deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo 2022-10-04 16:15:45 -04:00
parent 9df6474d24
commit 4e728aadc0
9 changed files with 283 additions and 236 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
windows/configuration/images/icons/accessibility.svg Normal file
View File

@ -0,0 +1,3 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

3
windows/configuration/images/icons/group-policy.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
<path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

24
windows/configuration/images/icons/intune.svg Normal file
View File

@ -0,0 +1,24 @@
<svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#0078d4" />
<stop offset="0.82" stop-color="#5ea0ef" />
</linearGradient>
<linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#1490df" />
<stop offset="0.98" stop-color="#1f56a3" />
</linearGradient>
<linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#d2ebff" />
<stop offset="1" stop-color="#f0fffd" />
</linearGradient>
</defs>
<title>Icon-intune-329</title>
<rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
<rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
<path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
<path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
<rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
<circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
<path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.8 KiB

20
windows/configuration/images/icons/powershell.svg Normal file
View File

@ -0,0 +1,20 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#32bedd" />
<stop offset="0.175" stop-color="#32caea" />
<stop offset="0.41" stop-color="#32d2f2" />
<stop offset="0.775" stop-color="#32d4f5" />
</linearGradient>
</defs>
<title>MsPortalFx.base.images-10</title>
<g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
<g>
<path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
<path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
<path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
<path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
<rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

3
windows/configuration/images/icons/provisioning-package.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
<path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.9 KiB

22
windows/configuration/images/icons/registry.svg Normal file
View File

@ -0,0 +1,22 @@
<svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#76bc2d" />
<stop offset="0.32" stop-color="#73b82c" />
<stop offset="0.65" stop-color="#6cab29" />
<stop offset="0.99" stop-color="#5e9724" />
<stop offset="1" stop-color="#5e9624" />
</linearGradient>
<linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#0078d4" />
<stop offset="0.17" stop-color="#1c84dc" />
<stop offset="0.38" stop-color="#3990e4" />
<stop offset="0.59" stop-color="#4d99ea" />
<stop offset="0.8" stop-color="#5a9eee" />
<stop offset="1" stop-color="#5ea0ef" />
</linearGradient>
</defs>
<title>Icon-general-18</title>
<path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
<rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.6 KiB

3
windows/configuration/images/icons/windows-os.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
<path d="M0 0h961v961H0V0zm1087 0h961v961h-961V0zM0 1087h961v961H0v-961zm1087 0h961v961h-961v-961z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 215 B

