Shared Windows and M365 Apps

Jonas Bøgvad

I got interested in sharing and have been asked about sharing devices with Windows and Microsoft 365 Apps. One thing that always comes up is the licenses that need to be covered, since compliance is essential when speaking about sharing and can get a little complicated.

Microsoft has focused on licensing users instead of devices and shared scenarios, but that does not mean that they haven't built a solution for it.

The technology we will be using in this article is:

  • Windows 10 Pro with TPM 2.0 (not a VM)
  • Endpoint Manager Intune for management
  • Autopilot (self-deploying mode)
  • Microsoft 365 Apps

Scenarios

These are possible scenarios where shared devices with Microsoft 365 Apps would be a great solution:

  • Three workers at a factory share the same physical computer, with each worker using Office on that computer during their eight-hour shift.
  • Fifteen nurses at a hospital use Office on ten different computers throughout the day.
  • Five employees connect remotely to the same computer to run Office.
  • Multiple employees use Office on a computer located in a conference room or some other public space in the company.
  • Multiple users access Office instances hosted through Remote Desktop Services (RDS).

Endpoint Manager Intune and shared device

Since we are deploying our device with no primary user (also called "without user affinity"), we will be using an Intune device license to stay compliant. When we deploy our device with Autopilot, we leverage the "self-deploying mode" deployment method.

Self-deploying in preview

Self-deploying is still in preview, and I have experienced some issues with this deployment method. When you want to wipe the device, you might experience an error on the new deployment. Assigning a new Autopilot profile seems to fix the issue.

  • TPM 2.0 can't be virtual, which means you won't be able to deploy a VM with this method.

The following article sums up some of the issues.

License

First, you must consider how many devices will be shared or have no primary user. For each device you enroll without user affinity, you need to have an Intune device license in your tenant.

Management with Intune

To optimize our housekeeping, I recommend enabling "Shared PC mode" to give you a head start on managing account deletion and power management. Also consider using Intune to lock down access to areas of Windows that won't be necessary on a shared device.

Microsoft 365 Apps shared computer activation

Shared computer activation is required for scenarios where multiple users share the same computer and the users are logging in with their accounts. Normally, users can install and activate Microsoft 365 Apps only on a limited number of devices, such as 5 PCs. Using Microsoft 365 Apps with shared computer activation enabled doesn't count against that limit.

Licenses

To use M365 Apps shared computer activation, we will need at least a plan that includes M365 Apps for enterprise (found in M365 E3/E5) or a plan that includes M365 Apps for business (found in M365 Business Premium) assigned to the users that will be using a shared machine.

  • Any plan that includes Microsoft 365 Apps for enterprise (previously named Office 365 Plus). For example, Office 365 E3 or Microsoft 365 E5.
  • The Microsoft 365 Business Premium plan includes Microsoft 365 Apps for business.

Creating the XML file

To enable shared computer activation, we will use config.office.com to create our XML file, including our shared computer activation configuration. Then, we will use this XML file together with the Office Deployment Tool.

If you open up the XML file, you will see the following line:

<Property Name="SharedComputerLicensing" Value="1" />
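As an added example (not part of the original article, and not Microsoft's own tooling), the PowerShell below checks both ends of the process: that the XML from config.office.com actually carries SharedComputerLicensing=1 before it is packaged with the Office Deployment Tool, and that Click-to-Run recorded the setting on a deployed device. The configuration file path in the usage line is a placeholder.

```powershell
# Added example (not from the article): verify shared computer activation is
# requested in the ODT XML and applied on the device. Paths are placeholders.

# --- 1. Pre-deployment: confirm the XML from config.office.com enables SCA ---
function Test-OdtSharedComputerLicensing {
    param([Parameter(Mandatory)][string]$ConfigurationXmlPath)

    [xml]$config = Get-Content -Path $ConfigurationXmlPath -Raw
    # <Property Name="SharedComputerLicensing" Value="1" /> sits directly under <Configuration>
    $prop = $config.Configuration.Property |
        Where-Object { $_.Name -eq 'SharedComputerLicensing' }

    if (-not $prop) {
        Write-Warning "SharedComputerLicensing property is missing from $ConfigurationXmlPath"
        return $false
    }
    if ($prop.Value -ne '1') {
        Write-Warning "SharedComputerLicensing is '$($prop.Value)', expected '1'"
        return $false
    }
    Write-Output "OK: $ConfigurationXmlPath enables shared computer activation"
    return $true
}

# --- 2. Post-deployment: read what Click-to-Run actually applied ---
function Test-DeviceSharedComputerLicensing {
    # Click-to-Run stores the effective install configuration under this key
    # after 'setup.exe /configure configuration.xml' has run.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path -Path $key)) {
        Write-Warning 'Microsoft 365 Apps (Click-to-Run) is not installed on this device'
        return $false
    }
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SharedComputerLicensing
    if ($value -eq '1') {
        Write-Output 'OK: shared computer activation is enabled on this device'
        return $true
    }
    # Without SCA, every user signing in consumes one of their 5 device activations.
    Write-Warning "Shared computer activation is NOT enabled (value: '$value')"
    return $false
}

# Usage (placeholder path):
# Test-OdtSharedComputerLicensing -ConfigurationXmlPath 'C:\ODT\configuration.xml'
# Test-DeviceSharedComputerLicensing
```

Run the second function under an elevated or SYSTEM context on the shared PC, for example as an Intune compliance or remediation script, so a device that lost the setting is flagged rather than silently burning per-user activations.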

What about security?

We will still be able to secure our identities with conditional access every time a user connects to Office 365.

Endpoints need to be secured with Defender for Endpoint and Security baselines found inside Intune.

What about Windows Hello for Business?

Since WHfB does not roam with the user and is not centrally stored on any server, users will need to be onboarded on each device they wish to use WHfB on. Take this into consideration.

Conclusion

Combining Microsoft 365 Apps shared computer activation with Windows Shared PC mode, you get a solid multi-user solution managed by Intune.

Credits

Windows Autopilot self-deploying mode (Public Preview) | Microsoft Docs

Licenses available for Microsoft Intune | Microsoft Docs