The idea that employees use a single device all day is long gone.
In most enterprise environments I’ve worked in, a “normal” day might involve a laptop at home, a docking station in the office, a virtual desktop for privileged tasks, and sometimes a secondary device for testing or support work. Users don’t think in terms of devices anymore — they think in terms of tasks.
The problem is that Windows, security controls, and management tooling historically did think in terms of devices. That mismatch is where friction, shadow IT, and risky workarounds start to appear.
Microsoft’s answer to this problem is Windows Cross-Device Participation, also referred to as Shared Experiences. When configured correctly, it allows users to move between devices without constantly emailing files to themselves, copying notes into Teams chats, or storing data in unapproved tools.
When configured poorly — or not managed at all — it can quietly become a data leakage risk.
This is where Microsoft Intune earns its keep.
What Windows Cross-Device Participation Really Is
At a technical level, Windows Cross-Device Participation enables cloud-backed features that allow certain activities to follow the user across multiple Windows devices signed in with the same identity.
Common capabilities include:
- Shared clipboard (copy on one device, paste on another)
- App and activity continuity for supported workloads
- Identity-based experiences rather than device-based ones
From the user’s perspective, it feels simple and intuitive. From an IT perspective, it introduces questions around where data lives, how it moves, and who controls it.
This isn’t a new idea — we’ve seen similar functionality in consumer ecosystems for years. What’s different in the enterprise is the expectation that every data movement is intentional, logged, and defensible.
Why Cross-Device Participation Actually Matters in Enterprise Environments
1. Productivity Gains Are Real (and Measurable)
I’ve seen users lose more time than most IT teams realise just trying to move small pieces of information between devices.
Copying logs from a virtual desktop to a physical laptop. Moving snippets of PowerShell code. Grabbing reference text during incident response.
When cross-device clipboard works:
- Tasks finish faster
- Users stop emailing themselves data
- Fewer “temporary” OneDrive or personal cloud workarounds appear
That last point alone is a security win.
2. It Reduces Shadow IT, Not Increases It
There’s a common fear that enabling cross-device features increases risk. In practice, unmanaged friction creates far bigger problems.
If users can’t move information easily:
- They screenshot sensitive data
- They paste it into chat tools
- They use personal cloud storage
A controlled, policy-driven shared experience is almost always safer than a frustrated user improvising.
3. Identity-Centric Computing Is the Direction of Travel
Windows cross-device participation aligns with modern Zero Trust thinking.
- Identity becomes the control plane
- Device compliance becomes a gate
- Data follows the user only when conditions are met
This is far more manageable than the old “everything lives on the device” model — especially in hybrid and remote work environments.
The Security Reality IT Teams Need to Acknowledge
Cross-device participation isn’t inherently unsafe — but it absolutely must be managed.
Uncontrolled deployment introduces risks such as:
- Clipboard data moving to devices outside policy scope
- Sensitive data copied during privileged sessions
- Compliance gaps in regulated environments
This is why Intune-based enforcement isn’t optional if you care about governance.
How Intune Controls Cross-Device Participation
Microsoft exposes shared experience controls through Intune device configuration policies, specifically via the Settings catalog for Windows 10 and later.
This is important for two reasons:
- Policies are enforced at scale
- Users cannot override them locally
In other words, you decide — not the endpoint user.
Step-by-Step: Enabling Cross-Device Participation with Intune
Step 1: Create a Configuration Profile
In the Microsoft Intune Admin Center:
- Go to Devices → Configuration profiles
- Select Create profile
- Platform: Windows 10 and later
- Profile type: Settings catalog
This gives you access to granular, modern Windows settings rather than legacy templates.
Step 2: Configure Shared Experiences
Search for and configure the following settings:
- Allow Shared Experiences
  This is the master switch. If this is disabled, nothing else works.
- Allow Cross-Device Clipboard
  Enables copy and paste between devices.
- Allow Cross-Device App Experiences
  Enables supported activity continuity features.
In most environments I recommend:
- Enabled for standard corporate-managed devices
- Disabled for high-risk or shared systems
Step 3: Assign the Policy Thoughtfully
This is where many implementations go wrong.
Avoid blanket deployment on day one. Instead:
- Start with a pilot group
- Validate behaviour and user feedback
- Roll out by department or role
Also consider whether to target:
- Device groups (preferred for enforcement)
- User groups (useful for role-based access)
Step 4: Monitor and Validate
After deployment:
- Review policy status in Intune
- Check for conflicts with existing profiles
- Monitor device compliance
If something breaks, it’s usually due to legacy GPOs or overlapping policies, not the shared experience settings themselves.
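One way to check an endpoint for the legacy GPO overlap described above, as an added example that is not part of the original article or any Microsoft tooling. It assumes the Group Policy values `EnableCdp` and `AllowCrossDeviceClipboard` correspond to the MDM policies `Connectivity/AllowConnectedDevices` and `Privacy/AllowCrossDeviceClipboard`, and that MDM values land under the `PolicyManager\current\device` registry key; confirm both against a pilot device, because the article's setting names are the Settings catalog display names.

```powershell
# Added example: compare GPO-written and MDM-written shared-experience values.
# The GPO-to-MDM pairing and the PolicyManager path are assumptions to verify.
$GpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$MdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
$Checks  = @(
    @{ Name = 'Connected Devices Platform'; GpoValue = 'EnableCdp'
       MdmArea = 'Connectivity'; MdmValue = 'AllowConnectedDevices' }
    @{ Name = 'Cross-device clipboard'; GpoValue = 'AllowCrossDeviceClipboard'
       MdmArea = 'Privacy'; MdmValue = 'AllowCrossDeviceClipboard' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # No output means the key or value is absent, i.e. the policy is not set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Compare-SharedExperiencePolicy {
    param([hashtable]$Gpo, [hashtable]$Mdm)
    foreach ($c in $Checks) {
        $g = $Gpo[$c.GpoValue]
        $m = $Mdm["$($c.MdmArea)\$($c.MdmValue)"]
        $state = if ($null -eq $g -and $null -eq $m) { 'NotConfigured'
        } elseif ($null -eq $g) { 'MdmOnly'
        } elseif ($null -eq $m) { 'GpoOnly'
        } elseif ($g -eq $m)    { 'Match'
        } else                  { 'Conflict' }
        [pscustomobject]@{ Setting = $c.Name; Gpo = $g; Mdm = $m; State = $state }
    }
}

function Get-LiveSharedExperiencePolicy {
    # Reads the local registry and classifies each setting.
    $gpo = @{}; $mdm = @{}
    foreach ($c in $Checks) {
        $gpo[$c.GpoValue] = Get-RegValue $GpoKey $c.GpoValue
        $mdm["$($c.MdmArea)\$($c.MdmValue)"] =
            Get-RegValue (Join-Path $MdmRoot $c.MdmArea) $c.MdmValue
    }
    Compare-SharedExperiencePolicy -Gpo $gpo -Mdm $mdm
}

# Constructed sample: a legacy GPO still disables CDP while Intune allows it.
$sampleGpo = @{ EnableCdp = 0 }
$sampleMdm = @{ 'Connectivity\AllowConnectedDevices' = 1
                'Privacy\AllowCrossDeviceClipboard'  = 1 }
Compare-SharedExperiencePolicy -Gpo $sampleGpo -Mdm $sampleMdm | Format-Table -AutoSize
```

On a pilot device, run `Get-LiveSharedExperiencePolicy` instead of the sample call; a `Conflict` or `GpoOnly` row points at a legacy GPO value to retire before widening the rollout.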
Best Practices from the Field
1. Combine with Conditional Access
Cross-device experiences should only work when:
- Devices are compliant
- Users pass MFA
- Risk signals are acceptable
This ensures productivity doesn’t bypass security controls.
2. Restrict High-Risk Scenarios
Do not enable shared experiences on:
- Kiosk devices
- Privileged Access Workstations (PAWs)
- Break-glass or admin-only systems
Some friction is intentional in high-security contexts.
3. Educate Users (Briefly, Not Excessively)
Users don’t need a whitepaper. They need clarity.
Explain:
- What can be shared
- When it’s appropriate
- What still shouldn’t be copied
Clear guidance prevents accidental misuse.
4. Align with Data Protection Controls
Cross-device participation should respect:
- Sensitivity labels
- Microsoft Purview DLP
- Information protection policies
Shared experiences should work with your data controls, not around them.
Common Mistakes I See Repeated
- Enabling without monitoring
- Ignoring older GPO conflicts
- Over-enabling for all roles
- Treating productivity features as “all or nothing”
Good endpoint management is nuanced — not binary.
Compliance and Governance Impact
When managed correctly, cross-device participation actually strengthens governance:
- Centralised policy enforcement
- Identity-driven access control
- Auditable configuration changes
- Alignment with Zero Trust architecture
When unmanaged, it becomes a blind spot. That’s the difference Intune makes.
Final Thoughts
Windows Cross-Device Participation reflects a broader shift in enterprise computing: from device-first to identity-first.
Used carelessly, it can introduce risk.
Used deliberately, it removes friction, reduces shadow IT, and improves how people actually work.
Key takeaway for IT professionals:
Enable shared experiences with intent. Control them with Intune. Align them with your security posture. When productivity and governance move together, cross-device participation becomes an advantage — not a liability.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