304
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -1,42 +1,39 @@
---
title: Set up a shared or guest PC with Windows 10/11
description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios.
ms.prod: w10
author: lizgt2000
ms.author: lizlong
ms.topic: article
title: Set up a shared or guest Windows device
description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
ms.date: 10/15/2022
ms.prod: windows
ms.technology: windows
ms.topic: reference
ms.localizationpriority: medium
ms.reviewer: sybruckm
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: highpri
ms.collection:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
---
# Set up a shared or guest PC with Windows 10/11
# Set up a shared or guest Windows device
*Shared PC* is a Windows feature that optimizes Windows clients for shared use scenarios, such as touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
**Applies to**
## Shared PC mode
A Windows device enabled for *Shared PC mode* is designed to be maintenance-free with high reliability. Devices configured in Shared PC mode allow sign in of one user at a time. When a device is locked, the signed in user can be signed out at the lock screen.
- Windows 10
- Windows 11
## Account models
Shared PC offers the possibility to enable a **Guest** option on the sign-in screen. The Guest option doesn't require any user credentials or authentication, and creates a new local account each time it's used.
Windows also offers an **Assigned access** or **kiosk** mode. Shared PC can be configured to enable a the **Guest** option and execute a specific application in kiosk mode.
Windows client has a *shared PC mode*, which optimizes Windows client for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows client Pro, Pro Education, Education, and Enterprise.
> [!NOTE]
> If you're interested in using Windows client for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
## Shared PC mode concepts
A Windows client PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen.
### Account models
It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows client has a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode.
### Account management
When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows client, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days.
## Account management
When the account management service is configured, user profiles are automatically deleted to free up disk space and resources. The deletion process applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows client, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days.
### Maintenance and sleep
Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not in use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates.
While shared PC mode does not configure Windows Update itself, it is recommended to configure Windows Update to automatically install updates and reboot during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates.
Use one of the following methods to configure Windows Update:
@ -46,14 +43,7 @@ Use one of the following methods to configure Windows Update:
[Learn more about the AllowAutoUpdate settings](/windows/client-management/mdm/policy-configuration-service-provider#Update_AllowAutoUpdate)
### App behavior
Apps can take advantage of shared PC mode with the following three APIs:
- [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences.
- [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
- [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
### Customization
Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring Shared PC mode for Windows](#configuring-shared-pc-mode-for-windows). The options are listed in the following table.
@ -78,9 +68,17 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
[Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts.
## Configuring Shared PC mode for Windows
## Configure Shared PC mode
You can configure Windows to be in shared PC mode in a couple different ways:
The configuration of Shared PC can be done using:
- Microsoft Intune/MDM
- a provisioning package (PPKG)
- PowerShell
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To set up a shared device policy for Windows client in Intune, complete the following steps:
@ -111,9 +109,13 @@ You can configure Windows to be in shared PC mode in a couple different ways:
11. From this point on, you can configure any additional settings youd like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows client that's already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
![Shared PC settings in ICD.](images/icd-adv-shared-pc.png)
[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings:
Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
@ -138,216 +140,46 @@ You can configure Windows to be in shared PC mode in a couple different ways:
Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
```
### Create a provisioning package for shared use
1. [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
2. Open Windows Configuration Designer.
3. On the **Start page**, select **Advanced provisioning**.
4. Enter a name and (optionally) a description for the project, and click **Next**.
5. Select **All Windows desktop editions**, and click **Next**.
6. Click **Finish**. Your project opens in Windows Configuration Designer.
7. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization)
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Set a value for **Package Version**.
> [!TIP]
> You can make changes to existing packages and change the version number to update previously applied packages.
12. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
> [!IMPORTANT]
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
13. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
14. Click **Next**.
15. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
17. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder
- SharePoint site
- Removable media (USB/SD) (select this option to apply to a PC during initial setup)
### Apply the provisioning package
Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md).
> [!NOTE]
> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
---
## Guidance for accounts on shared PCs
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
- When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign-out.
* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign-out.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
- Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**.
* Local accounts that already exist on a PC wont be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**.
- The account management service supports accounts that are exempt from deletion. An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
