Building lock down device – Part 3 (Shared PC mode)

For earlier posts, please find them here:

• Building lock down device – Part 1 – (Keyboard Filter)
• Building lock down device – Part 2 (Shell Launcher)

For more details how to configure Shared PC mode, you can read Maurice’s excellent post Building a shared pc mode kiosk with Microsoft Intune

Shared PC mode is very useful feature when building lock down device, most useful setting that I like is restrict access to local storage, there are other main features as well.

• Account Models
• Account management
• Local Storage
• Power Policy
• Sleep time out
• Sign in when PC wakes
• Maintenance policy
• Education Policies
• Fast first sign in

I will focus talk about Account models, Account management and Local Storage in this post

Account Models

This option controls how users can sign-in on the PC. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC.  In my Shared PC mode settings, I have configured Account mode is Guest and domain user. This is how it looks when you enable Guest option, see below picture.

For a very long time, I thought this is ok to use. I choose “Guest”, click on Sign in, very easy, right? There are only two options, Other user and Guest, so it’s just 50% chance you know how to choose the correct account. Well, yes, it looks easy or an IT or someone that has a bit knowledge about computers, but not for everyone.

Asked from normal users, this logon screen is very confusing for public usage devices. The ideal of enable Guest account, you want people use Guest account, but why this Other user is in middle of log on screen asking work or school account? It really doesn’t make it easy to understand.

Hold on. You might wonder why not use Kiosk mode Assigned Access auto logon? I will talk about that in next post.

Account management

This is quite useful feature, I have seen lots of questions about how to delete user profile after log off, so this might be your solution, BUT still depends on your requirements. User profile deletion only works for four kind of account types:

• new local accounts created by the Guest options
• new local accounts created by the Kiosk options, includes Assigned Access auto logon account
• Azure AD accounts
• Active Directory domain accounts

This means, if you create normal local account, account management will not do anything with it.

Notes:

• When you configure this settings, it applies slowly, so take cup of tea and wait a little.
• When is using Guest account, it actually creates a new Guest account every time when Guest is logged off.
• If you are using Azure AD account or Active Directory domain accounts with immediately delete profile, it takes about 30-45 seconds to delete the profile after logged off.

Local Storage

Set as True to restrict the user from saving or viewing local storage when using File Explorer.

When it is allowed access to local storage, we can see everything in File explorer.

When restrict access to local storage, explorer looks way more better, user can only access to Downloads folder. As you notice, user can access to external DVD drive

What is wrong?

Ok, restrict access to local storage looks working, file explorer is clean and nice, if I try to go any other folder then download, it gave me error. But is it already secure??

As in the official documents about this feature, it did mentioned it’s only for File Explorer ! Please don’t misunderstand that it is actually restrict access to local storage from everything. So let’t create a shortcut call cmd.bat in Download folder with run command: cmd.exe /c cmd.exe

Now run this cmd.bat file, it will call out the command prompt, and I will have access to local storage.

If you really want restrict to any storage, this setting is not enough. I will talk about bit more in next posts. https://msendpointmgr.com/2019/04/25/building-lock-down-device-part-4-kiosk-pc-mode/

Until next time.