Shared Mode still needs a few improvements to better secure the device during enrollment.
1. At the end of the enrollment stage, the device lands on a fully unlocked Home Screen with full access for a few minutes until all policies have been applied. The device remains vulnerable to tampering during this window. It should stay inaccessible until all Intune policies, including the MHS policies, have been applied successfully.
2. Device-based App Configuration policies (tested with MS Edge, URL Allow List) do not apply. Such policies have to be deployed via the App Channel to apply successfully. This is not documented anywhere.
3. At the end of enrollment, while the MHS permission policies are still being applied, the user is prompted to grant the permissions. If we wait a few minutes, or log in without granting the permissions and then log out, the permission request goes away. This defeats the whole point of the improvement, because the user will end up tapping the permission request and granting the permissions.