentID="./Vendor/MSFT/Policy/Config"
$className = "MDM_SharedPC"
$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
if (-not ($cimObject)) {
$cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
}
$cimObject.EnableSharedPCMode = $True
$cimObject.SetEduPolicies = $True
$cimObject.SetPowerPolicies = $True
$cimObject.MaintenanceStartTime = 0
$cimObject.SignInOnResume = $True
$cimObject.SleepTimeout = 0
$cimObject.EnableAccountManager = $True
$cimObject.AccountModel = 2
$cimObject.DeletionPolicy = 1
$cimObject.DiskLevelDeletion = 25
$cimObject.DiskLevelCaching = 50
$cimObject.RestrictLocalStorage = $False
$cimObject.KioskModeAUMID = ""
$cimObject.KioskModeUserTileDisplayText = ""
$cimObject.InactiveThreshold = 0
Set-CimInstance -CimInstance $cimObject
```
For more information, see [Using PowerShell scripting with the WMI Bridge Provider][WIN-5].
---
## Guidance for accounts on shared PCs
- When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Microsoft Entra ID and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
- Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**.
- The account management service supports accounts that are exempt from deletion. An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. To add the account SID to the registry key using PowerShell, use the following example as a reference:
```powershell
$adminName = "LocalAdmin"
$adminPass = 'Pa$$word123'
invoke-expression "net user /add $adminName $adminPass"
$user = New-Object System.Security.Principal.NTAccount($adminName)
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$sid = $sid.Value;
New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
```
## Troubleshooting Shared PC
To troubleshoot Shared PC, you can use the following tools:
- Check the log `C:\Windows\SharedPCSetup.log`
- Check the registry keys under `HKLM\Software\Microsoft\Windows\CurrentVersion\SharedPC`
- `AccountManagement` key contains settings on how profiles are managed
- `NodeValues` contains what values are set for the features managed by Shared PC
## Technical reference
- For a list of settings configured by the different options offered by Shared PC mode, see the [Shared PC technical reference](shared-pc-technical.md).
- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3].
- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4].
-----------
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
[WIN-3]: /windows/client-management/mdm/sharedpc-csp
[WIN-4]: /windows/configuration/wcd/wcd-sharedpc
[WIN-5]: /windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider
[WIN-6]: /windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal
[WIN-7]: /previous-versions/windows/embedded/dn449300(v=winembedded.82)
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[MEM-2]: /mem/intune/configuration/settings-catalog
[UWP-1]: /uwp/api/windows.system.profile.sharedmodesettings
[UWP-2]: /uwp/api/windows.system.profile.educationsettings
[UWP-3]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage

67
windows/configuration/shared-pc/shared-devices-concepts.md Normal file
View File

@ -0,0 +1,67 @@
---
title: Manage multi-user and guest Windows devices
description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
ms.date: 11/08/2023
ms.topic: concept-article
author: paolomatarazzo
ms.author: paoloma
appliesto:
-<b>Windows 10</b>
-<b>Windows 11</b>
-<b>Windows 11 SE</b>
---
# Manage multi-user and guest Windows devices with Shared PC
Windows allows multiple users to sign in and use the same device, which is useful in scenarios like touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
As more users access the same device, more resources on the devices are used. This can lead to performance issues and a degraded user experience.
To optimize multi-user and guest devices, Windows provides options through a feature called *Shared PC*. These settings are designed to improve the experience for all users on the device, and to reduce the administrative overhead caused by the maintenance of multiple user profiles.
This article describes the different options available in Shared PC.
## Shared PC mode
A Windows device enabled for *Shared PC mode* is designed to be maintenance-free with high reliability. Devices configured in Shared PC mode have different settings designed to improve the experience for all users accessing a shared device.
## Account management
When *Account management* is configured, user profiles are automatically deleted to free up disk space and resources. Account management is performed both at sign-out time and during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out, based on disk space thresholds, or based on inactivity thresholds.
> [!IMPORTANT]
> Shared PC is designed to take advantage of maintenance time periods, which run while the device is not in use. Therefore, devices should be put to **sleep** instead of shut down, so that they can wake up to perform maintenance tasks.
> [!TIP]
> While Shared PC does not configure the Windows Update client, it is recommended to configure Windows Update to automatically install updates and reboot during maintenance hours. This will help ensure the device is always up to date without interrupting users when the device is in use.
### Account models
Shared PC offers the possibility to enable a **Guest** option on the sign-in screen. The Guest option doesn't require any user credentials or authentication, and creates a new local account each time it's used with access to the desktop. A **Guest button** is shown on the sign-in screen that a user can select.
:::image type="content" source="./images/sharedpc-guest-win11.png" alt-text="Windows 11 sign-in screen with Guest option enabled." border="True":::
Shared PC also offers a **Kiosk** mode, which automatically executes a specific application when the kiosk account signs-in. This is useful in scenarios where the device is accessed for a specific purpose, such as test taking in a school.
:::image type="content" source="./images/sharedpc-kiosk-win11se.png" alt-text="Windows 11 sign-in screen with Guest and Kiosk options enabled." border="True":::
## Advanced customizations
Shared PC offers advanced customizations for shared devices, such as specific settings for education devices, low end devices, and more.
Shared devices require special considerations regarding power settings. Shared PC makes it easy to configure power settings for shared devices. The power settings are configured in the local group policy object (LGPO).
> [!NOTE]
> For devices without Advanced Configuration and Power Interface (ACPI) wake alarms, Shared PC will override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
## Additional information
- To learn how to configure Shared PC, see [Set up a shared or guest Windows device](set-up-shared-or-guest-pc.md).