- To add the account SID to the registry key using PowerShell:
* If admin accounts are necessary on the PC
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
* Create admin accounts before setting up shared PC mode, or
* Create exempt accounts before signing out when turning shared pc mode on.
```powershell
$adminName = "LocalAdmin"
$adminPass = 'Pa$$word123'
invoke-expression "net user /add $adminName $adminPass"
$user = New-Object System.Security.Principal.NTAccount($adminName)
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$sid = $sid.Value;
New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
```
* The account management service supports accounts that are exempt from deletion.
* An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
* To add the account SID to the registry key using PowerShell:
## Shared PC APIs and app behavior
```powershell
$adminName = "LocalAdmin"
$adminPass = 'Pa$$word123'
iex "net user /add $adminName $adminPass"
$user = New-Object System.Security.Principal.NTAccount($adminName)
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$sid = $sid.Value;
New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
```
Applications can take advantage of Shared PC mode with the following three APIs:
## Policies set by shared PC mode
- [**IsEnabled**][API-1] - This API informs applications when the device is configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences.
- [**ShouldAvoidLocalStorage**][API-2] - This API informs applications when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
- [**IsEducationEnvironment**][API-3] - This API informs applications when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
## Technical reference
> [!IMPORTANT]
> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
- For a list of settings configured by the different options offered by Shared PC mode, see the [Shared PC technical reference](shared-pc-technical.md).
- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3].
### Admin Templates > Control Panel > Personalization
-----------
|Policy Name| Value|When set?|
|--- |--- |--- |
|Prevent enabling lock screen slide show|Enabled|Always|
|Prevent changing lock screen and logon image|Enabled|Always|
[API-1]: /uwp/api/windows.system.profile.sharedmodesettings
[API-2]: /uwp/api/windows.system.profile.sharedmodesettings
[API-3]: /uwp/api/windows.system.profile.educationsettings
### Admin Templates > System > Power Management > Button Settings
|Policy Name| Value|When set?|
|--- |--- |--- |
|Select the Power button action (plugged in)|Sleep|SetPowerPolicies=True|
|Select the Power button action (on battery)|Sleep|SetPowerPolicies=True|
|Select the Sleep button action (plugged in)|Sleep|SetPowerPolicies=True|
|Select the lid switch action (plugged in)|Sleep|SetPowerPolicies=True|
|Select the lid switch action (on battery)|Sleep|SetPowerPolicies=True|
### Admin Templates > System > Power Management > Sleep Settings
|Policy Name| Value|When set?|
|--- |--- |--- |
|Require a password when a computer wakes (plugged in)|Enabled|SignInOnResume=True|
|Require a password when a computer wakes (on battery)|Enabled|SignInOnResume=True|
|Specify the system sleep timeout (plugged in)|*SleepTimeout*|SetPowerPolicies=True|
|Specify the system sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True|
|Turn off hybrid sleep (plugged in)|Enabled|SetPowerPolicies=True|
|Turn off hybrid sleep (on battery)|Enabled|SetPowerPolicies=True|
|Specify the unattended sleep timeout (plugged in)|*SleepTimeout*|SetPowerPolicies=True|
|Specify the unattended sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True|
|Allow standby states (S1-S3) when sleeping (plugged in)|Enabled|SetPowerPolicies=True|
|Allow standby states (S1-S3) when sleeping (on battery)|Enabled |SetPowerPolicies=True|
|Specify the system hibernate timeout (plugged in)|Enabled, 0|SetPowerPolicies=True|
|Specify the system hibernate timeout (on battery)|Enabled, 0|SetPowerPolicies=True|
### Admin Templates>System>Power Management>Video and Display Settings
|Policy Name| Value|When set?|
|--- |--- |--- |
|Turn off the display (plugged in)|*SleepTimeout*|SetPowerPolicies=True|
|Turn off the display (on battery|*SleepTimeout*|SetPowerPolicies=True|
### Admin Templates>System>Power Management>Energy Saver Settings
|Policy Name| Value|When set?|
|--- |--- |--- |
|Energy Saver Battery Threshold (on battery)|70|SetPowerPolicies=True|
### Admin Templates>System>Logon
|Policy Name| Value|When set?|
|--- |--- |--- |
|Show first sign-in animation|Disabled|Always|
|Hide entry points for Fast User Switching|Enabled|Always|
|Turn on convenience PIN sign-in|Disabled|Always|
|Turn off picture password sign-in|Enabled|Always|
|Turn off app notification on the lock screen|Enabled|Always|
|Allow users to select when a password is required when resuming from connected standby|Disabled|SignInOnResume=True|
|Block user from showing account details on sign-in|Enabled|Always|
### Admin Templates>System>User Profiles
|Policy Name| Value|When set?|
|--- |--- |--- |
|Turn off the advertising ID|Enabled|SetEduPolicies=True|
### Admin Templates>Windows Components
|Policy Name| Value|When set?|
|--- |--- |--- |
|Do not show Windows Tips |Enabled|SetEduPolicies=True|
|Turn off Microsoft consumer experiences |Enabled|SetEduPolicies=True|
|Microsoft Passport for Work|Disabled|Always|
|Prevent the usage of OneDrive for file storage|Enabled|Always|
### Admin Templates>Windows Components>Biometrics
|Policy Name| Value|When set?|
|--- |--- |--- |
|Allow the use of biometrics|Disabled|Always|
|Allow users to log on using biometrics|Disabled|Always|
|Allow domain users to log on using biometrics|Disabled|Always|
### Admin Templates>Windows Components>Data Collection and Preview Builds
|Policy Name| Value|When set?|
|--- |--- |--- |
|Toggle user control over Insider builds|Disabled|Always|
|Disable pre-release features or settings|Disabled|Always|
|Do not show feedback notifications|Enabled|Always|
|Allow Telemetry|Basic, 0|SetEduPolicies=True|
### Admin Templates>Windows Components>File Explorer
|Policy Name| Value|When set?|
|--- |--- |--- |
|Show lock in the user tile menu|Disabled|Always|
### Admin Templates>Windows Components>Maintenance Scheduler
|Policy Name| Value|When set?|
|--- |--- |--- |
|Automatic Maintenance Activation Boundary|*MaintenanceStartTime*|Always|
|Automatic Maintenance Random Delay|Enabled, 2 hours|Always|
|Automatic Maintenance WakeUp Policy|Enabled|Always|
### Admin Templates>Windows Components>Windows Hello for Business
|Policy Name| Value|When set?|
|--- |--- |--- |
|Use phone sign-in|Disabled|Always|
|Use Windows Hello for Business|Disabled|Always|
|Use biometrics|Disabled|Always|
