
In this post, we will walk through how to configure a Shared PC (Shared Device) using Microsoft Intune.

Shared PCs are commonly used in environments such as:

  • Meeting rooms
  • Training centers
  • Lobby kiosks
  • Factory floor terminals

 

Because multiple users access the same device, credential management and data persistence prevention are critical.

For example:

  • User A finishes work but forgets to sign out.
  • User B logs in next and unintentionally gains access to User A’s session or data.

This scenario can create serious risks from a privacy and compliance perspective.

To mitigate this risk, Intune provides the Shared multi-user device policy, which allows you to automatically delete user profiles when users sign out.

Official documentation:
Shared or multi-user Windows device settings in Microsoft Intune - Microsoft Intune | Microsoft Learn

 

YouTube: https://youtu.be/GNIXtqwN6Ck

 

 


Step 1. Enroll the Device into Intune

Before deploying policies, the device must first be enrolled in Intune.

 

 

Even if the device is intended for shared usage, enrollment should be performed using an administrator or master account.

After enrollment:

  1. Create a Security Group for policy deployment
  2. Add the shared PC to the group

 

Only after completing these steps can the policy be successfully assigned.


Step 2. Create a Shared Multi-User Device Policy

Navigation Path

Intune Admin Center > Devices > Windows > Manage Devices > Configuration > Create > New Policy

Select the following options:

  • Platform: Windows 10 and later
  • Profile Type: Templates
  • Template: Shared multi-user device

 

Then assign a policy name.


Policy Configuration Example

 

Below is an example configuration:

| Policy Setting | Value | Description | Meaning |
|---|---|---|---|
| Shared PC mode | Enable | Enables shared multi-user mode | Activates account cleanup and shared operations |
| Guest account | Guest and Domain | Allows Guest and Entra ID sign-in | Supports M365 and Guest login |
| Account management | Enabled | Enables automatic account management | Automatically manages user profiles |
| Account Deletion | Immediately after log-out | Deletes profile upon sign-out | Immediately removes user traces |
| Local Storage | Disabled | Controls local storage usage | Prevents persistent local data |
| Power Policies | Enabled | Applies power settings | Enables power management control |
| Sleep timeout | 300 seconds | Idle time before sleep | Enters sleep after 5 minutes |
| Sign-in when PC wakes | Enabled | Requires login after wake | Protects active sessions |
| Maintenance start time | Not set | Maintenance window | Uses default behavior |
| Education policies | Not configured | Education-specific settings | No impact in enterprise environments |

Key Design Intent of This Configuration

1️⃣ Immediate Profile Deletion Upon Sign-out

When a user signs out, their profile is immediately deleted.

→ Prevents residual data from remaining on the shared device.

Note: The contents of the Downloads folder are also removed after sign-out.


2️⃣ Local Storage Restriction

By disabling local storage, files are not permanently stored on the shared device.


3️⃣ Sign-in Required After Sleep

  • Device enters sleep after inactivity
  • User must sign in again when waking the device

→ Prevents session hijacking


4️⃣ When Entra ID Sign-in Is Allowed

If users sign in with their M365 (Entra ID) account:

  • OneDrive integration is available
  • Personal environment is maintained during the session
  • Profile is deleted after sign-out

This enables temporary personalization while maintaining shared-device security.


Assigning the Policy

Assign the policy to the device group and create it.

 

Once applied:

  • Users can sign in using Guest or Domain accounts

  • A new profile is created each time a user signs in

  • Only the Downloads folder is accessible in File Explorer

  • Data inside Downloads is removed after sign-out

Considerations When Using Guest Accounts

Guest accounts do not require a password by default.

If a user leaves without signing out:

  • The next user may access the active session
  • Previous user activity may be visible

This can create a security vulnerability.


Advantages of Allowing Entra ID Sign-in

When Domain (Entra ID) sign-in is enabled:

  • Re-authentication is required after screen lock
  • Session protection is enhanced
  • Overall security posture improves

Depending on the enterprise environment, Entra ID-based sign-in is generally recommended.


Additional Mitigation for Guest-Based Environments

If operating primarily with Guest accounts, consider implementing:

  • Automatic forced sign-out after a defined idle time
  • Screen lock enforcement
  • Additional session protection policies

This can be achieved through PowerShell scripts or Intune remediation scripts.
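As an added example (not part of the original post or of Microsoft's documentation), the following Intune remediation detection script checks on the device that the session-protection values from this post's example configuration are actually in effect. It reads the `MDM_SharedPC` class in the MDM bridge WMI namespace; running as SYSTEM (the default for remediations) and the choice of which settings to treat as the baseline are assumptions.

```powershell
# Added example: Intune remediation *detection* script for a Shared PC baseline.
# Assumption: runs as SYSTEM so the MDM bridge namespace is readable.
# Expected values mirror this post's example table; adjust them to your own profile.
$expected = [ordered]@{
    EnableSharedPCMode   = $true   # Shared PC mode: Enable
    EnableAccountManager = $true   # Account management: Enabled
    AccountModel         = 2       # 0 = guest only, 1 = domain only, 2 = guest and domain
    DeletionPolicy       = 0       # 0 = delete the profile immediately at sign-out
    SetPowerPolicies     = $true   # Power policies: Enabled
    SleepTimeout         = 300     # Seconds of inactivity before sleep
    SignInOnResume       = $true   # Sign-in when PC wakes: Enabled
}

try {
    $sharedPc = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                                -ClassName 'MDM_SharedPC' -ErrorAction Stop |
                Select-Object -First 1
} catch {
    Write-Output "Cannot read MDM_SharedPC: $($_.Exception.Message)"
    exit 1
}
if (-not $sharedPc) {
    Write-Output 'No MDM_SharedPC instance found; the Shared PC policy has not applied.'
    exit 1
}

# Collect every setting whose effective value differs from the baseline.
$drift = foreach ($name in $expected.Keys) {
    $actual = $sharedPc.$name
    if ($actual -ne $expected[$name]) {
        "{0}: expected '{1}', found '{2}'" -f $name, $expected[$name], $actual
    }
}

if ($drift) {
    # Exit code 1 marks the device as non-compliant in the remediation report.
    Write-Output ('Shared PC drift: ' + ($drift -join '; '))
    exit 1
}
Write-Output 'Shared PC settings match the expected baseline.'
exit 0
```

Deployed as detection-only, the script surfaces devices where immediate profile deletion or sign-in on wake has silently failed to apply, which matters most on guest-only terminals.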


M365 Log Management (4): Building a Windows Update Dashboard from Update History (Intune + Log Analytics + Power BI)

Recently, I’ve been getting more and more interested in visualizing operational logs and device records in a Power BI dashboard. In the Microsoft ecosystem, one of the biggest advantages is that the reporting and data pipelines are designed by the same vendor that built the platform, which often makes the integration more efficient than many third‑party approaches.

At first, I considered pulling everything with PowerShell, but I found that Intune policies + Log Analytics can load the relevant Windows Update signals with far less friction—and then you can build a dashboard on top of them quickly.

This post walks through how to create a Windows Update dashboard using Windows Update for Business reports, Azure Log Analytics, and a Power BI template.

 

YouTube: https://youtu.be/ToqAFJpoh_g

 


What You’ll Need (Requirements)

To build the dashboard described here, you’ll need:

  • An Azure subscription
  • A Log Analytics workspace
  • Devices enrolled and managed with Microsoft Intune
  • Power BI Desktop (to open the template and customize the report)

Reference Materials (Official/Community)

These were the key resources used while implementing the solution:


High-Level Flow (How the Data Gets to Your Dashboard)

At a high level, the process looks like this:

  1. Intune policy enables required diagnostic/telemetry settings on devices
  2. Windows Update for Business reports is enabled and connected to your Log Analytics workspace
  3. Devices upload update status signals → stored in Log Analytics tables (e.g., tables prefixed with UC*)
  4. A Power BI template queries the Log Analytics workspace and visualizes update health

Step 1) Configure Intune Devices for Windows Update for Business Reports

This step ensures that devices can send the required diagnostic data (including device name, if needed for reporting clarity). I followed the Microsoft Learn guidance and created a configuration policy using the Settings catalog.

1. Create a Configuration Profile

In Intune admin center:

Devices > Windows

 

 

Configuration > Policies > New policy


Platform: Windows 10 and later | Profile type: Settings catalog

 

 

Create the profile and give it a name (example used: AllowDeviceNameInDiagnosticData)

 

2. Add Required Settings

In the Settings catalog, search and add the following:

  • Allow Telemetry
    • Category: System
    • Value: Basic
  • Configure Telemetry Opt In Settings UX
    • Value: Disabled
  • Configure Telemetry Opt In Change Notification
    • Value: Disabled
  • Allow device name to be sent in Windows diagnostic data
    • Value: Allowed

 

3. Assign and Monitor the Policy

  • Assign the profile to the target users/devices

  • Complete Review + create

  • Monitor the deployment status in Intune to confirm devices are checking in successfully 


 

Step 2) Enable Windows Update for Business Reports and Connect Log Analytics

Once devices are ready, you need to enable Windows Update for Business reports and link it to your Azure subscription and Log Analytics workspace.

1. Open the Built-In Workbook in Azure

In Azure Portal:

  • Go to Monitor

  • Select Workbooks > Choose Windows Update for Business reports

  • Click Get started 

2. Configure Enrollment (Subscription + Workspace)

  • Select your Azure subscription & Log Analytics workspace > Save settings

 

 

During this flow, you can see that configuration is handled through Microsoft Graph (the UI surfaces the Graph endpoint being called). 

 

3. Wait for Data to Populate

The UI mentions it may take up to 24 hours, but in my case it took 48+ hours before data appeared.

4. Confirm Data in Log Analytics

In Log Analytics, the data lands in tables that start with UC (for example, multiple UC* tables will appear once ingestion begins). 

5. Understand Collection / Upload Frequency

Microsoft documentation also lists data types and upload frequency/latency. Practically speaking, you should expect some tables/events to arrive on different cadences (some daily, some per update event, and with latency that can span hours to a day or more). 
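To check ingestion without waiting on the workbook, the added example below (not from the original post) queries the workspace for every UC* table and reports row counts and the age of the newest record. It assumes the Az.Accounts and Az.OperationalInsights modules are installed and that your account can read the workspace; the parameter names and the 48-hour staleness threshold are illustrative choices.

```powershell
# Added example: confirm Windows Update for Business reports data is arriving.
# Assumptions: Az.Accounts and Az.OperationalInsights are installed; the caller has
# read access to the workspace. Parameter names are illustrative.
param(
    [Parameter(Mandatory)][string]$WorkspaceId,  # Workspace ID copied from the Azure portal
    [int]$LookbackDays    = 7,
    [int]$StaleAfterHours = 48                   # flag tables with nothing newer than this
)

Import-Module Az.OperationalInsights -ErrorAction Stop
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# One row per UC* table: record count and timestamp of the newest record.
$kql = @"
union withsource=TableName UC*
| where TimeGenerated > ago(${LookbackDays}d)
| summarize Rows = count(), Latest = max(TimeGenerated) by TableName
| order by TableName asc
"@

try {
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
                                                  -Query $kql -ErrorAction Stop
} catch {
    # A workspace with no UC* tables yet cannot resolve the wildcard.
    Write-Warning "Query failed (UC* tables may not exist yet): $($_.Exception.Message)"
    return
}

$rows = @($response.Results)
if ($rows.Count -eq 0) {
    Write-Warning "No UC* records in the last $LookbackDays days; ingestion has not started."
    return
}

$now = (Get-Date).ToUniversalTime()
$rows | ForEach-Object {
    $latest = ([datetime]$_.Latest).ToUniversalTime()
    $age    = ($now - $latest).TotalHours
    [pscustomobject]@{
        Table     = $_.TableName
        Rows      = [long]$_.Rows
        LatestUtc = $latest
        AgeHours  = [math]::Round($age, 1)
        Stale     = $age -gt $StaleAfterHours
    }
} | Format-Table -AutoSize
```

Because the policy in Step 1 allows device names in diagnostic data, access to this workspace should be limited to the people who need to see per-device update status.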


Step 3) Tailor the Reports with Power BI

Once data is available in Log Analytics, the easiest path to a polished dashboard is to use the official Power BI template published for Windows Update for Business reports. 

 

1. Download the Power BI Template

From the Tech Community / Windows IT Pro blog post, download the Power BI template referenced in the guide.

Tailor Windows Update for Business reports with Power BI | Windows IT Pro Blog

 

2. Copy the Workspace ID

In Azure Portal:

  • Open Log Analytics workspaces

  • Copy the Workspace ID

3. Open the Template and Load Data

  • Open the Power BI template file
  • When prompted, paste the Workspace ID

  • Click Load 

4. Authenticate

When Power BI prompts for access to the Log Analytics endpoint:

  • Choose Organizational account

  • Click Connect 

5. View Your Windows Update Dashboard

After authentication completes and data is loaded, the dashboard visuals populate and you can begin customizing pages, KPIs, filters, and device group views. 


 

Wrap-Up

With just Intune, Log Analytics, and the Power BI template, you can build a practical Windows Update dashboard without writing custom scripts or maintaining a separate data pipeline. The key is getting device diagnostics configured correctly, enabling WUfB reports, and allowing enough time for ingestion to stabilize. 


While organizing Intune policies, I discovered the existence of the Intune Data Warehouse and realized that it’s possible to build BI dashboards using Power BI.

 

Searching on YouTube, I found that connection methods have been available for quite some time.

 

My goal is to visualize every area of M365, so I decided to take on the challenge right away.

 

YouTube: M365. Creating an Intune Dashboard

 

1. Import Data

There are two main ways to connect Intune Data Warehouse to Power BI.

Method 1. OData Feed

In Power BI, select Get data > OData feed

 

Feed URL Input

 

Enter your organizational account and click Connect


All available tables will be listed – check all and click Load


Data Loading

 

Import complete

Method 2. Connector

In Power BI, select Get Data > More

 

Online Services > Intune Data Warehouse


Specify Period


Select tables and click Load (the following steps are the same)

 

  • The Connector brings in more tables, but the meaningful data is similar.
  • OData Feed allows for custom queries via Advanced Query.
  • The Connector allows you to specify the period.

This post will proceed using the Connector method.


2. Download Power BI Template

Most Intune dashboard resources are based on the following template:

PowerBiDashboards/Intune Dashboard.pbix at main · JayRHa/PowerBiDashboards · GitHub

 

Dashboard Example

 

Go to Transform data > Data source settings to check the Connector-based connection.

 

Refresh

 

You may encounter an error like the one below:

 

The template creator’s blog suggested checking the technical documentation below and changing the locale, but even after changing it, the issue was not resolved. Therefore, I proceeded by copying the template instead.

 

Supported languages and countries/regions for Power BI

https://learn.microsoft.com/en-us/power-bi/fundamentals/supported-languages-countries-regions

 

In your BI file connected to your data, add pages with the same names as the template at the bottom.

 

Copy and paste the three pages as shown below.

 


3. Add Objects and Set Relationships

Since the structure may not match, you might encounter some errors.

 

Adjust the structure to match.

 

This error occurs because the Text Filter object is missing.

 

Go to More visuals > From AppSource.

 

Search for and add the Text Filter.

 

After refreshing or switching pages, you’ll see the issue is resolved.

 

Errors on the Devices page occur because table relationships do not match the template.

 

Open the Model View menu to check the difference in the number of relationships.

 

When data is first imported, Power BI sets relationships automatically.

Since each environment is different, table relationships may vary. Use the following approach as a reference, and match the relationships to the template as needed.

 

Go to Manage relationships.

 

Some relationships in the template are missing in your BI.

 

Match Structure

 

After matching the structure, save.

 

Sometimes, relationships are not automatically created because there’s no data on one side.

 

 

If any relationships have Inactive/Active reversed, fix them as well.

 

Errors on the Devices page will be resolved.

 

There are no errors on the ConfigProfiles page as well.

 

4. Conclusion

By leveraging Power BI, you can intuitively manage Intune devices.
