Struggling with Windows 11 Kiosks in Intune? Here’s What the Docs Aren’t Telling You

Hey folks, if you’ve ever banged your head against the wall trying to get Assigned Access (aka Kiosk mode) working smoothly on Windows 11 via Intune, you’re not alone. Microsoft’s documentation is… let’s call it “sparse” when it comes to the unique differences from Windows 10. The current Intune Kiosk templates? They were built for Windows 10, and while single-app mode kinda-sorta works on 11, multi-app is where things get real interesting—and real frustrating.

I’ve spent way too much time in the trenches with this lately, especially after running into some nasty AppLocker pop-ups with Microsoft Edge. So here’s the no-fluff rundown of the gotchas I’ve hit, plus some practical fixes to get you moving forward as we head into 2026.

Common Pain Points Everyone Asks About

  • No icons in the multi-app Start menu?
  • Custom Start layouts (JSON) not applying?
  • How do I set a friendly display name without juggling local/service accounts?
  • AppLocker errors popping up randomly when running Edge in kiosk mode?

If any of these sound familiar, keep reading.

That Annoying AppLocker Error with Edge

This one started popping up more in 2025: random “This app has been blocked by your system administrator” messages when using Microsoft Edge in kiosk mode—sometimes in the foreground, sometimes lurking in the background.

Turns out Assigned Access leans heavily on AppLocker to lock things down. In single-app mode, you don’t get useful Event Viewer logs, but multi-app mode does provide us with the needed logs.

After digging through the AppLocker events (Applications and Services Logs > Microsoft > Windows > AppLocker), the culprit turned out to be a Windows 11 component, MicrosoftWindows.Client.CBS_cw5n1h2txyewy, and more specifically CrossDeviceResume.exe.
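The log triage described above can be scripted so that every blocked binary is reviewed before it goes into the allowed apps list. This is an added example, not code from the original post: the function names and the sample events are constructed for illustration, and the events are trimmed to the fields the script reads.

```powershell
# Added example: group AppLocker "blocked" events by binary so each one can be
# reviewed before it is added to <AllowedApps>. Function names are hypothetical.

function Get-AppLockerBlockSummary {
    param(
        # One XML string per event, as returned by $event.ToXml()
        [Parameter(Mandatory)] [string[]] $EventXml
    )

    $rows = foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # 8004 = an EXE or DLL was prevented from running (enforce mode)
        if ([int]$evt.System['EventID'].InnerText -ne 8004) { continue }

        $data = $evt.UserData.RuleAndFileData
        $path = if ($data.FullFilePath) { $data.FullFilePath } else { $data.FilePath }
        [pscustomobject]@{
            Time   = [datetime]$evt.System.TimeCreated.SystemTime
            Path   = [string]$path
            Signer = [string]$data.Fqbn
        }
    }

    $rows | Group-Object Path | ForEach-Object {
        [pscustomobject]@{
            Count         = $_.Count
            LastSeen      = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
            Path          = $_.Name
            Signer        = $_.Group[0].Signer
            # A version folder in the path means a pinned entry breaks on the next update
            VersionPinned = $_.Name -match '\\\d+(\.\d+){2,3}\\'
        }
    } | Sort-Object Count -Descending
}

# Constructed sample events (timestamps and signer text are made up).
function New-SampleEvent([int]$Id, [string]$Time, [string]$Path) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>$Id</EventID>
    <TimeCreated SystemTime="$Time" />
  </System>
  <UserData>
    <RuleAndFileData>
      <PolicyName>EXE</PolicyName>
      <Fqbn>O=MICROSOFT CORPORATION (constructed)</Fqbn>
      <FullFilePath>$Path</FullFilePath>
    </RuleAndFileData>
  </UserData>
</Event>
"@
}

$cbs    = 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe'
$sample = @(
    New-SampleEvent 8004 '2026-01-10T14:02:11Z' $cbs
    New-SampleEvent 8004 '2026-01-10T14:20:45Z' $cbs
    New-SampleEvent 8004 '2026-01-10T14:21:03Z' 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\144.0.3719.104\msedgewebview2.exe'
    # 8002 = allowed; included to show that it is ignored
    New-SampleEvent 8002 '2026-01-10T14:00:00Z' 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
)

Get-AppLockerBlockSummary -EventXml $sample |
    Format-Table Count, VersionPinned, LastSeen, Path -AutoSize

# Live use on a multi-app kiosk (the mode that writes these events):
#   $xml = Get-WinEvent -FilterHashtable @{
#              LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } |
#          ForEach-Object { $_.ToXml() }
#   Get-AppLockerBlockSummary -EventXml $xml
```

Check the signer and path of each row before allowing it; a blocked binary that sits in a user-writable location should stay blocked.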

Honestly, there is not much documented about this component, so we have reported this directly to Microsoft and are eagerly awaiting validation regarding this behavior with Assigned Access.

*UPDATE* Microsoft has confirmed this error in behavior and is pushing a fix in 2026, “[The team] team has made a fix for that message. It will finish rolling out to all users by the January preview update (February update for users who don’t take previews)…

Fix: Preferably deploy this via your Assigned Access XML rather than the old kiosk template. Once added, the pop-ups vanish. Add it to your allowed apps in the XML (multi-app mode lets you do this easily; single-app doesn’t…).

Multi App XML Configuration

<App DesktopAppPath="%windir%\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe" />

Multi App Kiosk Intune Templates (NOT RECOMMENDED)

AUMID/PATH: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe

DesktopApplicationID/AUMID for the Win32 app: MicrosoftWindows.Client.CBS_cw5n1h2txyewy

The Big Shift: Ditch the Old Kiosk Templates for Windows 11 and Embrace Assigned Access XML Profiles

The Intune “Kiosk” profiles you’re used to? They’re legacy Windows 10 tech. On Windows 11, multi-app Assigned Access behaves differently—Start menu customization requires the use of the XML, auto-pinning of applications has been removed, and some restrictions (like File Explorer namespaces) were buggy until recent cumulative updates.

Sticking with the old templates introduces technical debt and blocks you from true zero-touch deployment. The future-proof way? Switch to the AssignedAccess CSP with a custom XML configuration.

Yes, it’s a bit more work upfront, but it gives you full control—and it’s the only way to reliably handle multi-app on Windows 11. Below we are going to discuss four very common use cases and how to deploy them with the Assigned Access XML profiles.

Example Configurations

Example 1: Single-App Edge Kiosk
Disclaimer: I’m holding off recommending this for production until Microsoft patches the lingering AppLocker quirks with Edge & the CrossDeviceResume Windows 11 component. I’ve escalated this concern, and I’m optimistic we’ll see a fix soon.


THAT WAS FAST! *UPDATE* Microsoft has confirmed this error in behavior and is pushing a fix in 2026, “[The team] team has made a fix for that message. It will finish rolling out to all users by the January preview update (February update for users who don’t take previews)…

https://github.com/kevinmalinoski/Intune-Blog-Resources/blob/main/Assigned%20Access%20Windows%2011%20Kiosk%20Templates/Example1_SingleAppKiosk.xml

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config">
  <Profiles>
    <Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
      <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--kiosk https://www.malinoski.me/ --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=5" />
      <v4:BreakoutSequence Key="Ctrl+A" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="Single App Kiosk Account" />
      <DefaultProfile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>

Example 2: Multi-App with Edge (Recommended for Web-Focused Kiosks)

https://github.com/kevinmalinoski/Intune-Blog-Resources/blob/main/Assigned%20Access%20Windows%2011%20Kiosk%20Templates/Example2_MultiAppKiosk.xml

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList>
        <AllowedApps>
          <App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" rs5:AutoLaunch="true" />
          <App DesktopAppPath="C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe" />
        </AllowedApps>
      </AllAppsList>
      <rs5:FileExplorerNamespaceRestrictions>
        <rs5:AllowedNamespace Name="Downloads" />
        <v3:AllowRemovableDrives />
      </rs5:FileExplorerNamespaceRestrictions>
      <v5:StartPins><![CDATA[{
                    "pinnedList":[
                        {"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
                    ]
                }]]></v5:StartPins>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="Multi App Kiosk Experience" />
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>

Example 3: Restricted User Experience
Taken directly from the Microsoft documentation (https://learn.microsoft.com/en-us/windows/configuration/assigned-access/quickstart-restricted-user-experience?tabs=intune&pivots=windows-11#configure-a-restricted-user-experience)

https://github.com/kevinmalinoski/Intune-Blog-Resources/blob/main/Assigned%20Access%20Windows%2011%20Kiosk%20Templates/Example3_RestrictedUserAccess.xml

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="C:\Windows\system32\cmd.exe" />
          <App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
          <App DesktopAppPath="%windir%\explorer.exe" />
          <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
          <App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
          <App DesktopAppPath="C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe" />
        </AllowedApps>
      </AllAppsList>
      <rs5:FileExplorerNamespaceRestrictions>
        <rs5:AllowedNamespace Name="Downloads" />
        <v3:AllowRemovableDrives />
      </rs5:FileExplorerNamespaceRestrictions>
      <v5:StartPins><![CDATA[{
                    "pinnedList":[
                        {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
                        {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
                        {"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
                        {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
                        {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
                        {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
                        {"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
                        {"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
                    ]
                }]]></v5:StartPins>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="MALINOSKI Web Browser" />
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>

Example 4: Multi-User Kiosk via Restricted User Experience

Yes, It’s Possible! This is the profile you want to try. Too often I have heard the request, “How do we restrict users from logging into the kiosk?” Here’s the thing – if you have seen that scene from Men-in-Black where Will Smith’s character exhibits out-of-the-ordinary reasoning and critical thinking skills….

We need to start asking ourselves a different question – how do we control the access that our end users gain to the system if they were to decide to log into a public kiosk?

The answer is to extend the Assigned Access restrictions to all user accounts, not just the targeted “kioskuser0” built-in account.

Use the XML code below to test this out in your environment! There are some minor restrictions with this approach to keep in mind:

  • You can ONLY have one single app config, but you can have multiple multi app configs in the multi user XML
  • Keep in mind that the following terms are (basically) interchangeable when we are talking about Windows 11 Kiosks
    • Assigned Access – Kiosk Mode
    • Single App Kiosk – KioskModeApp
    • Multi App Kiosk – AllAppsList – Restricted User Experience
  • User groups can only use a Restricted User Experience profile
  • Restricted User Experience profiles only work with Standard user accounts, they should NOT be targeted at Administrator accounts
  • User logins CANNOT be tied to Conditional Access Policies that require user interaction – https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/users-cannot-logon-windows-multi-app-kiosk

Without further ado…. the XML profile that you have been waiting to test out!

https://github.com/kevinmalinoski/Intune-Blog-Resources/blob/main/Assigned%20Access%20Windows%2011%20Kiosk%20Templates/Example4_MultiUserKiosk.xml

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
      <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--kiosk https://www.malinoski.me/ --edge-kiosk-type=public-browsing --kiosk-idle-timeout-minutes=15" />
      <v4:BreakoutSequence Key="Ctrl+A" />
    </Profile>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="C:\Windows\system32\cmd.exe" />
          <App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
          <App DesktopAppPath="%windir%\explorer.exe" />
          <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
          <App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
          <App DesktopAppPath="C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe" />
        </AllowedApps>
      </AllAppsList>
      <rs5:FileExplorerNamespaceRestrictions>
        <rs5:AllowedNamespace Name="Downloads" />
        <v3:AllowRemovableDrives />
      </rs5:FileExplorerNamespaceRestrictions>
      <v5:StartPins><![CDATA[{
                    "pinnedList":[
                        {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
                        {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
                        {"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
                        {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
                        {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
                        {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
                        {"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
                        {"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
                    ]
                }]]></v5:StartPins>
      <Taskbar ShowTaskbar="true" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="MALINOSKI Web Browser" />
      <DefaultProfile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
    </Config>
    <Config>
      <UserGroup Type="LocalGroup" Name="Users" />
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
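The restrictions listed above are easy to get wrong when profiles are copied between files, and a mistake only surfaces as an error status after the policy syncs. The following lint is an added example, not part of the original post or of any Microsoft tooling: Test-AssignedAccessConfig is a hypothetical helper, and the sample XML with its placeholder GUIDs is constructed to contain three deliberate mistakes.

```powershell
# Added example: lint an Assigned Access XML before it is uploaded to Intune.
# Test-AssignedAccessConfig is a hypothetical helper, not a Microsoft cmdlet.

function Test-AssignedAccessConfig {
    param([Parameter(Mandatory)] [string] $XmlText)

    $doc      = [xml]$XmlText
    $findings = [System.Collections.Generic.List[string]]::new()
    $kind     = @{}   # profile Id -> 'Kiosk' or 'Restricted' (keys are case-insensitive)

    # local-name() keeps the XPath independent of the schema prefixes a file declares
    foreach ($p in $doc.SelectNodes("//*[local-name()='Profiles']/*[local-name()='Profile']")) {
        $id      = $p.GetAttribute('Id')
        $isKiosk = $null -ne $p.SelectSingleNode("*[local-name()='KioskModeApp']")
        $kind[$id] = if ($isKiosk) { 'Kiosk' } else { 'Restricted' }

        # A shell in AllowedApps gives every user of the profile a script host
        foreach ($app in $p.SelectNodes(".//*[local-name()='App'][@DesktopAppPath]")) {
            $leaf = ($app.GetAttribute('DesktopAppPath') -split '\\')[-1]
            if ($leaf -in 'cmd.exe', 'powershell.exe', 'pwsh.exe') {
                $findings.Add("WARN  profile $id allows $leaf; confirm the kiosk really needs it")
            }
        }
    }

    # The post notes that only one single-app (KioskModeApp) profile is possible
    $kioskCount = @($kind.Values | Where-Object { $_ -eq 'Kiosk' }).Count
    if ($kioskCount -gt 1) {
        $findings.Add("ERROR $kioskCount KioskModeApp profiles defined; only one is allowed")
    }

    foreach ($c in $doc.SelectNodes("//*[local-name()='Configs']/*[local-name()='Config']")) {
        $ref = $c.SelectSingleNode("*[local-name()='DefaultProfile']")
        $id  = if ($null -ne $ref) { $ref.GetAttribute('Id') } else { '(none)' }

        if (-not $kind.ContainsKey($id)) {
            $findings.Add("ERROR Config points at profile $id, which is not defined under Profiles")
            continue
        }
        # Group accounts can only be tied to a restricted user experience profile
        $isGroup = $null -ne $c.SelectSingleNode("*[local-name()='UserGroup']")
        if ($isGroup -and $kind[$id] -eq 'Kiosk') {
            $findings.Add("ERROR UserGroup config uses kiosk profile $id; groups need an AllAppsList profile")
        }
    }
    $findings
}

# Constructed sample: dangling DefaultProfile, a group tied to the kiosk profile,
# and cmd.exe in AllowedApps. GUIDs are placeholders.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config">
  <Profiles>
    <Profile Id="{11111111-1111-1111-1111-111111111111}">
      <KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
    </Profile>
    <Profile Id="{22222222-2222-2222-2222-222222222222}">
      <AllAppsList>
        <AllowedApps>
          <App DesktopAppPath="%windir%\System32\cmd.exe" />
        </AllowedApps>
      </AllAppsList>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount rs5:DisplayName="Kiosk" />
      <DefaultProfile Id="{33333333-3333-3333-3333-333333333333}" />
    </Config>
    <Config>
      <UserGroup Type="LocalGroup" Name="Users" />
      <DefaultProfile Id="{11111111-1111-1111-1111-111111111111}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
'@

Test-AssignedAccessConfig -XmlText $sample

# To lint a file from disk:
#   Test-AssignedAccessConfig -XmlText (Get-Content .\Example4_MultiUserKiosk.xml -Raw)
```

The WARN line is a review prompt rather than a failure: Examples 3 and 4 allow cmd.exe and PowerShell on purpose, and Example 4 extends that profile to the local Users group.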

Assigning the XML configuration through Intune

Once you have picked an XML format that you want to try – follow the steps below to publish the configuration through a Custom OMA-URI Intune config. You can download the above XML files from my GitHub repo – https://github.com/kevinmalinoski/Intune-Blog-Resources/tree/main/Assigned%20Access%20Windows%2011%20Kiosk%20Templates

  1. Navigate to Intune Admin Center > Devices > Windows > Configuration > + Create > New Policy
  2. Platform: Windows 10 and later
    Profile Type: Templates
    Template Name: Custom
  3. Click Create
  4. Choose a Name and provide a description for your policy
  5. Under OMA-URI Settings click Add
  6. Add the following values
    • Name
    • Description
    • OMA-URI: ./Vendor/MSFT/AssignedAccess/Configuration
    • Data Type: String (XML file) – Upload your custom XML Assigned Access config file
  7. Click Save and assign to a device group for testing in your environment

Wrapping Up

Assigned Access on Windows 11 is legitimately a game-changer—way beyond basic “kiosk” mode. It lets you build dedicated production terminals, controlled single-app machines, or locked-down frontline worker desktops with real flexibility.

Once you nail the fundamentals (and switch to XML configs), the possibilities are endless.

What’s your experience been like? Are you already using Assigned Access in creative ways, or did this post answer (or miss) a burning question? Drop it in the comments—I’d love to hear how you’re tackling Windows 11 kiosks as we kick off 2026 with a ton of new Intune features on the horizon.

Let’s make endpoint management a little less painful together! 🚀

22 responses to “Struggling with Windows 11 Kiosks in Intune? Here’s What the Docs Aren’t Telling You”

  1. Miguel S

    Great read. I have been trying to utilize the Kiosk Intune Template but finding it to be hit and miss regardless if it’s Single or Multi App mode. After reading this it appears that the better approach is to ditch the built in Kiosk template and instead pivot to Custom and utilize XML? My biggest pain-point has been autologon not working (having to use .kioskuser0) then after first logon it seems to work after, but it’s hit and miss.

    1. Kevin Malinoski

      Hi Miguel!
      Yes, for full Windows 11 compatibility with multi-app kiosk setups (now powered by Assigned Access), you’ll want to move away from the legacy Intune Kiosk templates—they’re primarily tuned for Windows 10 and don’t fully support the newer features.

      Instead, switch to the XML-based configuration method via the Assigned Access CSP (using a Custom profile in Intune with OMA-URI ./Vendor/MSFT/AssignedAccess/Configuration). This gives you the flexibility needed for Windows 11.

      A few quick tips for success:

      Keep it lean: Deploy only the essential applications to avoid bloat and ensure a smooth, reliable locked-down experience.
      Test thoroughly: Start minimal (e.g., just Edge + one or two core apps) to validate your setup before adding more—this really helps you understand what a solid Windows 11 kiosk looks like in practice.

      I highly recommend watching this in-depth Microsoft session for a complete technical walkthrough (including demos, config examples, and Intune integration best practices):
      “Windows 11 kiosks: Cloud management for the win” – Microsoft Technical Takeoff
      Link: https://techcommunity.microsoft.com/event/windowsevents/windows-11-kiosks-cloud-management-for-the-win/4376223

      It’s extremely thorough and will save you a ton of trial-and-error. Let me know how it goes or if you run into any snags—I’d be happy to help troubleshoot!

      1. Miguel S

        Great advice. I did take Example #3 into my lab as I have a new use case this would be exactly useful for. Unfortunately taking that XML and applying it is running into errors, thus not working. Any thoughts?

        The custom OMA-URI policy device status shows me the following —

        Setting Name: Configuration [./Vendor/MSFT/AssignedAccess/Configuration]
        Setting Status: Error
        Error Code: -2016345612

      2. Kevin Malinoski

        All of the examples should have been tested – if you are applying the XMLs through Intune CSP – give the machine some time…..

        The computer can require multiple restarts as well over the course of an hour.

        Also – are you deploying Microsoft edge to the machine through Intune? I am validating #3 on a 24H2 system and will report back if I observe any problems

      3. Kevin Malinoski

        I found an error with the reference to the profile GUID in example 3 – I updated the XML here and on Git

        Liked by 1 person

  2. butteryjellyfish6f5bf4ecb5

    Hi Kevin. Please disregard as I got it to work by using the actual XML from the Microsoft documentation. Although it’s missing CrossDeviceResume when I uploaded and refreshed the policy it turned successfully applied. Restarted my device and it’s working perfectly now.

    I will circle back with this XML and inject the CrossDeviceResume to it and harden it further with our use case. Hope this helps bud!

    Liked by 2 people

    1. Kevin Malinoski

      Great to hear! When in doubt, give it a Microsoft Minute! (aka 24 hours)
      😛

      1. Miguel S.

        This article has been a breath of fresh air for me. After what seems like months of working with Microsoft Premier and getting things sorted this has been refreshing to know it wasn’t just me. Planning to give Example 2 and also Example 4 a demo drive as well to see the capabilities they provide.

        Btw, is the only difference with Example 2 and Example 3 being that Example 2 is web based and when only needing Edge along with select allowed native apps?

        Liked by 1 person

      2. Kevin Malinoski

        Sorry to miss your question here – in short the big difference is that example 3 dips more into the default “Assigned Access” concept. Give the users access to those core system apps and let them use an extremely restricted Windows 11 OS.

        Example 2 is just a baseline for using only Edge, as the error message will be present without the whitelist in both modes. Single app mode does not log AppLocker restrictions, but multi app does.

        Think of the examples this way:

        1 – Single App Kiosk (traditional kiosk experience)
        2 – Multi App Kiosk (traditional kiosk experience)
        3 – User Assigned Access; modern approach to self service employee terminals
        4 – Assigned Access, Single App & Optional User Assigned Access (this also is how to resolve the current bug with single app mode)

    2. Kevin Malinoski

      While you are on a roll – read over this. It is VERY important because profile targeting to different users and groups can have limitations:

      https://learn.microsoft.com/en-us/windows/configuration/assigned-access/configuration-file?pivots=windows-11#configs

      Under Configs, define one or more user accounts, or groups, and their association with a profile. When the user account signs in, the associated Assigned Access profile is enforced along with policy settings that are part of the restricted user experience.

      You can assign:
      -A standard user account, which can be local, domain, or Microsoft Entra ID
      -A group account, which can be local, Active Directory (domain), or Microsoft Entra ID

      Limitations:
      Configs that specify group accounts can’t use a kiosk profile, only a restricted user experience profile
      Apply the restricted user experience to standard users only. It’s not supported to associate an admin user with an Assigned Access profile
      Don’t apply the profile to users or groups that are targeted by conditional access policies that require user interaction. For example, multi-factor authentication (MFA), or Terms of Use (TOU). For more information, see Users can’t log on to Windows if a multi-app kiosk profile is assigned

      https://learn.microsoft.com/en-us/windows/configuration/assigned-access/configuration-file?pivots=windows-11#configs

      1. Thomas

        Hello Kevin,

        thank you very much for your very helpful post. I have also been looking more deeply into the Multi‑App mode. However, one exclusion criterion for me was that I wanted to implement a Windows kiosk system as a thin‑client replacement. In doing so, I encountered the issue that the Teams SlimCore engine — despite being explicitly allowed in AppLocker — continues to be blocked.

        Do you happen to have a solution or an approach to work around this behavior? Is there perhaps already an unofficial fix from Microsoft?

        I would greatly appreciate any feedback.
        Thank you and kind regards,
        Thomas

      2. Kevin Malinoski

        Thomas – can you provide me the working config that you are using for this image?

      3. loudlyzorro6a394d91c5

        Hello Kevin, yes that’s no problem. Here is a config I’ve been experimenting with. Everything works except for Teams VDI. I added additional Teams VDI settings, but they don’t bring any success either!
        Actually, this entry should be sufficient:
        XML

        If you run the config for the first time and establish a Citrix session, the Teams VDI component works.
        However, when you log off the session, restart the thin client, and then try to access Citrix again, you will find in the Event Log that the Teams VDI component is being blocked by AppLocker!

  3. Miguel S.

    Have you run into this scenario yet or found a way to address it? I’m working with a web application that downloads a small .EXE agent used for remote control (BeyondTrust). The download completes, but the file is being blocked because it’s not listed as an AllowedApp.

    This raises the question: have you had any success allowing dynamically downloaded executables where a wildcard can be used in the XML policy? Each agent download is generated with a unique string in its filename — for example:Beyond-scc-win_x64-xxxxxxxxxxx.exe

    I’m trying to determine whether there’s a workable method to support these dynamically named agents without explicitly defining every unique filename which would be impossible.

  4. Jaap

    Many thanks,

    I was testing the kiosk setup a while ago and documented the restrictions popup as ‘can be ignored’. Good insight.

    Liked by 1 person

  5. Andrew McNaughton

    I had a few months from hell there with this… I hoped it was going to be this CrossDevice thing because this is the second time I’d seen it referenced but it still didn’t help our case. We’re using a 3rd party mapping app.

    Went down lots of rabbit holes with the AppLocker event logs…

    Finally cracked the case when I saw all these instances of Edge WebView2. At first, I was going to ignore them. I thought, if they’re running, they must be fine. Not true. Processes can get running but go on to be blocked by Assigned Access pulling AppLocker’s strings.

    Adding:

    <App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\EdgeWebView\Application\*\msedgewebview2.exe" />

    Saved the day.

    Added this for good measure:

    App DesktopAppPath=”%ProgramFiles(x86)%MicrosoftEdgeCoreOptimizedmsedgewebview2.exe”

    It seems our 3rd party app is using the version-specific binary of WebView2. Thankfully, Assigned Access supported a wildcard in the path.

    I added the evergreen version just in case and encouraged them to review Microsoft’s best practice recommendation of using the evergreen path.

    Liked by 1 person

    1. Kevin Malinoski

      Andrew – this is really good information as I was ALSO seeing something similar and did not get around to tracking it down, but I think you are spot on. It really seems like some components of native and 3rd party apps and exhibit this in Single App mode. Once I start to use 3rd party apps this error message can become far more persistent. I am going to work to validate this and will update the post and credit your contributions.

      Also – worth noting – an upcoming quality release is on the way for my iteration of this issue in Windows 11 Builds 26100.7701 and 26200.7701 “[Kiosk mode] Changed: Removed an error message that might show after logging in for multi-app kiosk mode, saying “This operation has been cancelled due to restrictions in effect on this computer”.”

      https://blogs.windows.com/windows-insider/2026/01/27/releasing-windows-11-builds-26100-7701-and-26200-7701-to-the-release-preview-channel/

  6. Jaap

    I keep seeing AppLocker blocking these (and a nice blue Windows screen popup up telling the same):

    ??C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.9_x64__cw5n1h2txyewy\WidgetBoard.exe was prevented from running.
    ??C:\Program Files (x86)\Microsoft\Edge\Application\144.0.3719.104\identity_helper.exe was prevented from running.
    ??C:\Program Files (x86)\Microsoft\EdgeWebView\Application\144.0.3719.104\msedgewebview2.exe was prevented from running.

    The annoying restrictions popup I don’t see anymore.

    1. fayas

      Hi, did you find any solution for this pop? Same for me identity_helper.exe. I can’t add it in allowlist as the version number could change

  7. Alexej Fedorov

    Would you know why the Windows App isn’t opening with this config? Link

  8. moonlovingfb7c4838dc

    Hi Kevin,

    Great article thank you –

    Do you have any advice about running Wireless Display with a Kiosk? Ripping my hair out currently over this. Seems to work once only and never again after restart, even with a local admin. Have all the firewall settings to allow it and also have tried enabling with the projection settings in the settings catalogue to allow for connection.