### Admin Templates>Windows Components>OneDrive
|Policy Name| Value|When set?|
|--- |--- |--- |
|Prevent the usage of OneDrive for file storage|Enabled|Always|
### Windows Settings>Security Settings>Local Policies>Security Options
|Policy Name| Value|When set?|
|--- |--- |--- |
|Interactive logon: Do not display last user name|Enabled, Disabled when account model is only guest|Always|
|Interactive logon: Sign-in last interactive user automatically after a system-initiated restart|Disabled |Always|
|Shutdown: Allow system to be shut down without having to log on|Disabled|Always|
|User Account Control: Behavior of the elevation prompt for standard users|Auto deny|Always|
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
[WIN-3]: /windows/client-management/mdm/sharedpc-csp

137
windows/configuration/shared-pc-technical.md Normal file
View File

@ -0,0 +1,137 @@
---
title: Shared PC technical reference
description: List of policies and settings applied by the Shared PC options.
ms.date: 10/15/2022
ms.prod: windows
ms.technology: windows
ms.topic: reference
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows 11 SE</b>
---
# Shared PC technical reference
## Local group policy settings list
The different options offered by Shared PC configure the local group policy object (LGPO) with different settings. The following tables list the settings configured by each Shared PC option.
## EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync
| Policy setting | Status |
|--|--|
| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
| Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
| System/Logon/Block user from showing account details on sign-in | Enabled |
| System/Logon/Enumerate local users on domain-joined computers | Disabled |
| System/Logon/Hide entry points for Fast User Switching | Enabled |
| System/Logon/Show first sign-in animation | Disabled |
| System/Logon/Turn off app notifications on the lock screen | Enabled |
| System/Logon/Turn off picture password sign-in | Enabled |
| System/Logon/Turn on convenience PIN sign-in | Disabled |
| Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
| Windows Components/Biometrics/Allow the use of biometrics | Disabled |
| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
| Windows Components/Data Collection and Preview Builds/Do not show feedback notifications | Enabled |
| Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Disabled |
| Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
| Windows Components/File History/Turn off File History | Enabled |
| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled |
| Windows Components/Windows Hello for Business/Use biometrics | Disabled |
| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
| Extra registry setting | Status |
|-------------------------------------------------------------------------------------------------------------------|----------|
| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
| Software\Policies\Microsoft\Windows\PreviewBuilds\EnableConfigFlighting (Disable pre-release features or settings) | 0 |
| Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview () | 0 |
## SetEDUPolicy
SetEDUPolicy configures the following settings:
| LGPO setting | Status |
|--|--|
| System/User Profiles/Turn off the advertising ID | Enabled |
| Windows Components/Cloud Content/Do not show Windows tips | Enabled |
| Windows Components/Cloud Content/Turn off Microsoft consumer experiences | Enabled |
## SetPowerPolicies
SetPowerPolicies configures the following settings:
| LGPO setting | Status |
|--|--|
| System/Power Management/Button Settings/Select the lid switch action (on battery) | Enabled --> Sleep |
| System/Power Management/Button Settings/Select the lid switch action (plugged in) | Enabled --> Sleep |
| System/Power Management/Button Settings/Select the Power button action (on battery) | Enabled --> Sleep |
| System/Power Management/Button Settings/Select the Power button action (plugged in) | Enabled --> Sleep |
| System/Power Management/Button Settings/Select the Sleep button action (on battery) | Enabled --> Sleep |
| System/Power Management/Button Settings/Select the Sleep button action (plugged in) | Enabled --> Sleep |
| System/Power Management/Energy Saver Settings/Energy Saver Battery Threshold (on battery) | Enabled --> 70% |
| System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping (on battery) | Enabled |
| System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping (plugged in) | Enabled |
| System/Power Management/Sleep Settings/Specify the system hibernate timeout (on battery) | 0 (Disables hibernation) |
| System/Power Management/Sleep Settings/Specify the system hibernate timeout (plugged in) | 0 (Disables hibernation) |
| System/Power Management/Sleep Settings/Turn off hybrid sleep (on battery) | Enabled |
| System/Power Management/Sleep Settings/Turn off hybrid sleep (plugged in) | Enabled |
## MaintenanceStartTime
| Policy setting | Status |
|--------------------------------------------------------------------------------------|--------------------------------|
| Windows Components/Maintenance Scheduler/Automatic Maintenance Activation Boundary | 2000-01-01T00:00:00 (midnight) |
| Windows Components/Maintenance Scheduler/Automatic Maintenance Random Delay | Enabled PT2H |
| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled |
## SignInOnResume
SignInOnResume configures the following settings:
| LGPO setting | Status |
|--|--|
| System/Logon/Allow users to select when a password is required when resuming from connected standby | Disabled |
| System/Power Management/Sleep Settings/Require a password when a computer wakes (on battery) | Enabled |
| System/Power Management/Sleep Settings/Require a password when a computer wakes (plugged in) | Enabled |
## Enableaccountmanager
Enables scheduled task:
\Microsoft\Windows\SharedPC\,"Account Cleanup"
[SharedModeSettings.ShouldAvoidLocalStorage Property](/uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage)
Account Model has been set to not configured --> no GPO changes --> removes Guest from login screen
Restrict Local Storage has been set to not configured --> no GPO changes
removed all diskleveldeletion, threshold --> no GPO changes
##### to check
### Windows Settings>Security Settings>Local Policies>Security Options
|Policy Name| Value|When set?|
|--- |--- |--- |
|Interactive logon: Do not display last user name|Enabled, Disabled when account model is only guest|Always|
|Interactive logon: Sign-in last interactive user automatically after a system-initiated restart|Disabled |Always|
|Shutdown: Allow system to be shut down without having to log on|Disabled|Always|
|User Account Control: Behavior of the elevation prompt for standard users|Auto deny|Always|