Shared devices – Deployments of apps, WebApps, Store apps, scripts, and configuration profiles work perfectly for the first person logging in, but fail on subsequent users
Question
Has anyone got a RELIABLE solution when managing shared devices?
Summary of issues –
Deployments of apps (exe and MSI), WebApps, Microsoft Store apps, scripts, and configuration profiles work perfectly for the first person logging in.
On secondary user login (and subsequent users), these do not work consistently.
Microsoft Store apps can be delayed by several hours or multiple reboots before being fully installed.
Configuration profiles have major issues applying, and in some instances fail to apply at all.
In particular, I cannot deploy a solution that applies to secondary and subsequent logins.
OST solution –
I have created three different solutions for disabling OST creation.
All three work on initial user login, but not on subsequent users.
PowerShell script – Create registry entries to block OST creation
Config Profile – Do not allow an OST to be created
Config Profile – Use Cached Exchange Mode for new and existing Outlook profiles (Disabled)
This issue happens on both Windows 10 Pro devices and Windows 10 Enterprise devices.
It happens when using a DEM account – Device Enrollment Manager as well as Autopilot devices.
It happens in my dev environment and my client’s production environment.
Has anyone got a RELIABLE solution when managing shared devices?
I have a workaround for WebApps not deploying reliably (a PowerShell script to create favorites shortcuts to the Public Desktop), but Config Profiles failing is a pretty big issue. If my OST config profiles aren’t applying correctly, does that mean my Device Restriction config profiles are failing too?
I have logged a ticket with Microsoft support and I am waiting for a follow-up from them.
Answers ( 4 )
Thanks so much for replying Anoop, much appreciated.
To confirm, the Config Profiles for managing OST creation are only applied to a group with the shared device as a member. The profiles apply to the first user logging in to the device, but not subsequent users.
Is that what you mean?
Does this mean you are assigning the profile to Azure AD user groups? If so, that might create an issue.
Check out the note in the Microsoft docs.
“Be sure to assign the profile to device groups in your organization.”
https://docs.microsoft.com/en-us/mem/intune/configuration/shared-user-device-settings
These config profiles or scripts are targeting groups with ONLY DEVICES as members. This is because I don’t want the profile or script targeting the user on their dedicated device, only the ‘shared device’.
Well, for the shared PC scenario, do you think all the user deployment scenarios are supported?
I don’t think all those scenarios are supported.
So you should be very careful when using user groups for shared PC deployments.
My advice would be to use only device-based deployments for shared PC scenarios.