Configuring Shared PC mode with OneDrive sync enabled and configured

This week another short blog post about another nice configuration addition to Windows. This time it’s about configuring Shared PC mode with OneDrive sync. Shared PC mode in itself is nothing new, or special, but there was something missing. That something was OneDrive sync, as there are scenarios in which it’s still required to use OneDrive on a Shared PC. The default behavior of Windows, however, was to prevent the usage of OneDrive once Shared PC mode was enabled. That’s still the case, but starting with Windows 11 version 22H2 a new setting is introduced that enables IT administrators to enable Shared PC mode with OneDrive sync enabled. In other words, a new setting to enable Shared PC mode. This post will start with a short introduction about that new setting, followed by the steps to configure Shared PC mode with OneDrive sync enabled and configured. This post will end with showing the behavior after applying the configuration.

Note: This new setting is introduced with the updates to MDM in Windows 11 version 22H2 and is also expected to be available for Windows 10 and later. There is, however, no clear documentation about that.

Introducing new Shared PC mode setting

When looking at configuring Shared PC mode, the configuration is achieved by relying on the SharedPC CSP. That CSP contains the different settings that are available for configuring the different components of Shared PC mode on Windows devices. Starting with Windows 11 version 22H2, that CSP now contains an additional node that can be used to enable Shared PC mode with OneDrive sync enabled. The table below provides an overview of that new setting and how it can be used.

Setting | Description
EnableSharedPCModeWithOneDriveSync | This policy setting can be used to configure a device to Shared PC mode with OneDrive sync turned on. That setting can be configured with a boolean value that can be set to true or false.

Note: The root node of the SharedPC CSP is ./Device/Vendor/MSFT/SharedPC/.

Configuring Shared PC mode with OneDrive sync

Configuring Shared PC mode with OneDrive sync enabled and configured requires multiple configuration steps, especially since the new setting in the SharedPC CSP is not yet available within Microsoft Intune. That means a custom configuration profile is currently required to at least configure that setting. At this moment, the most obvious configuration strategy for Shared PC mode with OneDrive sync enabled and configured contains three steps.

Step 1: Enable Shared PC mode with OneDrive sync

The first step is to actually configure Windows devices to enable Shared PC mode with OneDrive sync enabled. When looking at that configuration, using the SharedPC CSP, and using Microsoft Intune for the configuration, the configuration is actually pretty straightforward. In the future it will probably become even easier. For now, the configuration will still rely on using a custom device configuration profile. The following nine steps walk through the creation of that custom device configuration profile, with the setting to enable Shared PC mode with OneDrive sync enabled.

  1. Open Microsoft Endpoint Manager admin center and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
  • Platform: Select Windows 10 and later as the platform for the configuration profile
  • Profile type: Select Templates as the profile type for the configuration profile
  • Template name: Select Custom as the template name for the configuration profile
  4. On the Basics page, specify a valid Name and optionally a Description and click Next
  5. On the Configuration settings page, as shown below in Figure 1, click Add to add rows for the following custom settings and click Next
  • OMA-URI setting 1 – This setting is used to enable Shared PC mode with OneDrive sync enabled
    • Name (1): Provide a name for the OMA-URI setting to distinguish it from other similar settings
    • Description: (Optional) Provide a description for the OMA-URI setting to further differentiate settings
    • OMA-URI (2): Specify ./Device/Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync
    • Data type (3): Select Boolean as data type for the configuration of the value of the setting
    • Value (4): Select True as value to configure Shared PC mode with OneDrive sync enabled
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the required assignment and click Next
  8. On the Applicability rules page, configure the required applicability rules and click Next
  9. On the Review + create page, verify the configuration and click Create

Note: At some point in time these settings might become directly available within Microsoft Intune.
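The same custom profile can also be created through Microsoft Graph instead of the portal. The script below is an added example, not part of the original post; the profile name is constructed, and it assumes the Microsoft.Graph.Authentication module and an account that may manage Intune device configuration. Before posting, it lists existing custom profiles that set the plain EnableSharedPCMode node, since the comments below describe that combination as conflicting.

```powershell
# Added example, not from the original post. Builds the Step 1 custom profile and,
# with -Create, posts it to Microsoft Graph. Without -Create it only prints the body.
param(
    [string]$DisplayName = 'Shared PC mode with OneDrive sync',  # constructed name
    [switch]$Create
)

$root     = './Device/Vendor/MSFT/SharedPC'                      # root node from the post
$newNode  = "$root/EnableSharedPCModeWithOneDriveSync"
$graphUri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

# Same values as the portal steps: one Boolean OMA-URI row set to True.
$customProfile = [ordered]@{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $DisplayName
    description   = 'Enables Shared PC mode with OneDrive sync via the SharedPC CSP'
    omaSettings   = @(
        [ordered]@{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'EnableSharedPCModeWithOneDriveSync'
            omaUri        = $newNode
            value         = $true
        }
    )
}
$body = $customProfile | ConvertTo-Json -Depth 5

if (-not $Create) { return $body }

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

# Custom profiles that already set the plain EnableSharedPCMode node enable Shared PC
# mode a second time, without OneDrive sync. Settings Catalog profiles are not covered
# by this query and have to be reviewed separately.
$conflicts = @()
$next = $graphUri
while ($next) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $next
    foreach ($config in $page.value) {
        if ($config.'@odata.type' -ne '#microsoft.graph.windows10CustomConfiguration') { continue }
        foreach ($setting in $config.omaSettings) {
            if ($setting.omaUri -match '/SharedPC/EnableSharedPCMode$') {
                $conflicts += $config.displayName
            }
        }
    }
    $next = $page.'@odata.nextLink'   # follow paging until the last page
}
if ($conflicts) {
    Write-Warning ('Custom profiles that also enable Shared PC mode: ' + ($conflicts -join ', '))
}

$created = Invoke-MgGraphRequest -Method POST -Uri $graphUri -Body $body -ContentType 'application/json'
"Created profile $($created.id); it still has to be assigned to a device group."
```

The profile is created without assignments, so scope tags, assignment and applicability rules from the remaining portal steps still apply.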

Step 2: Configuring additional Shared PC mode settings

The second step is to further configure Shared PC mode. When looking at that configuration, using the SharedPC CSP, and using Microsoft Intune for the configuration, the focus goes to the Settings Catalog. The Settings Catalog contains the required settings and provides an easy method for applying those settings. The following eight steps walk through further configuring Shared PC mode by using the available settings in the Settings Catalog. It provides all the settings that might add value to the configuration of Shared PC mode itself.

  1. Open Microsoft Endpoint Manager admin center and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
  • Platform: Select Windows 10 and later to create a profile for Windows 10 devices
  • Profile: Select Settings catalog to select the required setting from the catalog
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  • Platform: (Greyed out) Windows 10 and later
  5. On the Configuration settings page, as shown below in Figure 2, perform the following actions and click Next
  • Click Add settings and perform the following in Settings picker
    • Select Shared PC as category
    • Select the required settings related to Shared PC mode from the available settings: Account Mode, Deletion Policy, Disk Level Caching, Disk Level Deletion, Enabled Account Manager, Inactive Threshold, Maintenance Start Time, Kiosk Mode User Tile Display Text, Kiosk Mode AUMID, Restrict Local Storage, Set Power Policies and Sign In On Resume
    • Configure the required settings that suit the environment with values like the following (examples)
      • Select Guest and Domain with Account Mode to configure the type of accounts that are available
      • Select Delete at disk space threshold with Deletion Policy to configure when accounts will be deleted
      • Specify 25 with Disk Level Caching to configure when to stop deleting accounts
      • Specify 25 with Disk Level Deletion to configure when to start deleting accounts
      • Select true with Enabled Account Manager to enable account manager
      • Specify 30 with Inactive Threshold to configure when to start deleting inactive accounts
      • Specify 1080 with Maintenance Start Time to configure maintenance mode daily at 6PM
      • Specify a text with Kiosk Mode User Tile Display Text to display a text with the account shown on the sign-in screen that launches the app specified with the Kiosk Mode AUMID setting
      • Specify an AUMID with Kiosk Mode AUMID to configure the app to be used with assigned access
      • Select false with Restrict Local Storage to allow the use of local storage on the device
      • Select true with Set Power Policies to configure the power policies on the device
      • Select true with Sign In On Resume to require signing in after waking up from sleep
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment and click Next
  8. On the Review + create page, verify the configuration and click Create

Important: Keep in mind that to be able to access OneDrive storage, access to local storage should not be restricted.

Step 3: Configuring OneDrive sync

The third step is to further configure OneDrive sync. When looking at that configuration, the most obvious option would also be to use the Settings Catalog. The Settings Catalog contains the required settings and provides an easy method for applying those settings. The configuration of those settings is similar to the steps used in step 2 to further configure Shared PC mode. Simply walk through the different steps again and use at least the following settings instead.

  • Enable Silently sign in users to the OneDrive sync app with their Windows credentials, to automatically configure the OneDrive sync app for the user
  • Enable Use OneDrive Files On-Demand, to automatically configure the files on demand feature for the OneDrive sync app
  • Enable Silently move Windows known folders to OneDrive, to automatically move known folders to OneDrive

Verifying Shared PC mode with OneDrive sync configuration

When all the configurations are in place, it’s time to verify the experience. The easiest method would be to simply sign in to Windows with an Azure AD account and to experience the automatic enablement and configuration of OneDrive sync. All the settings, configured in the different steps, are part of that complete experience that will result in a successfully configured OneDrive sync (as shown below in Figure 3, with number 2). Another easy method to show the successful configuration in a single screenshot is by looking at the SharedPCSetup.log file that is available in C:\Windows. That log file will clearly state that Shared PC mode with OneDrive sync is configured (as shown below in Figure 3, with number 1).
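The same verification can be scripted on the device. The check below is an added example, not part of the original post: it searches SharedPCSetup.log for the new node and reads the DisableFileSyncNGSC policy value that a commenter below found set to 1. The registry key path is the standard OneDrive policy location and is an assumption here, as the page only names the value; the log is searched for the setting name only, since its exact wording is not shown on the page.

```powershell
# Added example, not from the original post. Run on the Shared PC itself.
$logPath   = Join-Path $env:windir 'SharedPCSetup.log'              # log named in the post
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'   # assumed policy key path
$nodeName  = 'EnableSharedPCModeWithOneDriveSync'

# 1. Log lines that mention the new node; the last hit is the most recent one.
$logLines = @()
if (Test-Path -LiteralPath $logPath) {
    $logLines = @(Select-String -LiteralPath $logPath -Pattern $nodeName -SimpleMatch)
}

# 2. DisableFileSyncNGSC = 1 blocks the OneDrive sync app; 0 or absent leaves it allowed.
$policy  = Get-ItemProperty -LiteralPath $policyKey -Name 'DisableFileSyncNGSC' -ErrorAction SilentlyContinue
$blocked = ($null -ne $policy) -and ($policy.DisableFileSyncNGSC -eq 1)

# 3. Is the sync client running at all?
$oneDrive = @(Get-Process -Name 'OneDrive' -ErrorAction SilentlyContinue)

# Combine the three observations into one verdict.
$verdict =
    if ($logLines.Count -eq 0) {
        'Not applied: the log does not mention the OneDrive sync setting'
    }
    elseif ($blocked) {
        'Conflict: setting logged, but OneDrive is blocked by policy; look for a second profile that sets EnableSharedPCMode'
    }
    elseif ($oneDrive.Count -eq 0) {
        'Applied, but OneDrive is not running; check the OneDrive sync settings from step 3'
    }
    else {
        'Applied: setting logged, OneDrive allowed and running'
    }

[pscustomobject]@{
    LogFile             = $logPath
    LogMentionsSetting  = $logLines.Count -gt 0
    LastLogLine         = if ($logLines.Count) { $logLines[-1].Line } else { $null }
    DisableFileSyncNGSC = if ($null -ne $policy) { $policy.DisableFileSyncNGSC } else { 'not set' }
    OneDriveProcesses   = $oneDrive.Count
    Verdict             = $verdict
}
```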

More information

For more information about configuring Shared PC Mode, refer to the following docs.



71 thoughts on “Configuring Shared PC mode with OneDrive sync enabled and configured”

  1. Hello Peter,

    Another great blog !!.

    This is also possible with Windows 10 with a Custom profile.

    ./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync (Integer = 0)

    ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP (Integer = 1)

    I have used this policy for years now on Shared PCs

    Reply
  2. This is great news and one of the main reasons we still have some on prem machines hanging around.

    Couple of things though as I understand it still with shared PC mode you do not get app installs available via the company portal and Conditional access may not be supported too according to the MS docs. I need to test this but from your experience is this the case?

    Reply
      • I’d like to add, in case anyone else has the issue: do not enable both the Shared PC setting and the enableonedriveforsharedpc setting. We were trying to figure out why it was working for some and not for others. Turns out if you turn shared pc on it will fight with the onedriveshared pc setting and whoever gets installed first wins.

        Reply
  3. Hi Peter!

    Me again, just a note for you, for the Maintenance Start Time setting that you have with a value of 6, this means that it’ll start at 12:06am, we need to specify number of minutes as an offset from midnight, for example, if we wanted 2am, then we’d need to put in 120 minutes.

    All the best,
    Alex.

    Reply
  4. I am confused by the Kiosk Mode AUMID settings? I was hoping to use this for our on-prem computer lab desktops that are signed in by multiple students every day. I do not want to restrict the device to KIOSK mode or to certain apps. I just want to make them a shared device and remove the primary user. Most of our devices are co-managed through SCCM and InTune

    Reply
  5. Hi Peter,
    Great blog!!! thank you so much.
    I have tried to add the OMA-URI to a test device already running in shared PC mode. The settings failed with an error code: “-2016281112 0x87D1FDE8 Remediation failed”. The device is running Windows 10 22H2.
    I tried to find an explanation and ran across this from Microsoft article:
    https://learn.microsoft.com/en-us/windows/configuration/shared-pc-technical
    “EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync are the two policies that enable Shared PC mode. The only difference between the two is that EnableSharedPCModeWithOneDriveSync enables OneDrive synchronization, while EnableSharedPCMode disables it.”

    My CSP runs ./Vendor/MSFT/SharedPC/EnableSharedPCMode at the end of the CSP which sets the shared PC mode policy. I am not sure but I guess that could be the reason why running “EnableSharedPCModeWithOneDriveSync” failed.
    My question is: can I replace the ‘EnableSharedPCMode’ setting with ‘EnableSharedPCModeWithOneDriveSync’ in my CSP and still get all the settings in the csp to work?

    Reply
  6. Hi Peter great article that I have followed part 1 of as 2-3 are already in place in my environment. I can see from the logs that it is enabled but OneDrive still does not enable itself even if I manually go to OneDrive to launch it nothing starts.

    My test laptops are provisioned using the Setup School PC’s package creator with SharedMode enabled and the rest of the policies applied via InTune.

    Have I missed something obvious out here?

    Windows 11 22H2 laptops in a shared environment that need OneDrive Sync to start on login.

    Reply
      • The same thing happened to me, but it’s because of what Peter says that he had duplicated the Enable Shared PC Mode configuration. I did it running and I checked the 14 boxes instead of the ones he said in the tutorial. After doing it as he said and removing the ones from the Kiosk mode that did not interest me, it works wonderfully. Thanks Peter for the tutorial.

        Reply
  7. Hi Peter,

    great job and many thanks for sharing!
    I just have one question, is the format of the OMA-URI right?
    I see in the Microsoft doc https://learn.microsoft.com/en-us/windows/client-management/mdm/sharedpc-csp?WT.mc_id=EM-MVP-5001447 that shows the string as ./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync
    In your guide you configure the string as ./Device/Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync

    which one is the right one? or are both fine?

    Again many thanks

    Reply
  8. Is it possible to enable OneDrive sync option but still leave local storage disabled? I don’t want students saving to the local PC, I only want them saving to OneDrive

    Reply
  9. Our users can gain administrator access on shared computers which would allow a user to see another user’s downloaded OneDrive files. Is there a way to automatically dehydrate a user’s downloaded OneDrive files on logout? Is there another solution for this scenario?

    Reply
  10. After going through all these settings I still cannot get OneDrive to automatically login (configure) for the shared devices, I was able to make it enabled by using the “EnableSharedPCModeWithOneDriveSync” instead of the default one available in settingscatalog.

    I just can’t get the “Silently sign in users to the OneDrive sync app with their Windows credentials” to work properly, I can sign in manually and everything works but not auto.

    Any tips?

    Reply
      • Hi, I have about the same observation… In my experience, this setting is not always working… I had some cases through my tests where I just couldn’t get it to work automatically as it usually does… I can as well tell that although I had a successful test back in April with just changing the one setting – ‘EnableSharedPCMode’ with the ‘EnableSharedPCModeWithOneDriveSync’, I kept on getting an error when I tried to set it up on the production environment in July.
        I tested again and again – in July, but could not get this to work.
        In the end, I chose instead to use the ‘old method’ by using: ./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync (Integer = 0)
        ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP (Integer = 1) – (thanks Sjoerd), and then, I got the policy to work without errors.
        My thoughts are that something in my Intune environment has been changed in the time between April 2023 and July 2023… this is not new. I have tried this before… 🙂
        Looking in the settings catalog, I cannot find the ‘EnableSharedPCModeWithOneDriveSync’ in the settings catalog so my thoughts are that the policy is maybe not ready to use yet…

        Reply
          • Hi Peter, sorry for the delay answering… I have been away… No it didn’t work for me in July. I haven’t tried it since. As I kept getting the error then, I chose to use ‘the old method’ instead as I wrote. I couldn’t use more time on that and decided to stop there. I may try looking into it again when I will again get a large service window… 🙂

    • Did you solve this issue?
      We are having the same issue. We have Shared PC Mode with OneDrive Sync Enabled (and no other Shared PC setting is enabled).
      OneDrive works, BUT, user still has to open OneDrive manually the first time and sign-in, it does not auto run or auto sign-in even with all the relevant OneDrive policies enabled such as: –
      Silently sign in users to the OneDrive sync app with their Windows credentials – Enabled
      Use OneDrive Files On-Demand – Enabled
      Silently move Windows known folders to OneDrive – Enabled (and with correct Tenant ID)

      Reply
  11. Thanks Peter,
    It would be so nice if MS would update their templates to properly support the options. As it stands many of the Intune templates like “shared multi-user device” have become so outdated that they are actually misleading.

    Keith

    Reply
  12. Not working. I did the OMA-URI setting ./Device/Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync, Data type: Boolean, Value: True

    Configuration profile Shared PC, Enable shared pc
    Local storage is also enabled. Of course I also did the normal settings like implementation profile for shared device configuration profile for Shared PC etc.

    The log file in C:\Windows\sharedpc confirms that the setting is applied. Also in Intune no error. OneDrive just does not start up when you click on it; the app is there but when I start it nothing happens. Any suggestions?

    Reply
  13. Hi Peter,

    I know this is an oldie, but I was wondering…
    With Azure Virtual Desktop (w11 22h2 / 23h2 multisession) I’m running into the same issue. These are pure Azure AD joined devices, managed through Intune
    I found that the regkey ‘DisableFileSyncNGSC’ is the culprit, as it is getting value 1.
    Even though I place it at value 0, it gets reverted to 1 when the AVD hosts check in, supposedly due to the Shared PC service (haven’t verified it).

    Long story short; The Custom URI is ‘not applicable’ according to Intune.
    So, what are my options? Is there a way to get OneDrive enabled once more for Azure Virtual Desktop multisession Windows 11?

    Thanks in advance!

    Reply
    • Hi Jeroen,
      Could it be that there is also a normal Shared PC configuration applicable to the device that just enables Shared PC mode? That by default disables OneDrive sync and creates this conflicting configuration.
      Regards, Peter

      Reply
  14. This is a great blog post. I am having an issue with the following:

    1. I don’t see evidence that the profile is deleting after logout despite selecting immediately.
    2. If I reboot the computer, it appears to break the PRT. OneDrive does not automatically sign in nor is the user signed into Office. They have the ! telling them they need to fix their account and re-sign in.

    Reply
  15. Hi Peter,

    Quick question. In step 3 are you enabling both settings that are named “Silently move Windows folders to OneDrive” or just one? If not which one, are you using?

    Thanks,
    Aaron

    Reply
    • @Aaron: Hi Aaron,

      I hope it’s alright for me to respond. I really hope this is okay, Peter.

      I am using this setting for all the ‘Windows folders’, such as Pictures, Desktop, and Documents. After giving it some thought, I decided this setup suits our situation best. Our tenant is an educational tenant, and my clients frequently install new devices. We use MDT for that. Since they are not very diligent about saving all their data to OneDrive, this approach reduces the chances of losing data.

      However, there is a minor issue with duplicate desktop shortcuts. There is a policy in place that’s supposed to prevent this by excluding specific kinds of files from being uploaded. I have enabled it, but I can’t say it resolves the issue 100%. Despite using these policies for a few years now, I haven’t received any complaints from my clients, so I believe it is beneficial for them. 🙂

      Reply
  16. Hi Peter,

    Thank you for posting this;

    I have an issue that it doesn’t automatically sign in users in onedrive. I have no MFA enabled for these users.

    I had this as my initial configuration.
    I can also reproduce this on multiple devices.

    Reply
  17. Hi Peter,

    This is a related OneDrive config question. Are you aware of any way to set OneDrive on a PC that is NOT in SharedPCMode so that users other than the primary user get auto logged in? I.e. Employee B needs to temporarily use Employee A’s computer and logs on with his own userid? I think I had this working in Win10 but Win11 just seems to want to autologon the primary user and not any subsequent users.

    Reply
  18. Hi Peter,

    We are working on a modern endpoint with shared pc mode enabled and are in the process of determining whether to support OneDrive synchronisation or not. We have identified a couple of challenges because of the shared nature of this particular endpoint:

    – Some users need accounts with elevated rights for specific use cases (yes I know..)
    – OneDrive libraries might be accessible for others with elevated rights.

    Going forward, we are looking for ways to support OneDrive on shared physical endpoints and want to make sure it is safe and secure to do so and will functionally work as intended like it does on personal or AVD endpoints. What is your experience regarding securing personal data with Onedrive sync enabled on shared endpoints?

    Reply
    • Hi Max,
      That is indeed always challenging. That being said, have you seen my recent post about Personal Data Encryption for known Windows folders? That might be a big step into your direction.
      Regards, Peter

      Reply
      • Thank you Peter, I need to start checking your posts more often. Great post about PDE, pretty much exactly what I was hoping for and now it’s there with 24H2! Regards, Max

        Reply
  19. Hi Peter,

    We are testing this in the new Windows 24H2. The device is hanging in the Autopilot enrollment. If we look at the log (SharedPCSetup.log), the device is hanging in Configure EnableSharedPcModeWithOneDriveSync. The log is filled with Node GetValues.

    Any suggestions?

    Reply
    • Hi Nicky,
      I haven’t seen that behavior yet. For my understanding; you are not combining the configuration with the normal EnableSharedPcMode setting and you can reproduce the behavior on multiple devices?
      Regards, Peter

      Reply
  20. Hi Peter,

    We have followed your guide in trying to get a version of a shared PC that will have OneDrive enabled, and our hopes for that was to have it so that users log on with their AAD account and that OneDrive will automatically log on the different users after they log in to the PC. But that is not happening; if the user logs in manually it works, but automatically it does not.

    My guess is that we have MFA required for all users and that is what is stopping the auto login for the users, because when they log in they get prompted for MFA.

    Is it a prerequisite to get this working to exclude the users from MFA or can it be solved in any other way? Are there any other prerequisites that are worth noting?

    Reply
      • Hello,

        There is no autologin for the users on the shared PC. They will log on with their AAD account. But when a user logs in, even though they have the OneDrive configuration profile, it will not automatically log on the logged-on user; OneDrive will stay offline until a user manually clicks OneDrive and logs in, then authenticates with MFA, and then all is fine.

        We did a test and excluded a user from the MFA requirement and then it actually works. So if the user is not required to authenticate with MFA, OneDrive is able to auto login the user to their OneDrive when they log on to the shared PC.

        So we are currently looking into the CA policies to perhaps exclude our Shared PCs from the MFA requirement.

        Is this something you have seen in your testing?

        Reply
  21. Hi! I get an error in Endpoint if I use Boolean like you…

    But with Integer IT WORKS 🙂
    So if you have a problem, try this:

    ./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync (Integer = 0)
    ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP (Integer = 1)

    THX

    Reply
  22. Hi there! Thank you for putting up such a good tutorial that one can turn to at need. I just ran into a conundrum with a few laptops configured for Shared PC Mode that were working in Windows 10 (22H2) and then Windows 11 (23H2). After the update to 24H2, the Guest account displayed on the login screen no longer works. Clicking the login button results only in a brief flash on the screen and no “Welcome…” message. Do you know what configuration error causes this problem, or do you suspect any culprits that I should investigate?

    P.S. It may be worth mentioning that attempting to configure Shared PC Mode on these laptops with a provisioning package (PPKG) also results in errors, none of which are described sufficiently in the log.

    Reply
      • Hi Peter, I don’t think that I see errors with respect to the configuration, but I do see errors in the Windows Security logs with every guest login attempt: 4673 and 4724. Here are some snippets from the events:

        Event 4673: 4673, 0, 0, 13056, 0, 0x8010000000000000

        Event 4724: 4724, 0, 0, 13824, 0, 0x8010000000000000

        The latter appears to relate to an attempt to change an account’s password. That leads me to wonder if my configuration of LAPS is involved, even though that should only affect the local administrator account. Do you have any thoughts on that?

        Reply