- For a list of settings configured by the different options offered by Shared PC, see the [Shared PC technical reference](shared-pc-technical.md).
- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-1].
- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-2].
<!--links-->
[WIN-1]: /windows/client-management/mdm/sharedpc-csp
[WIN-2]: /windows/configuration/wcd/wcd-sharedpc

126
windows/configuration/shared-pc/shared-pc-technical.md Normal file
View File

@ -0,0 +1,126 @@
---
title: Shared PC technical reference
description: List of policies and settings applied by the Shared PC options.
ms.date: 11/08/2023
ms.topic: reference
author: paolomatarazzo
ms.author: paoloma
appliesto:
-<b>Windows 10</b>
-<b>Windows 11</b>
-<b>Windows 11 SE</b>
---
# Shared PC technical reference
This article details the settings configured by the different options of Shared PC.
> [!IMPORTANT]
> The behavior of some options have changed over time. This article describes the current settings applied by Shared PC.
## EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync
EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync are the two policies that enable **Shared PC mode**. The only difference between the two is that EnableSharedPCModeWithOneDriveSync enables OneDrive synchronization, while EnableSharedPCMode disables it.
When enabling Shared PC mode, the following settings in the local GPO are configured:
| Policy setting | Status |
|--|--|
| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
| Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
| System/Logon/Block user from showing account details on sign-in | Enabled |
| System/Logon/Enumerate local users on domain-joined computers | Disabled |
| System/Logon/Hide entry points for Fast User Switching | Enabled |
| System/Logon/Show first sign-in animation | Disabled |
| System/Logon/Turn off app notifications on the lock screen | Enabled |
| System/Logon/Turn off picture password sign-in | Enabled |
| System/Logon/Turn on convenience PIN sign-in | Disabled |
| Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
| Windows Components/Biometrics/Allow the use of biometrics | Disabled |
| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
| Windows Components/Data Collection and Preview Builds/Disable pre-release features or settings | Disabled (all experimentations are turned off) |
| Windows Components/Data Collection and Preview Builds/Do not show feedback notifications | Enabled |
| Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Disabled |
| Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
| Windows Components/File History/Turn off File History | Enabled |
| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage |**Enabled** if using EnableSharedPCMode<br><br>**Disabled** is using EnableSharedPCModeWithOneDriveSync |
| Windows Components/Windows Hello for Business/Use biometrics | Disabled |
| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
| Extra registry setting | Status |
|-------------------------------------------------------------------------------------------------------------------|----------|
| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
| Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview () | 0 |
## SetEDUPolicy
By enabling SetEDUPolicy, the following settings in the local GPO are configured:
| Policy setting | Status |
|--|--|
| System/User Profiles/Turn off the advertising ID | Enabled |
| Windows Components/Cloud Content/Do not show Windows tips | Enabled |
| Windows Components/Cloud Content/Turn off Microsoft consumer experiences | Enabled |
## SetPowerPolicies
By enabling SetPowerPolicies, the following settings in the local GPO are configured:
| Policy setting | Status|
|--|--|
| System/Power Management/Button Settings/Select the lid switch action (on battery) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the lid switch action (plugged in) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the Power button action (on battery) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the Power button action (plugged in) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the Sleep button action (on battery) | Enabled > Sleep |
| System/Power Management/Button Settings/Select the Sleep button action (plugged in) | Enabled > Sleep |
| System/Power Management/Energy Saver Settings/Energy Saver Battery Threshold (on battery) | Enabled > 70% |
| System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping (on battery) | Enabled |
| System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping (plugged in) | Enabled |
| System/Power Management/Sleep Settings/Specify the system hibernate timeout (on battery) | 0 (Hibernation disabled) |
| System/Power Management/Sleep Settings/Specify the system hibernate timeout (plugged in) | 0 (Hibernation disabled) |
| System/Power Management/Sleep Settings/Turn off hybrid sleep (on battery) | Enabled |
| System/Power Management/Sleep Settings/Turn off hybrid sleep (plugged in) | Enabled |
## MaintenanceStartTime
By enabling MaintenanceStartTime, the following settings in the local GPO are configured:
| Policy setting | Status|
|--------------------------------------------------------------------------------------|--------------------------------|
| Windows Components/Maintenance Scheduler/Automatic Maintenance Activation Boundary | 2000-01-01T00:00:00 (midnight) |
| Windows Components/Maintenance Scheduler/Automatic Maintenance Random Delay | Enabled PT2H (2 hours) |
| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled |
## SignInOnResume
By enabling SignInOnResume, the following settings in the local GPO are configured:
| Policy setting | Status|
|--|--|
| System/Logon/Allow users to select when a password is required when resuming from connected standby | Disabled |
| System/Power Management/Sleep Settings/Require a password when a computer wakes (on battery) | Enabled |
| System/Power Management/Sleep Settings/Require a password when a computer wakes (plugged in) | Enabled |
## EnableAccountManager
By enabling Enableaccountmanager, the following schedule task is turned on: `\Microsoft\Windows\SharedPC\Account Cleanup`.
## Shared PC APIs and app behavior
Applications can take advantage of Shared PC mode with the following three APIs:
- [**IsEnabled**][API-1] - This API informs applications when the device is configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences.
- [**ShouldAvoidLocalStorage**][API-2] - This API informs applications when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
- [**IsEducationEnvironment**][API-3] - This API informs applications when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
-----------
[API-1]: /uwp/api/windows.system.profile.sharedmodesettings.isenabled
[API-2]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage
[API-3]: /uwp/api/windows.system.profile.educationsettings